Bypass options permit user access without authentication (whitelist), based on source or destinations IP/MAC. Below are the commands to achieve different objectives.
mbox(config)# security hotspot <LANIF>
Permit/whitelist access based DESTINATIONS:
- bypass-domain <domainlist> This command permits access based on domains, so all the URLs using sub-domains are automatically permitted, eg. if we permit .ransnet.com, then portal.ransnet.com and www.ransnet.com are both permitted. We can list multiple domains here, separated by commas. We also need put a . in front of each domain. Below is a sample entry (to enable facebook login)
- bypass-dst <dstlist> This command permits access based on destination URLs or IP address or Subnets. We can list multiple entries here, separated by commas. Below is a sample entry
- bypass-dst strictdns By default, if the "bypass-dst" command includes URLs, mbox will resolve the URLs into IP and bypass/whitelist access to these IPs. But sometimes, this may not be accuate enough, for example, some google sub-domains share the same IP address. So when we just want to permit google play, gmail is also auto permitted, and this is not desirable. Enabling strictdns ensures only exact/configured URL/sub-domains are permitted, even if they're sharing the same server IP. This feature is disabled by default.
Permit/whitelist access based SOURCE:
- bypass-src <srclist> This command permits access based on user source IP or subnets. We can list multiple entries here, separated by commas. Below is a sample entry
- bypass-mac <XX-XX-XX-XX-XX-XX> This command permits access based on device source MAC address.
- bypass-mac radius Permits access based on RADIUS MAC address authentication. The device source MAC addresses are added in RADIUS user database. There're a few additional options when using RADIUS MAC authentication.
- bypass-mac radius <password> (optional) When using RADIUS MAC address authentication, by default the password is set as "Accept", but sometimes the RADIUS server may require different password (based on security policy). Use this command to set the same MAC password.
- bypass-mac radius reauth (optional) We can set this option to periodically require re-authentication, so that in case if the device MAC is removed (access revoked), mbox can block out access for this device immediately.
NOTE: to configure bypass for MAP (when deployed in cloud mode as a remote hotspot AP), please use CLI in the MACC config template, below is an example for bypassing facebook domains for facebook login integration.
free-url url *.ransnet.com
free-url url *.akamaihd.net
free-url url *.facebook.com
free-url url *.facebook.net
free-url url *.fbcdn.net