Configure Black Lists

A black list is provisioned with a femtocell's EAP identity, which takes the form <MAC ID>@cellID.serviceProvider.com, and denies authentication to any such femtocell attempting to establish an IKE/IPsec tunnel. Black lists apply only to femtocell clients that perform EAP authentication to the OCSBC; they do not apply to clients that use password-based or certificate-based authentication.

  1. Access the ike-access-control configuration element.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# ike
    ORACLE(ike)# ike-access-control
    ORACLE(ike-access-control)#
  2. name—Provide a unique identifier.
    ORACLE(ike-access-control)# name black_01
  3. state—Enable access control.
  4. blacklisted-dentifiers—Provide one or more MAC-based match patterns for MAC-address-based black lists.

    The following double-quote delimited list identifies three specific MAC addresses whose authentication is summarily rejected.

    ORACLE(ike-access-control)# blacklisted-dentifiers "0123456789AB 6789912345BF DA2345918290"

    This list uses the wildcard symbol (^), which stands for any single hexadecimal digit, to specify two ranges of contiguous MAC addresses.

    ORACLE(ike-access-control)# blacklisted-dentifiers "0123456789A^, ^123456789AB"

    For IMSI-based black lists, this example uses a double-quote delimited list of space-separated prefixes that match Verizon Wireless United States networks.

    ORACLE(ike-access-control)# blacklisted-dentifiers "310004 310012"

    Note:

    Do not configure an empty black list. Assigning an empty black list to an IKEv2 interface results in authentication eligibility for all presented identities.
  5. Type done to save your configuration.
  6. If necessary, configure additional ike-access-control configuration elements.
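The matching rules this procedure relies on (a full-length MAC ID match in which ^ stands for one hexadecimal digit, an IMSI prefix match, and the rule that an empty list leaves every identity eligible) can be checked offline before a black list is pushed to the OCSBC. The following Python script is an added example, not Oracle code and not part of this document. It assumes that list entries may be separated by whitespace or commas (the page's second MAC example uses commas), that an IMSI-based list compares its prefixes against the part of the EAP identity before the @ sign, and it reproduces only the behaviour described above; the sample identities are constructed.

```python
import re

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_blacklist(spec):
    """Split the double-quote delimited value given to blacklisted-dentifiers.

    Entries are separated by whitespace; commas are accepted as well because
    the second MAC example on the page writes them that way (assumption: the
    OCSBC treats both separators alike).
    """
    value = spec.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return [entry for entry in re.split(r"[\s,]+", value) if entry]


def validate_blacklist(patterns, kind):
    """Reject the configuration error the Note warns about (an empty list
    makes every presented identity eligible) and malformed entries."""
    if not patterns:
        raise ValueError("empty black list: every presented identity would be eligible")
    for p in patterns:
        if kind == "mac":
            ok = len(p) == 12 and all(c == "^" or c in HEX_DIGITS for c in p)
        elif kind == "imsi":
            ok = p.isdigit()
        else:
            raise ValueError(f"unknown black list kind {kind!r}")
        if not ok:
            raise ValueError(f"malformed {kind} entry {p!r}")
    return True


def identity_local_part(identity):
    """<MAC ID>@cellID.serviceProvider.com -> the MAC ID before the '@'.
    For an IMSI-based list the same position is assumed to carry the IMSI."""
    return identity.split("@", 1)[0]


def mac_pattern_matches(pattern, mac):
    """Full-length, case-insensitive match; '^' matches any single hex digit."""
    if len(pattern) != len(mac):
        return False
    return all(
        (p == "^" and m in HEX_DIGITS) or p.lower() == m.lower()
        for p, m in zip(pattern, mac)
    )


def is_blacklisted(identity, patterns, kind):
    """True when the EAP identity is denied by a MAC-based or IMSI-based list."""
    local = identity_local_part(identity)
    if kind == "mac":
        return any(mac_pattern_matches(p, local) for p in patterns)
    if kind == "imsi":
        return any(local.startswith(p) for p in patterns)
    raise ValueError(f"unknown black list kind {kind!r}")


# The three list values shown in the procedure above, parsed as the CLI would
# receive them.
MAC_LIST = parse_blacklist('"0123456789AB 6789912345BF DA2345918290"')
MAC_RANGES = parse_blacklist('"0123456789A^, ^123456789AB"')
IMSI_LIST = parse_blacklist('"310004 310012"')

if __name__ == "__main__":
    # Constructed sample identities (the cellID/domain part is a placeholder).
    for ident in ("0123456789AB@cell1.example.com", "0123456789AC@cell1.example.com"):
        verdict = "denied" if is_blacklisted(ident, MAC_RANGES, "mac") else "eligible"
        print(f"{ident}: {verdict}")
    try:
        validate_blacklist([], "mac")
    except ValueError as err:
        print("rejected:", err)
```

Run the validation step against every list before assigning it to an IKEv2 interface; the empty-list check is the one that prevents the silent fail-open the Note describes.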