Locking Wi‑Fi to a Single BSSID — A Practical Guide

A hands‑on guide (Linux/NetworkManager) to list all SSIDs/BSSIDs, choose a stable access point and pin your connection — with verification and how to undo it.

Why this helps

If you see frequent disconnects or your laptop keeps switching between APs that have the same SSID, pinning to a single BSSID (AP MAC address) prevents roaming between APs — stopping the "flapping". Use this when you want stability and prefer a single AP.

Overview

Scan and list all nearby SSIDs and their BSSIDs.
Pick the BSSID with the best, stable signal (or the AP you trust).
Lock NetworkManager to that BSSID for your saved connection.
Verify the lock and monitor for changes.
How to undo/unlock later.

1) List all available SSIDs & BSSIDs

Run the following to get a readable scan using nmcli (NetworkManager):

nmcli -f SSID,BSSID,CHAN,FREQ,SIGNAL,BARS,SECURITY dev wifi list

Sample output (trimmed):

SSID                BSSID              CHAN  FREQ      SIGNAL  BARS  SECURITY
IITG_CONNECT        1C:3A:60:6E:D4:88  9     2452 MHz  62      ▂▄__  WPA2
IITG_CONNECT        1C:3A:60:2F:19:6C  149   5745 MHz  44      ▂▄__  WPA2
eduroam             1C:3A:60:AE:D4:88  9     2452 MHz  62      ▂▄__  WPA2

Tip: if you prefer lower-level tools, use iw or iwlist:

sudo iw dev wlan0 scan | egrep "SSID|BSS|signal"
# or
sudo iwlist wlan0 scan | egrep "Cell|ESSID|Channel|Signal" -A3

This lets you identify all APs broadcasting the same SSID and compare channels, frequency bands and signal strengths.

2) Group & pick the best BSSID (quick shell)

One‑liner that groups scan results by SSID and prints BSSIDs per SSID:

nmcli -f SSID,BSSID,CHAN,SIGNAL,FREQ dev wifi list | awk 'NR>1 {ssid[$1]=ssid[$1] "\n  → " $2 "  (chan:" $3 " sig:" $4 ")"} END {for (i in ssid) print i ":" ssid[i] "\n"}'

To filter only the SSID you care about:

nmcli -f SSID,BSSID,CHAN,SIGNAL dev wifi list | grep IITG_CONNECT

Pick the BSSID with the highest SIGNAL percent and/or the band you prefer (5GHz for speed when close, 2.4GHz for range).

3) Connect once to a chosen BSSID (one‑time)

To make a one-time connection to a specific BSSID (useful to test):

nmcli dev wifi connect <SSID> bssid <BSSID>
# Example
nmcli dev wifi connect IITG_CONNECT bssid 1C:3A:60:6E:D4:88

If it is a WPA2-Enterprise network (802.1X) you may need to provide identity/password/PEM per your campus instructions; nmcli will prompt or you can pass specific connection parameters.

4) Lock NetworkManager profile to a BSSID (persistent)

Find the connection name (saved profile):

nmcli connection show | grep IITG_CONNECT

Set the 802-11-wireless.bssid property to pin the profile to one BSSID:

nmcli connection modify "IITG_CONNECT" 802-11-wireless.bssid 1C:3A:60:6E:D4:88
# then restart the connection
nmcli connection down "IITG_CONNECT" && nmcli connection up "IITG_CONNECT"

To confirm the property was saved:

nmcli connection show "IITG_CONNECT" | grep 802-11-wireless.bssid
# Expected:
# 802-11-wireless.bssid:                   1C:3A:60:6E:D4:88

When locked, NetworkManager will refuse to roam to other APs with the same SSID. If the pinned AP disappears, your device will drop the connection instead of switching.

5) Verify you are connected to that BSSID

Use iw to check the currently connected AP:

iw dev wlp3s0 link
# sample output
# Connected to 1c:3a:60:6e:d4:88 (on wlp3s0)
#     SSID: IITG_CONNECT
#     freq: 2452
#     signal: -65 dBm

Or use a terse nmcli view:

nmcli -t -f ACTIVE,SSID,BSSID,SIGNAL dev wifi | grep yes
# yes:IITG_CONNECT:1C:3A:60:6E:D4:88:67

Check the saved profile contains the bssid:

nmcli connection show "IITG_CONNECT" | grep bssid

6) Unlock / Remove the BSSID restriction

If you later want to allow roaming again (remove the BSSID constraint):

nmcli connection modify "IITG_CONNECT" 802-11-wireless.bssid ""
# or explicitly delete the setting
nmcli connection modify "IITG_CONNECT" -802-11-wireless.bssid

# restart connection
nmcli connection down "IITG_CONNECT" && nmcli connection up "IITG_CONNECT"

Confirm the BSSID field is gone:

nmcli connection show "IITG_CONNECT" | grep bssid || echo "No bssid setting found"

7) Troubleshooting & advanced tips

If connection immediately drops: The pinned AP might be out of range or blocked — unlocking will allow NetworkManager to roam.
Prefer 5GHz vs 2.4GHz: If you want 5GHz APs, pick a BSSID on channels >=36. For range, choose 2.4GHz (channels 1–13).
Check real-time link info: iw dev wlp3s0 link shows signal, bitrate and connection stats.
Automate choosing the best BSSID: Use a script that picks the strongest BSSID and sets it with nmcli connection modify ... bssid <BSSID>.
Reduce roaming sensitivity: Configure NetworkManager background-scan settings in /etc/NetworkManager/conf.d/ to avoid frequent scans:

[device]
wifi.scan-rand-mac-address=no

[wifi]
bgscan="simple:30:-70:86400"

8) Handy scripts

Pick best BSSID and connect (run as your user)

#!/bin/bash
# connect_best.sh: connect to the strongest BSSID for a given SSID
SSID="$1"
if [ -z "$SSID" ]; then
  echo "Usage: $0 <SSID>"; exit 1
fi
BEST=$(nmcli -f SSID,BSSID,SIGNAL dev wifi list | grep "^$SSID" | awk '{print $2" " $3}' | sort -k2 -nr | head -n1)
if [ -z "$BEST" ]; then
  echo "No networks found for $SSID"; exit 2
fi
BSSID=$(echo $BEST | awk '{print $1}')
echo "Connecting to $SSID (BSSID=$BSSID)"
nmcli dev wifi connect "$SSID" bssid $BSSID
# optionally make persistent
# nmcli connection modify "$SSID" 802-11-wireless.bssid $BSSID

Simple logger: record SSID/BSSID every 60s

#!/bin/bash
OUT=~/wifi_bssid_log.txt
while true; do
  TS=$(date +"%F %T")
  INFO=$(iw dev wlp3s0 link | egrep "Connected to|SSID|signal" | tr '\n' '|' )
  echo "$TS | $INFO" >> "$OUT"
  sleep 60
done

9) Practical cautions

Pinned BSSID prevents automatic roaming — use when you need stability but be ready to unlock if you move around.
Enterprise networks might require 802.1X credentials; nmcli may prompt for certificates/identity when connecting.
Some network environments intentionally use the same SSID across multiple APs (properly managed by controllers). Pinning is a client-side override.