wism excluded clients policy

Unanswered Question
Sep 28th, 2007
User Badges:
  • Bronze, 100 points or more

We configured clients policy (all default settings) for web auth and WPA wlans. From time to time, I can see some clients are excluded with reason "802.11 assoc failure". What could be the reason for "802.11 assoc failure"? Could wism exclude the client by mistake?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (1 ratings)
zhenningx Mon, 10/01/2007 - 10:51
User Badges:
  • Bronze, 100 points or more

Today I have one user unable to associate to the WLAN. I checked and found she is in the excluded list and excluded reason is "802.11 assoc failure". I removed her from the list and she was able to associated immediatelly. I am not sure why she was excluded before. Could it be a bug?

Rob Huffman Mon, 10/01/2007 - 11:45
User Badges:
  • Super Red, 40000 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 IP Telephony, Unified Communications

Hi Zhenning,

I beleive the default setting for web auth is a "5 strikes and your out" policy. Maybe this user is hitting this by accident (if they type like I do it's not impossible :)

From the WLC GUI, go to Security > Wireless Protection Policies > Client Exclusion Policies.

Hope this helps!


zhenningx Tue, 10/02/2007 - 07:40
User Badges:
  • Bronze, 100 points or more

Hi Rob,

Thank you for your reply. But the problem I see is not client excluded by web auth failure, but excluded by "802.11 Assoc Failure". What could cause the "802.11 Assoc Failure"? Once I remove the client from the excluded list, she got associated immediately. It doesn't seems like a client issue.

Also I do not see anywhere we can configure the threshold to trigger the exclusion.



pmccubbin Tue, 10/02/2007 - 10:22
User Badges:
  • Silver, 250 points or more


Rob pointed you in the right direction. This is from the Controller Configuration Guide under Security:

Configuring Client Exclusion Policies

Follow these steps to configure the controller to exclude clients under certain conditions using the controller GUI.

Step 1 Click Security > Wireless Protection Policies > Client Exclusion Policies to access the Client Exclusion Policies page.

Step 2 Check any of these check boxes if you want the controller to exclude clients for the condition specified. The default value for each exclusion policy is enabled.

Excessive 802.11 Association Failures?Clients are excluded on the sixth 802.11 association attempt, after five consecutive failure

As for troubleshooting this problem I would begin by looking for sources of interference which might be causing the high number of association failures.

You said that once you removed the client from the excluded list they associated immediately.


Can you now reproduce it? Is it happening at a certain time of day, in a particular location, or to a certain set of NIC cards?

Let us know what you find out.

Hope this helps.


zhenningx Wed, 10/03/2007 - 05:00
User Badges:
  • Bronze, 100 points or more

Hi Paul,

I am not able to reproduce the issue. The client has not been excluded again after that.

Yesterday I just saw another client got excluded with reason "802.11 Assoc Failure" and I have following debugs for this client:

Association received from mobile 00:04:e2:7e:cc:c3 on AP 00:17:0f:e7:b7:80

Tue Oct 2 11:06:15 2007: 00:04:e2:7e:cc:c3 STA: 00:04:e2:7e:cc:c3 - rates (4): 130 132 139 12 0 0 0 0 0 0 0 0 0 0 0 0

Tue Oct 2 11:06:15 2007: 00:04:e2:7e:cc:c3 Sending Assoc Response to station 00:04:e2:7e:cc:c3 on BSSID 00:17:0f:e7:b7:80 (status 18)

Tue Oct 2 11:06:15 2007: 00:04:e2:7e:cc:c3 Scheduling deletion of Mobile Station: 00:04:e2:7e:cc:c3 (callerId: 22) in 3 seconds

Does it mean the client is using some data rates that the WLC does not support? On WLC, we set 1Mbps, 2Mbps, 5.5Mbps and 11Mbps to be mandatory. Anything wrong with that? The strange thing is after a few hours, I saw the client successfully associated with the controller. I did not change anything. I do not know what happened.


pmccubbin Wed, 10/03/2007 - 12:34
User Badges:
  • Silver, 250 points or more

What model of controller and version of software are you using? What models of APs? Are you using H-REAP?

Do you have a WCS? If so, what version of software?

How do you have the NIC card set for Power Management? Is it CAM (Constantly Awake) or in Power Saving Mode?

How many users would you say are trying to associate with the AP when you notice a client having 802.11 Association Failure errors? You might simply have an over-subscribed AP.

In any event, I would read the release notes and check for bugs.

Hope this helps.


This Discussion



Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode