May 24th, 2009

I configured a client exclusion policy for web authentication. I need to know what the use is of the client exclusion timeout configured for individual WLANs in the WLAN Advanced tab.

George Stefanick Mon, 05/25/2009 - 06:44

I just had an issue a few weeks ago where we had the wrong DHCP server in our WLC. The client would assoc/auth and 802.1X auth but not get an address, and continue to loop in that fashion.

We had about 100 clients on this one controller. All 100 clients were pounding the ACS on top of the normal request. It actually brought down our ACS service. After a TAC call we discovered we needed to patch the ACS due to a known bug that causes the service to stop if it gets hit hard.

Had we used client exclusion (turned on later) the clients would have been put in timeout for a period of time.

Also, if you have a hacker perhaps trying to get around security and the controller picks up on a signature it could also exclude them as well. But an easy way around that is to spoof your MAC.

kamalakannan1k Mon, 05/25/2009 - 23:05

What timeout do I need to configure? I have 4 different WLANs configured, and if I configure a timeout on a specific WLAN, will all the clients connecting with wrong authentication be excluded, or what? So please suggest how I should configure it.

Scott Fella Tue, 05/26/2009 - 03:48

I would leave it at the default setting of 60 sec. Here is a summary from a doc:

When the user fails to authenticate, the controller excludes the client and the client cannot connect to the network until the exclusion timer expires or is manually overridden by the administrator.

Exclusion detects authentication attempts made by a single device. When that device exceeds a maximum number of failures, that MAC address is not allowed to associate any longer.

Exclusion occurs:

• After 5 consecutive authentication failures for shared authentications (6th try is excluded)
• After 5 consecutive association failures for MAC authentication (6th try is excluded)
• After 3 consecutive EAP/802.1X authentication failures (4th try is excluded)
• Any external policy server failure (NAC)
• Any IP address duplication instance
• After 3 consecutive web authentication failures (4th try is excluded)

The timer for how long a client is excluded can be configured, and exclusion can be enabled or disabled at the controller or WLAN level.
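
Added example, not part of the thread or of Cisco's documentation: a simplified Python model of the exclusion rules quoted above, showing how the per-WLAN timeout and the failure thresholds interact. The event names, the `Wlan` class and the rule that a successful attempt resets the failure count are assumptions made for illustration.

```python
# Simplified model of the quoted exclusion rules. Not controller code.
from dataclasses import dataclass, field

# Consecutive-failure thresholds taken from the quoted summary.
THRESHOLDS = {"shared": 5, "mac": 5, "dot1x": 3, "webauth": 3}
# Events the summary lists as excluding on a single occurrence.
IMMEDIATE = {"nac_failure", "ip_duplicate"}


@dataclass
class Wlan:
    exclusion_enabled: bool = True
    timeout_s: int = 60                                  # default mentioned in the thread
    failures: dict = field(default_factory=dict)         # (mac, kind) -> consecutive count
    excluded_until: dict = field(default_factory=dict)   # mac -> expiry time in seconds

    def is_excluded(self, mac, now):
        return self.excluded_until.get(mac, 0) > now

    def manual_override(self, mac):
        """Administrator removes the client before the timer expires."""
        self.excluded_until.pop(mac, None)

    def _exclude(self, mac, now):
        self.excluded_until[mac] = now + self.timeout_s
        for key in [k for k in self.failures if k[0] == mac]:
            del self.failures[key]                       # start clean after the timeout

    def event(self, mac, kind, ok, now):
        """Process one attempt; returns 'excluded', 'rejected' or 'accepted'."""
        if self.is_excluded(mac, now):
            return "excluded"                            # refused without being evaluated
        if ok:
            self.failures.pop((mac, kind), None)         # assumption: success resets count
            return "accepted"
        if self.exclusion_enabled:
            if kind in IMMEDIATE:
                self._exclude(mac, now)
            else:
                n = self.failures.get((mac, kind), 0) + 1
                self.failures[(mac, kind)] = n
                if n >= THRESHOLDS[kind]:
                    self._exclude(mac, now)
        return "rejected"
```

Because each `Wlan` object keeps its own timer and exclusion list in this model, a timeout set on one WLAN affects only clients failing on that WLAN.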

