WLC WLAN ADVANCED TAB CLIENT EXCLUSION TIME OUT

Unanswered Question
May 24th, 2009

I configured a client exclusion policy for web authentication. I need to know what the use is of the client exclusion timeout configured for individual WLANs in the WLAN Advanced tab.

George Stefanick Mon, 05/25/2009 - 06:44

I just had an issue a few weeks ago where we had the wrong DHCP server in our WLC. The client would assoc/auth and 802.1X AUTH but not get an address and continue to loop in that fashion.

We had about 100 clients on this one controller. All 100 clients were pounding the ACS on top of the normal request. It actually brought down our ACS service. After a TAC call we discovered we needed to patch the ACS due to a known bug that causes the service to stop if it gets hit hard.

Had we used client exclusion (turned on later) the clients would have been put in timeout for a period of time.

Also, if you have a hacker perhaps trying to get around security and the controller picks up on a signature, it could exclude them as well. But an easy way around that is to spoof your MAC.

kamalakannan1k Mon, 05/25/2009 - 23:05

What timeout do I need to configure? I have 4 different WLANs configured, and if I configure a timeout in a specific WLAN, will all the clients connecting with wrong authentication be excluded, or what? So please suggest how to configure it.

Scott Fella Tue, 05/26/2009 - 03:48

I would leave it at the default setting of 60 sec. Here is a summary from a doc:

When the user fails to authenticate, the controller excludes the client and the client cannot connect to the network until the exclusion timer expires or is manually overridden by the administrator.

Exclusion detects authentication attempts made by a single device. When that device exceeds a maximum number of failures, that MAC address is not allowed to associate any longer.

Exclusion occurs:

• After 5 consecutive authentication failures for shared authentications (6th try is excluded)

• After 5 consecutive association failures for MAC authentication (6th try is excluded)

• After 3 consecutive EAP/802.1X authentication failures (4th try is excluded)

• Any external policy server failure (NAC)

• Any IP address duplication instance

• After 3 consecutive web authentication failures (4th try is excluded)

The timer for how long a client is excluded can be configured, and exclusion can be enabled or disabled at the controller or WLAN level.
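As an added illustration (not from the thread or any Cisco code), here is a small Python model of the exclusion behaviour summarised above: consecutive failures are counted per client MAC and per failure type, the MAC is excluded once the documented threshold is reached, a success resets the streak, and the exclusion lifts when the per-WLAN timeout expires or an administrator clears it. The thresholds come from the list above; the event kind names, the 60-second timeout and the sample MACs are constructed for the example.

```python
# Added example: a minimal model of one WLAN's client-exclusion policy.
# Event kind names ("eap", "webauth", ...) are constructed labels, not WLC terms.
from dataclasses import dataclass, field

# Consecutive failures after which the MAC is excluded (so the next try is rejected).
THRESHOLDS = {"shared": 5, "mac": 5, "eap": 3, "webauth": 3}
IMMEDIATE = {"nac", "ip_duplicate"}  # excluded on the first instance


@dataclass
class ExclusionPolicy:
    timeout_s: int = 60  # the WLAN "Client Exclusion Timeout" value (constructed default)
    failures: dict = field(default_factory=dict)        # (mac, kind) -> consecutive count
    excluded_until: dict = field(default_factory=dict)  # mac -> time the exclusion ends

    def is_excluded(self, mac, now):
        until = self.excluded_until.get(mac)
        if until is None:
            return False
        if now >= until:  # timer expired: the client may associate again
            del self.excluded_until[mac]
            return False
        return True

    def attempt(self, mac, kind, ok, now):
        """Process one attempt; return True if it was rejected because of exclusion."""
        if self.is_excluded(mac, now):
            return True
        if ok:
            self.failures.pop((mac, kind), None)  # a success resets the streak
            return False
        if kind in IMMEDIATE:
            self.excluded_until[mac] = now + self.timeout_s
            return True
        count = self.failures.get((mac, kind), 0) + 1
        self.failures[(mac, kind)] = count
        if count >= THRESHOLDS[kind]:  # e.g. 3rd EAP failure: exclude, 4th try is rejected
            self.failures.pop((mac, kind))
            self.excluded_until[mac] = now + self.timeout_s
        return False

    def clear(self, mac):
        """Administrator manually overrides the exclusion before the timer expires."""
        self.excluded_until.pop(mac, None)
```

Lowering `timeout_s` shortens how long a misbehaving client is kept off the WLAN; a success between failures never accumulates toward the threshold.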
