WLC WLAN ADVANCED TAB CLIENT EXCLUSION TIME OUT

kamalakannan1k
Level 1

I configured a client exclusion policy for web authentication. I need to know what the use is of the client exclusion timeout configured for individual WLANs in the WLAN Advanced tab.


George Stefanick
VIP Alumni

I just had an issue a few weeks ago where we had the wrong DHCP server in our WLC. The client would ass/auth and 802.1x AUTH but not get an address and continue to loop in that fashion.

We had about 100 clients on this one controller. All 100 clients were pounding the ACS on top of the normal request. It actually brought down our ACS service. After a TAC call we discovered we needed to patch the ACS due to a known bug that causes the service to stop if it gets hit hard.

Had we used client exclusion (turned on later) the clients would have been put in timeout for a period of time.

Also, if you have a hacker perhaps trying to get around security and the controller picks up on a signature it could also exclude them as well. But an easy way around that is to spoof your MAC.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

What is the timeout I need to configure? I have 4 different WLANs configured, and if I configure a timeout in a specific WLAN, will all the clients connecting with wrong authentication be excluded, or what? So please suggest how to configure it.

I would leave it at the default setting of 60 sec. Here is a summary from a doc:

When the user fails to authenticate, the controller excludes the client and the client cannot connect to the network until the exclusion timer expires or is manually overridden by the administrator.

Exclusion detects authentication attempts made by a single device. When that device exceeds a maximum number of failures, that MAC address is not allowed to associate any longer.

Exclusion occurs:

• After 5 consecutive authentication failures for shared authentications (6th try is excluded)

• After 5 consecutive association failures for MAC authentication (6th try is excluded)

• After 3 consecutive EAP/802.1X authentication failures (4th try is excluded)

• Any external policy server failure (NAC)

• Any IP address duplication instance

• After 3 consecutive web authentication failures (4th try is excluded)

The timer for how long a client is excluded can be configured, and exclusion can be enabled or disabled at the controller or WLAN level.

-Scott
*** Please rate helpful posts ***
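
The thresholds and timer from the reply above, modelled as an added example (not part of the original posts and not Cisco's implementation): a simplified per-MAC tracker showing how the exclusion timer limits the number of failing attempts that reach the authentication backend. The class and function names, the sample MAC and the one-attempt-per-second client are constructed assumptions.

```python
# Added example: simplified model of the exclusion rules quoted above.
from collections import defaultdict

# Consecutive-failure thresholds from the quoted doc summary.
THRESHOLDS = {"shared-auth": 5, "mac-auth": 5, "802.1x": 3, "web-auth": 3}


class ExclusionTracker:
    def __init__(self, timeout=60):          # 60 s default, per the thread
        self.timeout = timeout
        self.failures = defaultdict(int)     # (mac, kind) -> consecutive failures
        self.excluded_until = {}             # mac -> time the exclusion ends
        self.forwarded = 0                   # attempts passed to the auth backend

    def attempt(self, mac, kind, ok, now):
        """Return 'excluded', 'ok' or 'failed' for one attempt at time `now` (s)."""
        if now < self.excluded_until.get(mac, 0):
            return "excluded"                # timer still running
        if self.failures[(mac, kind)] >= THRESHOLDS[kind]:
            # Threshold reached: this try is the one that gets excluded.
            self.excluded_until[mac] = now + self.timeout
            self.failures[(mac, kind)] = 0
            return "excluded"
        self.forwarded += 1
        if ok:
            self.failures[(mac, kind)] = 0   # a success breaks the streak
            return "ok"
        self.failures[(mac, kind)] += 1
        return "failed"

    def override(self, mac):
        """Administrator manually removes the exclusion."""
        self.excluded_until.pop(mac, None)


def simulate(timeout, seconds=120, mac="00:00:5e:00:53:01"):
    """Constructed scenario: one client failing web auth once per second."""
    t = ExclusionTracker(timeout)
    results = [t.attempt(mac, "web-auth", False, s) for s in range(seconds)]
    return results, t.forwarded
```

Comparing `simulate(60)` with `simulate(10)` shows how a longer timer reduces the load a looping client places on the authentication server over the same two minutes.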