Wireless client can not connect - "status excluded"

Answered Question
Aug 20th, 2010

Hi,

we have a Cisco Wireless controller AIR-WLC2106-K9 with 6.0.196.0 code.

There are three SSIDs where one has 802.1x and others [WPA + WPA2][Auth(PSK)] securty policy.

Some clients have problems with the SSID with 802.1x. I noticed today that these clients are "excluded" under

MONITOR>CLIENTS>STATUS.

The client can connect after I manually remove the client, the status is then "associated".

I attached a screenshot (the clients are all associated on the pic because I removed it manually).

Is there a way to automaticallty remove the "excluded" status after some time?

Attachment: 
I have this problem too.
0 votes
Correct Answer by Leo Laohoo about 3 years 8 months ago

Can you tell me how to disable this feature?

Are you sure this is the way you want to go?  Please don't "run away" from the real problem, i.  e.  the direction you are undertaking will not solve the issue in the long term PLUS you are opening the opportunity for hackers to take your WLAN down.

If you are still adamant then here it is ...

Security > Wireless Protection Policies > Client Exclusion Policies.

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (1 ratings)
Leo Laohoo Fri, 08/20/2010 - 19:02

There are several reasons why a client gets excluded.  One fo the default reason is when a client tries multiple times to un-successfully associate to the WLAN for 60 seconds.  The logic behind is to DEFEND your WLAN from hackers trying to bring down your WLAN by using a "dictionary" attack to guess the password of your SSID(s).

Disable this at your own risk.

Smailmilak83_2 Sun, 08/22/2010 - 09:57

First thank you for the answer.

Can you tell me how to disable this feature?

I really dont have a clue why the users sometimes dont authenticate. The log message on the controller is this: *Aug 20 15:27:39.444: %DOT1X-3-MAX_EAP_RETRANS: 1x_ptsm.c:426 Max EAP retransmissions exceeded for client 00:18:de:ae:10:91

The users computer is in the domain so it should be always authenticated.

Correct Answer
Leo Laohoo Sun, 08/22/2010 - 15:10

Can you tell me how to disable this feature?

Are you sure this is the way you want to go?  Please don't "run away" from the real problem, i.  e.  the direction you are undertaking will not solve the issue in the long term PLUS you are opening the opportunity for hackers to take your WLAN down.

If you are still adamant then here it is ...

Security > Wireless Protection Policies > Client Exclusion Policies.

Smailmilak83_2 Sun, 08/22/2010 - 23:19

Thank you.

I will first try to solve this problem. I will disable only this policiy: Excessive 802.1X Authentication Failures if I not solve this problem.

Actions

Login or Register to take actions

This Discussion

Posted August 20, 2010 at 5:18 AM
Stats:
Replies:6 Avg. Rating:5
Views:3179 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard