
New Member

WLC WLAN ADVANCED TAB CLIENT EXCLUSION TIME OUT

I configured a client exclusion policy for web authentication. I need to know what the use is of the client exclusion timeout configured for individual WLANs in the WLAN Advanced tab.

3 REPLIES

Re: WLC WLAN ADVANCED TAB CLIENT EXCLUSION TIME OUT

I just had an issue a few weeks ago where we had the wrong DHCP server in our WLC. The client would ass/auth and 802.1x AUTH but not get an address and continue to loop in that fashion.

We had about 100 clients on this one controller. All 100 clients were pounding the ACS on top of the normal request. It actually brought down our ACS service. After a TAC call we discovered we needed to patch the ACS due to a known bug that causes the service to stop if it gets hit hard.

Had we used client exclusion (turned on later) the clients would have been put in timeout for a period of time.

Also, if you have a hacker perhaps trying to get around security and the controller picks up on a signature it could also exclude them as well. But an easy way around that is to spoof your MAC.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member

Re: WLC WLAN ADVANCED TAB CLIENT EXCLUSION TIME OUT

What is the timeout I need to configure? I have 4 different WLANs configured; if I configure a timeout in a specific WLAN, will all the clients connecting with wrong authentication be excluded, or what? So please suggest to me how to configure it.

Hall of Fame Super Silver

Re: WLC WLAN ADVANCED TAB CLIENT EXCLUSION TIME OUT

I would leave it at the default setting of 60 sec. Here is a summary from a doc:

When the user fails to authenticate, the controller excludes the client and the client cannot connect to the network until the exclusion timer expires or is manually overridden by the administrator.

Exclusion detects authentication attempts made by a single device. When that device exceeds a maximum number of failures, that MAC address is not allowed to associate any longer.

Exclusion occurs:

• After 5 consecutive authentication failures for shared authentications (6th try is excluded)

• After 5 consecutive association failures for MAC authentication (6th try is excluded)

• After 3 consecutive EAP/802.1X authentication failures (4th try is excluded)

• Any external policy server failure (NAC)

• Any IP address duplication instance

• After 3 consecutive web authentication failures (4th try is excluded)

The timer for how long a client is excluded can be configured, and exclusion can be enabled or disabled at the controller or WLAN level.

-Scott
*** Please rate helpful posts ***
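As an added illustration (not from the thread and not Cisco's code), the Python below models the consecutive-failure thresholds and the per-WLAN exclusion timeout listed above, then reuses that model to estimate how many requests still reach the RADIUS server in a constructed scenario like the one in the first reply, where 100 clients keep failing 802.1X. The MAC addresses and the retry interval are assumptions; the NAC and duplicate-IP triggers are not modelled.

```python
from dataclasses import dataclass, field

# Consecutive-failure thresholds quoted in the thread; the attempt after the
# Nth failure is the one that gets refused.
FAILURE_THRESHOLDS = {"shared": 5, "mac": 5, "eap": 3, "webauth": 3}


@dataclass
class ExclusionPolicy:
    """Per-WLAN client exclusion: timeout is the Advanced-tab value (seconds)."""
    timeout: int = 60
    enabled: bool = True
    failures: dict = field(default_factory=dict)        # mac -> consecutive fails
    excluded_until: dict = field(default_factory=dict)  # mac -> expiry time

    def is_excluded(self, mac, now):
        return self.excluded_until.get(mac, -1) > now

    def attempt(self, mac, method, now, success):
        """Process one auth attempt; returns 'excluded', 'ok' or 'failed'."""
        if self.is_excluded(mac, now):
            return "excluded"                # dropped locally; no RADIUS traffic
        if success:
            self.failures[mac] = 0           # a success resets the streak
            return "ok"
        streak = self.failures.get(mac, 0) + 1
        self.failures[mac] = streak
        if self.enabled and streak >= FAILURE_THRESHOLDS[method]:
            self.excluded_until[mac] = now + self.timeout
            self.failures[mac] = 0
        return "failed"

    def clear(self, mac):
        """Administrator manually removes the client from the exclusion list."""
        self.excluded_until.pop(mac, None)


def radius_requests(clients, retry_interval, window, enabled, timeout=60):
    """Count requests that reach RADIUS while `clients` devices retry a failing
    802.1X login every `retry_interval` seconds for `window` seconds."""
    policy = ExclusionPolicy(timeout=timeout, enabled=enabled)
    sent = 0
    for now in range(0, window, retry_interval):
        for i in range(clients):
            mac = f"00:11:22:33:44:{i:02x}"  # constructed addresses
            if policy.attempt(mac, "eap", now, success=False) != "excluded":
                sent += 1
    return sent
```

With 100 clients retrying every 5 s for 5 minutes, the model sends 6000 requests to RADIUS with exclusion off and 1500 with the 60 s default on; a longer timeout cuts the load further at the cost of locking out a legitimate user who mistyped a password.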