Cisco Support Community
New Member

Client Exclusion Policies on WLC not working with ISE as RADIUS Server

Hi,

For our Guest WLAN (security settings for this SSID: Layer 2: MAC filtering, Layer 3: none) we use ISE as the RADIUS server. On the WLC I enabled client exclusion policies and checked all options (Excessive 802.11 Auth. Failures etc.). But even if a client fails 20 times at authentication, it is not excluded on the WLC. It works with other SSIDs, where the security settings are set to 802.1X.
Am I missing any settings here, or do you have some tips on how to troubleshoot this?
Thanks very much!

ACCEPTED SOLUTION

New Member

Hi Renata,

The client exclusion policies on the WLC will never be triggered. With wireless MAB & CWA or LWA, the WLC receives a RADIUS "Access-Accept" from ISE on the initial authentication request. From this point on, as far as the WLC is concerned, the client has successfully authenticated.

The initial response from ISE also includes a redirect URL and a pre-auth ACL, to support displaying the Guest Portal on the ISE PSN.

Once ISE authenticates the guest user credentials it sends a Change of Authorization request to the WLC to reauth the client's session. 

Then the user session gets the Guest Access policy (vs. the initial Guest Redirect policy). At this point ISE sends a RADIUS response to the WLC to remove the ACL and redirect URL from the client session.

Based on this process, failed authentications are only seen by ISE and not the WLC, so the WLC exclusion policies will never be triggered.

If you want login restrictions on Guest users, on the ISE Admin console:

Administration\Web Portal Management\Settings\Portal Policy\

Select the login restriction settings you need.
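
The exchange described above, modelled as an added Python example (not code from the thread or from Cisco): a toy WLC that counts only RADIUS Access-Rejects, and a toy ISE that answers MAB with an Access-Accept carrying the url-redirect and url-redirect-acl attributes, handles portal logins itself, and returns the post-CoA authorization on success. The Wlc/Ise classes, the exclusion threshold of 3, the guest account, the portal URL and the client MAC are all constructed for the model; only the message sequence follows the answer.

```python
"""Toy model of the WLC/ISE exchanges for a CWA guest WLAN vs. an 802.1X WLAN.

Added example, not code from the thread or from Cisco. The classes, threshold,
account, URL and MAC below are constructed for illustration.
"""
from dataclasses import dataclass, field

# Assumed for the model: the WLC excludes a client after this many consecutive
# RADIUS Access-Rejects. The real per-policy thresholds are in the WLC config guide.
EXCLUSION_THRESHOLD = 3


@dataclass
class Wlc:
    """Only RADIUS replies reach the WLC; it counts Access-Rejects per MAC."""
    failures: dict = field(default_factory=dict)
    excluded: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)   # mac -> authz attributes

    def on_radius_reply(self, mac, reply):
        if reply["code"] == "Access-Reject":
            self.failures[mac] = self.failures.get(mac, 0) + 1
            if self.failures[mac] >= EXCLUSION_THRESHOLD:
                self.excluded.add(mac)
        else:
            self.failures[mac] = 0
            self.sessions[mac] = reply.get("cisco-av-pair", [])
        return reply["code"]


@dataclass
class Ise:
    guests: dict                                          # username -> password (constructed)
    portal_failures: dict = field(default_factory=dict)   # mac -> count of bad portal logins

    def mab(self, mac):
        # MAB on a MAC-filtering WLAN: the unknown MAC still gets Access-Accept,
        # plus the redirect URL and pre-auth ACL (attribute names as used by Cisco CWA).
        return {"code": "Access-Accept",
                "cisco-av-pair": ["url-redirect-acl=ACL-GUEST-REDIRECT",
                                  "url-redirect=https://ise.example.local:8443/portal/"]}

    def dot1x(self, user, pw):
        # 802.1X WLAN: a wrong password is a RADIUS Access-Reject the WLC can count.
        ok = self.guests.get(user) == pw
        return {"code": "Access-Accept" if ok else "Access-Reject"}

    def portal_login(self, mac, user, pw):
        # The portal login is HTTPS between the browser and the PSN; the WLC never sees it.
        # On success ISE sends a CoA and the reauth yields an Access-Accept without redirect.
        if self.guests.get(user) != pw:
            self.portal_failures[mac] = self.portal_failures.get(mac, 0) + 1
            return None                          # no RADIUS message to the WLC at all
        return {"code": "Access-Accept"}         # post-CoA "Guest Access" authorization


MAC = "00:11:22:33:44:55"   # constructed client MAC


def cwa_scenario(bad_attempts):
    """Guest WLAN (MAC filtering + CWA): bad_attempts wrong portal passwords, then a good one."""
    ise, wlc = Ise({"guest1": "Welcome1"}), Wlc()
    wlc.on_radius_reply(MAC, ise.mab(MAC))             # initial MAB -> accept + redirect
    for _ in range(bad_attempts):
        ise.portal_login(MAC, "guest1", "wrong")       # counted on ISE only
    reauth = ise.portal_login(MAC, "guest1", "Welcome1")   # success -> CoA -> reauth
    wlc.on_radius_reply(MAC, reauth)                   # redirect URL and ACL removed
    return {"wlc_failures": wlc.failures.get(MAC, 0),
            "wlc_excluded": MAC in wlc.excluded,
            "ise_portal_failures": ise.portal_failures.get(MAC, 0),
            "redirect_active": any(a.startswith("url-redirect=") for a in wlc.sessions[MAC])}


def dot1x_scenario(bad_attempts):
    """802.1X WLAN: each wrong password is an Access-Reject the WLC counts."""
    ise, wlc = Ise({"guest1": "Welcome1"}), Wlc()
    for _ in range(bad_attempts):
        wlc.on_radius_reply(MAC, ise.dot1x("guest1", "wrong"))
    return {"wlc_failures": wlc.failures.get(MAC, 0), "wlc_excluded": MAC in wlc.excluded}


if __name__ == "__main__":
    print(cwa_scenario(20))    # 20 portal failures on ISE, 0 on the WLC, never excluded
    print(dot1x_scenario(5))   # 5 rejects seen by the WLC, client excluded
```

The model makes the asymmetry explicit: on the CWA WLAN the WLC's failure counter stays at zero no matter how many portal passwords are wrong, because every failure is an HTTPS exchange with the PSN rather than a RADIUS reject, which is exactly why the WLC exclusion policies have nothing to count.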

9 REPLIES
VIP Purple

Hi,

Try this:

The exclusion timer can be enabled or disabled per WLAN.

Regards

New Member

Hi,

it's already enabled. I set it to 1800 seconds. When a client authentication fails a few times on an SSID which uses 802.1X for authentication, the client gets excluded, as expected. It just doesn't work for the SSID which has "MAC Filtering" set as the security policy. (The authentication happens on ISE.)

New Member

Thanks for your answer. We have clients who constantly keep trying to connect without sending any credentials. Is there a way to prevent such "attacks"? Under Administration\Web Portal Management\Settings\Portal Policy\ I can only apply settings based on time profiles, but we have authentication attempts as shown in the attachment. So the "guest" just leaves the credentials blank.

Kind regards

New Member

Hi Renata,

If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or are entering the wrong password), there isn't anything that can be done. The main point of a Guest WLAN is to make it as easy as possible for guests, individuals with device configurations you don't want to deal with or know about, to connect to your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means it's easy for any device to connect.

If your Guest WLAN has the following:

SSID broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once receiving that portal, they can guess away at valid usernames/passwords.

I would suspect that unless your Guest WiFi is adjacent to a mall, school, hotel or other high-density area of individuals with time and electronics on their hands, other than alerts in your ops window and logs, the resources consumed by this (WLC & ISE) are very low.

You can try and dull the noise a few ways.

Option 1. Create an ISE log filter on those alerts so they don't clutter the console.

Option 2. Stop broadcasting the SSID. This is not a security measure, but it will cut the volume of people connecting to the SSID significantly. You will have to tell your guests the SSID or include it in their credential communication.

Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests, it doesn't have to change, as its purpose is not security. You will have to include this information in their credential communication.

Option 4. Both 2 and 3.

The most effective option would be 3.

Good Luck!

New Member

Ok, thanks!

New Member

Hi,

have you ever had the problem that a MAC address cannot be added to the exclusion list on the WLC?

The problem is the first 4 digits...

03:00:03:52:01:52

If I change them, then it works.. otherwise I get the error message:

"Error in creating Disabled Client"
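
A check worth running before adding a MAC to the exclusion list, as an added Python example (not code from the thread or from Cisco). In IEEE 802 addressing, bit 0 of the first octet is the I/G (individual/group) bit and bit 1 is the U/L (universal/local) bit. A first octet of 03 has both set, so 03:00:03:52:01:52 is a group (multicast) address, which no unicast client can own; changing the first octet to 02 clears the group bit, which matches the observation that altering the first digits makes the WLC accept it. The function and return layout below are this example's own; the MAC addresses used in the usage and tests are the one from the post plus constructed variants.

```python
"""Classify a MAC address before using it as a client identifier.

Added example, not from the thread or from Cisco. Bit meanings are from
IEEE 802: first octet bit 0 = I/G (group), bit 1 = U/L (locally administered).
"""
import re

_SEPARATORS = re.compile(r"[:\-.]")


def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., aabb.ccdd.eeff or bare hex; return 6 bytes."""
    hexdigits = _SEPARATORS.sub("", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def classify_mac(mac):
    octets = parse_mac(mac)
    first = octets[0]
    return {
        "normalized": ":".join(f"{b:02x}" for b in octets),
        "group": bool(first & 0x01),                 # I/G bit: multicast/broadcast
        "locally_administered": bool(first & 0x02),  # U/L bit: not an OUI-assigned address
        "broadcast": octets == b"\xff" * 6,
    }


def unicast_or_reason(mac):
    """(True, 'unicast') if the address can belong to a single client, else (False, why)."""
    info = classify_mac(mac)
    if info["broadcast"]:
        return (False, "broadcast address")
    if info["group"]:
        return (False, "group (multicast) address: bit 0 of the first octet is set")
    return (True, "unicast")


if __name__ == "__main__":
    for candidate in ("03:00:03:52:01:52", "02:00:03:52:01:52", "0300.0352.0152"):
        ok, why = unicast_or_reason(candidate)
        print(f"{classify_mac(candidate)['normalized']}: {why}")
```

Run against the address from the post, the first form is rejected as a group address, while the same value with a first octet of 02 passes as a locally administered unicast address.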

Cisco Employee

Excessive 802.11 Association Failures —Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0MR1/configuration/guide/wlc_cg70MR1/cg_security_sol.html#marker-1757438

New Member

I've enabled all of those options; still no automatic exclusion, even if I trigger 15 failed attempts within a few seconds. =/
