WLC Client excluded - web authentication failed 3 times
Is there any more I can do with the following? The customer only has 4400 controllers and WCS' both on the highest firmware currently available...
An example of the alert generated in the event of an excessive authentication failure is as follows:
Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface '802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is '5(Web Authentication failed 3 times.)'.
E-mail will be suppressed up to 30 minutes for these alarms.
I need clarification of the following so that a process can be put in place to show if it is possible to deal with potential threats/attempts to hack into the network as the customers security are not accepting notification only. Therefore please advise:
- What does ‘excluded’ mean in this scenario? Is the client permanently excluded or only temporarily?
- If the client is not permanently excluded - if there are multiple occurrences of this alert for the same client can the client be disabled via the WCS console?
- If necessary could e-mail suppression be turned off - for this alert only?
Hope you can help but I think they need Prime and ISE to satisfy their security concerns myself!
Transferring Crash file from standby: Login to the Active WLC in HA.
From CLI: (Cisco Controller) >transfer upload datatype crash (Cisco
Controller) >transfer upload filename (Cisco
Controller) >transfer upload mode tftp (Cisco Controller) >transfer
This is the start of a display filter cross reference between Wireshark
and OmniPeek. The 1st installment is a table of advanced filters. More
filters will be added as time allows. It is a living doc, so check back
for changes every so often Please feel f...