RE: Auth failure options?

2012-10-23 Thread Osborne, Bruce W
Welcome to Aruba, Lee. :) By default the blacklist time is 60 minutes, so either you can have job security blacklisting clients, or you can change the default value. Bruce Osborne Network Engineer IT Network Services (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971

RE: Auth failure options?

2012-10-23 Thread Lee H Badman
Actually, this timer is configurable in Cisco. It's the number of consecutive failures before exclusion is invoked that is not (but needs to be) as the default of excluding on fourth invalid auth can be way too aggressive depending on what's going on with a client. From: The EDUCAUSE

Wireless Design

2012-10-23 Thread Chris Toth
We are having authentication issues with our wireless network and I was wondering if any other universities are running a similar design without issue. We have 17 wireless controllers each providing both an unsecured web auth and a secured WPA/WPA2 access using RADIUS. The secured access

RE: Wireless Design

2012-10-23 Thread Bruce Boardman
We are having this exact issue and have been working with TAC for a month. We have clients that are mis-configured pounding the RADIUS servers, and one by one we are identifying and blacklisting devices that have never been on the network. This is only a couple days in the works, but seems to

Re: [WIRELESS-LAN] Wireless Design

2012-10-23 Thread Dennis Xu
We have two ACS 4.2 servers behind a load balancer (ACE) and we do not see any issues with wireless PEAP authentications. We are going to upgrade these servers to ACS 5.3 soon. Has Cisco confirmed the problem is related to the LB? What if the ACS servers are not load balanced, will the problem still

RE: [WIRELESS-LAN] Wireless Design

2012-10-23 Thread Bruce Boardman
TAC has confirmed the problem and has not yet offered a workaround to LB. The LB is manually pointing controllers to one of the two RADIUS servers, which helps, but of course is not really a solution. The ACE is RADIUS session aware I take it? |Bruce Boardman, Network Engineer, Syracuse

Re: [WIRELESS-LAN] Wireless Design

2012-10-23 Thread Dennis Xu
Yes, ACE is RADIUS session aware. RADIUS stickiness has been configured for ACS servers. --- Dennis Xu Network Analyst, Computing and Communication Services University of Guelph 5198244120 x 56217 - Original Message - From: Bruce Boardman board...@syr.edu To: d...@uoguelph.ca,

RE: [WIRELESS-LAN] Wireless Design

2012-10-23 Thread Lee H Badman
Just to add to Bruce's narrative- I estimate that a couple of dozen errant clients (frequently Blackberry for some reason) add RADIUS transactional volume of thousands more clients to the servers by the way they act. Using client exclusion, or manually disabling the worst of the worst, seems to