Welcome to Aruba, Lee.  :)

By default the blacklist time is 60 minutes, so either you can have job 
security blacklisting clients, or you can change the default value.

Bruce Osborne
Network Engineer
IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: Lee H Badman [mailto:lhbad...@syr.edu]
Sent: Monday, October 22, 2012 6:14 PM
Subject: Re: Auth failure options?

Well. I better switch right over to Aruba then.

:)


On Oct 22, 2012, at 17:15, "Marcelo Lew" <marcelo....@du.edu> wrote:
IF you use Aruba, you can blacklist clients after x failed attempts to 
authenticate.

Marcelo Lew
Wireless Enterprise Administrator
University Technology Services
University of Denver
Desk: (303) 871-6523
Cell: (303) 669-4217
Fax:  (303) 871-5900
Email: m...@du.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
Sent: Monday, October 22, 2012 10:21 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Auth failure options?

Thanks Michael - I did find out that others have asked for a configurable value 
on the number of failed auth attempts. An enhancement bug can be followed here:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCto15912

Three failures may be too aggressive for some environments. I'd like to see it 
configured for a few hundred failed auth attempts, then permanent exclusion.

-Lee

Lee H. Badman
Network Architect/Wireless TME
Information Technology and Services (ITS)
Syracuse University
315 443-3003



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Dorshimer, Michael
Sent: Monday, October 22, 2012 8:48 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Auth failure options?

Reference the following link for Layer 1 Security Solutions on your 
controllers. Client Exclusion Policies should be enabled by default but you may 
want to try increasing their per-WLAN timeout value.

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#diag

Michael Dorshimer
Network Administrator
Shippensburg University

From: Lee H Badman <lhbad...@syr.edu>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Saturday, October 20, 2012 7:42 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Auth failure options?

Just posted this on Cisco discussion forum, curious if anyone else has pondered 
it:

I have around 16k wireless clients at peak on my WLAN, all doing 802.1x with 
the latest ACS, and things are generally fine. But I also have hundreds of 
misconfigured smartphones where WiFi is on, but users don't really care if they 
hit my wireless network from them, and these can frequently overwhelm ACS with 
hundreds of thousands of auth failures that have to be processed. Is there any 
way between controllers and ACS to say that after X failed auth attempts a 
client is moved to another vlan (dead end), or auth attempts get suspended for 
a while, or that client device is forcibly blocked at L2, or anything that 
could tame the condition automatically?


On wired 802.1x, you can do an auth failure vlan that a client lands in after x 
failed attempts at auth. Not quite seeing it on wireless yet in docs, but it would 
be handy for the misconfigured handhelds that are clobbering ACS with as many 
as 50K+ failed attempts, each, daily.

Or even alerting out of ACS would be good if some device exceeded an insane auth 
failure threshold so they could be manually blocked, but not optimal (or 
possible, probably).

Lee Badman
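The "alert when a device exceeds an insane auth failure threshold" idea from the post above, as an added example that is not part of the original thread: a small Python script that counts failed 802.1X authentications per client MAC per day from a RADIUS/ACS-style log and reports clients at or over a configurable threshold (a few hundred, rather than the fixed three). The log line format, MAC addresses and usernames are constructed for this example; the regex would need adjusting to a real ACS export.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed record layout for this example (real ACS/RADIUS exports differ;
# adjust LINE_RE to the actual "Authen failed" record format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?Authen failed.*?"
    r"Calling-Station-Id=(?P<mac>[0-9A-Fa-f:-]{17})"
)

def parse_failures(lines):
    """Yield (timestamp, normalised mac) for each failed-auth record; other lines are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        yield ts, m.group("mac").lower().replace("-", ":")

def failures_per_client_per_day(lines):
    """Return {day: Counter(mac -> failure count)}."""
    per_day = defaultdict(Counter)
    for ts, mac in parse_failures(lines):
        per_day[ts.date().isoformat()][mac] += 1
    return per_day

def offenders(lines, threshold=300):
    """MACs that hit `threshold` failures on at least one day, with their worst daily count."""
    worst = {}
    for per_mac in failures_per_client_per_day(lines).values():
        for mac, n in per_mac.items():
            if n >= threshold:
                worst[mac] = max(worst.get(mac, 0), n)
    return worst

def constructed_log():
    """Constructed sample: one misconfigured handset failing every 4 minutes all day,
    one user who mistyped a password twice, and one successful auth."""
    base = datetime(2012, 10, 19, 0, 0, 0)
    lines = []
    for i in range(360):  # 360 failures, all on 2012-10-19
        ts = (base + timedelta(minutes=4 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} ACS Authen failed user=jdoe Calling-Station-Id=00-11-22-33-44-55")
    for i in range(2):
        ts = (base + timedelta(hours=9, minutes=i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append(f"{ts} ACS Authen failed user=asmith Calling-Station-Id=AA:BB:CC:DD:EE:FF")
    lines.append("2012-10-19 09:05:00 ACS Authen OK user=asmith Calling-Station-Id=AA:BB:CC:DD:EE:FF")
    return lines

if __name__ == "__main__":
    for mac, n in offenders(constructed_log()).items():
        print(f"{mac}: {n} failures in one day, candidate for manual exclusion")
```

Only the handset that failed 360 times is reported; the two-failure typo stays well under the threshold, which is the distinction the post is asking the controller/ACS to make.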

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
