Command of the Day

Guru Elite
Posts: 19,997
Registered: 03-29-2007

COTD: stm add-blacklist-client

Have you ever suspected that a wifi client was causing you problems and you needed to keep that client off your network until you could check it out? "stm add-blacklist-client" can keep that client off your network, even though it is not currently on your system. In the GUI, you can only blacklist a client that has already connected to your system. To blacklist a client, you would simply do the following in enable mode:

(Aruba800-4) #stm add-blacklist-client 00:23:12:53:1d:f4

To show what clients are blacklisted you would use the "show ap blacklist-clients" command:

(Aruba800-4) #show ap blacklist-clients
Blacklisted Clients
-------------------
STA                reason        block-time(sec)  remaining time(sec)
---                ------        ---------------  -------------------
00:23:12:53:1d:f4  user-defined  5                Permanent

Please note that in order for a user to be blacklisted, the "station blacklist" parameter must be enabled in the Virtual-AP that the user is trying to connect to. Also, the "blacklist time" parameter in the Virtual-AP must be populated with the time you want the user to be denied (in seconds) when you blacklist the user. If this parameter is zero, it is permanent. What this means is that if you have an "Employee" network and a "Guest" network and you have blacklisted a user, he will be denied access to the Employee network if you have blacklisting enabled in the Employee Virtual AP, but that client will still be able to connect to the Guest network if you don't have blacklisting enabled in that Virtual AP, so you need blacklisting enabled in both.
If you have user debugging configured, a client that has been blacklisted but is being rejected by the system will show up in the user log as follows:

(Aruba800-4) #show log user all | include 00:23:12:53:1d:f4
Dec 21 21:49:34 :501103: |stm| Blacklist add: 00:23:12:53:1d:f4: Reason: user-defined <-------Administrator Manually added Blacklist
Dec 21 21:50:07 :501097: |stm| Assoc request: 00:23:12:53:1d:f4: Dropped AP 1.1.1.246-00:0b:86:42:a1:20-Study-AP65 for STA DoS protection <---Shows up when blacklisted user tries to associate
Dec 21 21:50:34 :501080: |stm| Deauth to sta: 00:23:12:53:1d:f4: Ageout AP 1.1.1.246-00:0b:86:42:a1:28-Study-AP65 Denied; STA Blacklisted

To remove a user from blacklist, use the "stm remove-blacklist-client" command:

(Aruba800-4) #stm remove-blacklist-client 00:23:12:53:1d:f4

Of the following two messages in the user debug, the first denotes a user blacklist that is removed by the administrator (via command line or GUI) and the second denotes when the blacklist timer has expired:

(Aruba800-4) #show log user all | include 00:23:12:53:1d:f4
Dec 21 21:56:25 :501115: |stm| Blacklist del: 00:23:12:53:1d:f4: by administrator <--------- Administrator Removed blacklist
Dec 21 21:59:39 :501116: |stm| Blacklist del: 00:23:12:53:1d:f4: timeout <--------- Timer Expired and user's blacklist removed by timer

This post is the ArubaOS 3.x version of the 2.x command here: https://edge.arubanetworks.com/forum/cotd-station-dos-prevention
Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Validated Reference Design Guides : http://community.arubanetworks.com/t5/Validated-Reference-Design/tkb-p/Aruba-VRDs
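As an added example (not part of the original post and not ArubaOS code), the following Python parses "show log user all" lines in the format shown above and tracks, per station, whether it is currently blacklisted and how many association attempts were rejected while it was. The message IDs (501103, 501097, 501080, 501115, 501116) are the ones quoted in the post; the event labels and the sample log text are this example's own construction.

```python
import re
from collections import defaultdict

# Constructed sample, in the format of the "show log user all" output quoted above
SAMPLE_LOG = """\
Dec 21 21:49:34 :501103: |stm| Blacklist add: 00:23:12:53:1d:f4: Reason: user-defined
Dec 21 21:50:07 :501097: |stm| Assoc request: 00:23:12:53:1d:f4: Dropped AP 1.1.1.246-00:0b:86:42:a1:20-Study-AP65 for STA DoS protection
Dec 21 21:50:34 :501080: |stm| Deauth to sta: 00:23:12:53:1d:f4: Ageout AP 1.1.1.246-00:0b:86:42:a1:28-Study-AP65 Denied; STA Blacklisted
Dec 21 21:56:25 :501115: |stm| Blacklist del: 00:23:12:53:1d:f4: by administrator
Dec 21 21:59:39 :501116: |stm| Blacklist del: 00:23:12:53:1d:f4: timeout
"""

# timestamp, numeric message id, stm event name, station MAC, free-text detail
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) :(?P<msgid>\d+): \|stm\| "
    r"(?P<event>[^:]+): (?P<sta>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}): (?P<detail>.*)$"
)

# Message IDs as shown in the post; the labels are this example's own naming
EVENTS = {
    "501103": "blacklist_add",
    "501115": "blacklist_del_admin",
    "501116": "blacklist_del_timeout",
    "501097": "assoc_dropped",
    "501080": "deauth_blacklisted",
}

def parse_line(line):
    """Return a dict of fields for one stm log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["kind"] = EVENTS.get(d["msgid"], "other")
    return d

def summarize(log_text):
    """Per-STA view: current blacklist state and rejected attempts while blacklisted."""
    state = defaultdict(lambda: {"blacklisted": False, "rejected_attempts": 0, "events": []})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        s = state[ev["sta"].lower()]
        s["events"].append(ev["kind"])
        if ev["kind"] == "blacklist_add":
            s["blacklisted"] = True
        elif ev["kind"].startswith("blacklist_del"):   # admin removal or timer expiry
            s["blacklisted"] = False
        elif ev["kind"] in ("assoc_dropped", "deauth_blacklisted") and s["blacklisted"]:
            s["rejected_attempts"] += 1
    return dict(state)
```

Feed it the output of "show log user all | include <mac>" to see at a glance whether a blacklisted station is still trying to associate, and whether its entry was cleared by an administrator or by the timer.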
Occasional Contributor II
Posts: 35
Registered: 04-29-2009

Blacklist client

Based on the info above, I take it to mean that if I had to enable blacklisting of clients that fail authentication on one SSID, they will still be able to connect to other SSIDs even if both SSIDs are in the same AP group or on the same controller?
Guru Elite
Posts: 19,997
Registered: 03-29-2007

Will Not

It is global, and they will not be able to connect to ANY SSID in the controller.

Colin Joseph
Aruba Customer Engineering
Contributor II
Posts: 134
Registered: 05-12-2010

Re: COTD: stm add-blacklist-client

I believe that the blacklist is only permanent until the controller is rebooted. Am I correct, Colin?

Bruce Osborne
Liberty University
Bruce Osborne - Wireless Engineer
ACCP
Guru Elite
Posts: 19,997
Registered: 03-29-2007

Correct

That is correct. In our next major version of code, that is scheduled to change.
Colin Joseph
Aruba Customer Engineering