Controller Based WLANs

What are the reasons to blacklist a client, and how do I do it?

Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x.

This article provides the following information about blacklisting clients:
· Ways to Blacklist a Client
· Configuring the Duration of Blacklisting
· Removing a Client from the Blacklist
· Listing Blacklisted Clients

Ways to Blacklist a Client

· Manual: You may choose to blacklist a client for different reasons. For example, you can enable different Aruba intrusion detection system (IDS) features that detect suspicious activities, such as MAC address spoofing or denial of service attacks. When these activities are detected, an event is logged and an SNMP trap is sent with the client information. To blacklist a client, you need to know its MAC address.

To manually blacklist a client:

Using the WebUI:

1) Navigate to the Monitoring > Controller > Clients page.
2) Select the client to be blacklisted and click Blacklist.

Using the CLI:
stm add-blacklist-client <macaddr>

· Maximum authentication failures: You can configure a maximum authentication failure threshold for each of the following authentication methods:

• 802.1x
• MAC
• Captive Portal
• VPN

When a client exceeds the configured threshold for one of these methods, the client is automatically blacklisted by the controller, an event is logged, and an SNMP trap is sent. By default, the maximum authentication failure threshold is set to 0 for these authentication methods, which means that there is no limit to the number of times a client can attempt to authenticate.

With 802.1x authentication, you can also configure blacklisting of clients who fail machine authentication.

When clients are blacklisted because they exceed the authentication failure threshold, they are blacklisted indefinitely by default. You can configure the duration of the blacklisting.

To set the authentication failure threshold:

Using the WebUI:

1) Navigate to the Configuration > Security > Authentication > Profiles page.
2) In the Profiles list, select the appropriate authentication profile, then select the profile instance.
3) Enter a value in the Max Authentication failures field.
4) Click Apply.

Using the CLI:
aaa authentication {captive-portal|dot1x|mac|vpn} <profile>
max-authentication-failures <number>

· Attack Blacklisting: Two types of automatic client blacklisting can be enabled:

• Blacklisting due to spoofed deauthentication: Man-in-the-middle (MITM) attacks begin with an intruder impersonating a valid enterprise AP. If an AP needs to reboot, it sends deauthentication packets to connected clients so that they disconnect and reassociate with another AP.

An intruder can spoof these deauthentication packets, which forces clients to disconnect from the network and reassociate with the attacker's AP. The valid enterprise client associates to the intruder's AP, while the intruder associates to the enterprise AP. Traffic between the network and the client then flows through the intruder (the man in the middle), who can add, delete, or modify data. When the Aruba system identifies this type of attack, the client can be blacklisted, which blocks the MITM attack. You enable this blacklisting in the IDS DoS profile; it is disabled by default.

To enable spoofed deauth detection and blacklisting:

Using the WebUI:

1) Navigate to the Configuration > Wireless > AP Configuration page.
2) Click either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3) In the Profiles list, select IDS, then select IDS profile.
4) Select the IDS DOS profile instance.
5) Select (check) Spoofed Deauth Blacklist.
6) Click Apply.

Using the CLI:
ids dos-profile <profile>
spoofed-deauth-blacklist

• Blacklisting due to other types of denial of service (DoS) attacks: This is enabled by default. You can disable this blacklisting on a per-SSID basis in the virtual AP profile.

Examples of this kind of attack:

• Ping flood attack: If ping flood detection is enabled and a ping flood is detected, the station is blacklisted.
• SYN attack: Same condition as the ping flood.
• Session flood attack: Same condition as the ping flood.
• Session blacklist: If an AAA ACL rule configured with the blacklist action is hit, the station is blacklisted.

· External application or appliance: An external application or appliance that provides network services, such as virus protection or intrusion detection, can blacklist a client and send the blacklist request to the controller through the XML API server. When the controller receives the client blacklist request from the server, it blacklists the client, logs an event, and sends an SNMP trap.

Note: This requires that the External Services Interface (ESI) license be installed in the controller.


Configuring the Duration of the Blacklisting

You can configure the duration that clients are blacklisted on a per-SSID basis.
The two different blacklist duration settings are:

· For clients that are blacklisted due to authentication failure. By default, this is set to 0 (the client is blacklisted indefinitely).
· For clients that are blacklisted due to other reasons, including manual blacklisting. By default, this is set to 3600 seconds (one hour). You can set this to 0 to blacklist clients indefinitely.

You configure these settings in the virtual AP profile.

To configure the blacklist duration:

Using the WebUI:

1) Navigate to the Configuration > Wireless > AP Configuration page.
2) Select either the AP Group or AP Specific tab. Click Edit for the AP group or AP name.
3) In the Profiles list, select Wireless LAN, then Virtual AP. Select the virtual AP instance.
• To set blacklist duration for authentication failure, enter a value for Authentication Failure Blacklist Time.
• To set blacklist duration for other reasons, enter a value for Blacklist Time.
4) Click Apply.

Using the CLI:
wlan virtual-ap <profile>
auth-failure-blacklist-time <seconds>
blacklist-time <seconds>

Removing a Client from the Blacklist

To manually remove a client from the blacklist:

Using the WebUI:

1) Navigate to the Monitoring > Controller > Blacklist Clients page.
2) Select the client that you want to remove from the blacklist, and click Remove from Blacklist.

Using the CLI:
Enter the following command in enable mode:

stm remove-blacklist-client <macaddr>

Listing Blacklisted Clients

To list all blacklisted clients, along with the reason for blacklisting, the blacklist time, and the remaining time:

Using the WebUI:

Navigate to the Monitoring > Controller > Blacklist Clients page.

Using the CLI:
show ap blacklist-clients
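The blacklist behaviour described in this article (threshold 0 means no limit, duration 0 means indefinite, a separate duration for authentication failures versus every other reason, manual removal, and a listing with remaining time) as a small Python model. This is an added example, not Aruba code: the class and method names are invented, the clock is a constructed integer, and the point at which the threshold fires is an assumption noted in the code.

```python
from dataclasses import dataclass

INDEFINITE = 0  # ArubaOS convention: duration 0 = never expires, threshold 0 = no limit

@dataclass
class VirtualApProfile:  # the two per-SSID duration settings, defaults as on the page
    auth_failure_blacklist_time: int = INDEFINITE  # auth-failure-blacklist-time <seconds>
    blacklist_time: int = 3600                     # blacklist-time <seconds>, one hour

@dataclass
class BlacklistEntry:
    mac: str
    reason: str
    added_at: int  # seconds on a constructed clock, not wall time
    duration: int  # 0 = indefinite

    def remaining(self, now):  # seconds left, or None when the entry never expires
        if self.duration == INDEFINITE:
            return None
        return max(0, self.added_at + self.duration - now)

class BlacklistModel:
    """Hypothetical simulation of the controller's blacklist table (not ArubaOS code)."""
    def __init__(self, vap, max_auth_failures):
        self.vap = vap
        self.max_auth_failures = max_auth_failures  # {"dot1x": 3, ...}; missing or 0 = no limit
        self.failures = {}                          # (mac, method) -> failure count
        self.entries = {}                           # mac -> BlacklistEntry

    def record_auth_failure(self, mac, method, now):
        threshold = self.max_auth_failures.get(method, 0)
        count = self.failures[(mac, method)] = self.failures.get((mac, method), 0) + 1
        if threshold and count > threshold:  # assumption: fires on the failure past the threshold
            self.entries[mac] = BlacklistEntry(mac, "auth-failure:" + method, now,
                                               self.vap.auth_failure_blacklist_time)
            return True
        return False

    def blacklist(self, mac, reason, now):  # manual, IDS/DoS, session-ACL or XML-API request
        self.entries[mac] = BlacklistEntry(mac, reason, now, self.vap.blacklist_time)

    def remove(self, mac):  # stm remove-blacklist-client; also resets the failure counters
        self.failures = {k: v for k, v in self.failures.items() if k[0] != mac}
        return self.entries.pop(mac, None) is not None

    def listing(self, now):  # show ap blacklist-clients: purge expired, return (mac, reason, left)
        self.entries = {m: e for m, e in self.entries.items() if e.remaining(now) != 0}
        return [(e.mac, e.reason, e.remaining(now)) for e in self.entries.values()]
```

With the defaults, a client blacklisted for authentication failure stays listed with no remaining time until it is removed manually, while a manual or DoS entry drops out of the listing after 3600 seconds.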
Version history
Revision #:
1 of 1
Last update:
07-09-2014 01:26 PM