Introduction :
Unlike Wired networks, wireless access spans across physical boundaries and thereby client blacklisting becomes significant feature to keep the unauthorized users from associating to the network. The following types of client blacklisting are available in Instant:
- Manual Blacklisting
- Authentication Failure Blacklisting
- Session Firewall Based Blacklisting
Feature Notes :
Authentication failure blacklisting takes place only when blacklisting is enabled in authentication settings of an SSID
Environment : This article applies to Aruba Instant Access Points.
Network Topology : Wireless clients association to Aruba Instant Access Points.
Configuration Steps :
Following is the configuration steps for different client blacklisting features of Instant AP:
Manual Blacklisting:
-
Login to Web interface of Instant cluster
-
Click on "Security" from the main-menu
-
On the "Backlisting" tab, add the MAC address of the client to be blacklisted. These clients are permanently blacklisted.
Authentication Failure Blacklisting:
This method is applicable only where authentication request is generated to internal server or external auth server.
- Login to Web interface of Instant cluster.
- Select the SSID from the list and click on "Edit"
- Move to "Security" and enable the "Blacklisting" under authentication settings.
Mention the no. of authentication failures. (Range: 0 - 10)
The duration that this user is blacklisted can be configured. As below:
Session Firewall Based Blacklisting:
This method is used to blacklist a authorized user when an unexpected traffic is seen.As the user session hits the ACL, the user is blacklistedand is de-authenticated.
- Login to Web interface of Instant cluster.
-
Click on "Security" from the main-menu
-
On the "Roles" tab, edit the existing ACl create a new one.
Verification : Blacklisted clients can be verified on IAP Web interface as well as in command line:
On Web Interface:
On Command Line:
NOTE: The reason column indicates the method that the is client is blacklisted.