Security

Hi,

We have a Aruba 3200 controller. What i would like to do is block/ban/blacklist a devide (prob by MAC address) if i feel it is acting inappropriately. I know i can search for the device and select to blacklist it, but if the device is not currently connected then i cannot find it on the client search and therefore cannot blacklist it. 

Is there a way to manually add a MAC address so that device is blacklisted when it tries to connect? I have a list of MAC addresses id like to blacklist. Or is there a better way to blockban devices then above. I know i can do it at a firewall/UTM level but would prefer to do it at the Aruba WiFi level. Currently we are just using basic SSID with WPA security. No RADIUS, captive portal, etc.

Thanks in advance for your help.

You need to do it from the commandline.

Please see here:  http://community.arubanetworks.com/t5/Command-of-the-Day/COTD-stm-add-blacklist-client/m-p/1048/highlight/true#M79

Thanks for the reply. I tried that and got the attached result unfortunately.

You need to be in "enable" mode to do this.  type "enable" and  then the enable password.

Great! Thanks for that.

I know this is an old thread but for those like me who do end up reading it:

The blacklist now stays through controller reboot huzzah! 

Tested on 6.3.1.5

I can successfully block users from the CLI, but the problem is that i cant make them permanent blacklisted.

Ive set the Blacklist Time within the virtual APs that is affected to zero, but what ever I do when i use show ap blacklist-clients i get 3600 sec.

What am i doing wrong?

Regards,

Johan

jokohanho,

Are you blacklisting a user that is currently connected, or no longer connected.  If the user is connected, it is the virtual AP that controls it.  If the user is NOT connected to the controller it corresponds to the "show ap blacklist-time" parameter:

To see how long a user is not connected would be blacklisted:

(192.168.1.3) #show ap blacklist-time 

ap blacklist-time:3600

 To change the blacklist to permanent:

(192.168.1.3) #configure t
Enter Configuration commands, one per line. End with CNTL/Z

(192.168.1.3) (config) #ap ap-blacklist-time ?
<ap-blacklist-time>     time in seconds

(192.168.1.3) (config) #ap ap-blacklist-time 0

Sorry, i missed to mention im trying to block mac addresses. :)

The mac address is not connected at this point.

So how do I change the ap blacklist-time?

Sorry. I understand now. :) Thanks alot!

Glad you found it.  I edited my post to make it more clear and fixed a spelling error.

I black listed a client. Did a aaa user delete and stm kick-off-sta 

The device shows in the black list, but keeps connecting and passing traffic

 #show AP blacklist-clients

Blacklisted Clients
-------------------
STA reason block-time(sec) remaining time(sec)
--- ------ --------------- -------------------
34:23:87:6a:35:42 session-blacklist 60 240
1c:3e:84:65:2e:34 session-blacklist 255 45
20:16:d8:fb:cf:01 user-defined 635 2965

show user-table verbose | include 20:16:d8:fb:cf:01
10.207.4.185               20:16:d8:fb:cf:01     SSID     00:00:04

(CNJ_.11) #show datapath session table 10.207.4.185

Datapath Session Table Entries
------------------------------

Source IP Destination IP Prot SPort DPort Cntr Prio ToS Age Destination TAge UsrIdx UsrVer Flags 

-------------- -------------- ---- ----- ----- ---- ---- --- --- ----------- ---- ------ ------ -----
10.207.4.185 54.187.20.232 6 50385 80 0/0 0 96 17 tunnel 3551 10d 5dd c0b4 CI
0/0 0 0 0 local
10.207.4.185 54.187.20.232 6 50384 80 0/0 0 96 17 tunnel 3551 10d 5dd c0b4 CI
0/0 0 0 0 local
10.207.4.185 54.244.29.192 6 50369 80 0/0 0 96 19 tunnel 3551 12b 5dd c0b4 CI
0/0 0 0 0 local
10.207.4.185 54.244.29.192 6 50368 80 0/0 0 96 19 tunnel 3551 12b 5dd c0b4 CI
0/0 0 0 0 local
10.207.4.185 96.16.77.229 6 50361 80 0/0 0 96 19 tunnel 3551 132 5dd c0b4 CI
0/0 0 0 0 local
10.207.4.185 96.16.77.229 6 50360 80 0/0 0 96 19 tunnel 3551 132 5dd c0b4 CI