Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

MAC addresses not staying permanently blacklisted

  • 1.  MAC addresses not staying permanently blacklisted

    Posted Mar 28, 2013 11:00 AM

    We are using Captive Portal authentication on our Public Wifi.  We have blacklisted several devices.  Prior to doing so, I adjusted the blacklist timeout on the virtual AP from 3600 to 0 so they would be permanently blacklisted.  For the most part, this is working quite well, however there are about 5 devices that are not staying blacklisted--when I look at the blacklisted clients, either within the CLI or the GUI, it shows those few devices as counting down the number of minutes until they will be re-enabled.  It is the same few MAC addresses, one is an iPod, and the rest are iPhones.  Other iPods and iPhones have been blacklisted permanently successfully.  I have tried both blacklisting them while connected, through the GUI, as well as when they are not connected, using the command line.  I have not done a user-debug, since it's only been after they were blacklisted that I noticed this behavior.


    Any ideas as to why these few wouldn't be behaving as expected?  Please advise.  Thanks!





  • 2.  RE: MAC addresses not staying permanently blacklisted

    Posted Mar 28, 2013 05:21 PM

    Any chance they are being blacklisted for another reason, maybe another virtual AP?   You can also manually blacklist them if you want:


    stm add-blacklist-client <MAC>




  • 3.  RE: MAC addresses not staying permanently blacklisted

    Posted Apr 01, 2013 10:13 AM

    No, I don't think so--I'm manually clicking each device listed under "Monitoring > Clients" on the GUI, then the Blacklist button.  I've been doing the same for each, and for some it works permanently, and for others it counts down the hour??  It's only a few, but it's still annoying.


    I've also tried disconnecting them and doing the manual blacklist from the CLI, but I get the same results. 


    I have already edited the AP blacklist time from 3600 seconds to 0. 



  • 4.  RE: MAC addresses not staying permanently blacklisted

    EMPLOYEE
    Posted Apr 01, 2013 10:45 AM

    @colek wrote:

    No, I don't think so--I'm manually clicking each device listed under "Monitoring > Clients" on the GUI, then the Blacklist button.  I've been doing the same for each, and for some it works permanently, and for others it counts down the hour??  It's only a few, but it's still annoying.


    I've also tried disconnecting them and doing the manual blacklist from the CLI, but I get the same results. 


    I have already edited the AP blacklist time from 3600 seconds to 0. 


    So when a client is connected to the controller, the blacklist time is obtained from the Virtual AP that the client is currently connected to.  If the client is NOT in the user table, the blacklist time is then derived from the "ap ap-blacklist-time 0" that Jbranton mentioned.


    Type "show ap blacklist-clients" when you do a blacklist to see who is blacklisted and how much time is left.




  • 5.  RE: MAC addresses not staying permanently blacklisted

    Posted Apr 03, 2013 08:59 AM

    I am blacklisting the clients as they are connected, using the GUI.  Yesterday, I didn't have any problems--all devices blacklisted permanently.  Today, I blacklisted 2 devices, one was fine, the other is showing an hour only (please see attached.)  I did the exact same process using the GUI.  So they should all be getting their blacklist time from the VAP.  


    Sometimes it has been the same device/mac address over and over that won't blacklist permanently, then the next day, that same device/mac will permanently blacklist.  I am just trying to figure out what might be going on, as this behavior is not making any sense.



  • 6.  RE: MAC addresses not staying permanently blacklisted

    EMPLOYEE
    Posted Apr 03, 2013 09:16 AM

    Please open a support case so that they can sort this out.


    There are a number of questions like (1) Are all your clients connected to the same VAP? (2) What is the time in the VAP? (3) What is the result of "show ap blacklist-clients" after you blacklist those devices? (4) Is your configuration correct and consistent? These will be answered with an open support case.


    Answering those questions on this forum would be tedious and time-consuming for you without all the information on the controller.  If support obtains your logs.tar they can bring it to a quicker resolution.




  • 7.  RE: MAC addresses not staying permanently blacklisted

    Posted Apr 03, 2013 02:17 PM

    Ok, thank you.  I will do that.



  • 8.  RE: MAC addresses not staying permanently blacklisted

    Posted Mar 29, 2013 12:31 PM

    If you blacklist a client while they are not associated, the blacklist time comes from the controller rather than the VAP profile. To permanently blacklist those clients, first add the following to each controller config:


    ap ap-blacklist-time 0
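As an added illustration of the two places the blacklist timeout is taken from (posts 4 and 8 above), here is a controller config fragment showing both settings side by side; this is not configuration posted in the thread, and the virtual-AP profile name `guest-vap` is an assumed placeholder:

```text
! Global value: applies when the MAC is NOT in the user table at the
! moment it is blacklisted (e.g. "stm add-blacklist-client" on a
! disconnected device). 0 = permanent.
ap ap-blacklist-time 0

! Per-VAP value: applies when the client IS associated to this VAP
! when the Blacklist button / command is used. Default is 3600 seconds
! (the one-hour countdown seen in the thread); 0 = permanent.
! "guest-vap" is an assumed profile name.
wlan virtual-ap "guest-vap"
   blacklist-time 0
!

! Verify right after blacklisting: an entry that is counting down
! instead of showing as permanent was given the non-zero value.
show ap blacklist-clients
```

Both values must be 0, because which one a given MAC receives depends only on whether it was in the user table at the instant it was blacklisted, which is why the same device can end up permanent one day and on a countdown the next.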