Security

Reply
New Contributor
Posts: 4
Registered: ‎12-06-2011

MAC addresses not staying permanently blacklisted

We are using Captive Portal authentication on our Public Wifi.  We have blacklisted several devices.  Prior to doing so, I adjusted the blacklist timeout on the virtual AP from 3600 to 0 so they would be permanently blacklisted.  For the most part, this is working quite well, however there are about 5 devices that are not staying blacklisted--when I look at the blacklisted clients, either within the CLI or the GUI, it shows those few devices as counting down the number of minutes until they will be re-enabled.  It is the same few MAC addresses, one is an iPod, and the rest are iPhones.  Other iPods and iPhones have been blacklisted permanently successfully.  I have tried both blacklisting them while connected, through the GUI, as well as when they are not connected, using the command line.  I have not done a user-debug, since it's only been after they were blacklisted that I noticed this behavior.

 

Any ideas as to why these few wouldn't be behaving as expected?  Please advise.  Thanks!

 

Aruba
Posts: 1,636
Registered: ‎04-13-2009

Re: MAC addresses not staying permanently blacklisted

Any chance they are being blacklisted for another reason, maybe another virtual AP?   You can also manually blacklist them if you want:

 

stm add-blacklist-client <MAC>

 

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Occasional Contributor II
Posts: 11
Registered: ‎10-01-2007

Re: MAC addresses not staying permanently blacklisted

[ Edited ]

If you blacklist a client while they are not associated, the blacklist time comes from the controller rather than the VAP profile. To permanently blacklist those clients, first add the following to each controller config:

 

ap ap-blacklist-time 0

New Contributor
Posts: 4
Registered: ‎12-06-2011

Re: MAC addresses not staying permanently blacklisted

[ Edited ]

No, I don't think so--I'm manually clicking each device listed under "Monitoring > Clients" on the GUI, then the Blacklist button.  I've been doing the same for each, and for some it works permanently, and for others it counts down the hour??  It's only a few, but it's still annoying.

 

I've also tried disconnecting them and doing the manual blacklist from the CLI, but I get the same results. 

 

I have already edited the AP blacklist time from 3600 seconds to 0. 

Guru Elite
Posts: 20,357
Registered: ‎03-29-2007

Re: MAC addresses not staying permanently blacklisted


colek wrote:

No, I don't think so--I'm manually clicking each device listed under "Monitoring > Clients" on the GUI, then the Blacklist button.  I've been doing the same for each, and for some it works permanently, and for others it counts down the hour??  It's only a few, but it's still annoying.

 

I've also tried disconnecting them and doing the manual blacklist from the CLI, but I get the same results. 

 

I have already edited the AP blacklist time from 3600 seconds to 0. 


So when a client is connected to the controller, the blacklist time is obtained from the Virtual AP that the client is currently connected to.  If the client is NOT in the user table, the blacklist time is then derived from the "ap ap-blacklist-time 0" that Jbranton mentioned.

 

Type "show ap blacklist-clients" when you do a blacklist to see who is blacklisted and how much time is left.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 4
Registered: ‎12-06-2011

Re: MAC addresses not staying permanently blacklisted

I am blacklisting the clients as they are connected, using the GUI.  Yesterday, I didn't have any problems--all devices blacklisted permanently.  Today, I blacklisted 2 devices, one was fine, the other is showing an hour only (please see attached.)  I did the exact same process using the GUI.  So they should all be getting their blacklist time from the VAP.  

 

Sometimes it has been the same device/mac address over and over that won't blacklist permanently, then the next day, that same device/mac will permanently blacklist.  I am just trying to figure out what might be going on, as this behavior is not making any sense.

Guru Elite
Posts: 20,357
Registered: ‎03-29-2007

Re: MAC addresses not staying permanently blacklisted

[ Edited ]

Please open a support case so that they can sort this out.

 

There are a number of questions like (1) Are all your clients connected to the same VAP (2) What is the time in the VAP (3) What is the  result of "show ap blacklist-clients" after you blacklist those devices (4) Is your configuration correct and consistent that will be answered with an open support case.  

 

Answering those questions on this forum would be tedious and time-consuming for you without all the information on the controller.  If support obtains your logs.tar they can bring it to a quicker resolution.

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 4
Registered: ‎12-06-2011

Re: MAC addresses not staying permanently blacklisted

Ok, thank you.  I will do that.

Search Airheads
Showing results for 
Search instead for 
Did you mean: