Occasional Contributor II
Posts: 25
Registered: ‎12-10-2013

Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

On Cisco WLAN, there is a function per SSID called Client Exclusion which can be toggled on or off, and which can put a client device in a time-configurable "penalty box" after 3 failed 802.1x auth attempts. With the feature on, sometimes good clients get caught, but with it off, the RADIUS servers can get pounded by bad client auths from devices that are either misconfigured or that just find the SSID. Too many of these clients can DOS the RADIUS servers, so using Client Exclusion is a must. In Aruba's WLAN, is there similar functionality, and is the number of failed attempts fixed or configurable?

Guru Elite
Posts: 8,464
Registered: ‎09-08-2010

Re: Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

You can blacklist after X number of auth failures.
Sent from Windows Mail

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 130
Registered: ‎06-11-2013

Re: Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

Make sure you have blacklisting enabled on the Virtual AP and the "max authentication failures" configured on the related 802.1X-profile.
Under "monitoring > blacklist clients" you can see which clients are blacklisted.


ACMX#255 | ACMP | ACCP | AWMP
www.securelink.nl
MVP
Posts: 562
Registered: ‎11-28-2011

Re: Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

You know what, I couldn't resist sharing some thoughts on this.
This Cisco feature is terrible.
At one time, it was on by default (don't know if it is now).
I've seen it cause horrible issues in certain environments. As we all know, clients tend to be unpredictable. In a couple of troubleshooting situations (warehouses mostly) I saw this cause instability and business impact. The fact was clients were triggering on the client exclusion. For example, handheld guns tend to reconnect and not send a DHCP. With some Cisco deployments, the result was guns being excluded due to "normal" behaviour. Consider other scenarios where the poorly engineered client fails to authenticate because, well it's poorly engineered (seen this too).
It causes more pain than gain. I'm not a fan.
A better way to exclude this from a security perspective is to get the auth server to lock out the account after a number of failures. BUT consider the engineering quality of your clients. Not all clients are created equal.

Kudos appreciated, but I'm not hunting! (ACMX 104)
Occasional Contributor II
Posts: 25
Registered: ‎12-10-2013

Re: Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

And you define both x and the length of block?
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

The blacklist time is configurable under the VAP. Default is 3600 seconds.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
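As an added illustration (not from this thread, Aruba or ClearPass), a small Python model of the failure-threshold blacklisting the replies describe, replayed over constructed auth log lines to estimate which clients would be blocked and how many attempts would stop reaching RADIUS. The log format, the counter-reset-on-success rule and the "drop while blacklisted" behaviour are assumptions of the model; the 3600-second default comes from the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample log, not real Aruba or ClearPass output: "<epoch> <result> <client-mac>".
SAMPLE_LOG = """\
1000 auth-fail 00:11:22:33:44:01
1005 auth-fail 00:11:22:33:44:01
1010 auth-fail 00:11:22:33:44:01
1012 auth-fail 00:11:22:33:44:01
1020 auth-fail 00:11:22:33:44:02
1030 auth-ok 00:11:22:33:44:02
1040 auth-fail 00:11:22:33:44:02
4700 auth-fail 00:11:22:33:44:01
"""

LINE_RE = re.compile(r"^(\d+)\s+(auth-ok|auth-fail)\s+([0-9a-f:]{17})$")

@dataclass
class ClientState:
    failures: int = 0                        # consecutive failures since last success or expiry
    blacklisted_until: Optional[int] = None  # epoch seconds, None when not blacklisted
    forwarded: int = 0                       # attempts that reached the RADIUS server
    dropped: int = 0                         # attempts suppressed by the blacklist

def simulate_blacklist(log: str, max_failures: int = 3, blacklist_time: int = 3600) -> Dict[str, ClientState]:
    """Replay auth events per MAC under an assumed threshold model (not Aruba's implementation):
    each failure bumps a counter, a success resets it, reaching max_failures blacklists the MAC
    for blacklist_time seconds, and attempts made while blacklisted never reach RADIUS."""
    clients: Dict[str, ClientState] = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not match the constructed format
        ts, result, mac = int(m.group(1)), m.group(2), m.group(3)
        st = clients.setdefault(mac, ClientState())
        if st.blacklisted_until is not None:
            if ts < st.blacklisted_until:
                st.dropped += 1
                continue
            st.blacklisted_until, st.failures = None, 0  # entry expired, client starts fresh
        st.forwarded += 1
        if result == "auth-ok":
            st.failures = 0
            continue
        st.failures += 1
        if st.failures >= max_failures:
            st.blacklisted_until = ts + blacklist_time
    return clients
```

Run it against exported failure logs with your intended "max authentication failures" and blacklist time to see which devices (the warehouse handhelds mentioned above, for example) would hit the threshold through normal behaviour before enabling it on the VAP.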