Wireless Water Cooler

Occasional Contributor II

Deny known repeat offender

Trying to automate putting a rogue device in the deny all role.

Have an Android phone connecting to a PSK network while advertising a wireless hotspot.

 

Can manually put the device into the deny all role on the controller. Once the inactivity timer value is reached, the device is removed from the database (deny all role) and can connect again.

I created a derivation rule for the device's MAC address and applied it to an AAA profile trying to force the device into the deny all role.

 

aaa derivation-rules user "Rogue"
    set role condition macaddr equals ##:##:## set-value Deny_all description "rogue_test"
!

aaa profile "Deny_all"
    initial-role "Deny_all"
    user-derivation-rules "Rogue"
!

 

The device goes into the initial role for the PSK network instead of the deny all role.

Tom Engeleit
ACMP
Guru Elite

Re: Deny known repeat offender

Have you tried blacklisting? http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-blacklist-users-permanently/ta-p/175712



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: Deny known repeat offender

The blacklist timer set to zero will work, but it does not write from the master to the locals.

Thank you

Tom Engeleit
ACMP
Guru Elite

Re: Deny known repeat offender

You can take the chance that the device will only show up in a single location and just issue the blacklist on that controller. You can also employ an external policy engine to do MAC authentication of PSK devices to protect enterprise-wide from specific devices.

It is difficult to maintain a blacklist on controllers using either a user derivation rule or simple blacklisting, because the interface is not designed to add/remove and change dozens of MAC addresses. An external policy engine like ClearPass would be the place to actually do this.



Colin Joseph
Aruba Customer Engineering

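The per-controller permanent blacklist that the thread converges on (the timer-zero setting the original poster found to work, issued directly on the local controller as Colin suggests), written out as an added ArubaOS CLI example. This is not configuration from the thread or from the linked KB article. It assumes ArubaOS 6.x command syntax; the virtual AP profile name "PSK-vap" and the client MAC aa:bb:cc:dd:ee:ff are placeholders constructed for the example.

```text
! Added example, assumed ArubaOS 6.x syntax. "PSK-vap" and the MAC are placeholders.
! Step 1 (config mode): make blacklist entries on the PSK SSID permanent.
!   blacklist-time 0 means the entry never expires, so the inactivity timer
!   no longer lets the device back in.
configure terminal
wlan virtual-ap "PSK-vap"
   blacklist
   blacklist-time 0
!
exit
write memory

! Step 2 (exec mode): blacklist the offending client by MAC address.
!   The entry is held by this controller only, so repeat on each local
!   controller the device could roam to; the profile change above does sync.
stm add-blacklist-client aa:bb:cc:dd:ee:ff

! Step 3: verify the entry is present and has no expiry.
show ap blacklist-clients

! To lift the block later on the same controller:
stm remove-blacklist-client aa:bb:cc:dd:ee:ff
```

The lines beginning with `!` are annotations for the reader rather than commands to paste. Because the blacklist entry itself lives on the controller that issued it, this scales to a handful of known offenders at a handful of sites; once the list grows to dozens of MAC addresses across many locals, the MAC-authentication approach through an external policy engine that Colin describes becomes the maintainable option.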