Understanding Client Blacklisting behavior in AOS 6.3.X and Below

By Arunkumar posted Jun 26, 2014 04:04 PM


This article applies to Aruba Mobility Controllers running ArubaOS version 6.3.X and below.



When you blacklist a client using either method below, the client is not allowed to associate with any AP in the network.

Using the WebUI:

1) Navigate to the Monitoring > Controller > Clients page.
2) Select the client to be blacklisted and click Blacklist.

Using the CLI:
(Aruba) # stm add-blacklist-client <macaddr>

Client blacklisting behavior:


  • The controller retains the client blacklist in the user database, so the information is not lost if the controller reboots.

  • When you import or export the controller’s user database, the client blacklist will be exported or imported as well.

  • The blacklist is maintained per controller and is not synchronized between controllers (e.g., Master and Local).

  • The client blacklist supports up to 4,000 individual client entries.

  • You can set the maximum blacklist time to 65535 seconds, which is 18 days.

  • Blacklist duration:


In ArubaOS 6.1.2 and prior, the blacklist duration depends on whether the client is associated when you blacklist it. If the client is not associated to any AP, the blacklist defaults to permanent. If the client is connected to the network, a deauthentication message is sent to force the client to disconnect, and the blacklist time of the Virtual AP profile to which the client was associated is used.

wlan virtual-ap <profile>
auth-failure-blacklist-time <seconds>
blacklist-time <seconds>

In the latter case, re-entering the add-blacklist command would make it permanent.

From 6.1.3.x onward, the duration for which clients not associated to any AP are blacklisted is controlled by the CLI configuration parameter "ap ap-blacklist-time X", where X is the time in seconds, or 0 for permanent.

(Aruba) #configure terminal
(Aruba) (config) # ap ap-blacklist-time 0
(Aruba) #stm add-blacklist-client e8:92:a4:9a:3c:95

(Aruba) #configure terminal
(Aruba) (config) # ap ap-blacklist-time 600
(Aruba) #stm add-blacklist-client 00:50:56:c0:00:01

(Aruba) #show ap blacklist-client

Blacklisted Clients
STA                reason        block-time(sec)  remaining time(sec)
---                ------        ---------------  -------------------
e8:92:a4:9a:3c:95  user-defined  5                Permanent
00:50:56:c0:00:01  user-defined  10               590
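
An added example, not part of the original article: because the blacklist is kept per controller and is not synchronized, this Python script parses "show ap blacklist-client" output collected from each controller and reports MACs missing on a controller, permanent entries, and usage against the 4,000-entry limit. The controller names and the second controller's output are constructed, and the parser assumes the reason column is a single token, as in the output above.

```python
import re
MAX_ENTRIES = 4000  # per-controller blacklist limit stated in the article

# Constructed "show ap blacklist-client" output for two hypothetical controllers.
MASTER_OUTPUT = """Blacklisted Clients
STA                reason        block-time(sec)  remaining time(sec)
---                ------        ---------------  -------------------
e8:92:a4:9a:3c:95  user-defined  5                Permanent
00:50:56:c0:00:01  user-defined  10               590
"""
LOCAL_OUTPUT = """Blacklisted Clients
STA                reason        block-time(sec)  remaining time(sec)
---                ------        ---------------  -------------------
e8:92:a4:9a:3c:95  user-defined  42               Permanent
"""

# MAC, reason (assumed to be one token), block-time, remaining time or "Permanent"
ROW = re.compile(r"^\s*((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\S+)\s+(\d+)\s+(Permanent|\d+)\s*$", re.I)

def parse_blacklist(output):
    """Return {mac: {...}}; 'remaining' is None for a permanent entry."""
    entries = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # title, header and separator lines
        mac, reason, block, remaining = m.groups()
        entries[mac.lower()] = {
            "reason": reason,
            "block_time": int(block),
            "remaining": None if remaining.lower() == "permanent" else int(remaining),
        }
    return entries

def audit(controllers):
    """controllers maps a name to CLI output; returns a per-controller report."""
    parsed = {name: parse_blacklist(out) for name, out in controllers.items()}
    all_macs = set().union(*parsed.values())
    report = {}
    for name, entries in parsed.items():
        report[name] = {
            "missing": sorted(all_macs - set(entries)),  # blacklisted elsewhere only
            "permanent": sorted(m for m, e in entries.items() if e["remaining"] is None),
            "capacity_used": len(entries) / MAX_ENTRIES,
        }
    return report

if __name__ == "__main__":
    print(audit({"master": MASTER_OUTPUT, "local": LOCAL_OUTPUT}))
```

A non-empty "missing" list for a controller means a client blacklisted elsewhere can still associate through APs terminated on that controller.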