Network Management

I want to enable blacklisting with failed auths on about 20 aruba controllers.  Can I apply a single command via Airwave?  We currently dont provision AP's or apply configurations via Airwave now.  Running latest code on everything.

You *can* do this with Airwave but you have to make sure that all controllers in the Group share a similar config because once you move to manage mode in the Group, it will use one of the controller's configs as a config template to then sync to all other controllers in the same group.  You can use overrides for the 20 controllers you wish to add the blacklist to.

Another thought...do you have Clearpass?  If not you really should consider it :-).  In there, we can write both the blacklisted clients and a policy to say if an auth comes in from X device group (20 controllers) AND the client Mac/user ID/device is part of the blacklist, then deny access or even redirect to a captive portal explaining what happened.  See below example.  We can write this blacklist based on a simple list or using more flexible regular expressions.  We can also write the blacklist on other context variables like device types and usernames/AD groups.

Hope this helps!

Yes, I have "accidently" pushed a config to another controller and they were not exact.  So I am scared to change to modify mode via Airwave.

We do have and use Clearpass.. I have the blacklisting enabled and working on 1 of our controllers, just want to enable the exact thing on all our remote controllers.

Well...if you have Clearpass, then have that solution do the blacklisting and don't worry about the controller config blacklisting devices.

Is there any documentation on creating a blacklist policy via Clearpass?  Basically how we have it setup now.. a wireless client connecting to our employee SSID has 4 attempts to connect to the network.. with 4 failed attempts, the client will be blacklisted for 60 mins and then try again.  We do this to avoid clients being locked out (via AD).. 5 failed password attempts will lock the client out and can only be unlocked by the helpdesk.. to elevate calls, the account will never be locked via the wireless.

Try this...

Attachment(s)

Preventing AD account lockout for ClearPass.pdf   593 KB 1 version

You can then blacklist on the controller FROM Clearpass using this logic...

http://community.arubanetworks.com/t5/ClearPass-Recipes/Blacklist-a-user-on-an-Aruba-Controller/ta-p/204337

thanks.. I will test that.  will I be able to see the clients who are actually being blacklisted?  I am able to monitor it currently on each controller.