How to Blacklist Wired Clients based on ACL hits

MVP Expert
Requirement:

How to Blacklist Wired Clients in 8.x controllers/network based on ACL hits?



Solution:

When a client is blacklisted in the controller, the client is not allowed to associate with any AP in the network for a specified amount of time. If a client is connected to the network when it is blacklisted, a de-authentication message is sent to force the client to disconnect.

This feature is designed for wired clients connected through tunnel-mode RAPs (the wired user is terminated on the controller, so the controller can drop it and block it for the blacklist time).



Configuration:

Configure a session ACL whose rule carries the blacklist option. The rule below reads: source any, destination host 52.220.178.8, service any, action deny; "blacklist" blacklists the client that matches the rule and "log" writes the hit to the security log:

ip access-list session blacklist

any host 52.220.178.8 any deny blacklist log

 

Add the ACL to the role the wired clients land in. ACLs in a role are evaluated in order, so the blacklist ACL must sit before any ACL that would permit the same traffic (here it is placed at position 3):

(Aruba7210) [mynode] (config) #user-role authenticated

(Aruba7210) [mynode] (config-submode)#access-list session blacklist position 3

 

Set the blacklist timer, in seconds, in the wired authentication profile (600 keeps the client blacklisted for 10 minutes):

  (Aruba7024) ^[mynode] (config) #aaa authentication wired

  (Aruba7024) ^[mynode] (Wired Authentication Profile) #blacklist-time 600

 

To remove a blacklisted wired user from the blacklist table manually, before the timer expires:

  (Aruba7210) [mynode] (config) #delete-wired-blacklist-user mac b4:b5:2f:8d:cc:96

  Wired user with mac b4:b5:2f:8d:cc:96 removed.



Verification

Show command for listing blacklisted wired clients (Blacklist Time is the remaining time in seconds):

  (Aruba7210) [mynode] (config) #show wired-blacklist-clients

  Wired user Blacklist table

  --------------------------

  MAC                AP name  Slot/Port  Reason             Blacklist Time (Sec)

  ---                -------  ---------  ------             --------------------

  b4:b5:2f:8d:cc:96  ap205h   0/1        session-blacklist  600

 

Enable debug-level security logging on the controller so the authmgr blacklist events below are written to the security log (debug logging is verbose; turn it back down once troubleshooting is done):

logging level debugging security

 

Debug commands on the Aruba controller:

show log security <number>

 

(Aruba7205) #show wired-blacklist-clients

Wired user Blacklist table

--------------------------

MAC                AP name  Slot/Port  Reason             Blacklist Time (Sec)

---                -------  ---------  ------             --------------------

d0:67:e5:3f:e5:75  ap225    0/1        session-blacklist  599

(Aruba7205) #show user

This operation can take a while depending on number of users. Please be patient ....

 

Users

-----

    IP             MAC            Name     Role      Age(d:h:m)  Auth  VPN link  AP name  Roaming  Essid/Bssid/Phy  Profile  Forward mode  Type  Host Name  User Type

----------    ------------       ------    ----      ----------  ----  --------  -------  -------  ---------------  -------  ------------  ----  ---------     ---------

10.15.24.218  d0:67:e5:3f:e5:75            logon     00:00:04                             Wired    tunnel down      default                tunnel               WIRED

User Entries: 1/1

 Curr/Cum Alloc:4/585 Free:2/581 Dyn:6 AllocErr:0 FreeErr:0

(Aruba7205) #

 

(Aruba7205) #show log security 50

Aug 9 22:28:16 :124026:  <3705> <WARN> |authmgr|  wired_client_add_blacklist(): 12462, Adding wired user with mac d0:67:e5:3f:e5:75 to the blacklist table.

Aug 9 22:28:16 :124004:  <3705> <DBUG> |authmgr|   logging role event for 0x10d27bc: 0x225878c,0x10009, index 2

Aug 9 22:28:16 :124863:  <3705> <DBUG> |authmgr|  Auth GSM : IP_USER notify for mac d0:67:e5:3f:e5:75 ip:10.15.24.218 pan-integ:Disabled - UserDeauth

Aug 9 22:28:16 :124105:  <3705> <DBUG> |authmgr|  MM: mac=d0:67:e5:3f:e5:75, state=3, name=smoke1, role=logon, dev_type=, ipv4=10.15.24.218, ipv6=10.15.24.218, new_rec=1.

Aug 9 22:28:16 :124105:  <3705> <DBUG> |authmgr|  MM: mac=d0:67:e5:3f:e5:75, state=3, name=, role=logon, dev_type=, ipv4=10.15.24.218, ipv6=10.15.24.218, new_rec=0.

Aug 9 22:28:16 :124004:  <3705> <DBUG> |authmgr|  Station delete : mac d0:67:e5:3f:e5:75

Aug 9 22:28:16 :124004:  <3705> <DBUG> |authmgr|  vlan_alloc_update (vlan_alloc.c:144): Vlan Alloc  usage ; usage=2 vlan 24

Aug 9 22:28:16 :124225:  <3705> <DBUG> |authmgr|  auth_send_vlan_usage_to_stm Sending STM wired vlan info: vlan 24, status DOWN

Aug 9 22:28:16 :124006:  <3705> <WARN> |authmgr|  {336} TCP srcip=10.15.24.218 srcport=58849 dstip=216.58.197.46 dstport=443, action=deny, role=authenticated, policy=blacklist
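The log output above is what an operator reads by hand to work out why a client was blacklisted. The following script is an added example, not part of the original article and not Aruba code: it parses the "show log security" and "show wired-blacklist-clients" formats shown on this page, maps each blacklisted MAC to its IP (from the IP_USER line), attaches the ACL deny hits logged for that IP (policy, destination, port) and reports the remaining blacklist time. The input lines are constructed to match the formats above; the regular expressions assume exactly that format, so adjust them if your controller version prints the fields differently. Permit hits are parsed but not attributed to a blacklist.

```python
"""Correlate ArubaOS wired-blacklist events with the ACL hits that caused them.
Added example; sample input is constructed to match the page's output formats."""
import re
from collections import defaultdict

# Constructed sample of "show log security" lines (format as shown on this page).
SECURITY_LOG = """\
Aug 9 22:28:16 :124026:  <3705> <WARN> |authmgr|  wired_client_add_blacklist(): 12462, Adding wired user with mac d0:67:e5:3f:e5:75 to the blacklist table.
Aug 9 22:28:16 :124863:  <3705> <DBUG> |authmgr|  Auth GSM : IP_USER notify for mac d0:67:e5:3f:e5:75 ip:10.15.24.218 pan-integ:Disabled - UserDeauth
Aug 9 22:28:16 :124006:  <3705> <WARN> |authmgr|  {336} TCP srcip=10.15.24.218 srcport=58849 dstip=216.58.197.46 dstport=443, action=deny, role=authenticated, policy=blacklist
Aug 9 22:28:20 :124006:  <3705> <WARN> |authmgr|  {337} TCP srcip=10.15.24.219 srcport=40001 dstip=10.15.1.5 dstport=80, action=permit, role=authenticated, policy=allowall
"""

# Constructed sample of "show wired-blacklist-clients" output.
BLACKLIST_TABLE = """\
Wired user Blacklist table
--------------------------
MAC                AP name  Slot/Port  Reason             Blacklist Time (Sec)
---                -------  ---------  ------             --------------------
d0:67:e5:3f:e5:75  ap225    0/1        session-blacklist  599
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# Blacklist add event written by authmgr.
ADD_RE = re.compile(TS + r".*wired_client_add_blacklist\(\).*mac (?P<mac>" + MAC + r") to the blacklist table")
# MAC-to-IP binding from the IP_USER notification.
IPUSER_RE = re.compile(r"IP_USER notify for mac (?P<mac>" + MAC + r") ip:(?P<ip>[\d.]+)")
# ACL hit logged because the rule carries the "log" option.
ACL_RE = re.compile(
    TS + r".*\{\d+\} (?P<proto>\w+) srcip=(?P<srcip>[\d.]+) srcport=(?P<srcport>\d+) "
    r"dstip=(?P<dstip>[\d.]+) dstport=(?P<dstport>\d+), action=(?P<action>\w+), "
    r"role=(?P<role>[\w-]+), policy=(?P<policy>[\w-]+)")
# One data row of the blacklist table (header and dash rows do not match).
TABLE_RE = re.compile(r"^(?P<mac>" + MAC + r")\s+(?P<ap>\S+)\s+(?P<port>\d+/\d+)\s+"
                      r"(?P<reason>\S+)\s+(?P<secs>\d+)\s*$", re.M)


def parse_blacklist_table(text):
    """Rows of 'show wired-blacklist-clients' as dicts; remaining time as int seconds."""
    return [{**m.groupdict(), "secs": int(m.group("secs"))} for m in TABLE_RE.finditer(text)]


def parse_security_log(text):
    """Return (blacklist add events, mac->ip map, ACL hit records) from log lines."""
    adds, mac_ip, hits = [], {}, []
    for line in text.splitlines():
        if (m := ADD_RE.search(line)):
            adds.append({"ts": m.group("ts"), "mac": m.group("mac")})
        elif (m := IPUSER_RE.search(line)):
            mac_ip[m.group("mac")] = m.group("ip")
        elif (m := ACL_RE.search(line)):
            hits.append(m.groupdict())
    return adds, mac_ip, hits


def blacklist_report(log_text, table_text):
    """Per blacklisted MAC: when it was added, its IP, remaining seconds and the deny hits."""
    adds, mac_ip, hits = parse_security_log(log_text)
    ip_mac = {ip: mac for mac, ip in mac_ip.items()}
    hits_by_mac = defaultdict(list)
    for h in hits:
        # Only deny hits from an IP we can tie to a wired MAC are attributed.
        if h["action"] == "deny" and h["srcip"] in ip_mac:
            hits_by_mac[ip_mac[h["srcip"]]].append(h)
    remaining = {row["mac"]: row["secs"] for row in parse_blacklist_table(table_text)}
    return {a["mac"]: {"added": a["ts"], "ip": mac_ip.get(a["mac"]),
                       "remaining_secs": remaining.get(a["mac"]),
                       "hits": hits_by_mac.get(a["mac"], [])} for a in adds}


if __name__ == "__main__":
    for mac, info in blacklist_report(SECURITY_LOG, BLACKLIST_TABLE).items():
        print(f'{mac} ip={info["ip"]} added={info["added"]} remaining={info["remaining_secs"]}s')
        for h in info["hits"]:
            print(f'   policy={h["policy"]} {h["proto"]} -> {h["dstip"]}:{h["dstport"]} ({h["action"]})')
```

In practice the two inputs come from the controller (for example collected over SSH or from syslog forwarding of the security category); because the report keys on the IP_USER binding, the debug-level security logging shown above has to be enabled for the correlation to work.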

Version history
Revision #:
1 of 1
Last update:
03-21-2019 02:50 PM