Environment Information : Any Aruba Controllers and Aruba OS
Redundancy setup (Master-local, Master-standby, local-local)
Symptoms : Clients blacklisted on one Controller are still able to connect to another Controller.
Cause : In a Multi-Controller environment, we must define the manual blacklisted clients on each Controller.
Resolution :
There is no centralized way to blacklist the clients for all the controllers, to blacklist a client you’ll have to manually add it by logging into each controller individually.
The command "stm add-blacklist-client" can keep that client off your network, even though it is not currently on your system.
In the GUI, you can only blacklist a client that has already connected to your system. To blacklist a client, you would simply just do the following in enable mode:
(Aruba800-4) #stm add-blacklist-client 00:23:12:53:1d:f4
To show what clients are blacklisted you would use the "show ap blacklist-clients" command:
(Aruba800-4) #show ap blacklist-clients
Blacklisted Clients
-------------------
STA reason block-time(sec) remaining time(sec)
--- ------ --------------- -------------------
00:23:12:53:1d:f4 user-defined 5 Permanent
Please note, that in order for a user to be blacklisted, the "station blacklist" parameter must be enabled in the Virtual-AP that the user is trying to connect to. Also, the "blacklist time" parameter in the Virtual-AP must be populated with the time you want the user to be denied (in seconds) when you blacklist the user. If this parameter is zero, it is permanent. What this means is that if you have an "Employee" network and a "Guest" network and you have blacklisted a user, he will be denied access to the Employee network if you have blacklisting enabled in the Employee Virtual AP, but that client will still be able to connect to the Guest network if you don't have blacklisting enabled in that Virtual ap, so you need blacklisting enabled in both.
If you have user debugging configured, a client that has been blacklisted but is being rejected by the system will show up in the user log as follows:
(Aruba800-4) #show log user all | include 00:23:12:53:1d:f4
Dec 21 21:49:34 :501103: |stm| Blacklist add: 00:23:12:53:1d:f4: Reason: user-defined <-------Administrator Manually added Blacklist
Dec 21 21:50:07 :501097: |stm| Assoc request: 00:23:12:53:1d:f4: Dropped AP 1.1.1.246-00:0b:86:42:a1:20-Study-AP65 for STA DoS protection <---Shows up when blacklisted user tries to associate
Dec 21 21:50:34 :501080: |stm| Deauth to sta: 00:23:12:53:1d:f4: Ageout AP 1.1.1.246-00:0b:86:42:a1:28-Study-AP65 Denied; STA Blacklisted
To remove a user from blacklist, use the "stm remove-blacklist-client" command:
(Aruba800-4) #stm remove-blacklist-client 00:23:12:53:1d:f4
The following two messages in the user debug denote a user blacklist that is removed by the administrator (via command line or gui) and the second denotes when the blacklist timer has expired:
(Aruba800-4) #show log user all | include 00:23:12:53:1d:f4
Dec 21 21:56:25 :501115: |stm| Blacklist del: 00:23:12:53:1d:f4: by administrator <--------- Administrator Removed blacklist
Dec 21 21:59:39 :501116: |stm| Blacklist del: 00:23:12:53:1d:f4: timeout <--------- Timer Expired and user's blacklist removed by timer.
Starting Aruba OS 6.0, we have a global command to configure the blacklist time. The time should be “0” for blacklisting a user indefinitely. The value here is in seconds.
(Aruba) (config) #ap ap-blacklist-time <ap-blacklist-time>
Answer
There is no centralized way to blacklist the clients for all the controllers, to blacklist a client you’ll have to manually add it by logging into each controller individually.
The command "stm add-blacklist-client" can keep that client off your network, even though it is not currently on your system.
In the GUI, you can only blacklist a client that has already connected to your system. To blacklist a client, you would simply just do the following in enable mode:
(Aruba800-4) #stm add-blacklist-client 00:23:12:53:1d:f4
To show what clients are blacklisted you would use the "show ap blacklist-clients" command:
(Aruba800-4) #show ap blacklist-clients
Blacklisted Clients
-------------------
STA reason block-time(sec) remaining time(sec)
--- ------ --------------- -------------------
00:23:12:53:1d:f4 user-defined 5 Permanent
Please note, that in order for a user to be blacklisted, the "station blacklist" parameter must be enabled in the Virtual-AP that the user is trying to connect to. Also, the "blacklist time" parameter in the Virtual-AP must be populated with the time you want the user to be denied (in seconds) when you blacklist the user. If this parameter is zero, it is permanent. What this means is that if you have an "Employee" network and a "Guest" network and you have blacklisted a user, he will be denied access to the Employee network if you have blacklisting enabled in the Employee Virtual AP, but that client will still be able to connect to the Guest network if you don't have blacklisting enabled in that Virtual ap, so you need blacklisting enabled in both.
If you have user debugging configured, a client that has been blacklisted but is being rejected by the system will show up in the user log as follows:
(Aruba800-4) #show log user all | include 00:23:12:53:1d:f4
Dec 21 21:49:34 :501103: |stm| Blacklist add: 00:23:12:53:1d:f4: Reason: user-defined <-------Administrator Manually added Blacklist
Dec 21 21:50:07 :501097: |stm| Assoc request: 00:23:12:53:1d:f4: Dropped AP 1.1.1.246-00:0b:86:42:a1:20-Study-AP65 for STA DoS protection <---Shows up when blacklisted user tries to associate
Dec 21 21:50:34 :501080: |stm| Deauth to sta: 00:23:12:53:1d:f4: Ageout AP 1.1.1.246-00:0b:86:42:a1:28-Study-AP65 Denied; STA Blacklisted
To remove a user from blacklist, use the "stm remove-blacklist-client" command:
(Aruba800-4) #stm remove-blacklist-client 00:23:12:53:1d:f4
The following two messages in the user debug denote a user blacklist that is removed by the administrator (via command line or gui) and the second denotes when the blacklist timer has expired:
(Aruba800-4) #show log user all | include 00:23:12:53:1d:f4
Dec 21 21:56:25 :501115: |stm| Blacklist del: 00:23:12:53:1d:f4: by administrator <--------- Administrator Removed blacklist
Dec 21 21:59:39 :501116: |stm| Blacklist del: 00:23:12:53:1d:f4: timeout <--------- Timer Expired and user's blacklist removed by timer.
Starting Aruba OS 6.0, we have a global command to configure the blacklist time. The time should be “0” for blacklisting a user indefinitely. The value here is in seconds.
(Aruba) (config) #ap ap-blacklist-time <ap-blacklist-time>