Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Can I "blacklist" all mobile devices from connecting to company wifi?

  • 1.  Can I "blacklist" all mobile devices from connecting to company wifi?

    Posted Sep 09, 2014 04:49 PM

    I have ClearPass as well as mobility controllers with 350 APs. Is there an easy way to disable devices from connecting to the wifi? We have AD policies requiring users to change their password every 90 days. They forget to change their wifi password on their smart device (BB, Android, iPhone) and their account gets locked out and someone from the service desk needs to unlock it. ClearPass gave us the ability to find the source of the lockout, but it is still cumbersome. Can I revoke this globally?



  • 2.  RE: Can I "blacklist" all mobile devices from connecting to company wifi?

    EMPLOYEE
    Posted Sep 09, 2014 05:19 PM
    Not really. The device has to connect once in order for it to be profiled, and then you can put the user into a deny all role, but at that point authentication has already happened.

    Why not onboard the devices to alleviate the password issues?


  • 3.  RE: Can I "blacklist" all mobile devices from connecting to company wifi?

    EMPLOYEE
    Posted Sep 09, 2014 11:55 PM

    Also, if you are running Aruba controllers you can enable the blacklist for failed auths.

     

    For example: you can blacklist anyone that failed authentication 4 times so if your AD has a 5 failed auth limit they will not lock up the AD account.

     

    Screen Shot 2014-09-09 at 10.50.54 PM.png



  • 4.  RE: Can I "blacklist" all mobile devices from connecting to company wifi?

    Posted Sep 10, 2014 10:13 AM

    Yes, I have Aruba controllers. Once the client fails auth 4 times, it will not allow them to connect? Does it blacklist it for good? Because once they fix their password issue, I want them to connect again.



  • 5.  RE: Can I "blacklist" all mobile devices from connecting to company wifi?

    EMPLOYEE
    Posted Sep 10, 2014 10:42 AM
    I believe it is by default 1 hour. One of the controller guys will need to confirm.
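
Added example, not part of the thread and not Aruba's code: a small simulation of the thresholds discussed above (station blacklisted at 4 failures, AD lockout at 5, a 1-hour blacklist timer). It assumes the controller counts failures per station MAC while AD counts per account and clears its counter after a reset window; the 30-minute window, the MACs and the account name are constructed.

```python
from collections import defaultdict

def replay(events, bl_after=4, bl_secs=3600, ad_after=5, ad_reset_secs=1800):
    """Replay failed logons given as (time_s, mac, account) tuples.

    Returns (locked_accounts, dropped): accounts AD would lock, and how many
    attempts the controller dropped before they could reach AD.
    """
    sta_fails = defaultdict(int)   # controller: failures per station MAC
    bl_until = {}                  # controller: MAC -> blacklist expiry time
    ad_fails = defaultdict(int)    # AD: bad-password count per account
    ad_last = {}                   # AD: time of the last bad password
    locked, dropped = set(), 0
    for t, mac, acct in sorted(events):
        if bl_until.get(mac, 0) > t:          # blacklisted: never reaches AD
            dropped += 1
            continue
        if t - ad_last.get(acct, t) > ad_reset_secs:
            ad_fails[acct] = 0                # AD reset window has elapsed
        ad_fails[acct] += 1
        ad_last[acct] = t
        if ad_fails[acct] >= ad_after:
            locked.add(acct)
        sta_fails[mac] += 1
        if sta_fails[mac] >= bl_after:
            bl_until[mac] = t + bl_secs
            sta_fails[mac] = 0
    return locked, dropped

def retries(mac, acct, start, tries, gap=30):
    """Constructed sample: one device retrying a stale password every gap s."""
    return [(start + i * gap, mac, acct) for i in range(tries)]

# Constructed scenario: one phone retrying 200 times, 30 s apart.
one_phone = retries("aa:aa:aa:aa:aa:01", "jdoe", 0, 200)
# Constructed scenario: phone and tablet on the same account, 3 failures
# each. Neither station reaches 4, but AD sees 6 bad passwords.
two_devices = (retries("aa:aa:aa:aa:aa:01", "jdoe", 0, 3)
               + retries("aa:aa:aa:aa:aa:02", "jdoe", 5, 3))

if __name__ == "__main__":
    print("one phone, AD reset 30 min:", replay(one_phone))
    print("one phone, AD reset 2 h:   ", replay(one_phone, ad_reset_secs=7200))
    print("two devices, one account:  ", replay(two_devices))
```

In this model the account stays unlocked only while the blacklist timer is longer than the AD counter reset window, and a second device on the same account can still trigger a lockout without either station being blacklisted.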


  • 6.  RE: Can I "blacklist" all mobile devices from connecting to company wifi?

    Posted Sep 29, 2014 09:34 AM

    I enabled this; however, lockout clients are still attempting to connect. Is there something else that needs to be enabled?

     

    Capture.JPG



  • 7.  RE: Can I "blacklist" all mobile devices from connecting to company wifi?

    EMPLOYEE
    Posted Sep 29, 2014 09:52 AM

    Do you have station blacklisting enabled in your virtual-ap?



  • 8.  RE: Can I "blacklist" all mobile devices from connecting to company wifi?

    Posted Sep 29, 2014 10:22 AM

    Yes



  • 9.  RE: Can I "blacklist" all mobile devices from connecting to company wifi?

    Posted Sep 29, 2014 10:24 AM

    Does anything need to be enabled here?

    Capture.JPG



  • 10.  RE: Can I "blacklist" all mobile devices from connecting to company wifi?

    Posted Oct 12, 2014 06:34 AM

    I don't believe so. Is it still not working? Have you tested it yourself to see if you get on the blacklist?



  • 11.  RE: Can I "blacklist" all mobile devices from connecting to company wifi?

    Posted Oct 13, 2014 09:41 AM

    Yes, I have this working. Works great. Just enabled it on the controller with a timer.



  • 12.  RE: Can I "blacklist" all mobile devices from connecting to company wifi?

    Posted Sep 10, 2014 09:26 AM

    The problem with onboarding is that they are already company-provisioned devices (MDM = AirWatch). Also, BlackBerry is not supported, and I would have to create a separate SSID for mobile devices because we have company laptops connecting already. I don't want cert-based auth for laptops.