Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

  • 1.  Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    Posted Jan 10, 2012 09:13 AM

    Hi, can anyone advise me on how to change the default blacklist timeout period?


    #3600


  • 2.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)
    Best Answer

    Posted Jan 10, 2012 09:22 AM

    See pages 580-583 in the user guide:

     

    Blacklist Duration
    You can configure the duration that clients are blacklisted on a per-SSID basis via the virtual AP profile.
    There are two different blacklist duration settings:
      - For clients that are blacklisted due to authentication failure. By default, this is set to 0 (the client is blacklisted indefinitely).
      - For clients that are blacklisted due to other reasons, including manual blacklisting. By default, this is set to 3600 seconds (one hour). You can set this to 0 to blacklist clients indefinitely.
    To configure the blacklist duration via the WebUI:
    1. Navigate to the Configuration > Wireless > AP Configuration page.
    2. Select either AP Group or AP Specific tab. Click Edit for the AP group or AP name.
    3. In the Profiles list, select Wireless LAN, then Virtual AP. Select the virtual AP instance.
      - To set a blacklist duration for authentication failure, enter a value for Authentication Failure Blacklist Time.
      - To set a blacklist duration for other reasons, enter a value for Blacklist Time.
    4. Click Apply.
    To configure the blacklist duration via the command-line interface, access the CLI in config mode and issue the following commands:
        wlan virtual-ap <profile>
           auth-failure-blacklist-time <seconds>
           blacklist-time <seconds>

     .. John



  • 3.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    Posted Jan 10, 2012 09:38 AM

    top man John



  • 4.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    EMPLOYEE
    Posted Sep 18, 2012 06:04 AM

    Hi John,

     

    I have a client continually failing authentication and am being flooded with messages from Airwave.  It seems to be someone who tried to connect with their phone, failed, and now that phone is constantly trying to connect.

     

    I set the blacklist-time on the vap to 0, but when I manually blacklist the client and then do a 'show ap blacklist-client', it is not showing as indefinite.

     

    Version 6.1.3.4



  • 5.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    Posted Oct 25, 2012 06:15 PM

    Same here, it keeps saying 3600 even though I have set both to 0 as mentioned in the user guide posted above.



  • 6.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    Posted Oct 25, 2012 06:52 PM

    The command is not in the 6.1 documentation; I had to call Aruba support to get the undocumented command: config t, ap ap-blacklist-time 0



  • 7.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    Posted Oct 26, 2012 04:15 AM

    I'm actually on 6.1.3, but when I block some devices on the same SSID it appears to work for some but not others. See below: some are counting down for the 1 hour default, but others have been blocked for hours. Any ideas?

     

    Capture.JPG



  • 8.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    EMPLOYEE
    Posted Oct 26, 2012 07:27 AM

    If a client is associated, it will get the blacklist timer from the Virtual AP that it is currently connected to.  If it is not connected, it will get the blacklist timer from the "ap-blacklist-time" parameter.

     



  • 9.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    Posted Oct 26, 2012 08:54 AM

    OK, but I have set both parameters to 0, shouldn't that permanently exclude?



  • 10.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    EMPLOYEE
    Posted Oct 26, 2012 09:04 AM

    What version of 6.1.3 are you on?  That is when the last parameter appeared.

     

    How are you blacklisting that client?

     



  • 11.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    Posted Oct 26, 2012 09:06 AM

    6.1.3.0

     

    I have just upgraded the other partition to 6.1.3.4, but can't reboot until next week.



  • 12.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    Posted Oct 26, 2012 09:07 AM

    I select the client from the monitoring client list and then click on the blacklist option at the bottom.



  • 13.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    EMPLOYEE
    Posted Oct 26, 2012 09:15 AM

    If the client is connected it would get it from the Virtual AP.  First you need to find out what virtual AP the client is connected to and then what that timer is.  If you blacklist on the commandline when the user is not connected, it will take the "ap blacklist-time" parameter.

     

    "show ap blacklist-time" will tell you what that is.  By default it is 3600 seconds.  To blacklist a user:

     

    (host) #stm ?  
    add-blacklist-client    Add a client to DoS list
    kick-off-sta            Kick off an STA
    purge-blacklist-clien.. Purge all clients from DoS list
    remove-blacklist-clie.. Remove a client from DoS list
    

     



  • 14.  RE: Blacklist Clients on 3600 controller (ArubaOS 6.1.2.2)

    Posted Nov 16, 2012 03:16 PM

    Just an FYI, you can max blacklist for 2147483647 seconds, which is 24855 days or 68 years.
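
The timer selection described in replies 8 and 13, as an added example that is not from any poster or from Aruba: it audits a saved configuration and reports how long a blacklisted client would stay blocked, which explains the mixed results in reply 7. The function names, the sample configuration and its layout (quoted profile names, `!` terminators) are assumptions made for illustration.

```python
import re

MAX_SECONDS = 2**31 - 1   # 2147483647, the maximum quoted in the thread
VAP_DEFAULTS = {"auth-failure-blacklist-time": 0, "blacklist-time": 3600}
GLOBAL_DEFAULT = 3600     # default of the controller-wide timer per the thread

# Constructed sample; the quoted names and "!" terminators are assumed layout.
SAMPLE_CONFIG = """
ap ap-blacklist-time 0
wlan virtual-ap "corp-vap"
   blacklist-time 0
!
wlan virtual-ap "guest-vap"
   auth-failure-blacklist-time 600
!
"""

def seconds_in_range(text):
    value = int(text)
    if not 0 <= value <= MAX_SECONDS:
        raise ValueError(f"blacklist time out of range: {value}")
    return value

def parse_timers(config):
    """Return (global_timer, {vap: {setting: seconds}}) with defaults filled in."""
    global_timer, vaps, current = GLOBAL_DEFAULT, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r'wlan virtual-ap "?([^"]+)"?', line):
            current = vaps.setdefault(m.group(1), dict(VAP_DEFAULTS))
        elif line == "!":
            current = None
        # Both spellings of the controller-wide command appear in the thread.
        elif m := re.fullmatch(r"ap (?:ap-)?blacklist-time (\d+)", line):
            global_timer = seconds_in_range(m.group(1))
        elif current is not None and (
            m := re.fullmatch(r"((?:auth-failure-)?blacklist-time) (\d+)", line)
        ):
            current[m.group(1)] = seconds_in_range(m.group(2))
    return global_timer, vaps

def effective_duration(global_timer, vaps, vap=None, reason="manual"):
    """Seconds a client stays blacklisted, or None for indefinitely (timer 0).

    vap is the virtual AP the client is associated to, None if not connected.
    """
    if vap is None:
        seconds = global_timer
    else:
        key = "auth-failure-blacklist-time" if reason == "auth-failure" else "blacklist-time"
        seconds = vaps[vap][key]
    return seconds or None
```

With the sample above, a client blacklisted while associated to guest-vap still expires after 3600 seconds even though the controller-wide timer is 0, because that profile never had its own blacklist-time changed.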