Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

  • 1.  Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

    Posted Feb 11, 2014 10:31 PM

    On Cisco WLAN, there is a function per SSID called Client Exclusion which can be toggled on or off, and which can put a client device in a time-configurable "penalty box" after 3 failed 802.1x auth attempts. With the feature on, sometimes good clients get caught, but with it off, the RADIUS servers can get pounded by bad client auths from devices that are either misconfigured or that just find the SSID. Too many of these clients can DOS the RADIUS servers, so using Client Exclusion is a must. In Aruba's WLAN, is there similar functionality, and is the number of failed attempts fixed or configurable?



  • 2.  RE: Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

    EMPLOYEE
    Posted Feb 11, 2014 10:33 PM
    You can blacklist after X number of auth failures.






    Sent from Windows Mail


  • 3.  RE: Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

    Posted Feb 12, 2014 11:56 AM

    Make sure you have blacklisting enabled on the Virtual AP and the "max authentication failures" configured on the related 802.1X-profile.

     

    Under "monitoring > blacklist clients" you can see which clients are blacklisted.



  • 4.  RE: Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

    Posted Feb 12, 2014 05:17 PM

    You know what, I couldn't resist sharing some thoughts on this.

     

    This Cisco feature is terrible.

     

    At one time, it was on by default (don't know if it is now).

     

    I've seen it cause horrible issues in certain environments. As we all know, clients tend to be unpredictable. In a couple of troubleshooting situations (warehouses mostly) I saw this cause instability and business impact. The fact was clients were triggering on the client exclusion. For example, handheld guns tend to reconnect and not send a DHCP. With some Cisco deployments, the result was guns being excluded due to "normal" behaviour. Consider other scenarios where the poorly engineered client fails to authenticate because, well it's poorly engineered (seen this too).

     

    It causes more pain than gain. I'm not a fan.

     

    A better way to exclude this from a security perspective, is get the auth server to lock out the account after a number of failures. BUT consider the engineering quality of your clients. Not all clients are created equal.



  • 5.  RE: Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

    Posted Feb 16, 2014 03:00 PM
    And you define both x and the length of block?


  • 6.  RE: Client "Exclusion" Function on Aruba WLAN, Impact on ClearPass RADIUS

    Posted Feb 17, 2014 10:48 AM

    The blacklist time is configurable under the VAP.  Default is 3600 seconds.
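As an added illustration, not configuration posted in the thread: the two settings post 3 describes (blacklisting on the Virtual AP, "max authentication failures" on the 802.1X profile) and the blacklist timer post 6 mentions, written as they would appear in ArubaOS controller CLI. Profile names are placeholders, the command names are as I recall them from ArubaOS 6.x, and 900 seconds is a chosen value rather than the 3600-second default.

```text
! Assumed ArubaOS controller CLI; profile names "corp-dot1x", "corp-aaa" and
! "corp-vap" are placeholders chosen for this example.

! Blacklist a client after 3 consecutive 802.1X failures.
! The default of 0 means failures never trigger blacklisting.
aaa authentication dot1x "corp-dot1x"
    max-authentication-failures 3
!
! The 802.1X profile is attached to the VAP through an AAA profile.
aaa profile "corp-aaa"
    authentication-dot1x "corp-dot1x"
!
! Enable blacklisting on the Virtual AP and set the penalty time in seconds
! (default 3600). A shorter value limits the impact on legitimate clients
! that simply mistype a password, while still rate-limiting repeat failures
! before they reach the RADIUS / ClearPass servers.
wlan virtual-ap "corp-vap"
    aaa-profile "corp-aaa"
    blacklist
    blacklist-time 900
!
! Verify the result; this is the CLI view of Monitoring > Blacklist Clients.
show ap blacklist-clients
```

Blacklisting is per VAP and the failure counter is per 802.1X profile, so a VAP that shares an AAA profile with another SSID inherits the same threshold.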