topic You can adjust the number of in Wireless

Failed Radius requests increase possible?

patoberli — Mon, 05 Jul 2021 10:18:51 GMT

Hello

We have a Cisco WLC 7.0.240.0 based infrastructure with Radius servers and a Windows domain. Some clients are joined, some are BYOD. Our SSID is protected with WPA2-Enterprise PEAP-MSCHAPv2 username/password authentication. No certificate and no machine authentication.

Now Windows default behavior, for devices joined to some domain, is to send the machine name as username when connecting the first few tries and only later the logged in username/password.

My WLC will block the client because of excessive, wrong authentication tries for a few seconds. This makes it impossible to join the client automatically, without manually creating the wifi-profile and disabling the "automatic machine or user authentication" option.

It looks like the WLC will block the client after 3 unsuccessful authentication tries.

Is there a way to increase those 3 to maybe 5 or 10? I have the hope that this is enough for Windows to change to the username/password combo instead of machine name.

Thanks

Patrick

You can adjust the number of

Stephen Rodriguez — Thu, 28 May 2015 15:24:47 GMT

You can adjust the number of attempts a client makes before it gets excluded...

Excluded Clients

HTH,
Steve

Hmm based on your link:Step 4

patoberli — Fri, 29 May 2015 05:40:27 GMT

Hmm based on your link:

Step 4

Configure the controller to exclude clients that reaches the maximum failure 802.1X authentication attempt with the RADIUS server by entering this command: config wps client-exclusion 802.1x-auth max-1x-aaa-fail-attempts

You can configure the maximum failure 802.1X authentication attempt from 1 to 3 and the default value is 3.

So the maximum seems to be only 3 😞

Oh and that command is not available for 7.0.

Hi,Yes config wps client

abwahid — Tue, 09 Jun 2015 08:55:36 GMT

Hi,

Yes config wps client-exclusion 802.1x-auth max-1x-aaa-fail-attempts is not available in 7.0 code.

Using the GUI to Configure Client Exclusion Policies

To configure client exclusion policies using the controller GUI, follow these steps:

Step 1 Choose Security > Wireless Protection Policies > Client Exclusion Policies

Step 2 Select any of these check boxes if you want the controller to exclude clients for the condition specified. The default value for each exclusion policy is enabled.

•Excessive 802.11 Association Failures—Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.

•Excessive 802.11 Authentication Failures—Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures.

•Excessive 802.1X Authentication Failures—Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures.

•IP Theft or IP Reuse—Clients are excluded if the IP address is already assigned to another device.

•Excessive Web Authentication Failures—Clients are excluded on the fourth web authentication attempt, after three consecutive failures.

Step 3 Click Apply to commit your changes.

Step 4 Click Save Configuration to save your changes.