11-26-2023 11:40 AM
Is it possible to instruct / trigger a 9800 WLC to move a wireless Client to the Excluded Clients list by sending a RADIUS av-pair to the WLC?
I am aware that it is possible to accomplish this via CLI like this:
EWC#conf t
Enter configuration commands, one per line. End with CNTL/Z.
EWC(config)#wireless exclusionlist 1111.2222.3333 desc "Manually excluded"
EWC(config)#^Z
EWC#wr
But can the same functionality be accomplished via RADIUS also? For example via CoA command to ISE, which would trigger ISE to send the necessary RADIUS av-pair to the WLC.
I am unable to find any documentation stating that this is possible so any help would be most appreciated!
Many thanks in advance!
11-26-2023 04:46 PM
Look at the SSID's Policy profile and look for Client Exclusion Timeout.
If enabled, this means multiple attempts to authenticate with the wrong password will "block" the wireless client from joining the SSID until the end of the exclusion period.
11-26-2023 09:53 PM
Thanks Leo, but this is not the functionality I am looking for. I need to be able to move a client to the Excluded Clients list immediately, preferably by triggering a CoA and using RADIUS. If I understand your proposal correctly (please correct me if I miss something), your proposal requires the client to perform multiple failed authentication attempts, which will then trigger an exclusion.
11-27-2023 01:57 AM
@2nhansen wrote:
I need to be able to move a client to the Excluded Clients list immediately
Not sure if this could be done using TCL.
11-27-2023 02:29 AM
The exclude list can be applied with RADIUS: if the user fails to access, the RADIUS sends an access reject and the WLC puts the client on the exclude list.
For EWC I will check whether this feature is available or not.
11-27-2023 06:03 AM
Config -> security -> wireless protection policy -> client exclusions policy
Then check op and select auth failure
MHM
11-27-2023 07:58 AM
I'm not aware of any way to do what you're asking but you might be able to do it via the yang models using netconf or restconf.
Check out https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/programmability-guide/b_c9800_programmability_cg/cisco-catalyst-9800-series-wireless-controller-programmability-guide.html
and
https://github.com/YangModels/yang/blob/main/vendor/cisco/xe/1791/Cisco-IOS-XE-wireless-general-cfg.yang
and you might need to look in some of the other models.
11-27-2023 08:32 AM
Thanks all for your help and suggestions! I will investigate further and post my findings here, if I am able to crack it.