Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
550
Views
3
Helpful
7
Replies

Can clients be moved to the Excluded Clients list on a 9800 via RADIUS

2nhansen
Level 1
Level 1

‎11-26-2023 11:40 AM

Is it possible to instruct / trigger a 9800 WLC to move a wireless Client to the Excluded Clients list by sending a RADIUS av-pair to the WLC?

I am aware that it is possible to accomplish this via CLI like this:

 

EWC#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
EWC(config)#wireless exclusionlist 1111.2222.3333 desc "Manually excluded"
EWC(config)#^Z
EWC#wr

 

But can the same functionality be accomplished via RADIUS also? For example via CoA command to ISE, which would trigger ISE to send the necessary RADIUS av-pair to the WLC.

I am unable to find any documentation stating that this is possible so any help would be most appreciated!

Many thanks in advance!

Labels:
0 Helpful
7 Replies 7

Leo Laohoo
Hall of Fame
Hall of Fame

‎11-26-2023 04:46 PM

Look at the SSID's Policy profile and look for Client Exclusion Timeout.  

If enabled, this means multiple attempts to authenticate with the wrong password will "block" the wireless client from joining the SSID until the end of the exclusion period.

0 Helpful

2nhansen
Level 1
Level 1
In response to Leo Laohoo

‎11-26-2023 09:53 PM

Thanks Leo, but this is not the functionality I am looking for. I need to be able to move a client to the Excluded Clients list immediately, preferably by triggering a CoA and using RADIUS. If I understand your proposal correct (please correct me if I miss something) your proposal requires the client to perform multiple failed authentication attempts, which will then trigger an exclusion.

0 Helpful

Leo Laohoo
Hall of Fame
Hall of Fame
In response to 2nhansen

‎11-27-2023 01:57 AM

@2nhansen wrote:
I need to be able to move a client to the Excluded Clients list immediately

Not sure if this could be done using TCL.  

0 Helpful

MHM Cisco World
VIP
VIP
In response to 2nhansen

‎11-27-2023 02:29 AM

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-6/b_Cisco_Wireless_LAN_Controller_Configuration_Best_Practices.html#concept_5E9C14D0D3A249A2986A15B65866F48F

The exclude list can apply with radius if user is failed to access the radius send access reject and wlc put the client to exclude list.

For EWC i will check if this feature is available or not.

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎11-27-2023 06:03 AM

Config-> secuirty->wireless protection policy->client exclusions policy 

Then check op and select auth failure 

MHM

Rich R
VIP
VIP

‎11-27-2023 07:58 AM

I'm not aware of any way to do what you're asking but you might be able to do it via the yang models using netconf or restconf.
Check out https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/programmability-guide/b_c9800_programmability_cg/cisco-catalyst-9800-series-wireless-controller-programmability-guide.html
and 
https://github.com/YangModels/yang/blob/main/vendor/cisco/xe/1791/Cisco-IOS-XE-wireless-general-cfg.yang
and you might need to look in some of the other models.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

2nhansen
Level 1
Level 1

‎11-27-2023 08:32 AM

Thanks all for your help and suggestions! I will investigate further and post my findings here, if I am able to crack it.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card