Client Exclusion Policies for 9800

tvancamp6
Level 1

Is it possible to create a client exclusion policy for the Cisco 9800s to prevent bad password attempts from locking out a user's AD account? I have found some documentation for configuring Client Exclusion Policies, which appears to be what I am after, but it all seems to be for AireOS, and I can't find the equivalent configuration on the 9800. I wanted to configure an exclusion policy to exclude a client that failed 802.1X authentication after 4 failed attempts. Our AD lockout policy is 5 failed attempts, so I'm hoping to stop the client from continually locking out the account before it hits AD. I have found the Client Exclusion policy under Wireless Protection Policies, but there aren't any options to configure the max failures or lockout duration, just some checkboxes to enable the events. We have 1 particular SSID that relies on PEAP for non-company-managed devices where this scenario is a problem. I couldn't find anything under this SSID's policy profile that would allow me to set a max failure count for bad passwords.

5 Replies

JPavonM
VIP

That policy can be only enabled in the RADIUS server (ISE/NPS) but not in the WLCs.

The only option is to tweak the Client Exclusion Policy in WLC to block the client for x amount of time if they send multiple failed authentications:

wireless wps client-exclusion dot11-assoc
wireless wps client-exclusion dot1x-auth
wireless wps client-exclusion dot1x-timeout
no wireless wps client-exclusion ip-theft
wireless wps client-exclusion web-auth

It's possible that I misunderstood the client exclusion policies. It appeared in the AireOS configuration that it was more customizable rather than just enabled or disabled, as you could specify the max-1x-aaa-fail-attempts; maybe this only applies when you are running internal RADIUS on the controller. If it's not possible to do from the controller, I will investigate the possibility of enabling MaxDenials in Microsoft NPS.

Saikat Nandy
Cisco Employee

Since your AD lockout policy is 5 failed attempts, it should not happen, because by design exclusion due to excessive 802.1X auth failures only happens when a client fails 3 consecutive attempts. On the 4th attempt it will be excluded.

I would love if this is how it was working, but unfortunately clients are not being excluded after 4 consecutive failed attempts and ultimately their accounts are being locked out in AD. I can confirm that we do have wireless wps client-exclusion dot1x-auth enabled. Just for clarity, this is on a 9800 running 17.9.6 code.

If possible, can you take an RA trace + EPC with the client MAC address as filter and share? Make sure that you start these first and then reproduce the issue.
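The reply above describes the exclusion mechanism (a client is excluded after 3 consecutive 802.1X failures), and the follow-up reports that accounts still reach the AD threshold of 5. The simulation below is an added example, not code from the thread or from Cisco: it models the controller counting consecutive failures per client MAC and Active Directory counting bad passwords per account, and runs constructed event sequences through both. The 60-second exclusion timer is an assumption (the thread never states the 9800's value), AD's "reset lockout counter after" window is deliberately not modelled (all retries are assumed to fall inside it), and the two-device scenario goes beyond the thread to show why a per-MAC exclusion cannot by itself keep a per-account counter under the lockout threshold.

```python
"""Per-MAC WLC client exclusion vs. per-account AD bad-password lockout.

Added example; the WLC behaviour follows the thread (excluded after 3
consecutive dot1x failures), the exclusion timer is an assumption, and the
auth events are constructed, not captured from a real controller.
"""
from dataclasses import dataclass, field

WLC_MAX_CONSECUTIVE_FAIL = 3   # from the reply: exclusion after 3 consecutive failures
WLC_EXCLUSION_SECONDS = 60     # assumed exclusion timer, not taken from the thread
AD_LOCKOUT_THRESHOLD = 5       # from the original post


@dataclass
class AuthEvent:
    t: float        # seconds since start of the scenario
    mac: str        # client MAC as seen by the WLC
    user: str       # AD account in the PEAP inner identity
    ok: bool        # True if the password the client sent is correct


@dataclass
class Outcome:
    wlc_exclusions: list = field(default_factory=list)  # (t, mac)
    ad_lockouts: list = field(default_factory=list)     # (t, user)
    forwarded: int = 0   # attempts that reached RADIUS and therefore AD
    dropped: int = 0     # attempts the WLC suppressed while the MAC was excluded


def simulate(events, max_fail=WLC_MAX_CONSECUTIVE_FAIL,
             exclusion_seconds=WLC_EXCLUSION_SECONDS,
             ad_threshold=AD_LOCKOUT_THRESHOLD):
    consecutive = {}     # mac  -> consecutive dot1x failures counted by the WLC
    excluded_until = {}  # mac  -> time at which the exclusion expires
    bad_pwd = {}         # user -> AD badPwdCount
    locked = set()       # accounts AD has locked
    out = Outcome()
    for ev in sorted(events, key=lambda e: e.t):
        if excluded_until.get(ev.mac, -1.0) > ev.t:
            out.dropped += 1          # WLC drops the association outright
            continue
        out.forwarded += 1
        if ev.user in locked:
            # AD rejects even a correct password; the WLC just sees another failure
            consecutive[ev.mac] = consecutive.get(ev.mac, 0) + 1
        elif ev.ok:
            consecutive[ev.mac] = 0   # success resets both counters
            bad_pwd[ev.user] = 0
            continue
        else:
            consecutive[ev.mac] = consecutive.get(ev.mac, 0) + 1
            bad_pwd[ev.user] = bad_pwd.get(ev.user, 0) + 1
            if bad_pwd[ev.user] >= ad_threshold:
                locked.add(ev.user)
                out.ad_lockouts.append((ev.t, ev.user))
        if consecutive[ev.mac] >= max_fail:
            excluded_until[ev.mac] = ev.t + exclusion_seconds
            consecutive[ev.mac] = 0   # counter restarts when the exclusion lapses
            out.wlc_exclusions.append((ev.t, ev.mac))
    return out


def single_device_retrying(attempts=8, interval=5.0):
    """Constructed: one laptop holding a stale password, retrying every 5 s."""
    return [AuthEvent(i * interval, "aa:bb:cc:00:00:01", "jdoe", False)
            for i in range(attempts)]


def two_devices_same_user(rounds=4, interval=5.0):
    """Constructed: laptop and phone of the same user, both with the old password."""
    evs = []
    for i in range(rounds):
        evs.append(AuthEvent(i * interval, "aa:bb:cc:00:00:01", "jdoe", False))
        evs.append(AuthEvent(i * interval + 1, "aa:bb:cc:00:00:02", "jdoe", False))
    return evs


if __name__ == "__main__":
    for name, evs in (("one device, 8 tries", single_device_retrying()),
                      ("one device, 40 tries", single_device_retrying(attempts=40)),
                      ("two devices, one account", two_devices_same_user())):
        r = simulate(evs)
        print(f"{name}: forwarded={r.forwarded} dropped={r.dropped} "
              f"exclusions={r.wlc_exclusions} lockouts={r.ad_lockouts}")
```

With a single device and a handful of retries the exclusion works as described: three failures reach AD, the MAC is excluded, and the account stays below 5. Two things still produce a lockout under this model. A client that keeps retrying past the exclusion timer contributes three more failures per exclusion cycle, and AD's counter is cumulative within its reset window, so the 40-attempt run locks the account on the 75-second mark. And two devices holding the same stale password each get their own three attempts, which is six against a threshold of five. Comparing the exclusion timestamps in the RA trace with the failure timestamps on the NPS/ISE side is the quickest way to tell which of the two is happening.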
