DHCP Denied, Still WLC Client?

ferriterj1
Level 1

I was wondering if we deny a wireless device in our DHCP filter on our Windows DC and that wireless client tries to connect to our WLAN, do they still show as a client on the WLC even though they are denied an IP address?


Basically, our WLC client list is getting a little high and we want to control the number until we can get our new WLC in place in a couple of months. I'm wondering if denying some clients through DHCP will be good enough to make sure that they don't end up as a client and take up those slots.


Thank you for any help!

4 Replies

Arshad Safrulla
VIP Alumni

I do not think denying DHCP is a good idea, since MAC randomization is supported in the majority of devices these days. You may also explore the idea of MAC filtering in the WLC; again, this will be useless if MAC randomization is enabled on the client side. I would look at deploying a RADIUS server with EAP-TLS to make sure only authorized clients are given access to the network. Keep in mind this requires very good working knowledge of PKI infrastructure, RADIUS server and identity source integration, dot1x configuration in the WLC, certificate distribution mechanisms to the clients, etc. You can check on EAP-PEAP, which uses a username+password combination, but I always recommend EAP-TLS.


Leo Laohoo
Hall of Fame

The answer to the question is right dancing in front of everyone:  DHCP.  

Limit the size of the DHCP pool to correspond to the number of wireless clients the organization wants.

Tony Rosolek
Level 1

If you limit IP pools or DHCP assignments WLAN clients will still be able to connect to your access points. WLAN authentication and association happens before the clients request an IP address. WLAN stuff is on OSI Layer 1+2 and IP addressing happens on Layer 3. 


I think a client which can connect to the network, but is not receiving an IP address, is not a good idea, because these clients will be unhappy with your network service and will probably call the service desk. As mentioned by @Arshad Safrulla, this can also cause other problems related to MAC randomization.


The majority of WLCs have a fixed client limit. For example, the Cisco 2504 can support 1,000 clients. Why do you want to manually limit the clients? Is it due to limited bandwidth or something else? Maybe you can share the background, then we might have alternative ideas on how you can solve this problem.


Two potential ideas: 

- limit the number of users per SSID (WLAN -> Edit -> Advanced -> Maximum Allowed Clients)

- rate limit traffic per SSID/user

||| Please rate helpful posts. Thanks! |||
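As an added illustration of two points made in this thread (Tony's: a client that has associated already counts as a WLC client before it asks for an IP; Arshad's: MAC randomization makes a MAC filter ineffective), the following Python script is not part of the original thread or any Cisco tooling. It assumes a five-column client table (MAC, AP name, WLAN ID, status, IP) that was constructed for the example and is not the layout of any real WLC command output. It counts associated clients with and without an IP, flags randomized (locally administered) MACs, and gives the per-WLAN counts that a per-SSID "Maximum Allowed Clients" limit would act on.

```python
"""Triage a WLC-style client list for two questions raised in the thread:
which associated clients hold a controller slot without ever getting an IP,
and which use a randomized MAC that a MAC filter could not pin down.

Added example, not controller output or Cisco code. The rows below are
constructed, and their column layout (MAC, AP name, WLAN ID, status, IP) is
an assumption, not the exact format of any `show client` command.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed sample rows; 0.0.0.0 stands for "no IP learned yet".
SAMPLE_CLIENTS = """\
00:1a:2b:3c:4d:5e  AP-LOBBY-01   1  Associated  10.10.20.15
02:5f:88:9a:bc:de  AP-LOBBY-01   1  Associated  10.10.20.40
a4:83:e7:11:22:33  AP-FLOOR2-03  1  Associated  0.0.0.0
da:1f:9c:00:11:22  AP-FLOOR2-03  2  Associated  0.0.0.0
00:1a:2b:3c:4d:60  AP-FLOOR3-01  1  Probing     0.0.0.0
"""


@dataclass
class Client:
    mac: str
    ap: str
    wlan: int
    status: str
    ip: str


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    Randomized "private" MACs generated by the client OS set this bit;
    vendor-assigned addresses from a registered OUI leave it clear.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_clients(text: str) -> list[Client]:
    """Parse the constructed five-column table; malformed lines are skipped."""
    clients: list[Client] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        mac, ap, wlan, status, ip = parts
        clients.append(Client(mac.lower(), ap, int(wlan), status, ip))
    return clients


def triage(clients: list[Client]) -> dict:
    """Summarize slot usage and MAC-filter exposure for associated clients."""
    associated = [c for c in clients if c.status == "Associated"]
    without_ip = [c for c in associated if c.ip == "0.0.0.0"]
    randomized = [c for c in associated if is_locally_administered(c.mac)]
    return {
        # Every associated client occupies a controller slot, IP or not.
        "associated": len(associated),
        "associated_without_ip": len(without_ip),
        "without_ip_macs": sorted(c.mac for c in without_ip),
        # These addresses change over time, so a static MAC filter cannot track them.
        "randomized_mac": len(randomized),
        "randomized_macs": sorted(c.mac for c in randomized),
        # Per-WLAN counts are what a per-SSID maximum-clients setting limits.
        "per_wlan": dict(Counter(c.wlan for c in associated)),
    }


if __name__ == "__main__":
    summary = triage(parse_clients(SAMPLE_CLIENTS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the constructed rows it reports four associated clients, two of them without an IP (so a DHCP deny on its own freed no slot), two with randomized MACs, and three clients on WLAN 1 versus one on WLAN 2. Feeding it real data would only require adapting `parse_clients` to the actual column layout of your controller's client listing.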

Scott Fella
Hall of Fame

Don't do that... you will cause user experience issues and everyone will blame the network! Design for the increase in clients and density; that is the best way to tackle this and to improve the overall user experience. If you see high clients per AP, then you don't have enough AP density in your environment. If you are reaching the limit of your controller, then that means you need to look at another model that can handle the load. When you start limiting the number of clients per AP or per WLAN, you will have users that are able to connect at times and not connect at times. If you were one of those users, what would your experience be?

-Scott
*** Please rate helpful posts ***