Excluded clients on Cisco WLC 5508

living_laser
Level 1

Hello

Need some help on a Cisco WLC 5508: clients get into "excluded" status after 5 wrong attempts, and after that I have to manually select them and move them from excluded to "associated".

The question is how to automate this process on a time basis, i.e. a client should be blocked/excluded on wrong attempts, but after a certain period of time the client automatically gets back to associated status.

Is there any way to configure that?

Thanks

9 Replies

mohanak
Cisco Employee

Client exclusion might be enabled or disabled on a per-WLAN basis. By default it is enabled with a timeout of 60 seconds.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/117714-technote-aireoswlc-00.html

Freerk Terpstra
Level 7

What is the exact reason that the clients are getting excluded? You can find that information in the log of the WLC.

My advice is to look for the cause of the exclusions and see if you can fix them; if not, change your security policy or let them be excluded. A wrong client configuration, for example, could be the cause of multiple 802.1X authentication failures.

living_laser
Level 1

The reason may be any, i.e. multiple wrong credentials.

I have this feature enabled, and the clients are put in the excluded list.

But every time I have to take them out of the excluded list manually. My point is: is there any way to set a time period, say 1 hour, so that the client is excluded for 1 hour and after 1 hour is returned to associated automatically?

You can configure this timeout under the advanced settings tab of the SSID; the default is 60 seconds, which should be fine. My guess is that in your configuration someone changed that value to 0, which could be the reason that you need to release them manually.

However, I still think that you need to investigate why these clients are getting excluded and whether you can do something about it.

Freerk

The clients getting excluded is fine; they are going in due to an excessive number of wrong password attempts.

But we are going to launch the wireless, and after that a lot of users will be getting excluded, and selecting them one by one to get them out would be quite a hectic job.

I still cannot find, in the advanced settings, how to remove them from excluded automatically.

Client Exclusion, in the WLAN advanced tab, sets a timer that will place the user in exclusion and will also remove them. If the device keeps sending bad credentials, they will never be removed. Please review these links for more info on how clients get excluded. If clients are getting excluded and you're using 802.1X, then you have issues you need to fix, either on the WLAN settings or on the devices themselves. You should not see any, to be honest.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0111010.html

-Scott
*** Please rate helpful posts ***

"When the user fails to authenticate, the controller excludes the client and the client cannot connect to the network until the exclusion timer expires or is manually overridden by the administrator."

This was from an older post of mine.

-Scott
*** Please rate helpful posts ***

Hi, good day Scott.

Security > Wireless Protection Policies > Client Exclusion Policies: this is where the exclusion policy is configured.

But I am unable to find the "timer" under WLANs --> Advanced --> AP Groups.

The exclusion policy should work, and it is working fine: when a user's AD password is expired/changed and the SSID is connected, the device keeps sending that old password, due to which the WLC puts it into excluded.

But it does not come back, even after forgetting the SSID and switching off wifi for 1-2 days (I practically did that).

I really need help in finding the "timer", because as wifi is being rolled out to more and more users, removing them from the excluded list is becoming time consuming.

Thanks

The timer is on the advanced tab in the WLAN configuration. If the user changes his/her password and gets excluded, then it's the laptop that is still sending the old credentials. If it's excluded and the device is still sending the wrong cached credentials, well, they will always be stuck in that excluded state. I tend not to use that feature anymore, to be honest, and one downfall of using PEAP with AD credentials is when the password expires. This will usually lock out the user's account, and what ends up happening is that users plug in wired, change their credentials, then reboot and connect to the wireless. This is from the feedback I get from my customers on what end users have to do to get back on the wireless. Excluded clients are just more of a headache if you constantly have to remove them from that list.

-Scott
*** Please rate helpful posts ***