01-01-2015 04:53 AM - edited 07-05-2021 02:12 AM
Hello
Need some help on a Cisco WLC 5508: clients get into "excluded" status after 5 wrong attempts, and after that I have to manually select them and move them from excluded back to "associated".
The question is how to automate this process on a time basis, i.e. the client should be blocked/excluded on wrong attempts, but after a certain period of time the client automatically gets back to associated status.
Is there any way to configure that?
Thanks
01-02-2015 03:16 AM
Client exclusion might be enabled or disabled on a per-WLAN basis. By default it is enabled with a timeout of 60 seconds.
01-02-2015 09:20 AM
What is the exact reason that the clients are getting excluded? You can find that information in the log of the WLC.
My advice is to look for the cause of the exclusions and see if you can fix them; if not, then change your security policy or let them be excluded. A wrong client configuration, for example, could be the cause of multiple 802.1X authentication failures.
01-04-2015 02:19 AM
The reason may be anything, i.e. multiple wrong credentials.
I have this feature enabled, and the clients are put in the excluded list.
But every time I have to take them out of the excluded list manually. My point is: is there any way to set a time period, say 1 hour, so that the client is excluded for 1 hour and after 1 hour it is returned to associated automatically?
01-04-2015 04:47 AM
You can configure this timeout under the Advanced settings tab of the SSID; the default is 60 seconds, which should be fine. My guess is that in your configuration someone changed that value to 0, which can be the reason that you need to release them manually.
However, I still think that you need to investigate why these clients are getting excluded and whether you can do something about it.
01-19-2015 03:25 AM
Freerk
The clients getting excluded is fine; they are excluded due to an excessive number of wrong password attempts.
But we are going to launch the wireless, and after that a lot of users will be getting excluded, and selecting them one by one to get them out would be quite a hectic job.
I still cannot find, in the Advanced settings, how to remove them from the excluded list automatically.
01-19-2015 03:55 AM
Client Exclusion in the WLAN Advanced tab sets a timer that will place the user in exclusion and will also remove them. If the device keeps sending bad credentials, they will never be removed. Please review these links for more info on how clients get excluded. If clients are getting excluded and you're using 802.1X, then you have issues you need to fix, either in the WLAN settings or on the devices themselves. You should not see any, to be honest.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0111010.html
-Scott
01-19-2015 03:57 AM
"When the user fails to authenticate, the controller excludes the client and the client cannot connect to the network until the exclusion timer expires or is manually overridden by the administrator."
This was from an older post of mine
-Scott
05-13-2015 05:40 AM
Hi , Good day Scott
Security > Wireless Protection Policies > Client Exclusion Policies: this is where the exclusion policy is configured.
But I am unable to find the "timer" under WLANs > Advanced > AP Groups.
The exclusion policy should work, and it is working fine: when a user's AD password is expired/changed and the SSID is connected, it keeps sending that old password, due to which the WLC puts it into excluded.
But it does not come back, even after forgetting the SSID and switching off Wi-Fi for 1-2 days (I practically did that).
I really need help in finding the "timer", because as Wi-Fi is being rolled out to more and more users, removing them from the excluded list is becoming time consuming.
Thanks
05-13-2015 05:59 AM
The timer is on the Advanced tab in the WLAN configuration. If the user changes his/her password and gets excluded, then it's the laptop that is still sending the old credentials. If it's excluded and the device is still sending the cached credentials wrong, well, they will always be stuck in that excluded state. I tend to not use that feature anymore, to be honest, and one downfall of using PEAP with AD credentials is when the password expires. This will usually lock out the user's account, and what ends up happening is that users plug in wired and change their credentials and then reboot and connect to the wireless. This is from the feedback I get from my customers on what end users have to do to get back on the wireless. Excluded clients are just more of a headache if you constantly have to remove them from that list.
-Scott
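To make the behaviour Scott describes in the two posts above concrete (the exclusion timer releases the client, but a device that keeps sending cached bad credentials is immediately re-excluded, and a timeout of 0 keeps the client excluded until an administrator releases it), here is an added example that models that policy in Python. It is not Cisco's code and not the WLC's actual implementation; the thresholds (5 failures within a 60-second window, a 60-second exclusion timer), the client MAC and the `ExclusionPolicy` class are assumptions chosen to mirror the thread.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical model of a WLC-style client exclusion policy (not Cisco's code).
# A client is excluded after max_failures consecutive authentication failures
# within failure_window seconds and released once exclusion_timeout seconds
# have elapsed. exclusion_timeout == 0 is modelled as the thread describes it:
# the exclusion never expires on its own and needs an administrator override.

@dataclass
class ClientState:
    failures: List[float] = field(default_factory=list)  # timestamps of recent failures
    excluded_until: Optional[float] = None               # None = not excluded
    manual_hold: bool = False                            # excluded with timeout 0


class ExclusionPolicy:
    def __init__(self, max_failures: int = 5, failure_window: float = 60.0,
                 exclusion_timeout: float = 60.0):
        self.max_failures = max_failures
        self.failure_window = failure_window
        self.exclusion_timeout = exclusion_timeout
        self.clients: Dict[str, ClientState] = {}

    def _state(self, mac: str) -> ClientState:
        return self.clients.setdefault(mac, ClientState())

    def is_excluded(self, mac: str, now: float) -> bool:
        st = self._state(mac)
        if st.manual_hold:
            return True
        if st.excluded_until is not None and now < st.excluded_until:
            return True
        st.excluded_until = None  # timer expired: released automatically
        return False

    def auth_attempt(self, mac: str, now: float, credentials_ok: bool) -> str:
        """Return 'excluded', 'failed' or 'associated' for one authentication attempt."""
        st = self._state(mac)
        if self.is_excluded(mac, now):
            return "excluded"
        if credentials_ok:
            st.failures.clear()
            return "associated"
        # keep only failures inside the sliding window, then count this one
        st.failures = [t for t in st.failures if now - t <= self.failure_window]
        st.failures.append(now)
        if len(st.failures) >= self.max_failures:
            st.failures.clear()
            if self.exclusion_timeout == 0:
                st.manual_hold = True
            else:
                st.excluded_until = now + self.exclusion_timeout
            return "excluded"
        return "failed"

    def admin_release(self, mac: str) -> None:
        """Administrator manually removes the client from the exclusion list."""
        st = self._state(mac)
        st.manual_hold = False
        st.excluded_until = None
        st.failures.clear()


MAC = "aa:bb:cc:dd:ee:ff"  # constructed sample client


def simulate(policy: ExclusionPolicy, attempts) -> List[str]:
    """Run (time, credentials_ok) attempts for one client and return the outcomes."""
    return [policy.auth_attempt(MAC, t, ok) for t, ok in attempts]


def stale_cached_password_scenario(timeout: float = 60.0) -> List[str]:
    """Device retries an expired password every 10 s for 10 minutes: it is released
    when the timer expires, fails again and is re-excluded, so it never associates."""
    return simulate(ExclusionPolicy(exclusion_timeout=timeout),
                    [(t, False) for t in range(0, 600, 10)])


def corrected_password_scenario(timeout: float = 60.0) -> List[str]:
    """Five bad attempts, then the user fixes the password: still excluded while the
    timer runs, associated on the first attempt after it expires, no admin needed."""
    attempts = [(t, False) for t in range(0, 50, 10)] + [(55, True), (105, True)]
    return simulate(ExclusionPolicy(exclusion_timeout=timeout), attempts)


def zero_timeout_scenario():
    """Timeout 0: correct credentials a day later still see 'excluded' until an
    administrator releases the client."""
    policy = ExclusionPolicy(exclusion_timeout=0)
    for t in range(0, 50, 10):
        policy.auth_attempt(MAC, t, False)
    stuck = policy.auth_attempt(MAC, 100000, True)
    policy.admin_release(MAC)
    freed = policy.auth_attempt(MAC, 100010, True)
    return stuck, freed


if __name__ == "__main__":
    print("stale password:", stale_cached_password_scenario().count("associated"), "associations")
    print("corrected password:", corrected_password_scenario())
    print("timeout 0:", zero_timeout_scenario())
```

The first scenario is the "stuck in excluded" case from the thread: the timer does its job every 60 seconds, but the client re-earns the exclusion within the next 50 seconds, so the only fix is at the client (clear the cached credential) rather than on the controller. The second shows the timer working as designed once the credential is corrected, and the third reproduces the effect of a timeout value of 0.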