cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
20999
Views
0
Helpful
9
Replies

Excluded clients on Cisco WLC 5508

living_laser
Level 1
Level 1

Hello

Need some help on Cisco WLC 5508, clients get into "excluded" status after 5 wrong attempts, after that I have to manually select and move them from excluded to "associated".

Question is how to automate this process, on time basis, ie client should be blocked / excluded on wrong attempts, but after certain period of time client automatically gets back to associated status.

Any way around to configure that.

 

Thanks

9 Replies 9

mohanak
Cisco Employee
Cisco Employee

Client exclusion might be enabled or disabled on a per-WLAN basis. By default it is enabled with a timeout of 60 seconds.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/117714-technote-aireoswlc-00.html

Freerk Terpstra
Level 7
Level 7

What is the exact reason that the clients are getting excluded? You can find that information in the log of the WLC.

My advise is to look for the cause of the exclusions and see if you can fix them, if not then change your security policy or let them be excluded. Wrong client configuration for example could be the cause for multiple 802.1X authentication failures.

living_laser
Level 1
Level 1

The reason may be any, ie multiple wrong credentials,

I have this feature enabled the clients are put up in excluded list.

But every time i have take them out manually from excluded list, here my point is there any way to set a time period say 1 hour , for 1 hour that client is excluded and after 1 hour that is returned to associated automatically ?

You can configure this timeout under the advanced settings tab of the SSID, the default is 60 seconds which should be fine. My guess is that in your configuration someone changed that value to 0, what can be the reason that you need to release them manually.

However, I still think that you need to investigate why does clients are getting excluded and if you can do something about it.

Freerk

The clients getting excluded is fine, they are going due to excessive number of wrong password attempts.

But we are going to launch the wireless and after that lot of users will be getting excluded, and selecting one by one and getting them out would be a quite hectic job.

I still can not find in the advanced settings , how to remove them from excluded automatically.

 

 

Client Exclusion in the WLAN advanced tab, sets a timer that will place the user in exclusion and will also remove them. If the device keeps sending bad credentials, they will never be removed. Please review these links for more info on how clients get excluded.  If clients are getting excluded and your using 802.1x, then you have issues you need to fix either on the WLAN setting or the devices itself.  You should not see any to be honest.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_0111010.html

-Scott

-Scott
*** Please rate helpful posts ***

"When the user fails to authenticate, the controller excludes the client and the client cannot connect to the network until the exclusion timer expires or is manually overridden by the administrator."

This was from an older post of mine

-Scott

-Scott
*** Please rate helpful posts ***

Hi , Good day Scott

Security > Wireless Protection Policies > Client Exclusion Policies ... This is where Exclusion policy is configured.

But Unable to find "timer" under WLANs --> Advanced --> AP Groups.

 

excluding policy should work , and its working fine, when a user's AD password is expired / changed and SSID is connected it keeps sending that old password, due to which WLC puts it into excluded.

But it does not comes back, even forget SSID, switch OFF wifi for 1-2 days (Practically did that).

 

Really need help in finding "timer" because as wifi is being rolled out to more and more users, removing them from excluded list is becoming time consuming.

 

 

Thanks

The timers is on the advanced tab in the WLAN configuration. If the user changes his/her password and gets excluded, then it's the laptop that is still Dennis the old credentials.  If it's excluded and the devices still is sending the cached credentials wrong, well, they will always be stuck in that excluded state. I tend to not use that feature anymore to be honest and on downfall of using PEAP with AD credentials is when the password expires. This will usually lock out the users account and what ends up happening is that users plug in wired and change their credentials and then reboot and connect to the wireless. This is from the feedback I get from my customers in what end users have to do to get back on the wireless.  Excluded clients is just more of a headache if you constantly have to remove them from that. 

-Scott

-Scott
*** Please rate helpful posts ***
Review Cisco Networking for a $25 gift card