Cisco Wireless LAN Controller Configuration Guide, Release 7.4
Configuring Client Exclusion Policies

Configuring Client Exclusion Policies (GUI)


    Step 1   Choose Security > Wireless Protection Policies > Client Exclusion Policies to open the Client Exclusion Policies page.
    Step 2   Select any of these check boxes if you want the controller to exclude clients for the condition specified. The default value for each exclusion policy is enabled.
    • Excessive 802.11 Association Failures—Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.
    • Excessive 802.11 Authentication Failures—Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures.
    • Excessive 802.1X Authentication Failures—Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures.

    • IP Theft or IP Reuse—Clients are excluded if the IP address is already assigned to another device.
    • Excessive Web Authentication Failures—Clients are excluded on the fourth web authentication attempt, after three consecutive failures.
    Step 3   Click Apply.
    Step 4   Click Save Configuration.

Configuring Client Exclusion Policies (CLI)


      Step 1   Enable or disable the controller to exclude clients on the sixth 802.11 association attempt, after five consecutive failures by entering this command:

      config wps client-exclusion 802.11-assoc {enable | disable}

      Step 2   Enable or disable the controller to exclude clients on the sixth 802.11 authentication attempt, after five consecutive failures by entering this command:

      config wps client-exclusion 802.11-auth {enable | disable}

      Step 3   Enable or disable the controller to exclude clients on the fourth 802.1X authentication attempt, after three consecutive failures by entering this command:

      config wps client-exclusion 802.1x-auth {enable | disable}

      Step 4   Enable or disable the controller to exclude clients if the IP address is already assigned to another device by entering this command:

      config wps client-exclusion ip-theft {enable | disable}

      Step 5   Enable or disable the controller to exclude clients on the fourth web authentication attempt, after three consecutive failures by entering this command:

      config wps client-exclusion web-auth {enable | disable}

      Step 6   Enable or disable the controller to exclude clients for all of the above reasons by entering this command:

      config wps client-exclusion all {enable | disable}

      Step 7   Use the following command to add or delete client exclusion entries.

      config exclusionlist {add MAC [description] | delete MAC | description MAC [description]}

      Step 8   Save your changes by entering this command:

      save config

      Step 9   See a list of clients that have been dynamically excluded, by entering this command:

      show exclusionlist

      Information similar to the following appears:

      Dynamically Disabled Clients
      ----------------------------
        MAC Address             Exclusion Reason        Time Remaining (in secs)
        -----------             ----------------        ------------------------
        00:40:96:b4:82:55       802.1X Failure          51
      
      Step 10   See the client exclusion policy configuration settings by entering this command:

      show wps summary

      Information similar to the following appears:

      Auto-Immune
        Auto-Immune.................................... Disabled
      
      Client Exclusion Policy
        Excessive 802.11-association failures.......... Enabled
        Excessive 802.11-authentication failures....... Enabled
        Excessive 802.1x-authentication................ Enabled
        IP-theft....................................... Enabled
        Excessive Web authentication failure........... Enabled
      
      Signature Policy
        Signature Processing........................ Enabled
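
Added example (not part of the Cisco guide): a Python script that audits captured output of show wps summary and show exclusionlist, reporting any client exclusion policy that differs from the documented default of enabled and listing the clients currently excluded. The sample captures are constructed from the output layouts shown above and the function names are this example's own. It assumes section headings start in column 0 and settings are indented beneath them.

```python
import re

# Constructed capture in the page's "show wps summary" layout; IP-theft is set
# to Disabled here (an assumption) so the audit has something to report.
WPS_SUMMARY = """\
Auto-Immune
  Auto-Immune.................................... Disabled
Client Exclusion Policy
  Excessive 802.11-association failures.......... Enabled
  Excessive 802.11-authentication failures....... Enabled
  Excessive 802.1x-authentication................ Enabled
  IP-theft....................................... Disabled
  Excessive Web authentication failure........... Enabled
Signature Policy
  Signature Processing........................ Enabled
"""
# Constructed capture of "show exclusionlist", reusing the row shown on the page.
EXCLUSIONLIST = """\
  MAC Address             Exclusion Reason        Time Remaining (in secs)
  -----------             ----------------        ------------------------
00:40:96:b4:82:55         802.1X Failure          51
"""

SETTING = re.compile(r"^\s+(.+?)\.{2,}\s*(Enabled|Disabled)\s*$")
CLIENT = re.compile(r"^\s*((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(.+?)\s+(\d+)\s*$", re.I)

def exclusion_policies(summary):
    """Map each Client Exclusion Policy setting to True (Enabled) or False."""
    policies, in_section = {}, False
    for line in summary.splitlines():
        if line.strip() and not line[0].isspace():  # column-0 line: section heading
            in_section = line.strip() == "Client Exclusion Policy"
            continue
        m = SETTING.match(line)
        if in_section and m:
            policies[m.group(1)] = m.group(2) == "Enabled"
    return policies

def disabled_policies(summary):
    """Names of policies that differ from the documented default of enabled."""
    return [name for name, on in exclusion_policies(summary).items() if not on]

def excluded_clients(listing):
    """Return (mac, reason, seconds_remaining) per dynamically excluded client."""
    return [(m.group(1).lower(), m.group(2), int(m.group(3)))
            for m in map(CLIENT.match, listing.splitlines()) if m]

if __name__ == "__main__":
    print("Disabled policies:", disabled_policies(WPS_SUMMARY))
    print("Excluded clients:", excluded_clients(EXCLUSIONLIST))
```

Settings outside the Client Exclusion Policy section, such as Auto-Immune, are ignored, so a Disabled value there is not reported as a weakened exclusion policy.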