CISCO WLC How to Block a Client

Hi,
We are using CISCO WLC and broadcasting a number of SSIDs.
    What we want to do is to block some specific users from specific SSIDs while letting them connect to another SSID.
    Does anyone have any idea?

You can use RADIUS 802.1X authentication, or you can set up MAC filtering on the WLC and specify which WLANs they can connect to. They will only be able to connect to one SSID though.
This setup you have is not normal, as you want a device to connect to only one SSID for simplicity and for user experience. Having them be able to connect to multiple SSIDs can lead to connectivity issues on the client side, since the device might switch back and forth between the different SSIDs. Also, the more SSIDs you have, the more noise in the environment. Typically 3-4 SSIDs max is suggested.
Sent from Cisco Technical Support iPhone App

Similar Messages

  • How to block "Wync" client ?

    Hello,
    I am looking for a hint on how to block the "Wync" client. It does not provide any Agent information and because of this seems "unblockable".
    Is there any way to block it?
    Kind regards,
    LL

    Hi,
    You can try to set this with the help of Client Version Policy and Client Version Configuration. After configuring the Client Version Policy, modify the default action in Client Version Configuration to Block or Block with URL according to your requirement.
    More details:
    http://technet.microsoft.com/en-us/library/gg520994.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • WLC - How to block a single client MAC address?

    Hi Sir,
    On a WLC (software version 4.1.185.0), how do I block a single client MAC address?
    I thought of using the SECURITY -> Disabled Clients. Is it right?
    There are currently 250 users connected to the WLC. MAC Filtering is not a scalable solution because as I understand it, we have to specify all the legitimate MAC addresses in the local database.
    Thank you.
    B.Rgds,
    Lim TS

    Hi Lim,
    As you have discovered, the MAC filtering on the WLC is an Allow (based on MAC address) rather than what you need, which is a Deny (based on MAC address). I have not tried this feature, but I think you are on the right track in using the Exclusion List (Blacklist) feature. Have a look:
    Use SECURITY > AAA > Disabled Client then click New or MONITOR > Clients then click Disable to navigate to this page.
    This page allows you to manually Exclusion List (blacklist) a client by MAC address.
    Add the MAC Address and an optional Client Description for the client to be disabled.
    Note: When you enter a client MAC address to be disabled, the Operating System checks that the MAC address is not one of the known Local Net clients (Local Net Users), Authorized clients (MAC Filtering), or Local Management users (Local Management Users) MAC addresses. If the entered MAC address is on one of these three lists, the Operating System does not allow the MAC address to be manually disabled.
    Hope this helps! Let us know.
    Rob

  • Cisco wlc ios 7.2 with clients windows 8 can not authenticate with 802.1x

    Hello my name is Ivan:
    I have a Cisco unified wireless solution with a WLC running 7.2 and Cisco APs. My issue is the following:
    My users are using laptops with Windows 8, and they cannot access the wireless network because they authenticate to the network using 802.1X WPA/WPA2 with TKIP or AES.
    I found a bug in the WLC software; the number is CSCua29504. I would prefer not to change the drivers on the laptops to get the users onto the solution.
    Is it possible to find software to upgrade the WLC? Or perhaps we need to upgrade the Cisco lightweight access points?
    Please help me in this issue.
    Regards
    Ivan

    Bug ID CSCua29504 has been fixed in WLC firmware 7.0.235.3, 7.3.101.X or 7.4.100.X.
    So if you are NOT running any one of these codes, then yes, upgrading your firmware is your solution.
    Fixed in:  (12)
    7.4(100.0),7.4(1.20),7.3(112.0),7.3(101.0),7.3(1.67)
    7.2(111.3),7.2(111.1),7.2(110.4),7.0(236.0),7.0(235.3)

  • Cisco WLC AP count over SNMP

    Hi,
    Is it possible to monitor the number of APs on a Cisco WLC and the number of wireless clients?
    I found only a list of AP names over SNMP...
    Thanks in advance

    Hi Ralf,
    If it's not too late:
    I use a script directly in the monitoring system:
    main () {
        # Each line returned for this LWAPP AP table column is one registered AP,
        # so the line count is the AP count.
        VALUE=`snmpwalk -v 2c -c xxxCommunityxxx X.X.X.X 1.3.6.1.4.1.9.9.513.1.1.1.1.2 | wc -l`
        echo "Message: Warning! Number of registered APs decreased."
        echo "Data:Count"
        # printf instead of echo: "\t" in echo is not portable across shells.
        printf 'Count\t%s\n' "$VALUE"
        exit 0
    }
    main "$@"
    This is shell, but you can use just one line:
    `snmpwalk -v 2c -c xxxCommunityxxx X.X.X.X 1.3.6.1.4.1.9.9.513.1.1.1.1.2 | wc -l`
    (from Linux)

  • How to Block LAP1242 AG connect WLC

    Hi Friends,
    Have you met this issue: the remote site (US) AP 1242s always connect to our site (ASIA) WLC 5508 (maybe caused by some DHCP configuration while troubleshooting; right now DHCP is back to normal, with vendor and option 43 only enabled for 1262 and 3602, no option 43 for 1242), but now we cannot block these AP 1242s from joining our site's 5508 WLC. Even when I reset the 1242 APs to the default configuration from the WLC GUI and CLI, they are back within minutes.
    Since our site's core switch and router cannot find these APs' MAC addresses, and those APs show no IP address in the WLC GUI and CLI, we don't know where they are. Can you please help?

    Well, that is how to block APs from joining :). If you know these APs have to join a specific WLC, then create a DHCP option 43 for these APs or temporarily create a DNS entry for these APs to join the WLC they are supposed to. You can't just block these APs from joining if you have mobility between the WLCs and/or if you're using option 43 and/or DNS that helps these APs join the WLC. So now what you're stuck with is making these join the right WLC. When you do that, then remove all your option 43 from DHCP and disable the DNS so none of the APs will be able to join the wrong WLC.
    Sent from Cisco Technical Support iPhone App

  • How many concurrent VPN client sessions available for cisco 2621XM?

    I have cisco router 2621XM with IOS c2600-advipservicesk9-mz.124-11.T4.
    I want to know how many concurrent VPN client sessions can be available in this image.

    Here is the configuration on the PIX:
    group-policy DfltGrpPolicy attributes
     wins-server value 10.0.0.67 10.0.0.68
     dns-server value 10.0.0.67 10.0.0.68
     vpn-simultaneous-logins 20
     vpn-idle-timeout 5
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value vpn-acl
     default-domain value mydomain.com
     address-pools value vpnpool

  • How to check if Cisco WSA is already blocking the malicious sites?

    Depends on what you mean, but in general what you did will not work.
    The usual intent of RMI is to have several processes running and all of them use one process as the repository.
    A static value is only visible in one VM instance, thus it will not be visible in another process.
    So in that situation you could check if the server socket that the RMI is using is open. But just catching the exception, presuming that you catch the correct one, is also sufficient.

  • Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users

    I've been given a fantastic "opportunity" by my boss to use our existing wireless infrastructure to provide internet access to potentially up to 2000 VIP guests arriving with BYOD devices, in a very densely populated area for a 3-day event. We are talking an area of approx. 200m x 15m. Think of it as an awards ceremony/concert. The solution will also be mobile, so we will be using internet breakout from different telcos as it will move to approx. 20 countries. The area is also incredibly densely populated with other Wi-Fi APs. I did a brief site survey and AirMagnet could detect over 2500 other 'rogue' APs from where I was standing! I hope CleanAir works!
    We need a simple authentication method for them to connect with zero admin from our side. We don't want to just offer up a rolling daily PSK as that's a bit amateur, and we don't really want the VIP guests sharing the PSK with others during their stay. Ideally they could self-provision by providing an email address.
    I know the WLC can handle webauth for local users, but I don't think it scales very well, i.e. I don't think I can offer the account to several hundred people.
    Cisco ISE looks a very expansive (and expensive) product, but I don't think we need all its capabilities (do I?). It would be nice to just ask a potential user for their email address, grant them access, and email them next year. I've seen Cisco NAC, but that looks over the top too for just guest users who will only be accessing a shared internet connection.
    I've seen supposed 3rd-party software solutions from Kiosk, Antamedia etc. Do they work with Cisco Enterprise WLC solutions?
    We'd like to limit users to a certain (low) bandwidth and block (say) torrent traffic to keep the general user experience worthwhile.
    Does anybody have any case study documents or experience of such a project? As well as the authentication, it's how well the APs will handle the dense potential number of clients trying to connect in such a confined space.
    Any suggestions would be gratefully appreciated from the knowledgeable community.
    Cheers,
    Mike

    Hi Rasika,
    We are having WLC 5508 model with software version running 7.4.121.0. AP Models are AIR-CAP2602I.
    Normally our WAN links are good even while the issue persists. We are connected to remote offices over IPsec site-to-site VPN for WAN. The link latency in the WLC between the AP and the controller shows <1ms.
    Currently the Guest network is using WPA2-PSK auth configured in the controller. We are trying to find an option to make the Guest wireless auth local to the office, and see if this solves the problem.
    any suggestions,
    Thank you,
    Arjun

  • How to restrict AP client-to-client traffic in same SSID

    Dear all,
    Please kindly advise how wireless client-to-client traffic can be restricted? The AP is controlled by WLC.
    Thanks.
    Eric

    Hi Eric,
    Great question! Here is the related info; note the nice change in WLC Version 4.2.x.x:
    Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
    A. The feature or the mode that performs the similar function of PSPF in Lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available with the controllers that manage the LAP.
    If this mode is disabled on the controller, which is by default, it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller.
    It only works among the APs that have joined to the same controller. When enabled, this mode does not block wireless clients terminated on one controller from the ability to get to wireless clients terminated on a different controller, even in the same mobility group.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml
    Configuring Peer-to-Peer Blocking
    In controller software releases prior to 4.2, peer-to-peer blocking is applied globally to all clients on all WLANs and causes traffic between two clients on the same VLAN to be transferred to the upstream VLAN rather than being bridged by the controller. This behavior usually results in traffic being dropped at the upstream switch because switches do not forward packets out the same port on which they are received.
    In controller software release 4.2, peer-to-peer blocking is applied to individual WLANs, and each client inherits the peer-to-peer blocking setting of the WLAN to which it is associated.
    http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42wlan.html#wp1084832
    Hope this helps!
    Rob

  • Cisco WLC 2504 webportal for Server 2008 R2 DC LDAP or RADIUS

    Hi, friends.
    I want my mobile or notebook clients to connect to wireless using my domain users, with the Cisco WLC 2504 authenticating via LDAP or RADIUS to our Windows Server 2008 domain controllers.
    Question:
    One, I can use one Organizational Unit of my domain, such as cn=use01,ou=test,dc=lzh,dc=com. Now only user01 can log on via the web, but how do I make all my domain users able to use the web login?
    Should I use RADIUS authentication or LDAP to do web authentication? Which is better?
    I specified a child OU; users in its parent OU cannot log on.

    hi ,Scott Fella
    Thank you, I am very happy to receive your reply. I have finally got domain user authentication via LDAP working successfully. But with the NPS combination you described, I could not get RADIUS authentication to succeed, and I do not know where the problem is.
    The error:
    <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">11</User-Name><Service-Type data_type="0">1</Service-Type><NAS-IP-Address data_type="3">10.10.10.253</NAS-IP-Address><NAS-Port data_type="0">1</NAS-Port><NAS-Identifier data_type="1">WLC-CNNEWCITY</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Vendor-Specific data_type="2">00003763010600000001</Vendor-Specific><Calling-Station-Id data_type="1">10.12.0.11</Calling-Station-Id><Called-Station-Id data_type="1">10.10.10.253</Called-Station-Id><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Authentication-Type data_type="0">1</Authentication-Type><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
    Then, you gave two figures; is that what you mean? What is the meaning of Service-Type = Login?
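As an added example (not code from this thread, from Cisco or from Microsoft), the following Python script parses IAS-format NPS records like the two quoted above, pairs the Access-Request with its Access-Reject by the RADIUS Class attribute, and decodes the numeric Service-Type, Authentication-Type, Packet-Type and Reason-Code fields a defender needs to read the failure. The code tables come from RFC 2865 and Microsoft's NPS reason-code list (a subset only); the sample log is abridged from the records quoted above.

```python
import xml.etree.ElementTree as ET

# RADIUS Packet-Type values (RFC 2865).
PACKET_TYPES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
# RADIUS Service-Type values (RFC 2865); 1 = Login is what a WLC web-auth request carries.
SERVICE_TYPES = {1: "Login", 2: "Framed"}
# IAS-format Authentication-Type codes for the methods relevant to WLC authentication.
AUTH_TYPES = {1: "PAP", 3: "MS-CHAP", 4: "MS-CHAP v2", 5: "EAP", 11: "PEAP"}
# Subset of NPS Reason-Code values, taken from Microsoft's NPS documentation.
REASON_CODES = {
    0: "success",
    16: "authentication failed (bad credentials)",
    48: "connection request matched no network policy",
    66: "authentication method not enabled on the matching network policy",
}


def parse_event(line):
    """Turn one IAS XML <Event> record into an {attribute: value} dict."""
    return {child.tag: child.text for child in ET.fromstring(line.strip())}


def triage(records):
    """Pair request/response records by RADIUS Class and decode each session."""
    sessions = {}
    for rec in records:
        sessions.setdefault(rec.get("Class"), []).append(rec)
    results = []
    for recs in sessions.values():
        req = next((r for r in recs if r.get("Packet-Type") == "1"), {})
        rsp = next((r for r in recs if r.get("Packet-Type") in ("2", "3")), {})
        reason = int(rsp.get("Reason-Code", -1))
        results.append({
            "user": req.get("User-Name"),
            "nas": req.get("NAS-Identifier"),
            "service_type": SERVICE_TYPES.get(int(req.get("Service-Type", 0)), "other"),
            "auth_type": AUTH_TYPES.get(int(req.get("Authentication-Type", 0)), "other"),
            "policy": rsp.get("NP-Policy-Name"),
            "outcome": PACKET_TYPES.get(int(rsp.get("Packet-Type", 0)), "no response logged"),
            "reason": reason,
            "reason_text": REASON_CODES.get(reason, "see NPS reason-code documentation"),
        })
    return results


def triage_text(text):
    """Parse an IAS-format log (one <Event> per line) and triage every session."""
    return triage([parse_event(line) for line in text.splitlines() if line.strip()])


# Abridged copies of the two records quoted in the thread above: the
# Access-Request (Packet-Type 1) and the Access-Reject (Packet-Type 3).
SAMPLE_LOG = """\
<Event><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">11</User-Name><Service-Type data_type="0">1</Service-Type><NAS-IP-Address data_type="3">10.10.10.253</NAS-IP-Address><NAS-Identifier data_type="1">WLC-CNNEWCITY</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Authentication-Type data_type="0">1</Authentication-Type><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
"""

if __name__ == "__main__":
    for session in triage_text(SAMPLE_LOG):
        print(session)
```

Feed it a real NPS IAS-format log (one record per line) in place of SAMPLE_LOG to get the same per-session summary for every authentication attempt.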

  • Query About Cisco WLC 2504 TDLS

    Dear Friends,
    One of my clients wants to encrypt data over the wireless. I have a Cisco WLC 2504, IOS version 7.2.0.0.
    Please help me on this. I think data encryption is enabled by default. If not, how can I enable it? If I enable it, is there any impact on my wireless users?
    Please help me out .....
    Thanks & Regards,
    Rahul Wankhade

    How to enable:
    http://www.cisco.com/c/en/us/support/docs/wireless/2500-series-wireless-controllers/113034-2500-deploy-guide-00.html#enable
    Impact:
    2500, WiSM2, WLC2—These platforms by default will not contain DTLS. To turn on data DTLS, you must install a license. These platforms will have a single image with data DTLS turned off. To use data DTLS you will need to have a license.
    http://www.cisco.com/c/en/us/products/collateral/wireless/2500-series-wireless-controllers/data_sheet_c78-645111.html
    As per Cisco: Encryption limits throughput at both the controller and the access point.
    Regards
    Don't forget to rate helpful posts

  • How to block calls based ANI for individual user?

    I want to know how to block calls based on ANI for an individual user in CUCM. Let's say the individual wants to block calls from a certain number.
    The Malicious Call ID softkey will not work for our purpose.
    Calls come to CUCM via an MGCP gateway. CUCM 9.x.
    thanks,

    How to block calls has been asked hundreds and hundreds of times at CSC; a simple search would have provided you with all the necessary information. Please search before you ask.
    https://supportforums.cisco.com/docs/DOC-19628
    HTH
    java
    if this helps, please rate
    www.cisco.com/go/pdihelpdesk

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is can cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate.
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What I don't understand here is the need for the WLC to authenticate the user with his credentials via LDAP when it has already authenticated the user certificate.
    All your help is appreciated.

    Hi,
    Since you use an external RADIUS server, you don't have to worry about this.
    The only config that you need to do on the WLC is to define the RADIUS server under Security > AAA > RADIUS > Authentication and on your WLAN > Security > AAA.
    The doc you refer to is only for Local RADIUS on the WLC.
    Hope this helps
    Regards,
    Christos

  • Cisco ISE - How to map User- Location - Restrict Access to other locations

    Hi,
    I've got a simple question and I hope someone here can help me out with this mess.
    The problem is about WLAN 802.1X auth with a Cisco WLC and an ISE.
    The design goal is the following:
    There are several branch facilities. A user belongs to only ONE facility. This user should not access the WLAN in other facilities.
    The technical design is this:
    Local WLC and/or central vWLC. In the datacenter is one ISE which must handle the auth requests. The identity source of the users, where I add and manage them, should be the ISE itself for the first time; later I want to use AD and LDAP sources.
    Here is the problem:
    I don't understand how I can create a ruleset or something else where I can define that a user of facility A can only log in over APs, WLCs, ... in facility A and NOT facility B. Or maybe my design is so bad that I have to start from scratch.
    PLEASE HELP.

    I don't know but may be this is the correct way to validate the user:
    NAS-ID in AP-Groups (One AP-Group per facility) must match "12345" AND Identity-Group must match "12345".
    I am confused because there is no way to compare these values.
    In this case, to compare the value of "NAS-ID" and the user's "IDENTITY-GROUP".
    If they match each other, then "Permit-Access".
