Client exclusion of WLC

Similar Messages

• Client Exclusion Policies on WLC not working with ISE as RADIUS Server

  Hi,
  for our Guest WLAN (Security Setting for this SSID:Layer2: MAC filtering, Layer3:none) we use ISE as RADIUS Server. On WLC I enabled client exclusion polices and checked all options (Excessive 802.11 Auth. Failures etc..).. But even if a client fails 20times at authentication, it is not excluded on the wlc. It works with other SSIDs, where security settings are set to 802.1x.
  Am I missing any settings here or do you have some tipps on how to troubleshoot this?
  Thanks very much!

  Hi Renata,
  If those guest failures are not associated with valid guest users (i.e. people who have forgotten their account or entering the wrong password) there isn't anything that can be done. The main point of Guest WLAN is to make it as easy as possible for Guests - individuals with device configurations you don't want to deal with or know about, to connect your network for internet access. From a WiFi/802.11 perspective, the standard Guest WLAN setup means its easy for any device to connect.
  If your Guest WLAN has the following:
  SSID is broadcast enabled, Security = OPEN, Encryption = none, then any 802.11 device can find the WLAN via passive scanning and connect. And any device that connects will get the ISE portal. Once recieveing that portal they can guess away at valid username/password.
  I would suspect that unless your Guest WiFi is adjacent to a Mall, school, hotel or other hi-density area of individuals  with time and electronics on their hands, other than alerts in your ops window and logs, resources associated with this (WLC & ISE) are very low.
  You can try and dull the noise a few ways.
  Option 1. create and ISE log filter on those alerts so they don't cluter the console.
  Option 2. Stop broadcasting the SSID.  This is not a security measure, but will cut volume of people connecting to the SSID significantly. You will have to tell your guests what SSID or include it in their credential communication.
  Option 3. Put a very simple PSK on the SSID. The PSK will become a public secret - shared with valid guests, doesn't have change as it's purpose is not security.  You will have to include this information on their credential communication.
  Option 4 - both 2 and 3
  The most effective option would be 3.
  Good Luck!

• WLC client exclusion

  Hi Experts,
  We are using Wism2 in our wireless environment, users authenticate against LDAP via Radius in a centralized architecture. What i have been seeing from one of our sites is one of user continously tries to authenticate every minute. We are using default client exclusion policies on Wism2 and client exlusion is set to 3000 secs, i guess my question is why WLC is unable to get this client excluded for auth flood? or do i need to have a specific signature attached to WLC? Please note i am not using any IDS/IPS.
  5:01:58 PM *dot1xMsgTask: 1x_auth_pae.c:2992 Max EAP identity request retries (3) exceeded for client 00:xx:xx:xx:xx
  5:02:58 PM *dot1xMsgTask: 1x_auth_pae.c:2992 Max EAP identity request retries (3) exceeded for client 00:xx:xx:xx:xx
  and so on every min
  cheers
  AP

  In the Session Timeout text box, enter a value between 300 and 86400 seconds to specify the duration of the client session. The default value is 1800 seconds for the following Layer 2 security types: 802.1X, Static WEP+802.1X, WPA+WPA2 with 802.1X, CCKM, or 802.1X+CCKM authentication key management and 0 seconds for all other Layer 2 security types (Open WLAN/CKIP/Static WEP). A value of 0 is equivalent to no timeout.
  Maybe its because of this.

• Client Exclusion

  What are pros and cons of enabling / disabling client exclusion policies on a wlc?

  Hi
  If you enable this feature a wireless client will be excluded from the network for a configured amount of time.
  1. Excessive 802.11 Association Failures—Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.
  2. Excessive 802.11 Authentication Failures—Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures.
  3. Excessive 802.1X Authentication Failures—Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures.
  4. IP Theft or IP Reuse—Clients are excluded if the IP address is already assigned to another device.
  5. Excessive Web Authentication Failures—Clients are excluded on the fourth web authentication attempt, after three consecutive failures.
  If you do not want to client to be excluded (eg: sometime genuine user get excluded if he enter the wrong password more than 5 times) in those circumstances, you can disabled it.
  HTH
  Rasika
  **** Pls rate all useful responses ****

• I Ask About WCS count Client not same WLC

  WCS  count Client not same WLC   as on WLC count client  = 100
  on WCS count = 23-23  
   Wireless Control System  Version 5.2.148.0
   WLC  7.0.250.0
  http://postimg.org/image/9boldeqd5/
  http://postimg.org/image/l482i9poz/

  Your WCS should have a higher (or not equal) version to your WLC.  
  I wouldn't even consider troubleshooting WCS problems if your WCS is running 5.X because WCS/WLC firmwares 5.X are very, very buggy.

• OS clients supported by WLC vesion 7.0.240.0

  Hi,
  I want to know the supported OS clients by the WLC version 7.0.240.0. I went through the release notes of this vesion but did not find anything related to supported OS clients.
  Customer wants to run Windows 8 on this version. WLC model is 4402 and current image is 7.0.230.0.
  If anyone know where to find the document, please guide me or send me the URL link of the document.
  Thanks

  Hi,
  Any device that is Wi-Fi certified should be able to connect (theoritically).
  Wi-Fi certified means it supports 802.11 a/b/g/n some of them or all of them and got a certification for that from Wi-Fi alliance (that should be mentioned on the client device itself it is certified or not). If some of them then it will be able to connect to the part that it is certified with. (i.e. if 802.11b certified only it then can connect with up to 11 Mbps data rate).
  Your question can be re-phrased to be (what supplicants/WiAdapters are compatible with the WLC version 7.0.240.0).
  The answer would be the one above.
  However, the Cisco guys do a test for some types of clients to check the interoperability.
  You can find the information in the release notes of 7.0.240.0 here:
  http://goo.gl/AaaT1f
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Client exclusion policies

  Just a quick note or heads up regarding client exclusion policies.
  I got called out to a facility because three laptops stopped working. I got on site and my laptop immediately worked so I knew it wasn't the network or that DHCP got full somehow.
  Rebuilding the profiles didn't do anything so when I got on site I saw that those three MAC addresses were excluded probably because they failed to do something. I un-excluded them and removed the default policies. This still didn't work. After an hour or so of banging my head I checked the other controllers to see if any of their clients were excluded and I found the same three macs on another controller for another facility. The only thing I can think of is it was already broken and then the controller blinked and shot those AP's to the wrong controller...and then came back.
  If any clients are excluded they are apparently excluded everywhere. Be sure to check all controllers for remnants to get everyone back up online.
  So far the only people who get excluded are supposed to be there so I'm on the fence as to whether or not this is a good thing.

  whoa! thanks for this 'just a quick note'.
  my laptop uses two wnic (wireless nic, that is). intel (on-board) and cisco abg pc card. i was confidently using the cisco wnic when after i tried something with the controller and failed to associate for some time, it was excluded from the controller. with this, the cisco wnic is unable to get associated. i've tried reconfiguring the controller to which i know the cisco wnic was registering, but all in vain. so i stopped using the cisco wnic and used the intel instead. and now came the hopeful solution. hehe... luckily, the controllers are still not in the production.
  i've 6 controllers, so it could probably be the same case as yours. let me go and check this.
  all hail the wireless experts!!!

• ISE client provisioning with wlc 7.3

  Hi Experts,
  i have the following challenge. I will try to be synthetic.
  ISE 1.1.2.145
  WLC 7.3
  Wireless clients, dot1x eap peap, posture required.
  Clients should download the nac agent through redirection.
  So, i have an authorization policy that, for posture status= unknown, apply a redirect av, in the form:
  "https://ip:port:8443/.....action=cpp
  the access list is correctly applied on wlc.
  The challenge is, it works for http traffic, but dont work for https traffic or if the browser is using a proxy (port 3128, 8080 etc).
  In case you wonder, the access-list on wlc:
  permit icmp, dns
  permit traffic to the PDPs
  deny all else.
  Thanks
  Andrea

  You may want to consider, explicity denying the proxy traffic in the WLC ACL and see if that resolves your issue. You may need to get clarification from Cisco TAC to see when the client is in the WEBAUTH state that it only listens for http traffic.
  You may want to consider using this option (however I do not if this will work for radius webauth redirection) -
  http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_01000100.html
  Thanks,
  Tarik Admani
  *Please rate helpful posts*

• Report on WPA client level from WLC?

  I'm transitioning clients from WPA to WPA2 and I want to make sure we've gotten most of them.  Is there any way to run a report from the WLC to show encryption levels for clients?                  

  Or better yet, create a new WLAN with the same SSID but different profile name. Have one configured for WPA/TKIP and the other for WPA2/AES. This way clients still on the old wpa SSID will appear as associated and you can then track them down.
  Sent from Cisco Technical Support iPhone App

• Clients disconnected from WLC randomly

  Hi,
  I'm doing some tests with clients to see how much time they are kept registered in the controller while they are disconnected. I've set session timeout to 0 (infinite) and user idle timeout to 12 hours. 
  The problem is that sometimes the clients are disconnected from the controller before the user idle timeout expires:
  apfMsDeleteByMscb Scheduling mobile for deletion with deleteReason 6, reasonCode 1
  Other times they are expired normally by the user idle timeout (deleteReason4,reasonCode4).
  If I am not wrong deleteReason 6 corresponds to manual deletion of the client, but there is no manual interventention when this happen, is the controller who deletes it.
  Can anybody explain why this happens randomly?
  WLC version 6.0.196
  Thanks.

  Refer the 2 Bugs :
  Unified APs removing clients on maximum retries.
  CSCti91944
  Description
  Symptom:
  A wireless client might be removed from the mobility database before the user idle timeout. When this happens, if "debug client MAC" is in effect, messages similar to the following are seen on the WLC:
  *spamApTask3: clientmacaddrXYZ Received Idle-Timeout from
  AP macADDR-abc slot 0 for STA XYZ Client MAC ADDR
  *spamApTask3: apfMsDeleteByMscb Scheduling mobile for deletion with
  deleteReason 4, reasonCode 4
  The symptoms, as experienced by the user, depends on the behavior of the client device and on the WLAN configuration as follows:
  - If the WLAN is configured for web-auth, the client is forced to reauthenticate through the web.
  - If the WLAN is configured for L3 mobility and if the client performs an L3 roam at the time of the removal, the client's old IP address in the old subnet is no longer valid, and the client is forced to re-DHCP in the new subnet. Any existing TCP connections fail to work expected. If the client is a 792x wireless phone on a call, the talk path is lost for the remainder of the call.
  - If the WLAN is configured for L2 mobility, then the client is forced to perform a full EAP authentication (if EAP is configured) and to re-DHCP (if DHCP required is configured). In most cases, this does not cause a perceptible service interruption, unless the client's IP address changes.
  Conditions:
  This occurs when an access point fails to transmit 250 consecutive packets to the client (if there are 64 failed retransmits per packet, which means 4 consecutive dropped packets, it triggers the deauth).
  Examples:
  - Client radio is temporarily disabled.
  - Client has gone into hibernation/standby.
  - For a voice client, if the client is in a call and is unable to receive audio packets for a fraction of a second.
  Workaround:
  None; however, reconfiguring the WLAN for layer 2 rather than layer 3 mobility can mitigate the effect.
  Known Affected Releases:
  (3)
  7.0(98.0)
  6.0(199.0)
  6.0(199.4)
  Clients hit Idle timeout after successful authentication
  CSCue34763
  Description
  Symptom:
  A wireless client, while associated/authenticated (in RUN state), will be
  prematurely idle timed out by an AP. With "debug client" in effect on the
  WLC, messages similar to the following are seen:
  *spamApTask2: Jan 30 17:10:17.258: 00:11:22:33:44:55 Received Idle-Timeout from
  AP 84:78:ac:00:11:22, slot 1 for STA 00:11:22:33:44:558
  *spamApTask2: Jan 30 17:10:17.258: 00:11:22:33:44:55 apfMsDeleteByMscb
  Scheduling mobile for deletion with deleteReason 4, reasonCode 4
  The idle timeout event occurs while the client is not idle, and more rapidly,
  after the client's last reassociation, than the configured user idle timeout
  value.
  Conditions:
  Flexconnect (H-REAP) local switching is configured, with DHCP Required.
  Workaround:
  Clients hit Idle timeout after successful authentication
  CSCue34763
  Description
  Symptom:
  A wireless client, while associated/authenticated (in RUN state), will be
  prematurely idle timed out by an AP. With "debug client" in effect on the
  WLC, messages similar to the following are seen:
  *spamApTask2: Jan 30 17:10:17.258: 00:11:22:33:44:55 Received Idle-Timeout from
  AP 84:78:ac:00:11:22, slot 1 for STA 00:11:22:33:44:558
  *spamApTask2: Jan 30 17:10:17.258: 00:11:22:33:44:55 apfMsDeleteByMscb
  Scheduling mobile for deletion with deleteReason 4, reasonCode 4
  The idle timeout event occurs while the client is not idle, and more rapidly,
  after the client's last reassociation, than the configured user idle timeout
  value.
  Conditions:
  Flexconnect (H-REAP) local switching is configured, with DHCP Required.
  Workaround:
  Disable DHCP required.
  Disable DHCP required.

• Tracking client roaming via WLC in realtime

  I'm trying to resolve client roaming issues and would like to use the 4400 controller to report roaming events in realtime. Is there a debug situation that will enable that function?
  WLC version 4.0.127.0

  debug client

• Difference in client tables between WLC and AP controller d0

  Hello gang,
  Anyone know whether its normal to have an APs' d0/d1 controller output show clients that don't appear on the WLC's "sh client <AP>" output?
  Here's an example - 10 clients visible from a "sh client " on the controller, but 15 clients visible on AP4s "sh controller d0" debug.
  Granted the User Idle Timeout has been bumped up to 7200 seconds, but shouldn't the AP's d0/1 client table get updated if/when a client roams to another AP nonetheless? Wouldn't this otherwise cause confusion? Is the Split-MAC Split-brained?
  Thanks for your input,
  --Bruce Johnson
  (mcores2wlc1) >show client ap 802.11b mell9s1ap4
  MAC Address AP Id Status WLAN Id Authenticated
  00:40:9d:31:b0:79 130 Associated 6 Yes
  00:40:9d:34:1f:04 130 Associated 6 Yes
  00:40:9d:33:ee:04 130 Associated 6 Yes
  00:40:9d:2b:d1:6a 130 Associated 6 Yes
  00:40:9d:31:23:a3 130 Associated 6 Yes
  00:40:9d:33:e9:28 130 Associated 6 Yes
  00:40:9d:31:27:a5 130 Associated 6 Yes
  00:40:9d:33:eb:4b 130 Associated 6 Yes
  00:40:9d:31:22:1d 130 Associated 6 Yes
  00:40:9d:33:ee:cb 130 Associated 6 Yes
  (mcores2wlc1) >debug ap command "sh cont d0" mell9s1ap4
  (mcores2wlc1) >Thu Feb 26 18:54:10 2009: mell9s1ap4:
  Thu Feb 26 18:54:10 2009: mell9s1ap4: ---Clients AID VLAN Status Age Tx Mode Enc Key Rate
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d33.eaec 198 6 0000 0800000FF 7195/7200 0-0 10111 200 0-10 10000000 016
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d30.efd1 197 6 0000 0800000FF 7195/7200 0-0 10111 200 0-10 10000000 016
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d31.bc74 195 6 0000 2800001FF 7165/7200 0-0 10111 200 0-10 10000000 016
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d31.27a5 193 6 0000 0800000FF 7195/7200 0-0 10111 200 0-10 10000000 016
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d33.eecb 192 6 0000 2800000FF 7195/7200 0-0 10111 200 0-10 10000000 016
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d31.221d 190 6 0000 0800000FF 7194/7200 0-0 10111 200 0-10 10000000 016
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d33.eb4b 186 6 0000 0800000FF 7194/7200 0-0 10111 200 0-10 10000000 016
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0016.6faf.9d64 185 3 0000 0C00000FF 7186/7200 0-0 0191 200 0-10 10FC0000 06C
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d33.e928 177 6 0000 2800001FF 5818/7200 0-0 10111 200 0-10 10000000 016
  =>Thu Feb 26 18:54:10 2009: mell9s1ap4: 0016.6faf.9db8 176 3 0000 0C00000FF 7140/7200 0-0 0191 200 0-10 10FC0000 06C
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d31.23a3 174 6 0000 2800000FF 7195/7200 0-0 10111 200 0-10 10000000 016
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d2b.d16a 165 6 0000 1800000FF 7194/7200 0-0 10111 200 0-10 10000000 016
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d33.ee04 163 6 0000 0800000FF 7194/7200 0-0 10111 200 0-10 10000000 016
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d34.1f04 151 6 0000 1800000FF 7195/7200 0-0 10111 200 0-10 10000000 016
  Thu Feb 26 18:54:10 2009: mell9s1ap4: 0040.9d31.b079 147 6 0000 2800000FF 7194/7200 0-0 10111 200 0-10 10000000 016

  hi Leo,
    I tested this out, but i guess its not working as i thought it would work. I configured the backup primary controller IP and name in the global configuration of the Wireless tab of the WLC and left the AP high availability blank with no settings. I joined the AP to the WLC and show capwap client ha output on the AP shows the backup primary controller name. but if i shut down the primary controller, the AP does not join the back, it just tries to get WLC ip by renewing DHCP forever and stuck in that...   below are the outputs.. any idea why its like this ? I thot if there is no HA configured at the AP level, the global config on the controller level should take effect ?
  LWAP3-1042#sh cap cli ha
  fastHeartbeatTmr(sec)   7 (enabled)
  primaryDiscoverTmr(sec) 30
  primaryBackupWlcIp      0xA0A700A
  primaryBackupWlcName    WLC2-4402-50
  secondaryBackupWlcIp    0x0
  secondaryBackupWlcName  
  DHCP renew try count    0
  Fwd traffic stats get   0
  Fast Heartbeat sent     0
  Discovery attempt      0
  Backup WLC array:
  LWAP3-1042#
  *Apr 30 20:36:21.324: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
  Not in Bound state.
  *Apr 30 20:36:31.829: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.114.49, mask 255.255.255.0, hostname LWAP3-1042
  *Apr 30 20:37:17.832: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
  Not in Bound state.
  *Apr 30 20:37:28.337: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.114.50, mask 255.255.255.0, hostname LWAP3-1042
  *Apr 30 20:38:14.338: %CAPWAP-3-DHCP_RENEW: Could not discover WLC using DHCP IP. Renewing DHCP IP.
  Not in Bound state.
  *Apr 30 20:38:24.842: %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.10.114.51, mask 255.255.255.0, hostname LWAP3-1042
  regards
  Joe

• Webauth DHCP exclusion in WLC 5.0

  Anyone knows what the "Config Guest-lan Webauth exclude" command does in 5.0 controller code? Doesn't seem to be documented anywhere.

  Allows you to turn off the webauth policy exclusion.
  config wlan webauth-exclude disable
  By default (somewhere around 4.0.179), a web-auth protected SSID will de-associate an unauthenticated client every 5 minutes to reclaim connections and resources. If you are implementing a pre-auth ACL to allow user access to say your external web server or DMZ without auth, then they will lose their connection every 5 minutes and re-associate again after 60 seconds. If you want them to stay connected to the resources specified in the pre-auth acl, but then be prompted to auth when accessing the Internet, then use this command. Keep in mind if you are broadcasting, then your guest wireless may begin to fill up with idle connections.

• Installing Net8 Client EXCLUSIVELY

  Hello,
  I work in an organisation that has many people that use an existing database query tool called Brio. They use ODBC connections.
  We are about to migrate to Oracle database and it turns out that the Oracle ODBC drivers alone will not be enough for these people. The Oracle ODBC relies on Net8 being installed.
  Is there a way for the Brio users to install the ODBC and just the Net8 Client without having to get the big entire Oracle package?
  We could have them use the Oracle Universal installer and then have them point to a location where only the Net8 Client installation package would be stored.
  That should be possible, so then we'donly need to identify which part of the Oracle 8.1.7 installation CD contains the Net8 package.
  Hope you can help,
  Alex

  Hi Alex,
  I'm working in the same environment as you, where many of our users has to use Oracle Client to connect to our Oracle databases. We're using Oracle Universal Installer to do the installation of Oracle Client. There must be a file called clientcustom response file in you Net8 Client installation kit. You can do all your customisation by modifying this response file. Also, you can run OUI in silent mode.
  HTH,
  Raja

• ISE 1.2 Anomalous Client Detection

  Hi Community!
  ISE 1.2 with patch 8,9.
  On MAB authentication with redirection I have clients that are suppressed by the RADIUS setting mentioned in the title. I have seen this post where suppression can be disabled, the thing is that it's not working at all.
  Testing I have donde this 
  1. Set the fields in Administration > System > Settings > Protocols > RADIUS to default values.
  2. Retired MAC address from Endpoints in Administration > Identity Management > Identities > Endpoints.
  3. Tried to connect with same device until 5434 Endpoint conducted several authentication attempts from same scenario error appears.
  4. In the first test the attribute "IsEndpointInRejectMode" was set to true, added the MAC in Disable Suppression > Result NOT ALLOWED
  5. In the second test the attribute "IsEndpointInRejectMode" was set to false,  added the MAC in Disable Suppression > Result NOT ALLOWED
  So none of these tests have been working at all.
  Am I expecting something that cannot be achieved?
  Why did it work before? Client states that after enabling dot1x it stopped working (We all know this is completely unrelated, unless bug)
  Any thoughts?

  Clients are being blocked even though suppression is disabled. The suppression is disabled via Collection Filters. One case I've seen is that if the MAC is not in the database (manually added) and the suppression enable via collection filters the endpoint no longer triggers the IsEndpointInRejectMode flag, so for me that means suppression is working.
  Yes, retiring is deleting the endpoint from the database and for this particular client I have "disabled" profiling(I mean no RADIUS, DHCP or any checkboxes in deployment tab) .
  I have not checked client exclusion in WLC but that would be a nice place to look next time.
  It's difficult for me to post the screens at the moment, but basically is the same as when the 5434 error shows. One with the flag set to true (IsEndpointInRejectMode) and the other set to false.
  For me it's something about timing and the way the client sees that this worked immediately before.