WLC Client Restrictions

Everyone,
I have a question... I am working on a project for a school where we are allowing this year's seniors to bring one wireless device to school and be allowed to join the wireless network.  We want to limit them first to just one device.  Second, we would like it to be the device they used the first time they logged in.
Example.  Student A brings a laptop to school at the first of the year. We create Student A an Active Directory account and allow RADIUS authentication to the wireless network for their SSID.  We don't want the student to be able to decide later in the day that they want to switch from their laptop to using their iPhone (or other smartphones) on the wireless network. 
What we have done for the other wireless SSIDs is use MAC filtering.  The only problem with this is that we would have over 200 MAC addresses that would need to be added on the first day of school if we go this route.  Obviously, this would be majorly time consuming.  So that brings me to my question: what would be the best option for limiting users' ability to have multiple devices on the wireless network?
If this is a more difficult task and we have to use MAC filtering, is there an easier way to capture this information?
Here's my current setup.
1 Cisco Wireless LAN Controller 5508.
30 Lightweight Access Points,
1 2008 AD RADIUS Server
WPA2 + 802.1X Authentication.
Any help you could provide would be great!
Thanks
Jesse

Or you can create a pool of user accounts, assign one to each student, import them into the WLC in CSV format and tell the controller to allow that account a single sign-on only. This will restrict them to signing on once but give them the flexibility to use more than one device, but not at the same time. Locking them down to one device all year seems a little excessive; what if they lose it or their primary device gets stolen? They will then need to go to the admin every time.
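One way to capture the first device each account used without typing in 200 MAC addresses by hand is to read it out of the RADIUS server's own log. The sketch below is an added example, not code from the thread or from Cisco or Microsoft: it binds each account to the first MAC it was accepted with and flags later accepted logins from a different MAC. It assumes the NPS log is in the XML layout quoted further down this page, that `Calling-Station-Id` carries the client MAC for 802.1X, and that a request and its response share the same `Class` value; `device_report`, `make_event` and the sample records are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = "1", "2", "3"  # RADIUS packet codes

# Six hex pairs, optionally separated by "-" or ":" (or "." in the xxxx.xxxx.xxxx form).
MAC_RE = re.compile(
    r"^([0-9a-f]{2})[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})"
    r"[-:]?([0-9a-f]{2})[-:.]?([0-9a-f]{2})[-:]?([0-9a-f]{2})$", re.I)


def normalize_mac(value):
    """Return aa:bb:cc:dd:ee:ff, or None when the value is not a MAC (e.g. an IP)."""
    m = MAC_RE.match((value or "").strip())
    return ":".join(m.groups()).lower() if m else None


def parse_events(lines):
    """Yield one {element name: text} dict per <Event> record, skipping broken lines."""
    for line in lines:
        line = line.strip()
        if not line.startswith("<Event>"):
            continue
        try:
            event = ET.fromstring(line)
        except ET.ParseError:
            continue  # truncated or partially written record
        yield {child.tag: (child.text or "").strip() for child in event}


def device_report(lines):
    """Return (first MAC accepted per account, later accepts from another MAC)."""
    pending, first_seen, violations = {}, {}, []
    for ev in parse_events(lines):
        ptype, cls = ev.get("Packet-Type"), ev.get("Class")
        if ptype == ACCESS_REQUEST:
            mac = normalize_mac(ev.get("Calling-Station-Id"))
            if cls and mac:
                pending[cls] = mac            # remember who asked, keyed by Class
        elif ptype == ACCESS_REJECT:
            pending.pop(cls, None)            # failed logins never bind a device
        elif ptype == ACCESS_ACCEPT:
            mac = pending.pop(cls, None)
            account = ev.get("SAM-Account-Name", "").lower()
            if not mac or not account:
                continue
            bound = first_seen.setdefault(account, mac)
            if bound != mac:
                violations.append((ev.get("Timestamp"), account, bound, mac))
    return first_seen, violations


def make_event(ts, account, packet_type, serial, mac=None):
    """Build one CONSTRUCTED log line using the element names seen in NPS logs."""
    station = f'<Calling-Station-Id data_type="1">{mac}</Calling-Station-Id>' if mac else ""
    return (f'<Event><Timestamp data_type="4">{ts}</Timestamp>'
            f'<SAM-Account-Name data_type="1">{account}</SAM-Account-Name>{station}'
            f'<Class data_type="1">311 1 192.0.2.10 09/01/2014 07:00:00 {serial}</Class>'
            f'<Packet-Type data_type="0">{packet_type}</Packet-Type></Event>')


# Constructed sample: two students, a device switch at 12:30, and a rejected attempt.
SAMPLE_LOG = [
    make_event("09/02/2014 08:01:10.000", "SCHOOL\\studenta", 1, 1, "00-11-22-AA-BB-01"),
    make_event("09/02/2014 08:01:10.120", "SCHOOL\\studenta", 2, 1),
    make_event("09/02/2014 08:03:42.000", "SCHOOL\\studentb", 1, 2, "0011.22aa.bb02"),
    make_event("09/02/2014 08:03:42.090", "SCHOOL\\studentb", 2, 2),
    make_event("09/02/2014 12:30:05.000", "SCHOOL\\studenta", 1, 3, "00:11:22:aa:bb:03"),
    make_event("09/02/2014 12:30:05.150", "SCHOOL\\studenta", 2, 3),
    make_event("09/02/2014 13:15:00.000", "SCHOOL\\studentb", 1, 4, "00-11-22-AA-BB-04"),
    make_event("09/02/2014 13:15:00.200", "SCHOOL\\studentb", 3, 4),
]

if __name__ == "__main__":
    bound, switched = device_report(SAMPLE_LOG)
    for account, mac in sorted(bound.items()):
        print(f"{account} -> {mac}")
    for ts, account, old, new in switched:
        print(f"{ts} {account} switched from {old} to {new}")
```

The `first_seen` mapping is the per-student list that would otherwise be entered into the MAC filter. A client can change the MAC it presents, so a mismatch is a flag for review rather than proof of a second device.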

Similar Messages

  • CWA/ISE/WLC - client timeout when redirected to portal.

    Problem: When connecting to the CWA ssid, the client gets redirected to: https://lab-ise01.lab.local:8443/guestportal/gateway?sessionId=3c02a8c00000000878430a51&action=cwa
    but the link times out.
    I'm currently following this guide: https://supportforums.cisco.com/docs/DOC-26442
    Any thoughts or suggestions are appreciated.
    Info: ISE 1.1.1 and vWLC 7.3.101.0 is installed on vmware. Identity Source: Internal Users. AP is in FlexConnect mode. MAC filtering enable, no layer 3 security. Allow AAA Override enabled. Radius NAC enabled.
    Topology:
    Win7/iPad -  -  - AP----labswitch-----switch-----switch-----VMware
    (Traffic does not pass through FW and there are no ACL on the switches.)
    ACL on WLC:
    Client on WLC

    Hi all.
    According with this behaviour, I have a similar problem with the renew of the IP address. In a similar scenario (ISE1.1.2 + vWLC 7.3.101. + CWA + DVLAN assignment); for test purposes I need to use the AP in flexconnect mode with central control and traffic data because vWLC does not support APs in local mode.
    Applying WCA in a SSID with a "non-routed" interface and two interfaces for both different profiles. Client passes CWA profile in "non route" subnet when redirected;  after a successful web authentication ISE sends to WLC the new attributes including the new VLAN, new ACL and the access-accept, but the client is not trying to change the IP address through DHCP.
    I use two rules for authentication
    First: Guest Redirection; condition "Wireless MAB" then "WLC-CWA" (central authentication - ACL-POSTURE-REDIRECT)
    Second (this rule is above the first): Guest Traffic; condition "Network access: UseCase EQUALS GuestFlow" then "Guest Permit Access" (which includes the new VLAN assignment as a function of the role, the new ACL assignment, and Termination-Action=0)
    WLC shows me the data correctly, it changes the interface, the ACL and changes the client status to RUN but maintains the IP address belonging to the old VLAN (non-routed vlan)
    Could it be possible that this bug is hitting me?
    Is there any RADIUS attribute to force a DHCP IP process for these devices?
    Thanks in advance.
    Best Regards.

  • Cisco 2504 WLC client VPN Access

    Hi,
    I was reading a couple of posts related to Cisco WLC + Client VPN passthrough .. and got a query.
    https://supportforums.cisco.com/thread/2183687
    https://supportforums.cisco.com/thread/2219356
    The second link says that "Remote Access VPN connections through the WLC work out of the box". Is this true? No need to configure Layer 3 VPN Passthrough for the SSID?
    They are using WPA2+PSK as Layer 2 Security. Here, is WPA2-PSK + VPN Passthrough the right combination for WLAN Layer 2 + Layer 3 Security?
    Thanks,
    Jagan

    It works out of the box... you don't need to configure any passthrough.. just connect to the ssid and VPN away.
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • AP WLC Client Traffic Query

    Hi Experts,
    I was trying to find any documentation explaining how return traffic works for wifi client data traffic in a capwap AP WLC architecture where the APs are in local mode (no HREAP) but was unable to find any detailed references for this.  I am specifically interested to find out if return traffic goes directly back to the client or whether it still goes via the WLC. 
    Some docs state that all traffic goes via the WLC-AP tunnel.  If this is the case then this means the WLC is performing NAT on the client traffic.  This assumption would also support the need for anchors in a roaming-mobility design.  The thing is I can't find any excerpts stating that NAT is indeed being performed by the WLC.
    Hope you could enlighten me on this.
    Thanks in advance.

    All traffic to and from a client will traverse the WLC and CAPWAP tunnel.
    NAT is not performed by the WLC for any client traffic.  The WLC is a layer 2 device that needs to have all the client VLANs trunked to it.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • WLC Client Roaming Between APs

    I have a single WLC with AP1231's. I have clients associating to one AP, but they are not always re-associating to an alternate AP as always desired when roaming to an alternate location. Is there a way to adjust how clients associate to an alternate AP based on better signal strength of a closer AP?

    The best place to look for the commands, is in the command reference for your specific version as they do vary quite a bit from version to version.
    There are also client settings on the adaptor which dictate how the client behaves; on the Intel client you can change the conditions which cause the client to roam. I am also assuming that you have good wireless coverage, otherwise the clients will tend to stick to the one cell. There are various settings on the controller to adjust for performance and coverage, and there is one setting which says it can adjust the power settings on the client. I would check the notebook supplied, as I recently did work with an IBM which required a patch.
    On the Intel client under advanced there is a setting called "Roaming Aggressiveness".
    Best of luck

  • Cisco WLC Client MAC address backup to new Controller & ISE

    Hi All,
    We have an existing 4400 controller with MAC filtering for clients configured. Right Now, we are migrating to 5500 WLC and ISE setup.
    We want to use MAC filtering due to company policies on the new Controller as well as ISE.
    Is there a way (from GUI/CLI) that we can export the client MAC Addresses into an Excel file from existing WLC to new WLC & ISE?
    Thanks,
    CJ

    On the CLI issue a show macfilter summary and then import that into excel or a text editor.

  • WLC client exclusion

    Hi Experts,
    We are using WiSM2 in our wireless environment; users authenticate against LDAP via RADIUS in a centralized architecture. What I have been seeing from one of our sites is that one user continuously tries to authenticate every minute. We are using default client exclusion policies on WiSM2 and client exclusion is set to 3000 secs. I guess my question is why the WLC is unable to get this client excluded for auth flood? Or do I need to have a specific signature attached to the WLC? Please note I am not using any IDS/IPS.
    5:01:58 PM *dot1xMsgTask: 1x_auth_pae.c:2992 Max EAP identity request retries (3) exceeded for client 00:xx:xx:xx:xx
    5:02:58 PM *dot1xMsgTask: 1x_auth_pae.c:2992 Max EAP identity request retries (3) exceeded for client 00:xx:xx:xx:xx
    and so on every min
    cheers
    AP

    In the Session Timeout text box, enter a value between 300 and 86400 seconds to specify the duration of the client session. The default value is 1800 seconds for the following Layer 2 security types: 802.1X, Static WEP+802.1X, WPA+WPA2 with 802.1X, CCKM, or 802.1X+CCKM authentication key management and 0 seconds for all other Layer 2 security types (Open WLAN/CKIP/Static WEP). A value of 0 is equivalent to no timeout.
    Maybe it's because of this.

  • WLC Client excluded - web authentication failed 3 times

    Is there any more I can do with the following? The customer only has 4400 controllers and WCS' both on the highest firmware currently available...
    An example of the alert generated in the event of an excessive authentication failure is as follows:
    Client '08:60:6e:35:7c:29 (172.16.235.133)' which was associated with interface '802.11b/g/n' of AP '25CS-AP21-24SE' is excluded. The reason code is '5(Web Authentication failed 3 times.)'.
    E-mail will be suppressed up to 30 minutes for these alarms.
    I need clarification of the following so that a process can be put in place to show if it is possible to deal with potential threats/attempts to hack into the network, as the customer's security team is not accepting notification only. Therefore please advise:
    - What does ‘excluded’ mean in this scenario? Is the client permanently excluded or only temporarily?
    - If the client is not permanently excluded - if there are multiple occurrences of this alert for the same client can the client be disabled via the WCS console?
    - If necessary could e-mail suppression be turned off - for this alert only?
    Hope you can help but I think they need Prime and ISE to satisfy their security concerns myself!
    BR
    Rockford

    There is a command line syntax which will also allow you to export and import an IAS config to other IAS servers. Then you will be sure they are identical...
    http://support.microsoft.com/kb/883619

  • Howto block p2p traffic of clients connected to the same ssid on different wlc

    Hi all,
    I use two wlc 4400 (4.2.x version) with a mobility domain and one ssid, both wlc are connected to a cisco l2 switch infrastructure. On the wlc I use the p2p blocking action 'drop' (http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52wlan.html#wp1209597) to isolate the clients from each other. Does anybody know if only unicast traffic is blocked or also multicast and broadcast traffic like arp requests?
    Concerning blocking p2p traffic of clients connected to the same ssid but different controllers I found the following statement in the LAP FAQs (http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml):
    ===
    Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
    A. The feature or the mode that performs the similar function of PSPF in lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available with the controllers that manage the LAP. If this mode is disabled on the controller (which is the default setting), it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller. It only works among the APs that have joined to the same controller. When enabled, this mode does not block wireless clients terminated on one controller from the ability to get to wireless clients terminated on a different controller, even in the same mobility group.
    ===
    Does anybody know what's the best practise to prevent this inter wlc client traffic? I already read about using acls on the wlc dynamic interfaces, or private vlans on the l2 switch vlans where the dynamic interfaces are connected to. Is it allowed to completely isolate the wlc from each other on these dynamic interfaces with acls or private vlans or do the wlc need to see each other on this interfaces (e.g. heart beat)?
    Many thanks in advance,
    Thorsten

    Hi Sasha,Thorsten
    The bug is Junked and I believe which is what you are running into with your tests:
    CSCtr60787    WLC P2P Blocking Set to Forward-UpStream Doesn't Work.
    Bugtoolkit : http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
    To answer your original query :
    An ACL is the only solution to block client communication on the same SSID between 2 WLCs. The 5508 works better with ACLs than the 44xx platform.
    ARP requests will be forwarded to upstream router just like any other traffic. WLC won't proxy arp for clients on same vlan.
    Gateway arp's I believe should be handled by WLC . ( Don't quote me on this but I am pretty sure it is ) ..If it was not, then how would client know about gw ?
    Multicast traffic is not applicable for p2p.
    Your ACL can be as simple as this for the scenario :
    WLC 1 - clientvlan = 10
    WLC 2 - clientvlan = 10
    and you want to restrict users from wlc1-wlc1, wlc1-wlc2, wlc2-wlc2 for same vlan10.
    Basically in that case the ACL should look like on both WLCs :
    1. Permit statement to talk to gateway.
    2. Deny to subnet.
    3. Permit all.
    4. If DHCP/DNS other services are on same subnet then you would need to add a permit
    statement before the deny.
    5. Attach the ACL to SSID or dynamic interface.
    Thanks..Salil
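The rule order described in the reply above, worked through as an added example (not code from the thread or from Cisco). It models first-match evaluation with an implicit deny at the end, and shows why the service permit has to sit before the subnet deny. It matches on destination only, which is a simplification of a real WLC ACL, and the addresses, the DNS service and the function names are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action dst proto dport")


def build_acl(gateway, subnet, services=()):
    """Order from the reply: gateway, same-subnet services, deny subnet, permit all."""
    acl = [Rule("permit", ipaddress.ip_network(f"{gateway}/32"), "any", None)]
    for host, proto, port in services:
        acl.append(Rule("permit", ipaddress.ip_network(f"{host}/32"), proto, port))
    acl.append(Rule("deny", ipaddress.ip_network(subnet), "any", None))
    acl.append(Rule("permit", ipaddress.ip_network("0.0.0.0/0"), "any", None))
    return acl


def evaluate(acl, dst, proto, dport=None):
    """Return (action, 1-based rule index) of the first matching rule."""
    addr = ipaddress.ip_address(dst)
    for index, rule in enumerate(acl, start=1):
        if addr not in rule.dst:
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, index
    return "deny", None  # nothing matched: implicit deny at the end of the list


# Constructed addressing for the shared client VLAN on both controllers.
GATEWAY, CLIENT_SUBNET, DNS_SERVER = "192.0.2.1", "192.0.2.0/24", "192.0.2.10"
ACL = build_acl(GATEWAY, CLIENT_SUBNET, [(DNS_SERVER, "udp", 53)])
# Same rules with the subnet deny moved ahead of the service permit.
BAD_ORDER = [ACL[0], ACL[2], ACL[1], ACL[3]]

# Constructed flows from a wireless client at 192.0.2.50.
FLOWS = {
    "peer on either WLC": ("192.0.2.51", "tcp", 445),
    "default gateway": ("192.0.2.1", "icmp", None),
    "DNS on client subnet": ("192.0.2.10", "udp", 53),
    "other port on DNS host": ("192.0.2.10", "tcp", 22),
    "off-subnet server": ("198.51.100.7", "tcp", 443),
}


def audit(acl):
    """Evaluate every sample flow against the ACL."""
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("as described", ACL), ("deny placed first", BAD_ORDER)):
        print(label)
        for name, (action, index) in audit(acl).items():
            print(f"  {name:24} {action:6} rule {index}")
```

Because clients on both controllers share the same subnet, the single subnet deny covers wlc1-wlc1, wlc1-wlc2 and wlc2-wlc2 traffic alike.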

  • How to tell if client is channel bonding from WLC end?

    Greetings,
    I'm reading that if the WLC client detail shows rates m7 - m15, then it must be a 40Mhz wide channel (bonded 20's). However, I'm seeing those rates on 2.4 clients as well, which would be impossible, since those are not bonded.   I'm looking at a 4402 running 7.0.240.0.
    Is the 2.4 reading just buggy?  Different rules for 2.4 MCS?  Why doesn't Cisco simply show the Mbps like the client itself does rather than leaving us with this MCS mXX hieroglyph? :-)
    Thanks!
    Gary

    So long as the rate is available and the client has RSSI/SNR to support it, it can connect at that rate.  There are different rates for 20 vs 40 wide, as well as the guard interval.
    http://en.wikipedia.org/wiki/802.11n#Data_rates
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Cisco WLC 2504 webportal for Server 2008 R2 DC LDAP or RADIUS

    Hi, friends.
    I want to get my mobile or notebook clients connecting to wireless and using my domain users, with the Cisco WLC 2504 authenticating via LDAP or RADIUS to our Windows Server 2008 Domain Controllers.
    Question:
    One: I can use one Organizational Unit of my domain, such as cn=use01,ou=test,dc=lzh,dc=com. Now, only user01 can log on on the web. But how can I make it so that all my domain users can log in on the web?
    I was using radius authentication or ldap certification to do web authentication ?which is good. ???
    I specified child ou, ou its users superiors can not be landed on

    hi ,Scott Fella
    Thank you,I am very happy to receive your reply,  I finally binding domain user authentication LDAP authentication done successfully. but You say the combination of nps I did not do the radius authentication is successful, I do not know where the problems.
    the err:
    <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><User-Name data_type="1">11</User-Name><Service-Type data_type="0">1</Service-Type><NAS-IP-Address data_type="3">10.10.10.253</NAS-IP-Address><NAS-Port data_type="0">1</NAS-Port><NAS-Identifier data_type="1">WLC-CNNEWCITY</NAS-Identifier><NAS-Port-Type data_type="0">19</NAS-Port-Type><Vendor-Specific data_type="2">00003763010600000001</Vendor-Specific><Calling-Station-Id data_type="1">10.12.0.11</Calling-Station-Id><Called-Station-Id data_type="1">10.10.10.253</Called-Station-Id><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Authentication-Type data_type="0">1</Authentication-Type><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Packet-Type data_type="0">1</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
    <Event><Timestamp data_type="4">07/27/2014 18:33:36.845</Timestamp><Computer-Name data_type="1">PDC-CQ</Computer-Name><Event-Source data_type="1">IAS</Event-Source><Class data_type="1">311 1 10.10.10.1 07/27/2014 09:41:28 5</Class><Fully-Qualifed-User-Name data_type="1">cnnewcity.com/user/test/11</Fully-Qualifed-User-Name><Quarantine-Update-Non-Compliant data_type="0">1</Quarantine-Update-Non-Compliant><Client-IP-Address data_type="3">10.10.10.253</Client-IP-Address><Client-Vendor data_type="0">0</Client-Vendor><Client-Friendly-Name data_type="1">WLC</Client-Friendly-Name><Proxy-Policy-Name data_type="1">Use Windows authentication for all users</Proxy-Policy-Name><Provider-Type data_type="0">1</Provider-Type><SAM-Account-Name data_type="1">CNNEWCITY\11</SAM-Account-Name><NP-Policy-Name data_type="1">Connections to other access servers</NP-Policy-Name><Authentication-Type data_type="0">1</Authentication-Type><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">66</Reason-Code></Event>
    then,You gave two figures is that what you mean? what's the meaning it that services-type =login ?

  • Need to send Aperture library to client in South America

    I need to get a whole Aperture library containing images and an Aperture book folders to a client in South America.
    Today I have already successfully transferred the library from an external hard disk that used Tiger, to my new computer's admin account that uses Leopard, then transferred it over successfully to a separate user account in the client's name.
    I had originally planned to use GoToMyPC for the first time, to allow the client restricted access to my computer for their account only, but GoToMyPC only allows global access to all accounts.
    - I then tried YouSendIt (file too large as it's 2.61GB and limit is 1GB)
    - Tried 'Cute Send It' as it has a 4GB limit (allowed me to select the file but constantly stalled on 'calculating time')
    - I then tried ShareFile - (everything looked promising as it had 10GB limit, signed up for the 30 free day trial with my credit card details, then when I went to select the library from my desk top it was 'grayed out').
    ... anyone else got any suggestions?
    Any help much appreciated as it's urgent now as I've been at it all day!

    Scott
    For the remote desktop solution you could try:
    1) Adobe's [ConnectNow|http://www.adobe.com/acom/connectnow]. This is a screen-sharing service which might fit your requirements but (1) it requires you to initiate a session so requires some input your side, and (2) I'm not sure what would happen if you switched user away from the account on your Mac you enabled for your client (i.e. would the connection die)?
    2) Apple's [BackToMyMac|http://www.apple.com/mobileme/features/mac.html] service is a screen and file sharing function that comes as part of a MobileMe subscription. It would allow your client to access your Mac computer (if s/he also has a Mac) but I suspect again it might not fit your requirements as it's really meant as a solution to share your own computers (and not to share with third parties)...you would need to share your MobileMe details with the client.
    Alternatively if you just want to send them the files:
    1) Again, as part of Apple's MobileMe, the [iDisk|http://www.apple.com/mobileme/features/idisk.html] service allows you to share storage space with third parties. Crucially, from a security perspective, you do not need to share your whole storage space but can select certain files or zipped folders to be shared (these can also be protected with a password).
    2) Another option - and this is very old school I know - might be to just ship them the project/library on DVD (unless they don't have an Apple computer nor an Aperture licence)? I have an FTP server in my studio but for large deliveries of TIF files of over 2GB the process is painfully slow (for the client) and I usually just end up couriering them a DVD!
    Raf

  • ISE, WLC: web auth, blocking user account

    Hello!
    We are implementing BYOD concept with ISE (1.1.4) and WLC 5508 (7.4.100).
    On WLC there is SSID(WLAN) with MAC filtering without L2 security. For authentication user is redirected to the ISE Guest Portal.
    Credentials are created at the ISE sponsor portal.
    We create user account in ISE sponsor portal with one hour lease.
    In 10 minutes we delete (or block)  user credentials.
    In spite of it the user is still able to work. Even if we manually disconnect client and reconnect it again, client opens the browser and there is no redirection to the ISE web auth page.
    This happens because WLC thinks, that client is still associated.
    There are session and idle timeout timers in WLC WLAN, but they can't solve the problem of automatic client session removing.
    From my point of view, ISE must send some kind of reauth request to the user after account deletion, to make user authentication impossible.
    In practice, ISE doesn't tell the WLC or the user that the client session is blocked.
    How the user account blocking process can be automated without manually deleting the client session from WLC client database?

    It seems that there is some bug about CoA when deleting Guest accounts
    CSCuc82135
    Guests need to be removed from the network on Suspend/Delete/Expiration
    When a guest user is deleted from the system, the RADIUS sessions   associated with that guest user still exists.
    Workaround   Reissue the Change of Authorization using the   session information from Monitoring reports for the sessions associated with   that guest user.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp411891
    from BUG Toolkit there is Release-Pending in "Fixed-in" option.

  • Cisco WLC Local Net user Authentication

    Hi,
    I have a Controller configured with local net users. Web policy with authentication has been configured for Layer 3 security. When the user tries to access the Wireless, they will be redirected to a web authentication screen, where they need to enter the pre-configured credentials to gain access.
    Now, the requirement is: users shall have to provide login credentials only upon initial access (one time) and shall not have to accept an Acceptable Use Agreement when their systems connect to the wireless network. The next time user tries, they should be provided access automatically.
    We have configured the following setting on Windows 7 client:
    1. Connect automatically when the network is in range is selected
    2. Please refer the attached screenshots for further configuration for Windows 7 Clients.
    On WLC: SSID --> Advanced Options --> We have disabled the “Enable Session Timeout” setting, but we still have "Client Exclusion" Enabled.
    When a computer is shutdown and brought back up within a few minutes the wireless credentials seem to stick, however, when the computer is shutdown for a period of overnight, the credentials are no longer cached and we have to re-authenticate to the wireless.
    Is this issue because of  "Client Exclusion" Enabled on the SSID/WLAN ?
    If not, can someone share the complete procedure to make sure that users local net user credentials will be cache.
    Thanks,
    Jagan

    Well you only can keep it connected for an x number of minutes. You will not be able to set it longer than a day.
    This means, I can't configure the WLC/Client to cache the credentials permanently? And everyday, they have to enter the credentials to access SSID?
    You can extend it up to 30 days, but you have to run v7.5.  After that, they will have to login again.
    Change the idle timer to about 2-4 hours and that should keep the client on the WLC DB. This will allow the client to go away for the number set and come back without having to login again.
    As you said, if I configure the WLC Idle Time for 2-4 hours, do the client have to provide credentials the next day when they access Wireless?
    Yes.  See my previous answer.
    Is there any other way via which this can be achieved? (The limitation is : client should be authenticated only with the WLC.)
    If you are looking for clients to login once and then never again, the answer is no.  You have two choices, you can use the new v7.5 and use the sleeping client feature which gives you max of 720 hours (30 days), or you use the idle timer and after the idle timer expires, the user will have to login.
    Thanks,
    Jagan
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • WLC - Aggressive Load Balancing?

    Hello,
    The Wireless LAN Network built is as follows -
    1. 1 x 4404 WLC
    2. 40 x LWAPP 1131AG Access Points
    3. Windows Clients used by the Laptop Clients.
    4. Only one Wireless VLAN across the Campus network - hence APs, WLC & Clients are all in one VLAN / IP Subnet.
    5. No Access Point Group is created.
    6. Aggressive Load Balancing is enabled allowing 15 Clients as max connection per Access Point.
    Problem facing -
    1. Tried configuring the Aggressive Loadbalancing allowing only 2 x Clients per AP. But noticed that the 3rd Client connecting to the same AP as of the previous 2 Clients have connected. 3rd client is not associating to a different AP which is nearby.
    Please can one help me, if i'm configuring & testing Aggressive Load Balancing in the right way!
    Regards,
    Keshava Raju

    AMR is on target. In fact I just completed 20 hours worth of testing with various clients with ALB for a white paper I am doing. Code 17 isn't honored by most clients and is only sent 1 time from the AP. The clients will continue to attempt to associate to the AP and the AP will allow them on.
    Here is a peek of my white paper "still in draft"
    WLC - Cisco WLC Aggressive Load Balancing; What is it and where did it go in 6.0!
    I've spent the majority of my WLC experience at code level 4.2. Not by choice really, more based on the fact that 4.2 is pretty darn stable and it is the only safe harbor to date for the Cisco WLC. Healthcare and Enterprise environments are typically slow to move on upgrades, especially when things are operating fine.
    Since my latest project involves the deployment of hundreds of Cisco 1142s @ location grade, it required that I move to later code to support the 1142 access points. After much research, conversations with our local Cisco Wireless SE, conversation with peers at other healthcare organizations, and direct contact with the aware team I had decided that 6.0.188.0 was a release that was of great interest.
    As I start to get familiar with the new code I am starting to see that things got moved around a little. One of the items is Aggressive Load Balancing. If you aren't familiar with Aggressive Load Balancing (ALB) you definitely need to be and let me share why.
    First let's look at what ALB is and how it works and then we will dive into the differences between the 4.2 code and the new options 6.0 gives us. ALB when enabled, allows the Cisco WLC to load balance wireless clients on access points that are joined to the same controller. "Key word here - same controller". You can configure the load balancing window globally in the controller. What is the load balancing window you ask? Well, it is the maximum number of clients that should be allowed on the access point BEFORE it will start to load balance.
    Let's assume for a moment you have an access point with 5 clients already attached. When client #6 sends an association request to the access point, the access point will kindly respond with an association response frame with the reason code of 17. The wireless client will see reason code 17 in the association response and will kindly find other access points to associate with. However, some devices will ignore this frame and yet still continue to try and associate to the access point. Note: The Cisco WLC will ONLY send 1 reassociation frame with a reason code of 17. It doesn't flood the medium / client with multiple frames.
    It's up to the client to honor this information and move on. But I can tell you from my experience and testing this isn't always the case.
    By default, 4.2 and 6.x both have a load balancing window of (5). Let's look at an example.
    The window setting controls when aggressive load-balancing starts. With a window setting of five, for example, all clients after the sixth client are load-balanced.
    I know, what is the reason code talk, right. Let's cover this as well. If you dive into the 802.11 frames you will see "Reason Codes". When a client sees the reason code of "17", it indicates to the client that the access point is busy and the client should look elsewhere.
    yada yada yada
    I will post the complete paper on my site: my80211.com in the next week or so ...
