
Just posted this on Cisco discussion forum, curious if anyone else has pondered it:

I have around 16k wireless clients at peak on my WLAN, all doing 802.1x with latest ACS and things are generally fine. But also have hundreds of misconfigured smartphones where WiFi is on, but users don't really care if they hit my wireless network from them, and these can frequently overwhelm ACS with hundreds of thousands of auth failures that have to be processed. Is there any way between controllers and ACS to say after X failed auth attempts that a client is moved to another vlan (dead end) or auth attempts get suspended for a while, or that client device is forcibly blocked at L2, or anything that could tame the condition automatically?

On wired 802.1x, you can do an auth failure vlan that a client lands in after x failed attempts at auth. Not quite seeing it on wireless yet in docs, but would be handy for the misconfigured handhelds that are clobbering ACS with as many as 50K+ failed attempts, each, daily.

Or even alerting out of ACS would be good if some device exceeded an insane auth failure threshold so they could be manually blocked, but not optimal (or possible, probably).

Lee Badman

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Message from mrdorshimer@ship.edu

Reference the following link for Layer 1 Security Solutions on your controllers. Client Exclusion Policies should be enabled by default but you may want to try increasing their per-WLAN timeout value.


Michael Dorshimer

Network Administrator

Shippensburg University


From: Lee H Badman <lhbadman@SYR.EDU>
Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Date: Saturday, October 20, 2012 7:42 AM
To: "WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU" <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: [WIRELESS-LAN] Auth failure options?


Thanks Michael - I did find out that others have asked for a configurable value on the number of failed auth attempts. An enhancement bug can be followed here:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCto15912

Three failures may be too aggressive for some environments. I'd like to see it configured for a few hundred failed auth attempts, then permanent exclusion.

-Lee

Lee H. Badman

Network Architect/Wireless TME

Information Technology and Services (ITS)

Syracuse University

315 443-3003

If you use Aruba, you can blacklist clients after x failed attempts to authenticate.

Marcelo Lew

Wireless Enterprise Administrator

University Technology Services

University of Denver

Desk: (303) 871-6523

Cell: (303) 669-4217

Fax:  (303) 871-5900

Email: mlew@du.edu

Well. I better switch right over to Aruba then.

:)



On Oct 22, 2012, at 17:15, "Marcelo Lew" <Marcelo.Lew@DU.EDU> wrote:

If you use Aruba, you can blacklist clients after x failed attempts to authenticate.

Welcome to Aruba, Lee. :)

By default the blacklist time is 60 minutes, so either you can have job security blacklisting clients, or you can change the default value.

Bruce Osborne

Network Engineer

IT Network Services

(434) 592-4229

LIBERTY UNIVERSITY

Training Champions for Christ since 1971

Actually, this timer is configurable in Cisco. It's the number of consecutive failures before exclusion is invoked that is not (but needs to be), as the default of excluding on the fourth invalid auth can be waaaay too aggressive depending on what's going on with a client.
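The two knobs the thread argues over, the per-WLAN exclusion timeout Michael points at and the consecutive-failure count Lee wants made configurable, can be replayed against a synthetic stream of 802.1X results to see what each setting actually does to the RADIUS server's request load and to an ordinary user who mistypes a password. The following is an added example, not code from any poster, Cisco or Aruba. The event tuples, the MAC address, the 5-second retry interval and the policy values are constructed, and the exclusion semantics used here (the controller drops a client's attempts until the timer expires, then resets its failure counter) are an assumption standing in for whatever a particular controller actually implements.

```python
"""Replay 802.1X auth results through a model client-exclusion policy.

Added example for this thread; not code from Cisco, Aruba or any poster.
All events and policy numbers below are constructed. The policy semantics
(drop attempts at the controller while excluded, reset the streak when the
timer expires) are an assumption, not a description of any vendor's product.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ExclusionPolicy:
    """consecutive_failures=0 disables exclusion entirely;
    exclusion_seconds=float('inf') models a permanent block."""
    consecutive_failures: int
    exclusion_seconds: float


def retrying_client(mac, duration_s, interval_s):
    """A misconfigured handset that fails auth every interval_s seconds for
    duration_s seconds. Constructed synthetic data, not a real capture."""
    return [(t, mac, False) for t in range(0, duration_s, interval_s)]


def apply_policy(events, policy):
    """Replay (timestamp, mac, success) events through the policy.

    Returns {mac: {"forwarded", "failed", "blocked", "exclusions"}} where
    "forwarded" counts attempts that reached the RADIUS server and "blocked"
    counts attempts the controller dropped while the client was excluded.
    """
    streak = defaultdict(int)   # consecutive failures per client
    excluded_until = {}         # mac -> time the exclusion expires
    stats = defaultdict(lambda: {"forwarded": 0, "failed": 0,
                                 "blocked": 0, "exclusions": 0})
    for ts, mac, ok in sorted(events):
        if mac in excluded_until:
            if ts < excluded_until[mac]:
                stats[mac]["blocked"] += 1      # never reaches ACS
                continue
            del excluded_until[mac]             # timer expired: clean slate
            streak[mac] = 0
        stats[mac]["forwarded"] += 1
        if ok:
            streak[mac] = 0
            continue
        stats[mac]["failed"] += 1
        streak[mac] += 1
        if policy.consecutive_failures and streak[mac] >= policy.consecutive_failures:
            excluded_until[mac] = ts + policy.exclusion_seconds
            stats[mac]["exclusions"] += 1
    return dict(stats)


def clients_over_threshold(stats, max_failures):
    """Lee's fallback idea: flag clients whose forwarded failures reach an
    insane number so they can be blocked by hand."""
    return sorted(mac for mac, s in stats.items() if s["failed"] >= max_failures)


def forwarded_total(stats):
    """Requests the RADIUS server actually had to process."""
    return sum(s["forwarded"] for s in stats.values())


if __name__ == "__main__":
    # One handset failing every 5 s for an hour, plus a user who gets the
    # password wrong three times and right on the fourth try.
    handset = "aa:bb:cc:00:00:01"          # constructed address
    events = retrying_client(handset, 3600, 5)
    events += [(0, "legit", False), (5, "legit", False),
               (10, "legit", False), (15, "legit", True)]
    policies = {
        "no exclusion": ExclusionPolicy(0, 0),
        "3 failures, 60 s": ExclusionPolicy(3, 60),
        "3 failures, 600 s": ExclusionPolicy(3, 600),
        "300 failures, permanent": ExclusionPolicy(300, float("inf")),
    }
    for name, pol in policies.items():
        st = apply_policy(events, pol)
        print(f"{name:24s} forwarded to ACS: {forwarded_total(st):4d}  "
              f"legit user's correct attempt blocked: {st['legit']['blocked']}")
    print("over 100 failures/hour:",
          clients_over_threshold(apply_policy(events, policies["no exclusion"]), 100))
```

With these constructed inputs the handset alone sends 720 failures to the RADIUS server with no policy, 156 with three failures and a 60-second exclusion, 18 with three failures and a 600-second exclusion, and exactly 300 followed by a permanent block with Lee's preferred setting. The three-failure variants also drop the legitimate user's correct fourth attempt, which is the over-aggressiveness Lee's last post complains about, while the 300-failure setting leaves that user untouched and still caps the handset.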