
To ALL:

I am running Cisco controllers version 7.4 code. I was looking at my controllers and I noticed a bunch of clients excluded for reason "unknown". These also have a timer of "n/a" so they would stay excluded forever. Since I don't normally look at the client exclusions I am not sure when this started. I was wondering if anyone else has seen this before? I deleted them all so we will see if they come back.

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

Hi Jerry,

In the controllers, you'll find under Security the settings for Client Exclusion options, these are global and come into play if enabled on a WLAN under advanced settings. If Client Exclusion is enabled on a WLAN, it will follow the settings under the global settings. There are like 6 of them, and they can cause all kinds of trouble. There is no adjustment to any sort of threshold; it's literally three strikes against whatever exclusion parameter is being hit and then the client is excluded for whatever time is specified under advanced settings of the WLAN (again, if enabled on the WLAN).

On 802.1x networks, I'd recommend excluding on failed 802.1x authentications but putting the timer at like 5 seconds. This will slow down DoS effects on RADIUS servers from misconfigured/unconfigured clients, but not shut out legit clients that sputter a bit in authing for whatever reason.

I've asked Cisco for more control over this, as the 3-strike value is just too low.

-Lee

Lee H. Badman
Network Architect/Wireless TME
ITS, Syracuse University
315.443.3003

Lee,

Thanks for the reply. We do have 802.1x failed auth timers and have had for a very long time. We used to take the default 60 seconds but I moved it up a couple of years ago to avoid load on our auth servers. But my issue is that this year we are seeing a "reason" of unknown with no timer, so once excluded it never goes away. I am pretty sure this is a bug because in normal circumstances the system would know why it excluded the client. Also the system would have some timer associated with it, a default of some sort.

On 3/2/2014 9:14 PM, Lee H Badman wrote:
> Hi Jerry,
>
> In the controllers, you'll find under Security the settings for Client Exclusion options, these are global and come into play if enabled on a WLAN under advanced settings. If Client Exclusion is enabled on a WLAN, it will follow the settings under the global settings. There are like 6 of them, and they can cause all kinds of trouble. There is no adjustment to any sort of threshold; it's literally three strikes against whatever exclusion parameter is being hit and then the client is excluded for whatever time is specified under advanced settings of the WLAN (again, if enabled on the WLAN).
>
> On 802.1x networks, I'd recommend excluding on failed 802.1x authentications but putting the timer at like 5 seconds. This will slow down DoS effects on RADIUS servers from misconfigured/unconfigured clients, but not shut out legit clients that sputter a bit in authing for whatever reason.

Ah- now I gotcha, Jerry. I've neither seen nor heard of that one. Have you dug around in the Cisco support community forums? Seems to be a lot of info there that doesn't otherwise make it to the light of day. -Lee