Wireless 802.1X client exclusions timeout issues

[Jess Walczak]

We are experiencing the following issue and I am wondering what other folks
are doing regarding expired password client exclusion blacklisting on their
802.1X WLANs.  This is specifically about a Cisco environment, but others
may have knowledge about it (albeit with different vendor-specific
language).

Client(supplicant) connects to our 802.1X WLAN(SSID) and it fails
authentication 3 times because of an expired password.  It is now
blacklisted (for 60 seconds), during which time the client will usually
then try to associate with our open WLAN, but cannot join and then retries
associating with the secure WLAN once again, failing once again.  I think
we are mainly seeing this when a user's Active Directory password expires
without their knowledge.

Here is our environment:
Cisco 8510 WLCs running 8.0.121.0 code
Cisco ISE Version 1.4.0.253, Patch 3,5,6

There are some settings involved:
1.)"Client Exclusion Policy" (which under Security-->Wireless Protection
Policy) has 6 elements, all on by default; one of these is "Maximum
802.1x-AAA Failure Attempts" which is set to "3" by default, and gives a
range of "1-3".
2.)"Client Exclusion" (under WLANs-->Advanced) is set to "enabled" with a
timeout of 60 seconds.

The Client Exclusion Policy is a global setting, and you can enable it for
each WLAN or not, and pick the timeout in seconds (or 0 seconds, which
means it must be manually cleared by an admin).  My questions are whether
other folks are leaving this feature on, or have they shortened the
timeout, or have they disabled it altogether?

We have this enabled on both WLANs, even on the open one--and this wouldn't
seem to matter here, and perhaps is causing the client to be unable to
connect to this one as well, erroneously.  The timeout of 60 seconds seems
like an eternity for a wireless client, and I imagine this feature intends
to prevent a massive DoS or spoofing attack, except for we've seen iPhones
that can register 100's of thousands of failed login attempts in less than
an hour before our wireless overhaul, and our AD servers never even broke a
sweat.  Is it then perhaps for the safety of the wireless controller?

We've resolved this in some instances, even today, by "forgetting this
network" on the client and powering it off, then finding its session in
both ISE and the WLC and deleting them each, before powering the client
back up.  Then, it works flawlessly, once again.  Because of this, it seems
like this setting might be more of a nuisance than anything.

Any thoughts would be appreciated.  Thanks!--JW

Jess Walczak
Senior Network Analyst
Information Technology Services
jwwalc...@stthomas.edu
University of St. Thomas | stthomas.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

RE: [WIRELESS-LAN] Call for Posters and Demos: i-Society 2016 || October 10-13, 2016, Dublin, Ireland

[Lee H Badman]

David-

That’s three posts on the same topic, and we’re starting to get people 
concerned that you may send more.  We support your endeavors, but the multiple 
postings is a bit much for this particular user group.

Kind regards,

Lee Badman

Lee Badman | Network Architect (CWDP, CWNA, CWSP, Mobility+)
Information Technology Services
206 Machinery Hall
120 Smith Drive
Syracuse, New York 13244
t 315.443.3003   f 315.443.4325   e lhbad...@syr.edu w 
its.syr.edu
SYRACUSE UNIVERSITY
syr.edu

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Brown
Sent: Wednesday, June 01, 2016 9:22 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Call for Posters and Demos: i-Society 2016 || October 
10-13, 2016, Dublin, Ireland


Apologies for cross-postings. Please send it to interested
colleagues and students. Thanks!

CALL FOR POSTERS AND DEMOS!

**
International Conference on Information Society (i-Society 2016)
Technical Co-Sponsored by IEEE UK/RI Computer Chapter
10-13 October, 2016
Dublin, Ireland
www.i-society.eu
*
The i-Society 2016 encourages the submission of poster or demo proposals.
All the accepted posters and demos will be included in the conference 
proceedings.
Important Dates:
* Poster/Demo Proposal Submission: June 20, 2016
* Notification of Poster/Demo Acceptance: July 01, 2016

The topics in i-Society 2016 include but are not confined to the
following areas:

*New enabling technologies
- Internet technologies
- Wireless applications
- Mobile Applications
- Multimedia Applications
- Protocols and Standards
- Ubiquitous Computing
- Virtual Reality
- Human Computer Interaction
- Geographic information systems
- e-Manufacturing
*Intelligent data management
- Intelligent Agents
- Intelligent Systems
- Intelligent Organisations
- Content Development
- Data Mining
- e-Publishing and Digital Libraries
- Information Search and Retrieval
- Knowledge Management
- e-Intelligence
- Knowledge networks
*Secure Technologies
- Internet security
- Web services and performance
- Secure transactions
- Cryptography
- Payment systems
- Secure Protocols
- e-Privacy
- e-Trust
- e-Risk
- Cyber law
- Forensics
- Information assurance
- Mobile social networks
- Peer-to-peer social networks
- Sensor networks and social sensing
*e-Learning
- Collaborative Learning
- Curriculum Content Design and Development
- Delivery Systems and Environments
- Educational Systems Design
- e-Learning Organisational Issues
- Evaluation and Assessment
- Virtual Learning Environments and Issues
- Web-based Learning Communities
- e-Learning Tools
- e-Education
*e-Society
- Global Trends
- Social Inclusion
- Intellectual Property Rights
- Social Infonomics
- Computer-Mediated Communication
- Social and Organisational Aspects
- Globalisation and developmental IT
- Social Software
*e-Health
- Data Security Issues
- e-Health Policy and Practice
- e-Healthcare Strategies and Provision
- Medical Research Ethics
- Patient Privacy and Confidentiality
- e-Medicine
*e-Governance
- Democracy and the Citizen
- e-Administration
- Policy Issues
- Virtual Communities
*e-Business
- Digital Economies
- Knowledge economy
- eProcurement
- National and International Economies
- e-Business Ontologies and Models
- Digital Goods and Services
- e-Commerce Application Fields
- e-Commerce Economics
- e-Commerce Services
- Electronic Service Delivery
- e-Marketing
- Online Auctions and Technologies
- Virtual Organisations
- Teleworking
- Applied e-Business
- Electronic Data Interchange (EDI)
*e-Art
- Legal Issues
- Patents
- Enabling technologies and tools
*e-Science
- Natural sciences in digital society
- Biometrics
- Bioinformatics
- Collaborative research
*Industrial developments
- Trends in learning
- Applied research
- Cutting-edge technologies
* Research in progress
- Ongoing research from undergraduates, graduates/postgraduates and 
professionals
Poster or Demo submission:
You can submit your poster online at 
http://www.i-society.eu/#!paper-submission/l4ghv
or email it to post...@i-society.eu

For more details, please contact i...@i-society.eu or 
visit http://www.i-society.eu/#!blank/w0xcx
** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.

RE: [WIRELESS-LAN] Nyansa Voyance - thoughts?

[Norton, Thomas (IT Operations Admin)]

Hey Jeff,

Nyansa addressed security and privacy satisfactorily for us from the 
discussions and documentation provided. Being a POC it met the basic criteri,a 
Moving forward we will be vetting it further as we aim to complete a full 
deployment, we will want to validate we are still in compliance.  With that 
said I have listed some key bullet points below based on our discussions with 
them.

Some of the key highlights around security:

  *   Voyance doesn't send any packets to the cloud - They also document and 
share with customers, what exact metrics are sent to the cloud
  *   Data sent to the cloud is encrypted end to end over TLS
  *   Daily penetration testing by a third party - it's not the free service :)
  *   The company has strict and documented controls on who can access the data 
– From what we have seen and were told they employ digital certificates, two 
factor auth, have audit trails etc.
  *   The solution is hosted within AWS virtual private cloud (VPC)
  *   On the application security front they perform tests around things like 
SQL injection, cross-site scripting etc.
Here's a few bullets on privacy:

  *   All the raw data Nyansa collects and analyze belongs to our customers
  *   The company doesn't track or store access to non-business critical 
applications.
  *   If you discontinue use of the Voyance service; all data will be deleted 
after 30 days - you can also request to have this done sooner.


T.J. Norton
Sr. Wireless Network Engineer - Team Lead
Network Services - Wireless

(434) 592-6552

[http://www.liberty.edu/media/1616/40themail/wordmark-for-email.jpg]

Liberty University  |  Training Champions for Christ since 1971

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jeffrey D. Sessler
Sent: Thursday, May 26, 2016 2:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Nyansa Voyance - thoughts?

Bruce,

How did your campus address the privacy concerns with your community? Was the 
service already in compliance with existing policy, or did you have to engage 
Faculty/Staff/Students and get them to sign off?

Jeff

From: 
"wireless-lan@listserv.educause.edu" 
> 
on behalf of "bosbo...@liberty.edu" 
>
Reply-To: 
"wireless-lan@listserv.educause.edu" 
>
Date: Thursday, May 26, 2016 at 4:22 AM
To: 
"wireless-lan@listserv.educause.edu" 
>
Subject: Re: [WIRELESS-LAN] Nyansa Voyance - thoughts?

I would have expected the cost to be a stopping point for management here as 
well.

When management saw the benefits Voyance can provide, we now have plans to 
deploy on all our wireless network instead of the limited PoC we have now.

​

Bruce Osborne
Wireless Engineer
IT Network Services - Wireless

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971

From: McClintic, Thomas [mailto:thomas.mcclin...@uth.tmc.edu]
Sent: Wednesday, May 25, 2016 9:29 AM
Subject: Re: Nyansa Voyance - thoughts?

Ryan,

Thank you for bringing this into the discussion. The cost turned us away from 
it quickly. Adding a yearly line item in the budget, knowing that it will grow 
is not easy to justify.

I hope they review the pricing model. I too am interested in any information 
early adopters will share about actual pricing.

TJ McClintic
Network Architect

UTHealth | The University of Texas Health Science Center at Houston
Houston’s Health University

Communications Technology | Network Operations
7000 Fannin | Suite M60 | Houston, TX  77030
713.486.9269 netops | 713.486.2271 office



From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Turner, Ryan H
Sent: Wednesday, May 25, 2016 8:23 AM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Nyansa Voyance - thoughts?

I’m curious for those early adopters, how they were on cost.  Right now, 
according to what they have told me, their pricing for education for 2,500 
access points is 75,000 PER YEAR.  Now, we are going to be at 10,000 access 
points.   You can do the math.  They have indicated a willingness to talk about 
price, but I’m finding it hard to believe most shops are going to be 
accommodating to that pricing level.  Please feel free to contact me off list 
if you wish to share anything about your pricing.


Ryan Turner
Manager of Network Operations
ITS Communication Technologies
The University of North Carolina at Chapel Hill

r...@unc.edu
+1 919 445 

Call for Posters and Demos: i-Society 2016 || October 10-13, 2016, Dublin, Ireland

[David Brown]

Apologies for cross-postings. Please send it to interested colleagues and students. Thanks!CALL FOR POSTERS AND DEMOS!**International Conference on Information Society (i-Society 2016)Technical Co-Sponsored by IEEE UK/RI Computer Chapter10-13 October, 2016Dublin, Irelandwww.i-society.eu* The i-Society 2016 encourages the submission of poster or demo proposals. All the accepted posters and demos will be included in the conference proceedings.Important Dates:* Poster/Demo Proposal Submission: June 20, 2016   * Notification of Poster/Demo Acceptance: July 01, 2016The topics in i-Society 2016 include but are not confined to the following areas: *New enabling technologies - Internet technologies - Wireless applications - Mobile Applications - Multimedia Applications - Protocols and Standards - Ubiquitous Computing - Virtual Reality - Human Computer Interaction - Geographic information systems - e-Manufacturing *Intelligent data management - Intelligent Agents - Intelligent Systems - Intelligent Organisations - Content Development - Data Mining - e-Publishing and Digital Libraries - Information Search and Retrieval - Knowledge Management - e-Intelligence - Knowledge networks *Secure Technologies - Internet security - Web services and performance - Secure transactions - Cryptography - Payment systems - Secure Protocols - e-Privacy - e-Trust - e-Risk - Cyber law - Forensics - Information assurance - Mobile social networks - Peer-to-peer social networks - Sensor networks and social sensing *e-Learning - Collaborative Learning - Curriculum Content Design and Development - Delivery Systems and Environments - Educational Systems Design - e-Learning Organisational Issues - Evaluation and Assessment - Virtual Learning Environments and Issues - Web-based Learning Communities - e-Learning Tools - e-Education *e-Society - Global Trends - Social Inclusion - Intellectual Property Rights - Social Infonomics - Computer-Mediated Communication - Social and Organisational Aspects - Globalisation and developmental IT - Social Software *e-Health - Data Security Issues - e-Health Policy and Practice - e-Healthcare Strategies and Provision - Medical Research Ethics - Patient Privacy and Confidentiality - e-Medicine *e-Governance - Democracy and the Citizen - e-Administration - Policy Issues - Virtual Communities *e-Business - Digital Economies - Knowledge economy - eProcurement - National and International Economies - e-Business Ontologies and Models - Digital Goods and Services - e-Commerce Application Fields - e-Commerce Economics - e-Commerce Services - Electronic Service Delivery - e-Marketing - Online Auctions and Technologies - Virtual Organisations - Teleworking - Applied e-Business - Electronic Data Interchange (EDI) *e-Art - Legal Issues - Patents - Enabling technologies and tools *e-Science - Natural sciences in digital society - Biometrics - Bioinformatics - Collaborative research *Industrial developments - Trends in learning - Applied research - Cutting-edge technologies * Research in progress - Ongoing research from undergraduates, graduates/postgraduates and professionals Poster or Demo submission: You can submit your poster online at http://www.i-society.eu/#!paper-submission/l4ghvor email it to post...@i-society.euFor more details, please contact i...@i-society.eu or visit http://www.i-society.eu/#!blank/w0xcx
**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Call for Papers: i-Society 2016 || October 10-13, 2016, Dublin, Ireland

[David Brown]

Apologies for cross-postings. Please send it to interested colleagues and students. Thanks!Call for Papers!**International Conference on Information Society (i-Society 2016)Technical Co-Sponsored by IEEE UK/RI Computer Chapter10-13 October, 2016Dublin, Irelandwww.i-society.eu*Important Dates:*Research Paper, Student Paper, Case Study, Report Submission Date: June 20, 2016 *Notification of Research Paper, Student Paper, Case Study, Report Acceptance / Rejection: July 10, 2016 *Camera Ready Paper Due: August 15, 2016 *Conference Dates: October 10-13, 2016 The i-Society 2016 is Technical Co-Sponsored by UK/RI ComputerChapter. The i-Society is a global knowledge-enriched collaborative effort that has its roots from both academia and industry. The conference covers a wide spectrum of topics that relate to information society, which includes technical and non-technical research areas. The mission of i-Society 2016 conference is to provide opportunities for collaboration of professionals and researchers to share existing and generate new knowledge in the field of information society. The conference encapsulates the concept of interdisciplinary science that studies the societal and technological dimensions of knowledge evolution in digital society. The i-Society bridges the gap between academia and industry with regards to research collaboration and awareness of current development in secure information management in the digital society. The topics in i-Society 2016 include but are not confined to the following areas: *New enabling technologies - Internet technologies - Wireless applications - Mobile Applications - Multimedia Applications - Protocols and Standards - Ubiquitous Computing - Virtual Reality - Human Computer Interaction - Geographic information systems - e-Manufacturing *Intelligent data management - Intelligent Agents - Intelligent Systems - Intelligent Organisations - Content Development - Data Mining - e-Publishing and Digital Libraries - Information Search and Retrieval - Knowledge Management - e-Intelligence - Knowledge networks *Secure Technologies - Internet security - Web services and performance - Secure transactions - Cryptography - Payment systems - Secure Protocols - e-Privacy - e-Trust - e-Risk - Cyber law - Forensics - Information assurance - Mobile social networks - Peer-to-peer social networks - Sensor networks and social sensing *e-Learning - Collaborative Learning - Curriculum Content Design and Development - Delivery Systems and Environments - Educational Systems Design - e-Learning Organisational Issues - Evaluation and Assessment - Virtual Learning Environments and Issues - Web-based Learning Communities - e-Learning Tools - e-Education *e-Society - Global Trends - Social Inclusion - Intellectual Property Rights - Social Infonomics - Computer-Mediated Communication - Social and Organisational Aspects - Globalisation and developmental IT - Social Software *e-Health - Data Security Issues - e-Health Policy and Practice - e-Healthcare Strategies and Provision - Medical Research Ethics - Patient Privacy and Confidentiality - e-Medicine *e-Governance - Democracy and the Citizen - e-Administration - Policy Issues - Virtual Communities *e-Business - Digital Economies - Knowledge economy - eProcurement - National and International Economies - e-Business Ontologies and Models - Digital Goods and Services - e-Commerce Application Fields - e-Commerce Economics - e-Commerce Services - Electronic Service Delivery - e-Marketing - Online Auctions and Technologies - Virtual Organisations - Teleworking - Applied e-Business - Electronic Data Interchange (EDI) *e-Art - Legal Issues - Patents - Enabling technologies and tools *e-Science - Natural sciences in digital society - Biometrics - Bioinformatics - Collaborative research *Industrial developments - Trends in learning - Applied research - Cutting-edge technologies * Research in progress - Ongoing research from undergraduates, graduates/postgraduates and professionals  For more details, please visit www.i-society.eu 
**
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.