Re: [WIRELESS-LAN] Wireless 802.1X client exclusions timeout issues

2016-06-07 Thread James Michael Keller


On 06/06/2016 10:24 PM, Kanan E Simpson wrote:
>
> We have it enabled and are using the default settings as well. In our
> environment, it keeps the forgotten iPad or wireless device over in
> the corner from locking out the user AD account. We have situations
> where a password will expire and/or the user will change their AD
> password and forget to change it on other wireless devices. This
> normally will lock out their AD account and then they are not able to
> connect via other devices. It also stops the constant spamming.
>
> Kanan Simpson
>
> Valdosta State University
>
> 

I've used a similar strategy on Aruba: I have failed logins set lower
than the AD failed login limit, and the blacklist timer is just longer
than the AD account lockout timer. This lets the wireless system shun
the offending devices before triggering a lockout. I have noticed that
BlackBerry gets this right and will stop trying to associate and
indicate to the user that the password on the SSID profile needs to be
updated. I see a lot of Android just continue to bang away constantly
and get re-banned.

-James

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
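The tuning James describes (controller gives up on a device before the directory would, and keeps it off the air until the directory's bad-password counter has reset) can be checked with a small model of the two throttles. This is an added example, not code from James, Aruba, Cisco or Microsoft; the exclusion and lockout values (3 failures, 60 s or 31 min exclusion; 5 bad passwords, 30-minute window and lockout) are assumed for illustration, and the account-lockout logic is the generic counter-and-window semantics, not a transcript of how AD tracks badPwdCount across domain controllers.

```python
"""Model of a stale-credential Wi-Fi client against two independent throttles:
the controller's client-exclusion policy (max 802.1X/AAA failures, exclusion
timeout) and the directory's account-lockout policy (threshold, observation
window, lockout duration).  Added example: it models the policy semantics
discussed in the thread, not any vendor's implementation, and every parameter
value used below is constructed for illustration."""

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExclusionPolicy:
    """Controller side: after max_failures consecutive AAA failures the
    client MAC is excluded (blacklisted) for timeout_s seconds."""
    max_failures: int
    timeout_s: float


@dataclass(frozen=True)
class LockoutPolicy:
    """Directory side: `threshold` bad passwords inside one observation
    window lock the account for duration_s seconds; the bad-password counter
    resets once window_s seconds pass with no further failure."""
    threshold: int
    window_s: float
    duration_s: float


@dataclass
class Account:
    bad_count: int = 0
    last_bad_at: float = float("-inf")
    locked_until: float = float("-inf")

    def bad_password(self, now: float, pol: LockoutPolicy) -> None:
        if now - self.last_bad_at > pol.window_s:
            self.bad_count = 0            # observation window expired
        self.bad_count += 1
        self.last_bad_at = now
        if self.bad_count >= pol.threshold:
            self.locked_until = now + pol.duration_s

    def is_locked(self, now: float) -> bool:
        return now < self.locked_until


def shields_lockout(excl: ExclusionPolicy, lock: LockoutPolicy) -> bool:
    """James's tuning rule: the controller must give up on a device before
    the directory would, and keep it off the air until the directory's
    counter has reset."""
    return excl.max_failures < lock.threshold and excl.timeout_s > lock.window_s


def simulate(excl: ExclusionPolicy, lock: LockoutPolicy,
             retry_s: float, horizon_s: float) -> dict:
    """Run a device that retries a wrong password every retry_s seconds
    whenever it is not excluded.  Returns how many attempts reached the
    directory and when (if ever) the account first locked."""
    acct = Account()
    now = 0.0
    consecutive = 0
    excluded_until = float("-inf")
    attempts = 0
    first_lock_at: Optional[float] = None
    while now < horizon_s:
        if now < excluded_until:
            now = excluded_until      # controller drops the client; AD sees nothing
            continue
        attempts += 1
        acct.bad_password(now, lock)
        if first_lock_at is None and acct.is_locked(now):
            first_lock_at = now
        consecutive += 1
        if consecutive >= excl.max_failures:
            excluded_until = now + excl.timeout_s
            consecutive = 0
        now += retry_s
    return {"attempts_to_ad": attempts, "locked": first_lock_at is not None,
            "first_lock_at": first_lock_at}


if __name__ == "__main__":
    ad = LockoutPolicy(threshold=5, window_s=30 * 60, duration_s=30 * 60)  # assumed values
    for label, wlc in [("60 s exclusion, 3 failures", ExclusionPolicy(3, 60)),
                       ("31 min exclusion, 3 failures", ExclusionPolicy(3, 31 * 60))]:
        r = simulate(wlc, ad, retry_s=1.0, horizon_s=3600)
        print(f"{label}: rule satisfied={shields_lockout(wlc, ad)}, "
              f"attempts reaching AD={r['attempts_to_ad']}, locked={r['locked']}")
```

With a 60-second exclusion the device comes back while the directory is still counting, so three failures plus two more after the exclusion expires lock the account at the fifth attempt; with an exclusion longer than the observation window the counter has reset each time the device returns, and the account never locks even though the device keeps retrying for the whole hour.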



Re: [WIRELESS-LAN] Wireless 802.1X client exclusions timeout issues

2016-06-02 Thread Dennis Xu
We have Cisco WISM2 controllers with client exclusion enabled at 30 seconds.
From time to time, I do see some users in the blacklist but we never need to
remove them manually. And I don't recall anyone ever calling us for being
blacklisted.


Dennis Xu, MASc, CCIE #13056 
Analyst 3, Network Infrastructure 
Computing and Communications Services(CCS) 
University of Guelph 

519-824-4120 Ext 56217 
d...@uoguelph.ca 
www.uoguelph.ca/ccs 

- Original Message -

From: "Mike Atkins" <matk...@nd.edu> 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Sent: Thursday, June 2, 2016 6:57:03 AM 
Subject: Re: [WIRELESS-LAN] Wireless 802.1X client exclusions timeout issues 



We have Cisco 8510 controllers with client exclusion enabled at the default 60 
seconds. We are using Microsoft NPS for authentication. When students are on 
campus I only see a couple devices in the excluded clients list for each 
controller. We left client exclusion on our open guest SSID as well. 

Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210

   .__o
   - _-\_<,
   ---  (*)/'(*)


From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU ] On Behalf Of Jess Walczak 
Sent: Thursday, June 02, 2016 12:17 AM 
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU 
Subject: [WIRELESS-LAN] Wireless 802.1X client exclusions timeout issues 
We are experiencing the following issue and I am wondering what other folks are 
doing regarding expired password client exclusion blacklisting on their 802.1X 
WLANs. This is specifically about a Cisco environment, but others may have 
knowledge about it (albeit with different vendor-specific language). 
Client(supplicant) connects to our 802.1X WLAN(SSID) and it fails 
authentication 3 times because of an expired password. It is now blacklisted 
(for 60 seconds), during which time the client will usually then try to 
associate with our open WLAN, but cannot join and then retries associating with 
the secure WLAN once again, failing once again. I think we are mainly seeing 
this when a user's Active Directory password expires without their knowledge. 

Here is our environment:

Cisco 8510 WLCs running 8.0.121.0 code
Cisco ISE Version 1.4.0.253, Patch 3,5,6

There are some settings involved:

1.) "Client Exclusion Policy" (which is under Security-->Wireless Protection
Policy) has 6 elements, all on by default; one of these is "Maximum 802.1x-AAA
Failure Attempts" which is set to "3" by default, and gives a range of "1-3".
2.) "Client Exclusion" (under WLANs-->Advanced) is set to "enabled" with a
timeout of 60 seconds.

The Client Exclusion Policy is a global setting, and you can enable it for each
WLAN or not, and pick the timeout in seconds (or 0 seconds, which means it must
be manually cleared by an admin). My questions are whether other folks are
leaving this feature on, or have they shortened the timeout, or have they
disabled it altogether?

We have this enabled on both WLANs, even on the open one--and this wouldn't
seem to matter here, and perhaps is causing the client to be unable to connect
to this one as well, erroneously. The timeout of 60 seconds seems like an
eternity for a wireless client, and I imagine this feature intends to prevent a
massive DoS or spoofing attack, except that we've seen iPhones that can register
hundreds of thousands of failed login attempts in less than an hour before our
wireless overhaul, and our AD servers never even broke a sweat. Is it then
perhaps for the safety of the wireless controller?


We've resolved this in some instances, even today, by "forgetting this network" 
on the client and powering it off, then finding its session in both ISE and the 
WLC and deleting them each, before powering the client back up. Then, it works 
flawlessly, once again. Because of this, it seems like this setting might be 
more of a nuisance than anything. 

Any thoughts would be appreciated. Thanks!--JW

Jess Walczak 
Senior Network Analyst 
Information Technology Services 
jwwalc...@stthomas.edu 
University of St. Thomas | stthomas.edu 



RE: [WIRELESS-LAN] Wireless 802.1X client exclusions timeout issues

2016-06-02 Thread Mike Atkins
We have Cisco 8510 controllers with client exclusion enabled at the default
60 seconds.  We are using Microsoft NPS for authentication.  When students
are on campus I only see a couple devices in the excluded clients list for
each controller.  We left client exclusion on our open guest SSID as well.

Mike Atkins
Network Engineer
Office of Information Technology
University of Notre Dame
Phone: 574-631-7210

   .__o
   - _-\_<,
   ---  (*)/'(*)




From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Jess Walczak
Sent: Thursday, June 02, 2016 12:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless 802.1X client exclusions timeout issues



We are experiencing the following issue and I am wondering what other folks
are doing regarding expired password client exclusion blacklisting on their
802.1X WLANs.  This is specifically about a Cisco environment, but others
may have knowledge about it (albeit with different vendor-specific
language).

Client(supplicant) connects to our 802.1X WLAN(SSID) and it fails
authentication 3 times because of an expired password.  It is now
blacklisted (for 60 seconds), during which time the client will usually
then try to associate with our open WLAN, but cannot join and then retries
associating with the secure WLAN once again, failing once again.  I think
we are mainly seeing this when a user's Active Directory password expires
without their knowledge.

Here is our environment:

Cisco 8510 WLCs running 8.0.121.0 code

Cisco ISE Version 1.4.0.253, Patch 3,5,6



There are some settings involved:

1.) "Client Exclusion Policy" (which is under Security-->Wireless Protection
Policy) has 6 elements, all on by default; one of these is "Maximum
802.1x-AAA Failure Attempts" which is set to "3" by default, and gives a
range of "1-3".
2.)"Client Exclusion" (under WLANs-->Advanced) is set to "enabled" with a
timeout of 60 seconds.

The Client Exclusion Policy is a global setting, and you can enable it for
each WLAN or not, and pick the timeout in seconds (or 0 seconds, which
means it must be manually cleared by an admin).  My questions are whether
other folks are leaving this feature on, or have they shortened the
timeout, or have they disabled it altogether?

We have this enabled on both WLANs, even on the open one--and this wouldn't
seem to matter here, and perhaps is causing the client to be unable to
connect to this one as well, erroneously.  The timeout of 60 seconds seems
like an eternity for a wireless client, and I imagine this feature intends
to prevent a massive DoS or spoofing attack, except that we've seen iPhones
that can register hundreds of thousands of failed login attempts in less than
an hour before our wireless overhaul, and our AD servers never even broke a
sweat.  Is it then perhaps for the safety of the wireless controller?

We've resolved this in some instances, even today, by "forgetting this
network" on the client and powering it off, then finding its session in
both ISE and the WLC and deleting them each, before powering the client
back up.  Then, it works flawlessly, once again.  Because of this, it seems
like this setting might be more of a nuisance than anything.



Any thoughts would be appreciated.  Thanks!--JW

Jess Walczak
Senior Network Analyst
Information Technology Services
jwwalc...@stthomas.edu
University of St. Thomas | stthomas.edu

**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
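Jess's scenario (one device with an expired password failing three times, getting excluded, coming back and failing again) leaves a distinctive trace in AAA failure logs: one account, one MAC, a burst of bad-password failures that resumes after every exclusion period, while a user who simply mistypes tends to fail from several devices a few times each. The script below, an added example and not part of any poster's setup or of Cisco ISE, picks that signature out of failure records so the helpdesk can reach the user before the exclusion/lockout churn starts. The log format it parses is constructed for the example (key=value fields in the spirit of a RADIUS failure record) and is not the real ISE or WLC syslog layout; the default of six failures in thirty minutes is an assumed threshold meaning "the device has already been through two exclusion cycles and is still wrong".

```python
"""Spot stale-credential Wi-Fi devices from AAA failure records before the
exclusion/lockout cycle escalates.  Added example: the log lines and their
format are constructed for illustration, not the real ISE or WLC syslog."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<iso timestamp> AUTH_FAIL user=<u> mac=<m> reason=<r>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) AUTH_FAIL user=(?P<user>\S+) "
    r"mac=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) reason=(?P<reason>\S+)$"
)

# Constructed sample: jdoe's first device fails 3 times, is excluded, returns
# and fails 3 more times; asmith fails once from each of two devices.
SAMPLE_LOG = """\
2016-06-02T00:10:01 AUTH_FAIL user=jdoe mac=aa:bb:cc:dd:ee:01 reason=bad_password
2016-06-02T00:10:02 AUTH_FAIL user=jdoe mac=aa:bb:cc:dd:ee:01 reason=bad_password
2016-06-02T00:10:03 AUTH_FAIL user=jdoe mac=aa:bb:cc:dd:ee:01 reason=bad_password
2016-06-02T00:10:04 EXCLUDE mac=aa:bb:cc:dd:ee:01 seconds=60
2016-06-02T00:11:05 AUTH_FAIL user=jdoe mac=aa:bb:cc:dd:ee:01 reason=bad_password
2016-06-02T00:11:06 AUTH_FAIL user=jdoe mac=aa:bb:cc:dd:ee:01 reason=bad_password
2016-06-02T00:11:07 AUTH_FAIL user=jdoe mac=aa:bb:cc:dd:ee:01 reason=bad_password
2016-06-02T00:12:30 AUTH_FAIL user=asmith mac=aa:bb:cc:dd:ee:42 reason=bad_password
2016-06-02T00:12:31 AUTH_FAIL user=jdoe mac=aa:bb:cc:dd:ee:02 reason=cert_expired
2016-06-02T00:30:00 AUTH_FAIL user=asmith mac=aa:bb:cc:dd:ee:43 reason=bad_password
"""


def parse_failures(text):
    """Return (timestamp, user, mac, reason) tuples for well-formed AUTH_FAIL
    lines; other record types and malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["mac"], m["reason"]))
    return events


def stale_credential_devices(events, min_failures=6, window=timedelta(minutes=30)):
    """Return {(user, mac): peak_count} for devices that produced at least
    min_failures bad_password failures for the same account inside any
    sliding window of the given length.  Only password failures count: a
    device with an expired certificate is a different problem."""
    by_key = defaultdict(list)
    for ts, user, mac, reason in events:
        if reason == "bad_password":
            by_key[(user, mac)].append(ts)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        peak = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_failures:
            flagged[key] = peak
    return flagged


def devices_per_user(events):
    """Return {user: number of distinct failing MACs}: one stale device looks
    different from a person mistyping on several devices."""
    macs = defaultdict(set)
    for _, user, mac, _ in events:
        macs[user].add(mac)
    return {u: len(s) for u, s in macs.items()}


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    spread = devices_per_user(evts)
    for (user, mac), n in stale_credential_devices(evts).items():
        print(f"{user}: {n} bad-password failures from {mac} "
              f"({spread[user]} device(s) failing for this account)")
```

Running it on the sample flags only jdoe's first device; asmith's two single failures and jdoe's certificate failure on a second device fall through, which is the distinction a helpdesk needs when deciding whom to call and which device to ask about.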