RE: rules for mis-behaving wireless clients

2019-11-20 Thread Enfield, Chuck
We're an Aruba shop.  We "blacklist" client devices that fail three consecutive 
auths for a period of 15 seconds.  The thinking is that if you fail three times 
you need to do "something" to fix it and that something will take longer than 
15 seconds.  We think this approach is transparent to the user.  It doesn't 
eliminate all the bad traffic, but when you consider that a client with a saved 
bad credential can fail authentication between three and ten times a second you 
can see that it significantly reduces it.

We used to blacklist for 60 seconds.  Our reasoning was the same, but what we 
figured out was that some users fixed their problem in less than 60 seconds and 
were still blacklisted when they tried again.  This led them to believe, 
falsely, that their fix didn't work.  We've seen no adverse consequences to the 
15 second blacklist since making that change.

Chuck

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Hales, David
Sent: Wednesday, November 20, 2019 12:21 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] rules for mis-behaving wireless clients

Our wireless authentication system came with a default that would lock out 
clients that failed 10 authentication attempts in a row for an hour.  It caused 
some pretty heavy helpdesk hate.  If the lockout doesn't come with some way of 
notifying the user that they're locked out and how long the lockout lasts, I'd 
recommend keeping the lockout time fairly short.  We moved ours to 10 minutes 
and it doesn't cause very much trouble for us now.  Making sure the 1st line of 
support (helpdesk) knows how it works is critical to easing aggravation levels 
from customers.

David Hales
Network Systems Administrator
Information Technology Services
1010 N. Peachtree
Clement Hall 117
Cookeville, TN 38505
P 931-372-3983
F 931-372-6130
E dha...@tntech.edu
www.tntech.edu/its


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Joseph M. Karam
Sent: Wednesday, November 20, 2019 11:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] rules for mis-behaving wireless clients




Hello Everyone,

Are there any general recommendations/best practices on rules for misconfigured 
wireless devices for connecting to your wireless infrastructure?  For example, 
we have many mis-configured eduroam clients that are just continually sending 
authentication requests.  We would like to define a rule in our wireless 
infrastructure that says something like, "if the device failed authentication 
20 times in 1 minute, do not allow it to authenticate again for 10 minutes".
 Has anyone had good or bad experiences with defining these types of policies?

Thank you,

Joe




RE: rules for mis-behaving wireless clients

2019-11-20 Thread Hales, David
Our wireless authentication system came with a default that would lock out 
clients that failed 10 authentication attempts in a row for an hour.  It caused 
some pretty heavy helpdesk hate.  If the lockout doesn't come with some way of 
notifying the user that they're locked out and how long the lockout lasts, I'd 
recommend keeping the lockout time fairly short.  We moved ours to 10 minutes 
and it doesn't cause very much trouble for us now.  Making sure the 1st line of 
support (helpdesk) knows how it works is critical to easing aggravation levels 
from customers.

David Hales
Network Systems Administrator
Information Technology Services
1010 N. Peachtree
Clement Hall 117
Cookeville, TN 38505
P 931-372-3983
F 931-372-6130
E dha...@tntech.edu
www.tntech.edu/its


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Joseph M. Karam
Sent: Wednesday, November 20, 2019 11:17 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] rules for mis-behaving wireless clients




Hello Everyone,

Are there any general recommendations/best practices on rules for misconfigured 
wireless devices for connecting to your wireless infrastructure?  For example, 
we have many mis-configured eduroam clients that are just continually sending 
authentication requests.  We would like to define a rule in our wireless 
infrastructure that says something like, "if the device failed authentication 
20 times in 1 minute, do not allow it to authenticate again for 10 minutes".
 Has anyone had good or bad experiences with defining these types of policies?

Thank you,

Joe



**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
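
Added example (not part of any message in this thread): a small simulation of the blacklist rules quoted above, comparing how many failed auths reach the authentication server and how long a user who has fixed the credential still waits. The retry rate (5 per second, inside the 3 to 10 per second range mentioned), the 40-second fix time, and the assumption that blacklisted attempts never reach the auth server are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Policy:
    name: str
    threshold: int            # failures that trigger the blacklist
    window_ms: Optional[int]  # None = consecutive failures, no time window
    lockout_ms: int           # how long the client is then ignored

# Thresholds and durations as quoted in the thread.
POLICIES = [
    Policy("3 consecutive -> 15 s", 3, None, 15_000),
    Policy("3 consecutive -> 60 s", 3, None, 60_000),
    Policy("10 consecutive -> 10 min", 10, None, 600_000),
    Policy("10 consecutive -> 1 h", 10, None, 3_600_000),
    Policy("20 in 1 min -> 10 min", 20, 60_000, 600_000),
]

def simulate(policy, interval_ms=200, fixed_at_ms=40_000, horizon_ms=7_200_000):
    """Return (failed auths that reached the auth server, ms at which the
    corrected client finally authenticates, or None within the horizon)."""
    failures, blocked_until, reached = [], 0, 0
    for t in range(0, horizon_ms, interval_ms):
        if t < blocked_until:
            continue                      # dropped while blacklisted (assumed)
        if t >= fixed_at_ms:
            return reached, t             # good credential, not blacklisted
        reached += 1
        if policy.window_ms is not None:  # keep only failures inside the window
            failures = [x for x in failures if t - x < policy.window_ms]
        failures.append(t)
        if len(failures) >= policy.threshold:
            blocked_until, failures = t + policy.lockout_ms, []
    return reached, None

def report():
    """(policy name, failed auths seen by server, seconds waited after the fix)."""
    rows = []
    for p in POLICIES:
        reached, online = simulate(p)
        rows.append((p.name, reached, (online - 40_000) / 1000))
    return rows

if __name__ == "__main__":
    print("no blacklist: 200 failed auths reach the server in 40 s")
    for name, reached, wait_s in report():
        print(f"{name:26} failed auths: {reached:3}  wait after fix: {wait_s:7.1f} s")
```

Under these assumptions the 15-second rule cuts 200 failed auths to 9 and leaves the user waiting about 6 seconds after the fix, while the 60-second rule leaves a 20-second wait.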
