Thanks Michael- I did find out that others have asked for a configurable value on the number of failed auth attempts. An enhancement bug can be followed here:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCto15912 three failures may be too aggressive for some environments. I'd like to see it configured for a few hundred failed auth attempts, then permanent exclusion. -Lee Lee H. Badman Network Architect/Wireless TME Information Technology and Services (ITS) Syracuse University 315 443-3003 From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Dorshimer, Michael Sent: Monday, October 22, 2012 8:48 AM To: [email protected] Subject: Re: [WIRELESS-LAN] Auth failure options? Reference the following link for Layer 1 Security Solutions on your controllers. Client Exclusion Policies should be enabled by default but you may want to try increasing their per-WLAN timeout value. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807f42e9.shtml#diag Michael Dorshimer Network Administrator Shippensburg University From: Lee H Badman <[email protected]<mailto:[email protected]>> Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv <[email protected]<mailto:[email protected]>> Date: Saturday, October 20, 2012 7:42 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: [WIRELESS-LAN] Auth failure options? Just posted this on Cisco discussion forum, curious if anyone else has pondered it: I have around 16k wireless clients at peek on my WLAN, all doing 802.1x with latest ACS and things are generally fine. But also have hundreds of misconfigured smartphones where WiFi is on, but users don't really care if they hit my wireless network from them and these can frequently overwhelm ACS with hundreds of thousands of auth failures that have to be processed. Is there any way between controllers and ACS to say after X failed auth attempts that a client is moved to another vlan ( dead end) or auth attempts get suspended for a while, or that client device is forcibly blocked at L2, or anything that could tame the condition automatically? On wired 802.1x, you can do an auth failure vlan that a client lands in after x failed attempts at auth. Not quite seeing it on wireless yet in docs, but would be handy for the misconfigured handhelds that are clobbering ACS with as many as 50K+ plus failed attempts, each, daily. Or even alerting out of ACS would good if some device exceeded an insane auth failure threshold so they could be manually blocked, but not optimal ( or possible, probably) Lee Badman ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
