Lee,
Thanks for the reply. We do have 802.1x failed auth timers and have
had for a very long time. We used to take the default 60 seconds but I
moved it up a couple years ago to avoid load on our auth servers.
But my issue is that this year we are seeing a "reason" of unknown with
no timer so once excluded it never goes away. I am pretty sure this is
a bug because in normal circumstances the system would know why it
excluded the client. Also the system would have some timer associated
with it, a default of some sort.
On 3/2/2014 9:14 PM, Lee H Badman wrote:
Hi Jerry,
In the controllers, you'll find under Security the settings for Client
Exclusion options; these are global and come into play if enabled on a WLAN
under advanced settings. If Client Exclusion is enabled on a WLAN, it will
follow the settings under the global settings. There are like 6 of them, and
they can cause all kinds of trouble. There is no adjustment to any sort of
threshold; it's literally three strikes against whatever exclusion parameter is
being hit and then the client is excluded for whatever time is specified under
advanced settings of the WLAN (again, if enabled on the WLAN).
On 802.1x networks, I'd recommend excluding on failed 802.1x authentications
but putting the timer at like 5 seconds. This will slow down DoS effects on
RADIUS servers from misconfigured/unconfigured clients, but not shut out legit
clients that sputter a bit in authing for whatever reason.
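The three-strikes exclusion Lee describes, and the no-timer exclusion Jerry reports, as an added model that is not code from the thread or from the controller vendor: a minimal simulation of per-WLAN client exclusion. The trigger names, the strike limit as a constant, the MAC addresses and the timeout values are assumed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

STRIKE_LIMIT = 3  # "three strikes", as described in the thread (assumed constant)


@dataclass
class ExclusionRecord:
    reason: str
    excluded_at: float
    timeout: Optional[float]  # seconds; None models an exclusion with no timer

    def expires_at(self) -> Optional[float]:
        # An entry without a timeout has no expiry and can never age out.
        return None if self.timeout is None else self.excluded_at + self.timeout


@dataclass
class WlanExclusionPolicy:
    enabled_reasons: Set[str]     # triggers enabled on this WLAN, e.g. {"802.1x-auth"}
    timeout: float                # WLAN-level exclusion timeout in seconds
    strikes: Dict[str, Dict[str, int]] = field(default_factory=dict)
    excluded: Dict[str, ExclusionRecord] = field(default_factory=dict)

    def record_failure(self, mac: str, reason: str, now: float) -> Optional[ExclusionRecord]:
        """Count one failure; exclude the client on the third strike for an enabled trigger."""
        if reason not in self.enabled_reasons:
            return None  # trigger not enabled on this WLAN: nothing counted
        per_mac = self.strikes.setdefault(mac, {})
        per_mac[reason] = per_mac.get(reason, 0) + 1
        if per_mac[reason] >= STRIKE_LIMIT:
            per_mac[reason] = 0
            self.excluded[mac] = ExclusionRecord(reason, now, self.timeout)
            return self.excluded[mac]
        return None

    def is_excluded(self, mac: str, now: float) -> bool:
        """True while the exclusion is in force; expired entries are cleared."""
        rec = self.excluded.get(mac)
        if rec is None:
            return False
        exp = rec.expires_at()
        if exp is not None and now >= exp:
            del self.excluded[mac]
            return False
        return True

    def stuck_entries(self) -> List[str]:
        """Clients that will never be released: reason unknown or no timer attached."""
        return [m for m, r in self.excluded.items()
                if r.timeout is None or r.reason == "unknown"]
```

Running `stuck_entries()` over the exclusion table is the check an operator would want for the permanent entries Jerry describes.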
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.