Ah- now I gotcha, Jerry. I've neither seen nor heard of that one. Have you dug around in the Cisco support community forums? Seems to be a lot of info there that doesn't otherwise make it to the light of day.
-Lee

-----Original Message-----
From: Jerry Bucklaew [mailto:[email protected]]
Sent: Sunday, March 02, 2014 10:19 PM
To: The EDUCAUSE Wireless Issues Constituent Group Listserv
Cc: Lee H Badman
Subject: Re: [WIRELESS-LAN] client exclude reason unknown

Lee,

Thanks for the reply. We do have 802.1x failed auth timers and have had for a very long time. We used to take the default 60 seconds but I moved it up a couple years ago to avoid load on our auth servers. But my issue is that this year we are seeing a "reason" of unknown with no timer so once excluded it never goes away. I am pretty sure this is a bug because in normal circumstances the system would know why it excluded the client. Also the system would have some timer associated with it, a default of some sort.

On 3/2/2014 9:14 PM, Lee H Badman wrote:
> Hi Jerry,
>
> In the controllers, you'll find under Security the settings for Client
> Exclusion options, these are global and come into play if enabled on a WLAN
> under advanced settings. If Client Exclusion is enabled on a WLAN, it will
> follow the settings under the global settings. There are like 6 of them,
> and they can cause all kinds of trouble. There is no adjustment to any sort
> of threshold- it's literally three strikes against whatever exclusion
> parameter is being hit and then client is excluded for whatever time is
> specified under advanced settings of the WLAN (again, if enabled on the WLAN).
>
> On 802.1x networks, I'd recommend excluding on failed 802.1x authentications
> but putting the timer at like 5 seconds. This will slow down DOS effects on
> RADIUS servers from misconfigured/unconfigured clients, but not shut out
> legit clients that sputter a bit in authing for whatever reason.
