Not sure what final incarnation will be- if I can dig it up, will share.

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Case, Brandon J
Sent: Thursday, August 21, 2014 3:01 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Cisco WLCs and Client Exclusion

Thanks everyone for the feedback. We've had our timer set at the default of 60 
seconds but it's sounding like that's best to change. In addition to tweaking 
some of the EAP timers I'm going to put that change into effect soon (classes 
start on Monday) and hope for the best!

Lee--do you know what kind of change they're planning on making? Just bumping 
the threshold up or making it configurable?

Thanks,
Brandon

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Lee H Badman
Sent: Thursday, August 21, 2014 2:54 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Cisco WLCs and Client Exclusion

One follow-up here- Cisco has been responsive to our request for a tweak to the 
"three strikes" threshold and it will be changed in 8.1 code.

Lee

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Lee H Badman
Sent: Thursday, August 21, 2014 10:22 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] Cisco WLCs and Client Exclusion

We HAD to enable it, because misconfigured/unconfigured/wonky clients were 
pounding our RADIUS servers at a rate that rises to DOS. At the same time, the 
exclusion setting is 3 strikes and you're in the penalty box- no adjustment yet 
available. For us, we only use it for failed 802.1x authentications, and we 
keep the exclusion timer low, like 5 seconds because legit clients WILL 
occasionally get caught. The short timer slows any DOS effects, and doesn't 
hurt the occasional good client getting caught for whatever reason.


Lee Badman

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Case, Brandon J
Sent: Thursday, August 21, 2014 10:11 AM
To: [email protected]
Subject: [WIRELESS-LAN] Cisco WLCs and Client Exclusion

For the Cisco shops out there: does anyone use Client Exclusion on their 1x 
WLANs? Any adverse effects? We're tracking an issue being reported by our help 
desk and wondering if that setting could be the culprit. We've always had the 
setting enabled (5+ years on lightweight APs) and it's never appeared to cause 
a major problem. Any and all feedback is appreciated.

Thanks,
--
Brandon Case
Network Engineer, ITaP
Purdue University
[email protected]
Office: (765) 49-67096
Mobile: (765) 421-6259
Fax:    (765) 49-46620

PGP Fingerprint:
99CB 02D6 983C 1E2A 015F  205C C7AA E985 A11A 1251

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
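
Added example, not part of the original thread and not Cisco's implementation: a simplified model of the "three strikes" exclusion Lee describes in his 10:22 AM reply, counting the RADIUS requests one always-failing 802.1X client generates with exclusion off, with a 5-second timer, and with the 60-second default. The 1-second retry interval, the 10-minute window and all function names are assumptions.

```python
# Simplified model of three-strikes client exclusion; not Cisco's implementation.
STRIKES = 3  # "three strikes" threshold quoted in the thread


def simulate(window_s, retry_interval_s, exclusion_s, exclusion_enabled=True):
    """Model one client whose every 802.1X attempt fails.

    Returns (radius_requests, seconds_excluded) over window_s seconds.
    retry_interval_s is an assumed gap between the client's attempts.
    """
    t = 0
    requests = 0
    excluded_s = 0
    strikes = 0
    while t < window_s:
        # Each attempt reaches the RADIUS server and is rejected.
        requests += 1
        strikes += 1
        t += retry_interval_s
        if exclusion_enabled and strikes == STRIKES:
            # Controller drops the client for exclusion_s; no RADIUS traffic.
            strikes = 0
            excluded_s += min(exclusion_s, max(0, window_s - t))
            t += exclusion_s
    return requests, excluded_s


def compare(window_s=600, retry_interval_s=1):
    """Run the three timer settings mentioned in the thread."""
    scenarios = {
        "exclusion off": (0, False),
        "5 s timer": (5, True),
        "60 s timer": (60, True),
    }
    return {
        name: simulate(window_s, retry_interval_s, timer, enabled)
        for name, (timer, enabled) in scenarios.items()
    }


if __name__ == "__main__":
    for name, (reqs, locked) in compare().items():
        print(f"{name:14s} RADIUS requests={reqs:4d} seconds excluded={locked}")
```

In this model a legitimate client that trips the threshold once waits out a single timer period, 5 seconds or 60 seconds, before it can try again.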
