Our wireless authentication system came with a default that would lock out clients that failed 10 authentication attempts in a row for an hour. It caused some pretty heavy helpdesk hate. If the lockout doesn't come with some way of notifying the user that they're locked out and how long the lockout lasts, I'd recommend keeping the lockout time fairly short. We moved ours to 10 minutes and it doesn't cause very much trouble for us now. Making sure the 1st line of support (helpdesk) knows how it works is critical to easing aggravation levels from customers.
David Hales Network Systems Administrator Information Technology Services 1010 N. Peachtree Clement Hall 117 Cookeville, TN 38505 P 931-372-3983 F 931-372-6130 E [email protected]<mailto:[email protected]> www.tntech.edu/its<http://www.tntech.edu/its> [Tennessee Tech Logo]<https://www.tntech.edu/> [TTU Facebook] <https://www.facebook.com/tennesseetech/> [TTU Twitter] <https://twitter.com/tennesseetech> [TTU Instagram] <https://www.instagram.com/tntechuniversity/> [TTU Youtube] <https://www.youtube.com/user/ttunews> [TTU Pintrest] <https://www.pinterest.com/tennesseetech/> From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Joseph M. Karam Sent: Wednesday, November 20, 2019 11:17 AM To: [email protected] Subject: [WIRELESS-LAN] rules for mis-behaving wireless clients External Email Warning This email originated from outside the university. Please use caution when opening attachments, clicking links, or responding to requests. ________________________________ Hello Everyone, Are there any general recommendations/best practices on rules for misconfigured wireless devices for connecting to your wireless infrastructure? For example, we have many mis-configured eduroam clients that are just continually sending authentication requests. We would like to define a rule in our wireless infrastructure that says something like, "if the device failed authentication 20 times in 1 minute, do not allow it to authenticate again for 10 minutes". Has anyone had good or bad experiences with defining these types of policies? Thank you, Joe ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
