Configuring Client Exclusion

Configuring Client Exclusion Policies (GUI)

---

Step 1

Choose Security > Wireless Protection Policies > Client Exclusion Policies to open the Client Exclusion Policies page.

Step 2

Select any of these check boxes if you want the controller to exclude clients for the condition specified. The default value for each exclusion policy is enabled. Excessive 802.11 Association Failures—Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures. Excessive 802.11 Authentication Failures—Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures. Excessive 802.1X Authentication Failures—Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures. IP Theft or IP Reuse—Clients are excluded if the IP address is already assigned to another device. Excessive Web Authentication Failures—Clients are excluded on the fourth web authentication attempt, after three consecutive failures.

Issue the below command to see the time left when the client is excluded. default time is set to 60 sec. 

show exclusionlist  （我们可以通过show wps summary去查看开启了哪些exclusion policy）

Information similar to the following appears:

(Cisco Controller) >show exclusionlist          Dynamically Disabled Clients----------------------------  MAC Address             Exclusion Reason        Time Remaining (in secs)  -----------             ----------------        ------------------------00:40:96:b4:82:55         802.1X Failure          	51 (Cisco Controller) >show wps summary       Auto-Immune   Auto-Immune.................................... Disabled   Auto-Immune by aWIPS Prevention................ Disabled Client Exclusion Policy   Excessive 802.11-association failures.......... Enabled   Excessive 802.11-authentication failures....... Enabled   Excessive 802.1x-authentication................ Enabled   IP-theft....................................... Enabled   Excessive Web authentication failure........... Enabled   Maximum 802.1x-AAA failure attempts............ 3 Signature Policy   Signature Processing........................... Enabled Management Frame Protection   Global Infrastructure MFP state................ DISABLED (*all infrastructure settings are overridden)   AP Impersonation detection..................... Disabled   Controller Time Source Valid................... False                                     WLAN       Client WLAN ID  WLAN Name                  Status     Protection -------  -------------------------  ---------  ---------- 1        Hello                      Disabled   Optional 详细的CLI链接配置：https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010110101.html