Understanding Client Blacklisting
When a client is blacklisted in the Aruba system, the client is not allowed to associate with any AP in the network for a specified amount of time. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect. While blacklisted, the client cannot associate with another SSID in the network.
The managed device retains the client blacklist in the user database, so the information is not lost if the managed device reboots. When you import or export the managed device’s user database, the client blacklist will be exported or imported as well.
ArubaOS now forwards the client blacklist to the database of all the managed devices from the Mobility Master, when the blacklist is managed through the WebUI. Hence, the configuration and monitoring of client blacklist is centralized at the Mobility Master in the WebUI.
This section describes the following topics:
Methods of Blacklisting
Blacklisting Manually
Blacklisting by Authentication Failure
Setting Blacklist Duration
Removing a Client from Blacklisting
Methods of Blacklisting
There are several ways in which a client can be blacklisted in the Aruba system:
You can manually blacklist a specific client. See Blacklisting Manually for more information.
A client fails to successfully authenticate for a configured number of times for a specified authentication method. The client is automatically blacklisted. See Blacklisting by Authentication Failure for more information.
A DoS or man-in-the-middle attack has been launched in the network. Detection of these attacks can cause the immediate blacklisting of a client. See Understanding Client Blacklisting for more information.
An external application or appliance that provides network services, such as virus protection or intrusion detection, can blacklist a client and send the blacklisting information to the Mobility Master via an XML API server. When the managed device receives the client blacklist request from the server, it blacklists the client, logs an event, and sends an SNMP trap.
See External Services Interface for more information.
Blacklisting Manually
There are several reasons why you may choose to blacklist a client. For example, you can enable different Aruba IDS features that detect suspicious activities, such as DoS attacks. When these activities are detected, an event is logged and an SNMP trap is sent with the client information. To blacklist a client, you need to know its MAC address.
ArubaOS now allows you to manage blacklisted clients on stand-alone controllers as well as on Mobility Masters. The following procedure describes how to manage blacklisted clients:
In the node hierarchy, navigate to either the or page.
1. (Optional) From the page:
a. Click the icon or donut chart area in the window to open the Blacklisted Clients table.
b. Select a client from the table.
Note: The icon and donut chart area remain inactive when there are no blacklisted clients available. However, you can click the , , or icon to open a new window that displays the Blacklisted Clients table.
c. Click the icon on the Action bar to open the pop-up window.
d. In the pop-up window, enter the MAC address of the client, and click .
2. (Optional) From the page:
a. Click the icon or donut chart area in the window to open the Wireless Clients table.
b. Select a client from the table.
c. Click the icon on the Action bar to open the pop-up window.
d. In the pop-up window, click .
The client is blacklisted and is listed in the Blacklisted Clients table.
Note: When you manually blacklist a client from the Mobility Master, the client gets blacklisted permanently.
For more information about blacklisted clients, see Dashboard Pages.
The following CLI command manually blacklists a client:
(host) [md] #stm add-blacklist-client <macaddr>
Note: This command configures the blacklist only on the local managed device and is not applicable to other managed devices.
Blacklisting by Authentication Failure
You can configure a maximum authentication failure threshold for each of the following authentication methods:
802.1X authentication
MAC authentication
Captive portal authentication
VPN authentication
When a client exceeds the configured threshold for one of the above methods, the client is automatically blacklisted by the managed device, an event is logged, and an SNMP trap is sent. By default, the maximum authentication failure threshold is set to 0 for the above authentication methods, which means that there is no limit to the number of times a client can attempt to authenticate.
With 802.1X authentication, you can also configure blacklisting of clients who fail machine authentication.
Note: When clients are blacklisted because they exceed the authentication failure threshold, they are blacklisted indefinitely by default. You can configure the duration of the blacklisting; see Setting Blacklist Duration.
The following procedure describes how to set the authentication failure threshold:
1. In the node hierarchy, navigate to .
2. In , expand the list, select the appropriate authentication profile, then select the profile instance.
3. Enter a value in the field.
4. Click .
5. Click .
6. In the window, select the check box and click .
The following CLI commands set the authentication failure threshold:
(host) [md] (config) #aaa authentication {captive-portal|dot1x|mac|vpn} <profile>
(host) [md] (<Auth-Profile> <profile-name>) # max-authentication-failures <number>
Setting Blacklist Duration
You can configure the duration that clients are blacklisted on a per-SSID basis via the virtual AP profile. There are two different blacklist duration settings:
For clients that are blacklisted due to authentication failure. By default, this is set to 0 (the client is blacklisted indefinitely).
For clients that are blacklisted due to other reasons, including manual blacklisting. By default, this is set to 3600 seconds (one hour). You can set this to 0 to blacklist clients indefinitely.
The following procedure describes how to configure the blacklist duration:
1. In the node hierarchy, navigate to the page.
2. In , select , then . Select the virtual AP instance.
a. To set a blacklist duration for authentication failure, expand the accordion and enter a value for .
b. To set a blacklist duration for other reasons, expand the accordion and enter a value for .
3. Click .
4. Click .
5. In the window, select the check box and click .
The following CLI commands configure the blacklist duration:
(host) [md] (config) #wlan virtual-ap default
(host) [md] (Virtual AP profile "default") #auth-failure-blacklist-time <seconds>
(host) [md] (Virtual AP profile "default") #blacklist-time <seconds>
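As an added illustration, not ArubaOS code, the following Python model encodes the policy semantics described in the Blacklisting by Authentication Failure and Setting Blacklist Duration sections: a threshold of 0 disables failure-based blacklisting, a duration of 0 means indefinite, and a manual blacklist from the Mobility Master is permanent. The class and method names are assumptions, as is reading "exceeds the threshold" as strictly more failures than the configured value.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class BlacklistPolicy:
    """Hypothetical model of the three settings discussed above (not ArubaOS code)."""
    max_auth_failures: int = 0            # max-authentication-failures; 0 = no limit
    auth_failure_blacklist_time: int = 0  # auth-failure-blacklist-time (s); 0 = indefinite
    blacklist_time: int = 3600            # blacklist-time (s) for other reasons; 0 = indefinite


@dataclass
class BlacklistSimulator:
    policy: BlacklistPolicy
    failures: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (mac, method) -> count
    entries: Dict[str, Optional[int]] = field(default_factory=dict)     # mac -> expiry or None

    def _add(self, mac: str, duration: int, now: int) -> None:
        # A duration of 0 is stored as None: the entry never ages out.
        self.entries[mac] = None if duration == 0 else now + duration

    def record_auth_failure(self, mac: str, method: str, now: int) -> bool:
        """Count a failed attempt; return True if it caused the client to be blacklisted."""
        key = (mac, method)
        self.failures[key] = self.failures.get(key, 0) + 1
        limit = self.policy.max_auth_failures
        if limit == 0:                      # 0 means unlimited attempts, never blacklist
            return False
        if self.failures[key] > limit:      # "exceeds" read as strictly greater
            self._add(mac, self.policy.auth_failure_blacklist_time, now)
            return True
        return False

    def blacklist_manually(self, mac: str, now: int, from_mobility_master: bool = False) -> None:
        # Manual blacklisting from the Mobility Master is permanent regardless of blacklist-time.
        duration = 0 if from_mobility_master else self.policy.blacklist_time
        self._add(mac, duration, now)

    def is_blacklisted(self, mac: str, now: int) -> bool:
        expiry = self.entries.get(mac, "absent")
        if expiry == "absent":
            return False
        if expiry is not None and now >= expiry:
            del self.entries[mac]           # timed entry has expired; client may associate again
            return False
        return True

    def remove(self, mac: str) -> None:
        """Equivalent of stm remove-blacklist-client: drop the entry whatever its expiry."""
        self.entries.pop(mac, None)
```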
Removing a Client from Blacklisting
The following procedure describes how to manually remove one or multiple blacklisted clients from a managed device:
1. In the node hierarchy, navigate to the page.
2. Click the icon or donut chart area in the window.
The Blacklisted Clients table is displayed.
3. Hover your mouse over the wireless client that you want to remove from the blacklist, and select the corresponding check box.
4. (Optional) Hover your mouse over multiple wireless clients that you want to remove from the blacklist, and select the corresponding check boxes.
5. Click the icon.
The pop-up window is displayed.
6. Click to delete the client(s) from the Blacklisted Clients table.
The following CLI command removes a client from blacklisting:
(host) [md] #stm remove-blacklist-client <macaddr>
The following CLI command clears the entire client blacklist:
(host) [md] #stm purge-blacklist-clients
Note: These commands only remove the blacklisted clients from a particular managed device and not from the Mobility Master or other managed devices.