Understanding Client Blacklisting

When a client is blacklisted in the Aruba system, the client is not allowed to associate with any AP in the network for a specified amount of time. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect. While blacklisted, the client cannot associate with another SSID in the network.

The managed device retains the client blacklist in the user database, so the information is not lost if the managed device reboots. When you import or export the managed device’s user database, the client blacklist will be exported or imported as well.

ArubaOS now forwards the client blacklist from the Mobility Master to the database of all managed devices when the blacklist is managed through the WebUI. Hence, configuration and monitoring of the client blacklist is centralized at the Mobility Master in the WebUI.

This section describes the following topics:

Methods of Blacklisting

Blacklisting Manually

Blacklisting by Authentication Failure

Setting Blacklist Duration

Removing a Client from Blacklisting

Methods of Blacklisting

There are several ways in which a client can be blacklisted in the Aruba system:

You can manually blacklist a specific client. See Blacklisting Manually for more information.

A client fails to successfully authenticate for a configured number of times for a specified authentication method. The client is automatically blacklisted. See Blacklisting by Authentication Failure for more information.

A DoS or man-in-the-middle attack has been launched in the network. Detection of these attacks can cause the immediate blacklisting of a client. See Understanding Client Blacklisting for more information.

An external application or appliance that provides network services, such as virus protection or intrusion detection, can blacklist a client and send the blacklisting information to the Mobility Master via an XML API server. When the managed device receives the client blacklist request from the server, it blacklists the client, logs an event, and sends an SNMP trap.

See External Services Interface for more information.


The External Services Interface feature requires the PEFNG license installed in the managed device.

Blacklisting Manually

There are several reasons why you may choose to blacklist a client. For example, you can enable different Aruba IDS features that detect suspicious activities, such as DoS attacks. When these activities are detected, an event is logged and an SNMP trap is sent with the client information. To blacklist a client, you need to know its MAC address.

ArubaOS now allows you to manage blacklisted clients in stand-alone controllers as well as in Mobility Masters. The following procedure describes how to manage blacklisted clients:

In the Managed Network node hierarchy, navigate to either the Dashboard > Security or Dashboard > Overview page:

1. (Optional) From the Dashboard > Security page:

a. Click the Blacklist icon or donut chart area in the Blacklist window to open the Blacklisted Clients table.

b. Select a client from the Wireless Clients table.


The Blacklist icon and donut chart area remain inactive when there are no blacklisted clients available. However, you can click the Detected Radios, Detected Clients, or Events icon to open a new window that displays the Blacklisted Clients table.

c. Click the + icon on the Action bar to open the Add to Blacklist pop-up window.

d. In the Add to Blacklist pop-up window, enter the MAC address of the client, and click Add.

2. (Optional) From the Dashboard > Overview page:

a. Click the Clients icon or donut chart area in the Clients window to open the Wireless Clients table.

b. Select a client from the Wireless Clients table.

c. Click the + icon on the Action bar to open the Add to Blacklist pop-up window.

d. In the Add to Blacklist pop-up window, click Add.

The client is blacklisted and is listed in the Blacklisted Clients table.


When you manually blacklist a client from the Mobility Master, the client gets blacklisted permanently.

For more information about blacklisted clients, see Dashboard Pages.

The following CLI command manually blacklists a client:

(host) [md] #stm add-blacklist-client <macaddr>


The stm add-blacklist-client command configures the blacklist only on the local managed device and is not applicable to other managed devices.

Blacklisting by Authentication Failure

You can configure a maximum authentication failure threshold for each of the following authentication methods:

802.1X

MAC

Captive portal

VPN

When a client exceeds the configured threshold for one of the above methods, the client is automatically blacklisted by the managed device, an event is logged, and an SNMP trap is sent. By default, the maximum authentication failure threshold is set to 0 for the above authentication methods, which means that there is no limit to the number of times a client can attempt to authenticate.

With 802.1X authentication, you can also configure blacklisting of clients who fail machine authentication.


When clients are blacklisted because they exceed the authentication failure threshold, they are blacklisted indefinitely by default. You can configure the duration of the blacklisting; see Setting Blacklist Duration.

The following procedure describes how to set the authentication failure threshold:

1. In the Managed Network node hierarchy, navigate to Configuration > System > Profiles.

2. In All Profiles expand the Wireless LAN list, select the appropriate authentication profile, then select the profile instance.

3. Enter a value in the Max Authentication failures field.

4. Click Submit.

5. Click Pending Changes.

6. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands set the authentication failure threshold:

(host) [md] (config) #aaa authentication {captive-portal|dot1x|mac|vpn} <profile>

(host) [md] (<Auth-Profile> <profile-name>) # max-authentication-failures <number>

Setting Blacklist Duration

You can configure the duration that clients are blacklisted on a per-SSID basis via the virtual AP profile. There are two different blacklist duration settings:

For clients that are blacklisted due to authentication failure. By default, this is set to 0 (the client is blacklisted indefinitely).

For clients that are blacklisted due to other reasons, including manual blacklisting. By default, this is set to 3600 seconds (one hour). You can set this to 0 to blacklist clients indefinitely.

The following procedure describes how to configure the blacklist duration:

1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles page.

2. In All Profiles, select Wireless LAN, then Virtual AP. Select the virtual AP instance.

a. To set a blacklist duration for authentication failure, expand the Advanced accordion and enter a value for Authentication Failure Blacklist Time.

b. To set a blacklist duration for other reasons, expand the Advanced accordion and enter a value for Blacklist Time.

3. Click Submit.

4. Click Pending Changes.

5. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the blacklist duration:

(host) [md] (config) #wlan virtual-ap default

(host) [md] (Virtual AP profile "default") #auth-failure-blacklist-time <seconds>

(host) [md] (Virtual AP profile "default") #blacklist-time <seconds>
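The interaction between the per-profile authentication failure threshold (Blacklisting by Authentication Failure) and the two virtual AP blacklist durations (Setting Blacklist Duration) is easy to misjudge, because 0 means "no limit" for the threshold but "indefinite" for the durations. The following is an added example, not ArubaOS code: a small Python model of the rules this page states, with the page's defaults, so the effect of a setting can be checked before deploying it. The class and function names, the assumption that blacklisting occurs on the failure that reaches the threshold, and the sample MAC addresses are all constructed for illustration.

```python
# Added model of the blacklist rules described on this page (not ArubaOS code).
from dataclasses import dataclass, field
from typing import Dict, List, Optional

INDEFINITE = None  # a duration of 0 on the page means "blacklisted indefinitely"


@dataclass
class VirtualApProfile:
    # Page defaults: auth-failure-blacklist-time 0 (indefinite), blacklist-time 3600.
    auth_failure_blacklist_time: int = 0
    blacklist_time: int = 3600


@dataclass
class BlacklistPolicy:
    vap: VirtualApProfile
    max_auth_failures: int = 0  # page default 0: no limit, so never auto-blacklists
    failures: Dict[str, int] = field(default_factory=dict)
    blacklist: Dict[str, Optional[int]] = field(default_factory=dict)  # mac -> expiry
    deauth_sent: List[str] = field(default_factory=list)  # clients forced off the WLAN

    def _add(self, mac: str, now: int, duration: int) -> None:
        self.blacklist[mac] = INDEFINITE if duration == 0 else now + duration
        self.deauth_sent.append(mac)  # a connected client is deauthenticated
        self.failures.pop(mac, None)

    def record_auth_failure(self, mac: str, now: int) -> bool:
        """Count one failed authentication; True if it triggered blacklisting."""
        if self.max_auth_failures == 0:  # threshold 0 = unlimited attempts
            return False
        count = self.failures.get(mac, 0) + 1
        self.failures[mac] = count
        if count >= self.max_auth_failures:  # assumption: blacklist on reaching it
            self._add(mac, now, self.vap.auth_failure_blacklist_time)
            return True
        return False

    def blacklist_manually(self, mac: str, now: int) -> None:
        # Manual and other non-auth reasons use the general blacklist-time.
        self._add(mac, now, self.vap.blacklist_time)

    def is_blacklisted(self, mac: str, now: int) -> bool:
        """Association check: expired entries are dropped, indefinite ones persist."""
        if mac not in self.blacklist:
            return False
        expiry = self.blacklist[mac]
        if expiry is not None and now >= expiry:
            del self.blacklist[mac]
            return False
        return True
```

With the page's defaults, a manually blacklisted client is released after 3600 seconds, while a client that hit the authentication failure threshold stays blacklisted until an operator removes it.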

Removing a Client from Blacklisting

The following procedure describes how to manually remove one or multiple blacklisted clients from a managed device:

1. In the Managed Network node hierarchy, navigate to the Dashboard > Security page.

2. Click the Blacklist icon or donut chart area in the Blacklist window.

The Blacklisted Clients table is displayed.

3. Hover your mouse over the wireless client that you want to remove from the blacklist, and select the corresponding check box.

4. (Optional) Hover your mouse over multiple wireless clients that you want to remove from the blacklist, and select the corresponding check boxes.

5. Click the Delete blacklisted client icon.

The Confirm Deletion pop-up window is displayed.

6. Click Delete to delete the client(s) from the Blacklisted Clients table.

The following CLI command removes a client from blacklisting:

(host) [md] #stm remove-blacklist-client <macaddr>

The following CLI command clears the entire client blacklist:

(host) [md] #stm purge-blacklist-clients


These commands only remove the blacklisted clients from a particular managed device and not from the Mobility Master or other managed devices.