ArubaOS 8.6.0.0 Help Center

Understanding Client Blacklisting

When a client is blacklisted in the Aruba system, the client is not allowed to associate with any AP in the network for a specified amount of time. If a client is connected to the network when it is blacklisted, a deauthentication message is sent to force the client to disconnect. While blacklisted, the client cannot associate with another SSID in the network.

The managed device retains the client blacklist in the user database, so the information is not lost if the managed device reboots. When you import or export the managed device’s user database, the client blacklist will be exported or imported as well.

ArubaOS now forwards the client blacklist to the database of all the managed devices from the Mobility Master, when the blacklist is managed through the WebUI. Hence, the configuration and monitoring of client blacklist is centralized at the Mobility Master in the WebUI.

This section describes the following topics:

Methods of Blacklisting

There are several ways in which a client can be blacklisted in the Aruba system:

See External Services Interface for more information.

Blacklisting Manually

There are several reasons why you may choose to blacklist a client. For example, you can enable different Aruba IDS features that detect suspicious activities, such as DoS attacks. When these activities are detected, an event is logged and an SNMP trap is sent with the client information. To blacklist a client, you need to know its MAC address.

ArubaOS now allows you to manage blacklisted clients on stand-alone controllers as well as on Mobility Masters. The following procedure describes how to manage blacklisted clients:

In the Managed Network node hierarchy, navigate to either the Dashboard > Security or Dashboard > Overview page:

  1. (Optional) From the Dashboard > Security page:
    1. Click the Blacklist icon or donut chart area in the Blacklist window to open the Blacklisted Clients table.
    2. Select a client from the Wireless Clients table.

      The Blacklist icon and donut chart area remain inactive when there are no blacklisted clients available. However, you can click the Detected Radios, Detected Clients, or Events icon to open a new window that displays the Blacklisted Clients table.

    3. Click the + icon on the Action bar to open the Add to Blacklist pop-up window.
    4. In the Add to Blacklist pop-up window, enter the MAC address of the client, and click Add.
  2. (Optional) From the Dashboard > Overview page:
    1. Click the Clients icon or donut chart area in the Clients window to open the Wireless Clients table.
    2. Select a client from the Wireless Clients table.
    3. Click the + icon on the Action bar to open the Add to Blacklist pop-up window.
    4. In the Add to Blacklist pop-up window, click Add.

The client is blacklisted and is listed in the Blacklisted Clients table.

When you manually blacklist a client from the Mobility Master, the client gets blacklisted permanently.

For more information about blacklisted clients, see Dashboard Monitoring.

The following CLI command manually blacklists a client:

(host) [md] #stm add-blacklist-client <macaddr>

The stm add-blacklist-client command configures the blacklist only on the local managed device and is not applicable to other managed devices.

Blacklisting by Authentication Failure

You can configure a maximum authentication failure threshold for each of the following authentication methods:

When a client exceeds the configured threshold for one of the above methods, the client is automatically blacklisted by the managed device, an event is logged, and an SNMP trap is sent. By default, the maximum authentication failure threshold is set to 0 for the above authentication methods, which means that there is no limit to the number of times a client can attempt to authenticate.

With 802.1X authentication, you can also configure blacklisting of clients who fail machine authentication.

When clients are blacklisted because they exceed the authentication failure threshold, they are blacklisted indefinitely by default. You can configure the duration of the blacklisting; see Setting Blacklist Duration.

The following procedure describes how to set the authentication failure threshold:

  1. In the Managed Network node hierarchy, navigate to Configuration > System > Profiles.
  2. In All Profiles expand the Wireless LAN list, select the appropriate authentication profile, then select the profile instance.
  3. Enter a value in the Max Authentication failures field.
  4. Click Submit.
  5. Click Pending Changes.
  6. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands set the authentication failure threshold:

(host) [md] (config) #aaa authentication {captive-portal|dot1x|mac|vpn} <profile>

(host) [md] (<Auth-Profile> <profile-name>) # max-authentication-failures <number>

Setting Blacklist Duration

You can configure the duration that clients are blacklisted on a per-SSID basis via the virtual AP profile. There are two different blacklist duration settings:

  • For clients that are blacklisted due to authentication failure. By default, this is set to 0 (the client is blacklisted indefinitely).
  • For clients that are blacklisted due to other reasons, including manual blacklisting. By default, this is set to 3600 seconds (one hour). You can set this to 0 to blacklist clients indefinitely.

The following procedure describes how to configure the blacklist duration:

  1. In the Managed Network node hierarchy, navigate to the Configuration > System > Profiles page.
  2. In All Profiles, select Wireless LAN, then Virtual AP. Select the virtual AP instance.
  3. To set a blacklist duration for authentication failure, expand the Advanced accordion and enter a value for Authentication Failure Blacklist Time.
  4. To set a blacklist duration for other reasons, expand the Advanced accordion and enter a value for Blacklist Time.
  5. Click Submit.
  6. Click Pending Changes.
  7. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure the blacklist duration:

(host) [md] (config) #wlan virtual-ap default

(host) [md] (Virtual AP profile "default") #auth-failure-blacklist-time <seconds>

(host) [md] (Virtual AP profile "default") #blacklist-time <seconds>
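The authentication-failure and blacklist-duration settings above interact: the threshold decides when an automatic blacklist starts, and the two duration knobs decide when it ends, with 0 meaning "no limit" or "indefinite" in each case. The following Python model is an added example, not Aruba code or an ArubaOS API; the class and method names (AuthProfile, VirtualApProfile, ManagedDevice, record_auth_failure and so on) are assumptions chosen to mirror the CLI parameters on this page, timestamps are caller-supplied seconds so the behaviour can be checked offline, and the reading that the (threshold + 1)-th failure triggers blacklisting is an interpretation of "exceeds".

```python
"""Model of ArubaOS client-blacklist behaviour as described on this page.

Added example, not Aruba code. It mirrors the documented knobs: the
authentication profile's max-authentication-failures and the virtual AP
profile's auth-failure-blacklist-time and blacklist-time, with the page's
rule that 0 means "no limit" (threshold) or "indefinite" (durations).
"""
from dataclasses import dataclass
from typing import Dict, List

INDEFINITE = 0  # ArubaOS convention: a duration of 0 never expires
NO_LIMIT = 0    # max-authentication-failures 0 means unlimited attempts


@dataclass
class AuthProfile:
    # aaa authentication <method> <profile> / max-authentication-failures <n>
    max_authentication_failures: int = NO_LIMIT


@dataclass
class VirtualApProfile:
    # wlan virtual-ap <name> / auth-failure-blacklist-time <seconds>
    auth_failure_blacklist_time: int = INDEFINITE
    # wlan virtual-ap <name> / blacklist-time <seconds> (default one hour)
    blacklist_time: int = 3600


@dataclass
class BlacklistEntry:
    reason: str      # "auth-failure" or "manual"
    added_at: float  # seconds
    duration: int    # seconds; INDEFINITE keeps the entry until removed


class ManagedDevice:
    """Per-managed-device blacklist (the stm commands act locally)."""

    def __init__(self, auth: AuthProfile, vap: VirtualApProfile) -> None:
        self.auth = auth
        self.vap = vap
        self.failures: Dict[str, int] = {}
        self.blacklist: Dict[str, BlacklistEntry] = {}
        self.events: List[str] = []  # stand-in for the logged event / SNMP trap

    @staticmethod
    def _norm(mac: str) -> str:
        return mac.strip().lower()

    def _add(self, mac: str, reason: str, now: float, duration: int) -> None:
        mac = self._norm(mac)
        self.blacklist[mac] = BlacklistEntry(reason, now, duration)
        # A connected client is deauthenticated when it is blacklisted.
        shown = "indefinite" if duration == INDEFINITE else str(duration)
        self.events.append(f"blacklist add {mac} reason={reason} duration={shown}")

    def record_auth_failure(self, mac: str, now: float) -> bool:
        """Count one failed authentication; return True if the client was
        blacklisted as a result (count exceeded the threshold)."""
        mac = self._norm(mac)
        self.failures[mac] = self.failures.get(mac, 0) + 1
        threshold = self.auth.max_authentication_failures
        if threshold == NO_LIMIT or self.failures[mac] <= threshold:
            return False
        # Assumption: "exceeds" means the (threshold + 1)-th failure triggers it.
        self._add(mac, "auth-failure", now, self.vap.auth_failure_blacklist_time)
        return True

    def add_blacklist_client(self, mac: str, now: float,
                             permanent: bool = False) -> None:
        """Manual blacklisting (stm add-blacklist-client) uses blacklist-time;
        permanent=True models a manual blacklist from the Mobility Master."""
        duration = INDEFINITE if permanent else self.vap.blacklist_time
        self._add(mac, "manual", now, duration)

    def remove_blacklist_client(self, mac: str) -> bool:
        """stm remove-blacklist-client <macaddr>; True if an entry was removed."""
        return self.blacklist.pop(self._norm(mac), None) is not None

    def purge_blacklist_clients(self) -> int:
        """stm purge-blacklist-clients; returns the number of entries cleared."""
        count = len(self.blacklist)
        self.blacklist.clear()
        return count

    def is_blacklisted(self, mac: str, now: float) -> bool:
        """True while the client may not associate with any AP on this device."""
        key = self._norm(mac)
        entry = self.blacklist.get(key)
        if entry is None:
            return False
        if entry.duration == INDEFINITE:
            return True
        if now - entry.added_at >= entry.duration:
            del self.blacklist[key]  # expired
            return False
        return True


if __name__ == "__main__":
    md = ManagedDevice(AuthProfile(max_authentication_failures=3),
                       VirtualApProfile(auth_failure_blacklist_time=600))
    for t in range(4):  # constructed: four failures from one client
        md.record_auth_failure("AA:BB:CC:DD:EE:01", now=float(t))
    print(md.events[-1], md.is_blacklisted("aa:bb:cc:dd:ee:01", 10.0))
```

Run as a script it prints the event for the fourth failure and `True`; with the default threshold of 0 the same loop never blacklists anyone, which is why leaving max-authentication-failures at its default gives no brute-force protection.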

Removing a Client from Blacklisting

The following procedure describes how to manually remove one or multiple blacklisted clients from a managed device:

  1. In the Managed Network node hierarchy, navigate to the Dashboard > Security page.
  2. Click the Blacklist icon or donut chart area in the Blacklist window.
  3. The Blacklisted Clients table is displayed.
  4. Hover your mouse over the wireless client that you want to remove from the blacklist, and select the corresponding check box.
  5. (Optional) Hover your mouse over multiple wireless clients that you want to remove from the blacklist, and select the corresponding check boxes.
  6. Click the Delete blacklisted client icon.
  7. The Confirm Deletion pop-up window is displayed.
  8. Click Delete to delete the client(s) from the Blacklisted Clients table.

The following CLI command removes a client from blacklisting:

(host) [md] #stm remove-blacklist-client <macaddr>

The following CLI command clears the entire client blacklist:

(host) [md] #stm purge-blacklist-clients

These commands only remove the blacklisted clients from a particular managed device and not from the Mobility Master or other managed devices.
