In the CLI
To blacklist a client:
(Instant AP)(config)# blacklist-client <MAC-Address>
(Instant AP)(config)# end
(Instant AP)# commit apply
To enable blacklisting in the SSID profile:
(Instant AP)(config)# wlan ssid-profile <name>
(Instant AP)(SSID Profile <name>)# blacklisting
(Instant AP)(SSID Profile <name>)# end
(Instant AP)# commit apply
To view the blacklisted clients:
(Instant AP)# show blacklist-client
Blacklisted Clients
-------------------
MAC
Reason
Timestamp
Remaining time(sec)
AP name
---
------
---------
-------------------
-------
00:1c:b3:09:85:15
user-defined
17:21:29
Permanent
-
Blacklisting Users Dynamically
The clients can be blacklisted dynamically when they exceed the authentication failure threshold or when a
blacklisting rule is triggered as part of the authentication process.
Authentication Failure Blacklisting
When a client takes time to authenticate and exceeds the configured failure threshold, it is automatically
blacklisted by an IAP.
Session Firewall-Based Blacklisting
In session firewall-based blacklisting, an ACL rule is used to enable the option for dynamic blacklisting. When
the ACL rule is triggered, it sends out blacklist information and the client is blacklisted.
Configuring Blacklist Duration
You can set the blacklist duration using the Instant UI or the CLI.
In the Instant UI
To set a blacklist duration:
1. Click the
Security
link located directly above the Search bar in the Instant main window.
2. Click the
Blacklisting
tab.
3. Under
Dynamic Blacklisting
:
4. For
Auth failure blacklist time
, the duration in seconds after which the clients that exceed the
authentication failure threshold must be blacklisted.
5. For
PEF rule blacklisted time
, enter the duration in seconds after which the clients can be blacklisted due
to an ACL rule trigger.
You can configure a maximum number of authentication failures by the clients, after which a client must be
blacklisted. For more information on configuring maximum authentication failure attempts, see
Security Settings for a WLAN SSID Profile on page 90
To enable session-firewall-based blacklisting, click
New
and navigate to
WLAN Settings > VLAN > Security
> Access
window, and enable the
Blacklist
option of the corresponding ACL rule.
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
Authentication and User Management |
177