Dell 6.2 Server User Manual

To clear the entire client blacklist using the command-line interface, access the CLI in config mode and issue the
following command:
stm purge-blacklist-client
Blacklisting by Authentication Failure
You can configure a maximum authentication failure threshold for each of the following authentication methods:
• 802.1x
• MAC
• Captive portal
• VPN
When a client exceeds the configured threshold for one of the above methods, the client is automatically blacklisted
by the controller, an event is logged, and an SNMP trap is sent. By default, the maximum authentication failure
threshold is set to 0 for the above authentication methods, which means that there is no limit to the number of
times a client can attempt to authenticate.
With 802.1x authentication, you can also configure blacklisting of clients who fail machine authentication.
NOTE: When clients are blacklisted because they exceed the authentication failure threshold, they are blacklisted indefinitely by
default. You can configure the duration of the blacklisting; see "Setting Blacklist Duration" on page 387.
To set the authentication failure threshold via the WebUI:
1. Navigate to the Configuration > Security > Authentication > Profiles page.
2. In the Profiles list, select the appropriate authentication profile, then select the profile instance.
3. Enter a value in the Max Authentication failures field.
4. Click Apply.
To set the authentication failure threshold via the command-line interface, access the CLI in config mode and issue
the following commands:
aaa authentication {captive-portal|dot1x|mac|vpn} <profile>
max-authentication-failures <number>
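As an added configuration example (not taken from the guide), the default unlimited setting is shown beside a bounded one for an 802.1x profile, built from the commands above. The profile name corp-dot1x, the value 3, the machine-authentication blacklist-on-failure parameter, the blacklist-time parameter of the virtual AP profile, and the show commands are assumptions not shown on this page.

```text
! Default: max-authentication-failures 0 means no limit, so a client may
! retry credentials indefinitely and is never blacklisted for failures.
aaa authentication dot1x "corp-dot1x"
   max-authentication-failures 0
!
! Bounded: the client is blacklisted once it exceeds 3 failed attempts,
! and clients that fail machine authentication are blacklisted as well
! (machine-authentication blacklist-on-failure is an assumed parameter).
aaa authentication dot1x "corp-dot1x"
   max-authentication-failures 3
   machine-authentication blacklist-on-failure
!
! Blacklisting is indefinite by default; giving it a duration in seconds
! in the virtual AP profile (assumed parameter, see "Setting Blacklist
! Duration") keeps a mistyped password from locking a user out for good.
wlan virtual-ap "corp-vap"
   blacklist-time 3600
!
! Verification (assumed show commands): confirm the threshold took effect
! and review which clients are currently blacklisted before purging any.
show aaa authentication dot1x "corp-dot1x"
show ap blacklist-clients
```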
Enabling Attack Blacklisting
There are two types of automatic client blacklisting that can be enabled: blacklisting due to spoofed
deauthentication, and blacklisting due to other types of DoS attacks.
Automatic blacklisting for DoS attacks other than spoofed deauthentication is enabled by default. You can disable
this blacklisting on a per-SSID basis in the virtual AP profile.
Man in the middle (MITM) attacks begin with an intruder impersonating a valid enterprise AP. If an AP needs to
reboot, it sends deauthentication packets to connected clients to enable them to disconnect and reassociate with
another AP. An intruder or attacker can spoof deauthentication packets, forcing clients to disconnect from the
network and reassociate with the attacker’s AP. A valid enterprise client associates to the intruder’s AP, while the
intruder then associates to the enterprise AP. Communication between the network and the client flows through the
intruder (the man in the middle), giving the intruder the ability to add, delete, or modify data. When this
type of attack is identified by the Dell system, the client can be blacklisted, blocking the MITM attack. Enable this
blacklisting ability in the IDS DoS profile (it is disabled by default).
To enable spoofed deauth detection and blacklisting via the WebUI:
1. Navigate to the Configuration > Wireless > AP Configuration page.
2. Select either the AP Group or the AP Specific tab. Click Edit for the AP group or AP name.
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide    Wireless Intrusion Prevention | 386