Denylisting AP Clients

When a client is denylisted in the HPE Aruba Networking system, the client is not allowed to associate with any AP in the network for a specified amount of time. If a client is connected to the network when it is denylisted, a deauthentication message is sent to force the client to disconnect. While denylisted, the client cannot associate with another SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. in the network.

The AP retains the client denylist in the user database, so the information is not lost if the AP reboots. When you import or export the AP’s user database, the client denylist will be exported or imported as well.

This section includes the following topics:

• Methods of Denylisting

• Denylisting Clients Manually

• Denylisting by Authentication Failure

• Setting Denylist Duration

Methods of Denylisting

There are several ways in which a client can be denylisted in the system:

• You can manually denylist a specific client. See Denylisting Clients Manually for more information.

• A client fails to successfully authenticate for a configured number of times for a specified authentication method. The client is automatically denylisted. See Denylisting by Authentication Failurefor more information.

• An external application or appliance that provides network services, such as virus protection or intrusion detection, can denylist a client and send the denylisting information to the conductor AP through an XML Extensible Markup Language. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. API Application Programming Interface. Refers to a set of functions, procedures, protocols, and tools that enable users to build application software. server. When the member AP receives the client denylist request from the server, it denylists the client, logs an event, and sends an SNMP Simple Network Management Protocol. SNMP is a TCP/IP standard protocol for managing devices on IP networks. Devices that typically support SNMP include routers, switches, servers, workstations, printers, modem racks, and more. It is used mostly in network management systems to monitor network-attached devices for conditions that warrant administrative attention.  trap.

Denylisting Clients Manually

Manual denylisting adds the MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address of a client to the denylist. These clients are added into a permanent denylist. These clients are not allowed to connect to the network unless they are removed from the denylist.

To add a client to the denylist manually, complete the following steps:

1. In the WebUI, set the filter to a group that contains at least one AP.
   The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
   A list of access points is displayed in the List view.
3. Click the Config icon.
   The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab.
   The Security details page is displayed.
5. Click the Denylisting accordion.
6. Under Manual Denylisting, click + and enter the MAC address of the client to be denylisted.
7. Click OK.
8. Click Save Settings.

To delete a client from the manual denylist, select the MAC Address of the client under the Manual Denylisting, and then click the delete icon.

Denylisting by Authentication Failure

You can configure a maximum authentication failure threshold for each of the following authentication methods:

• 802.1X 802.1X is an IEEE standard for port-based network access control designed to enhance 802.11 WLAN security. 802.1X provides an authentication framework that allows a user to be authenticated by a central authority.

• MAC

• Captive portal A captive portal is a web page that allows the users to authenticate and sign in before connecting to a public-access network. Captive portals are typically used by business centers, airports, hotel lobbies, coffee shops, and other venues that offer free Wi-Fi hotspots for the guest users.

When a client exceeds the configured threshold for one of the above methods, the client is automatically denylisted by the AP, an event is logged, and an SNMP trap is sent. By default, the maximum authentication failure threshold is set to 0 for the above authentication methods, which means that there is no limit to the number of times a client can attempt to authenticate.

With 802.1X authentication, you can also configure denylisting of clients who fail machine authentication.

The following procedure describes how to set the authentication failure threshold:

1. To access the WLAN SSID configuration wizard for an SSID profile, see Configuring a WLAN SSID Profile in Bridge Mode or Configuring a WLAN SSID Profile in Tunnel and Mixed Mode.

2. In the WLAN SSID configuration wizard, click the WLANs tab.

3. The Wireless SSIDs table is displayed listing the existing SSID profiles.

4. To edit an existing SSID profile, click the row, and then click the edit icon.

   The Networks page is displayed for editing an existing SSID.

5. Under Security > Advanced Settings, enter the threshold value in the Max Authentication Failures box.

6. Click Save Settings.

Setting Denylist Duration

The clients can be denylisted dynamically when they exceed the authentication failure threshold or when a denylisting rule is triggered as part of the authentication process.

In session firewall Firewall is a network security system used for preventing unauthorized access to or from a private network. based denylisting, an ACL Access Control List. ACL is a common way of restricting certain types of traffic on a physical port. rule automates denylisting. When the ACL rule is triggered, it sends out denylist information and the client is denylisted.

You can configure the duration that clients are denylisted on a per-SSID basis through the AP profile. There are two different denylist duration settings:

• For clients that are denylisted due to authentication failure. By default, this is set to 0 (the client is denylisted indefinitely).

• For clients that are denylisted due to other reasons, including manual denylisting. By default, this is set to 3600 seconds (one hour). You can set this to 0 to denylist clients indefinitely.

To configure the denylisting duration, complete the following steps:

1. In the WebUI, set the filter to a group that contains at least one AP.
   The dashboard context for the group is displayed.
2. Under Manage, click Devices > Access Points.
   A list of access points is displayed in the List view.
3. Click the Config icon.
   The tabs to configure the access points are displayed.
4. Click Show Advanced, and click the Security tab.
   The Security details page is displayed.
5. Click the Denylisting accordion.
6. Under Dynamic Denylisting, enter the following information:
   1. For Auth Failure Denylist Time, enter the duration after which the clients that exceed the authentication failure threshold must be denylisted.
   2. For Policy Enforcement Firewall Rule Denylist Time, enter the duration after which the clients can be denylisted due to an ACL rule trigger.
7. Click Save Settings.