Denylisting IAP Clients

Client denylisting denies connections from denylisted clients. When a client is denylisted, it is not allowed to associate with an Instant Access Point (IAP) in the network. If a client is connected to the network when it is denylisted, a deauthentication message is sent to force the client to disconnect.

Denylisting Clients Manually

Manual denylisting adds the MAC (Media Access Control) address of a client to the denylist. Clients added this way are placed in a permanent denylist and are not allowed to connect to the network unless they are removed from the denylist.

To add a client to the denylist manually, complete the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the Security tab.

    The Security page is displayed.

  6. Click the Denylisting accordion.
  7. Under Manual Denylisting, click + and enter the MAC address of the client to be denylisted.
  8. Click OK.
  9. Click Save Settings.

To delete a client from the manual denylist, select the MAC address of the client under Manual Denylisting, and then click the delete icon.

For the denylisting to take effect, you must enable the denylisting option when you create or edit the WLAN SSID profile. Go to WLANs > Security > Advanced Settings and enable the Denylisting option. For more information, see Configuring Wireless Network Profiles on IAPs.
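Because manual denylist entries are permanent and keyed only on the MAC address entered in step 7, it helps to check a candidate list before typing it in. The following is an added example, not part of the product or its documentation: it normalizes entries, drops duplicates, rejects values that cannot be a client address, and flags locally administered addresses, which are often randomized per network and so are not a stable client identifier. The function names, the lowercase colon-separated output format and the sample values are assumptions made for illustration.

```python
import re

# Strip the separators used in common MAC notations (":", "-" and ".").
_SEPARATORS = re.compile(r"[:\-.]")
_HEX12 = re.compile(r"[0-9a-f]{12}")


def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated octets, or raise ValueError."""
    digits = _SEPARATORS.sub("", raw.strip().lower())
    if not _HEX12.fullmatch(digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def review_denylist_candidates(candidates):
    """Split candidate entries into accepted MACs, warnings and rejects.

    accepted: normalized, de-duplicated unicast addresses, in input order
    warnings: accepted addresses that are locally administered
    rejected: (input, reason) pairs that should not be entered at all
    """
    accepted, warnings, rejected = [], [], []
    for raw in candidates:
        try:
            mac = normalize_mac(raw)
        except ValueError as exc:
            rejected.append((raw, str(exc)))
            continue
        first_octet = int(mac[:2], 16)
        if first_octet & 0x01:
            # I/G bit set: group (multicast/broadcast) address, never a client.
            rejected.append((raw, "multicast or broadcast address"))
            continue
        if mac == "00:00:00:00:00:00":
            rejected.append((raw, "all-zero address"))
            continue
        if mac in accepted:
            continue  # same client written in a different notation
        accepted.append(mac)
        if first_octet & 0x02:
            # U/L bit set: locally administered, commonly a per-network
            # randomized address rather than the adapter's burned-in one.
            warnings.append(mac)
    return accepted, warnings, rejected


# Constructed sample input, not taken from any real network.
SAMPLE = ["AA-BB-CC-00-11-22", "0011.2233.4455", "00:11:22:33:44:55",
          "ff:ff:ff:ff:ff:ff", "01:00:5e:00:00:fb", "00:11:22:33:44", "zz:11:22:33:44:55"]
```

Entries returned in `warnings` can still be denylisted, but the same device may later present a different address, so pair them with an authentication-based control.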

Denylisting Clients Dynamically

Clients can be denylisted dynamically when they exceed the authentication failure threshold or when a denylisting rule is triggered as part of the authentication process.

When a client takes time to authenticate and exceeds the configured failure threshold, it is automatically denylisted by an IAP.

In session-firewall-based denylisting, an ACL (Access Control List) rule automates denylisting. When the ACL rule is triggered, it sends out denylist information and the client is denylisted.

To configure the denylisting duration, complete the following steps:

  1. In the WebUI, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the Security tab.

    The Security page is displayed.

  6. Click the Denylisting accordion.
  7. Under Dynamic Denylisting, enter the following information:
    • For Auth Failure Denylist Time, enter the duration after which the clients that exceed the authentication failure threshold must be denylisted.
    • For Policy Enforcement Firewall Rule Denylist Time, enter the duration after which the clients can be denylisted due to an ACL rule trigger.
  8. Click Save Settings.
  • You can configure a maximum number of authentication failures by the clients, after which a client must be denylisted. For more information on configuring maximum authentication failure attempts, see Configuring Wireless Network Profiles on IAPs.
  • To enable session-firewall-based denylisting, select the Denylist check box in the Access Rule page during the WLAN SSID profile creation. For more information, see Configuring Network Service ACLs.