Failed Radius requests increase possible?

patoberli
VIP Alumni

Hello

We have a Cisco WLC 7.0.240.0 based infrastructure with RADIUS servers and a Windows domain. Some clients are domain-joined, some are BYOD. Our SSID is protected with WPA2-Enterprise PEAP-MSCHAPv2 username/password authentication. No certificate and no machine authentication.

Now the Windows default behavior, for devices joined to a domain, is to send the machine name as the username for the first few connection attempts and only later the logged-in username/password.

My WLC will block the client for a few seconds because of excessive wrong authentication attempts. This makes it impossible to join the client automatically, without manually creating the Wi-Fi profile and disabling the "automatic machine or user authentication" option.

It looks like the WLC will block the client after 3 unsuccessful authentication attempts.

Is there a way to increase those 3 to maybe 5 or 10? I have the hope that this is enough for Windows to change to the username/password combo instead of the machine name.

Thanks

Patrick

3 Replies

Stephen Rodriguez
Cisco Employee

You can adjust the number of attempts a client makes before it gets excluded...

Excluded Clients
HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Hmm based on your link:

Step 4  Configure the controller to exclude clients that reach the maximum number of failed 802.1X authentication attempts with the RADIUS server by entering this command: config wps client-exclusion 802.1x-auth max-1x-aaa-fail-attempts

You can configure the maximum number of failed 802.1X authentication attempts from 1 to 3, and the default value is 3.

So the maximum seems to be only 3 :( 

Oh and that command is not available for 7.0.

Hi,

Yes, config wps client-exclusion 802.1x-auth max-1x-aaa-fail-attempts is not available in 7.0 code.
Using the GUI to Configure Client Exclusion Policies

To configure client exclusion policies using the controller GUI, follow these steps:

Step 1 Choose Security > Wireless Protection Policies > Client Exclusion Policies

Step 2 Select any of these check boxes if you want the controller to exclude clients for the condition specified. The default value for each exclusion policy is enabled.

Excessive 802.11 Association Failures—Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.

Excessive 802.11 Authentication Failures—Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures.

Excessive 802.1X Authentication Failures—Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures.

IP Theft or IP Reuse—Clients are excluded if the IP address is already assigned to another device.

Excessive Web Authentication Failures—Clients are excluded on the fourth web authentication attempt, after three consecutive failures.

Step 3 Click Apply to commit your changes.

Step 4 Click Save Configuration to save your changes.
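For reference, the AireOS CLI equivalents of the GUI steps above, as an added example that is not part of the original thread. The three-failure threshold for 802.1X cannot be raised on 7.0 code, so the two knobs a practitioner actually has are the per-WLAN exclusion timeout and the per-policy enable/disable switch. WLAN ID 1 and the 30-second timeout are illustrative values, and lines starting with "!" are annotations rather than controller commands.

```text
! Added example, not from the thread or from Cisco documentation.
! Inspect the current client-exclusion policies (all five are enabled by default).
(Cisco Controller) >show wps summary

! Option A: keep 802.1X exclusion enabled (fixed three-strike threshold on 7.0) but
! shorten how long an excluded client stays blocked on this WLAN, so a supplicant
! that falls back to user credentials after the machine-name attempts is not locked
! out for long. WLAN ID 1 and 30 seconds are assumed values.
(Cisco Controller) >config wlan exclusionlist 1 30

! Option B: switch off exclusion for 802.1X failures only, leaving the association,
! 802.11 authentication, IP theft and web-auth policies in place. This removes the
! controller-side brake on password guessing against RADIUS, so only do it if the
! RADIUS server or the domain enforces its own account lockout.
(Cisco Controller) >config wps client-exclusion 802.1x-auth disable

! Persist the change (equivalent of Save Configuration in the GUI).
(Cisco Controller) >save config
```

Two caveats. Some WLAN parameters on AireOS can only be changed while the WLAN is disabled; if the controller rejects the exclusion-list command, disable the WLAN, apply it, and re-enable. And neither option changes what the supplicant does: a domain-joined Windows client with no machine account in RADIUS will still generate failed authentications before it sends user credentials, so these settings only change how the controller reacts to those failures, not whether they occur.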
