The Cisco Wireless LAN Controller is a powerful device. There's no doubt users will feel frustrated if they can't join your wireless network after several tries.
But why do clients have issues associating to a wifi network, or access point?
Within the Cisco WLC interface, we have the ability to see all our clients.
The data presented is very useful and includes:
- Client MAC address
- Client IP address
- AP the client is associating to
- SSID the client is associating to
- Protocol (802.11abg, 802.11bn)
All great information to have when troubleshooting.
When a user states they can’t connect to the wifi network I automatically go to the Clients section and look for a Status of Excluded.
By default, each WLAN has a Client Exclusion Policy setting of 60 seconds.
What is Client Exclusion?
The Cisco WLC will exclude clients when specific conditions are met:
- Excessive 802.11 Association Failures: after five consecutive failures.
- Excessive 802.11 Authentication Failures: after five consecutive failures.
- 802.1X Authentication Failures: after three consecutive failures.
- IP Theft or IP Reuse: if the IP address the client obtains is already assigned to another device.
- Excessive Web Authentication Failures: after three consecutive failures.
Now that we know what types of client exclusion exist, how is it configured?
Configuring Client Exclusion Policies
By default, it is enabled but you can disable it:
- Click on the Security navigation item.
- Expand Wireless Protection Policies on the left navigation menu.
- Click on Client Exclusion Policies
The actual exclusion value is configured on the WLAN. This is done per WLAN. By default it is set to 60 seconds.
- Click on WLANs
- Edit the WLAN
- Click on the Advanced tab
- Uncheck Enabled next to Client Exclusion to disable or modify the Timeout Value (in seconds).
Important: Modifying the timeout to zero (0) means the client will be excluded indefinitely until it is manually removed from the exclusion list.
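To make the thresholds and the timeout behaviour concrete, here is an added Python model of the exclusion logic described above. It is not Cisco's code and not a controller API: the class and method names, the single-controller (rather than per-WLAN) scope and the time handling are my simplifications; only the five reasons, their consecutive-failure thresholds, the 60 second default and the zero-means-indefinite rule come from the post. The MAC and IP addresses in the demo are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Consecutive-failure thresholds named in the post. Everything else here
# (class and method names, time handling) is a constructed model, not the
# controller's actual implementation.
THRESHOLDS = {
    "802.11 Association Failure": 5,
    "802.11 Authentication Failure": 5,
    "802.1X Authentication Failure": 3,
    "Web Authentication Failure": 3,
}
IP_THEFT = "IP Theft or IP Reuse"  # a single event triggers it, no counter


@dataclass
class ExclusionPolicy:
    """Mirrors the WLAN Advanced tab: the Enabled checkbox and Timeout Value."""
    enabled: bool = True
    timeout: int = 60  # seconds; 0 keeps the client excluded until removed manually


@dataclass
class ClientState:
    consecutive: Dict[str, int] = field(default_factory=dict)  # reason -> run length
    excluded_at: Optional[float] = None
    reason: Optional[str] = None


class ExclusionModel:
    def __init__(self, policy: ExclusionPolicy):
        self.policy = policy
        self.clients: Dict[str, ClientState] = {}
        self.ip_owner: Dict[str, str] = {}  # IP address -> MAC currently holding it

    def _state(self, mac: str) -> ClientState:
        return self.clients.setdefault(mac.lower(), ClientState())

    def _exclude(self, st: ClientState, reason: str, now: float) -> None:
        st.excluded_at, st.reason = now, reason
        st.consecutive.clear()

    def is_excluded(self, mac: str, now: float) -> bool:
        st = self.clients.get(mac.lower())
        if st is None or st.excluded_at is None:
            return False
        if self.policy.timeout == 0:
            return True  # indefinite: only remove() clears it
        if now - st.excluded_at >= self.policy.timeout:
            st.excluded_at, st.reason = None, None  # timeout elapsed, client may retry
            return False
        return True

    def record_failure(self, mac: str, reason: str, now: float) -> bool:
        """Count one failed attempt; True if this attempt triggered exclusion."""
        st = self._state(mac)
        if self.is_excluded(mac, now):
            return False
        st.consecutive[reason] = st.consecutive.get(reason, 0) + 1
        if self.policy.enabled and st.consecutive[reason] >= THRESHOLDS[reason]:
            self._exclude(st, reason, now)
            return True
        return False

    def record_success(self, mac: str) -> None:
        """A successful join breaks the consecutive run, so all counters reset."""
        self._state(mac).consecutive.clear()

    def record_ip(self, mac: str, ip: str, now: float) -> bool:
        """Client obtained `ip`; exclude it if another client already holds that address."""
        mac = mac.lower()
        owner = self.ip_owner.get(ip)
        if owner is not None and owner != mac:
            if self.policy.enabled:
                self._exclude(self._state(mac), IP_THEFT, now)
                return True
            return False
        self.ip_owner[ip] = mac
        return False

    def remove(self, mac: str) -> None:
        """Manual removal, the equivalent of Remove on the Clients page."""
        st = self.clients.get(mac.lower())
        if st is not None:
            st.excluded_at, st.reason = None, None

    def exclusion_list(self, now: float) -> Dict[str, Tuple[str, Optional[int]]]:
        """MAC -> (reason, seconds remaining); None remaining means indefinite."""
        out = {}
        for mac, st in self.clients.items():
            if self.is_excluded(mac, now):
                left = None if self.policy.timeout == 0 else int(self.policy.timeout - (now - st.excluded_at))
                out[mac] = (st.reason, left)
        return out


def demo() -> dict:
    """Walk the post's scenarios on a constructed timeline (seconds)."""
    r, m, mac1 = {}, ExclusionModel(ExclusionPolicy(timeout=60)), "00:11:22:33:44:55"
    for t in (0, 5, 10):  # wrong 802.1X credentials three times in a row
        fired = m.record_failure(mac1, "802.1X Authentication Failure", now=t)
    r["dot1x_excluded_on_third"] = fired
    r["dot1x_listed"] = m.exclusion_list(now=12)[mac1]
    r["dot1x_cleared_after_timeout"] = not m.is_excluded(mac1, now=70)
    mac2 = "aa:bb:cc:dd:ee:01"  # 2 failures, a success, 2 failures: never 5 in a row
    for t in (0, 1):
        m.record_failure(mac2, "802.11 Association Failure", now=t)
    m.record_success(mac2)
    for t in (2, 3):
        m.record_failure(mac2, "802.11 Association Failure", now=t)
    r["reset_on_success"] = not m.is_excluded(mac2, now=4)
    m.record_ip("aa:bb:cc:dd:ee:02", "192.0.2.10", now=20)
    r["ip_theft_excluded"] = m.record_ip("aa:bb:cc:dd:ee:03", "192.0.2.10", now=21)
    z, mac3 = ExclusionModel(ExclusionPolicy(timeout=0)), "de:ad:be:ef:00:01"
    for t in (0, 1, 2):
        z.record_failure(mac3, "Web Authentication Failure", now=t)
    r["zero_timeout_still_excluded"] = z.is_excluded(mac3, now=10**6)
    z.remove(mac3)
    r["zero_timeout_removed"] = not z.is_excluded(mac3, now=10**6)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `exclusion_list()` method plays the role of `show exclusionlist` described later in the post: it is the place where the reason survives, which the Clients page's bare Excluded status does not show. Note how a single successful join resets the consecutive counters, so a user who mistypes a key twice and then gets it right is never excluded, while a timeout of 0 leaves the entry in place until someone removes it by hand.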
Let's get back to the client having issues connecting to the wifi network. Now that we know what client exclusion is, you can draw some conclusions: the client is being excluded for one of the five reasons listed above under What is Client Exclusion. But how do you find out which one?
Take a look at the Clients page, which will display the client in question. Does it show a status of Excluded? It doesn't tell you why, but now you have the MAC address and the SSID involved.
From there you can assume the user typed in the wrong pre-shared key or there is something wrong with their user account (disabling them from connecting to the wifi network).
Removing a client from the Exclusion List
To remove the client from the exclusion list (effectively a blacklist), right click on the blue dropdown for the client and click on Remove.
Why is a client excluded?
If you have access to the command line, issue this command:
(Cisco Controller) > show exclusionlist
You’ll get the following output with the Exclusion Reason:
Should You Disable Client Exclusion?
I would keep it enabled and focus on getting to the root cause of client issues. By disabling Client Exclusion, you remove a security feature of the Cisco Wireless LAN Controller.