
Packet6

San Francisco Bay Area Wi-Fi Professional Services

wireless lan controller

Should You Disable Cisco WLC Client Exclusion Policies (HINT: Nope)

March 14, 2014 by Rowell Dionicio

The Cisco Wireless LAN Controller is a powerful device. There is no doubt that users will feel frustrated if they can't join your wireless network after several tries.

But why do clients have issues associating to a Wi-Fi network or access point?

Monitoring Clients

Within the Cisco WLC interface, we have the ability to see all our clients.

The data presented is very useful and includes:

  • Client MAC address
  • Client IP address
  • AP the client is associating to
  • SSID the client is associating to
  • Protocol (802.11abg, 802.11bn)
  • Status

All great information to have when troubleshooting.

When a user states they can’t connect to the wifi network I automatically go to the Clients section and look for a Status of Excluded.

Cisco WLC Client Status

By default, each WLAN has a Client Exclusion Policy setting of 60 seconds.

What is Client Exclusion?

The Cisco WLC will exclude clients when specific conditions are met:

  • Excessive 802.11 Association Failures: after five consecutive failures.
  • Excessive 802.11 Authentication Failures: after five consecutive failures.
  • 802.1X Authentication Failures: after three consecutive failures.
  • IP Theft or IP Reuse: if the IP address being obtained by the client is already assigned to another device.
  • Excessive Web Authentication Failures: after three consecutive failures.

Now that we know what types of client exclusion exist, how is it configured?

Configuring Client Exclusion Policies

By default, it is enabled but you can disable it:

  1. Click on the Security navigation item.
  2. Expand Wireless Protection Policies on the left navigation menu.
  3. Click on Client Exclusion Policies.

Enable/Disable Client Exclusion Policies

The exclusion timeout itself is configured per WLAN. By default it is set to 60 seconds.

  1. Click on WLANs.
  2. Edit the WLAN.
  3. Click on the Advanced tab.
  4. Uncheck Enabled next to Client Exclusion to disable it, or modify the Timeout Value (in seconds).

Important: Modifying the timeout to zero (0) means the client will be excluded indefinitely until it is manually removed from the exclusion list.

Configuring Client Exclusion Time Out per WLAN
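
As an added illustration (not code from the original post or from Cisco), this Python model replays a constructed list of client events against the thresholds listed above and reports when each client would be excluded and for how long, which helps when working out why a client shows a Status of Excluded. The event names, the rule that a success resets the failure streak, the single-event IP theft trigger, and the sample MAC addresses are assumptions of this model.

```python
# Consecutive-failure thresholds as listed in the post. The event-kind names
# are hypothetical; "ip-theft" tripping on a single event is an assumption.
THRESHOLDS = {"assoc": 5, "auth": 5, "dot1x": 3, "webauth": 3, "ip-theft": 1}

def exclusion_windows(events, timeout=60):
    """events: (t_seconds, mac, kind, ok) tuples.
    Returns [(mac, policy, start, end)]; end is None when timeout is 0,
    meaning excluded until manually removed from the exclusion list."""
    streak = {}     # (mac, kind) -> consecutive failures so far
    excluded = {}   # mac -> exclusion end time, or None for indefinite
    windows = []
    for t, mac, kind, ok in sorted(events):
        if mac in excluded:
            end = excluded[mac]
            if end is None or t < end:
                continue              # assumption: attempts while excluded are not counted
            del excluded[mac]         # timeout elapsed, client may try again
        key = (mac, kind)
        if ok:
            streak[key] = 0           # assumption: a success resets the streak
            continue
        streak[key] = streak.get(key, 0) + 1
        if streak[key] >= THRESHOLDS[kind]:
            end = None if timeout == 0 else t + timeout
            excluded[mac] = end
            windows.append((mac, kind, t, end))
            # start from clean counters once the exclusion ends
            streak = {k: v for k, v in streak.items() if k[0] != mac}
    return windows

# Constructed sample events (not captured from a real controller).
SAMPLE = [
    (0, "02:00:00:00:00:01", "dot1x", False),
    (2, "02:00:00:00:00:01", "dot1x", False),
    (4, "02:00:00:00:00:01", "dot1x", False),    # third consecutive failure
    (30, "02:00:00:00:00:01", "dot1x", False),   # inside the 60 s window
    (70, "02:00:00:00:00:01", "dot1x", True),    # window over, client joins
    (10, "02:00:00:00:00:03", "ip-theft", False),
    # four association failures, one success, four more: never five in a row
] + [(t, "02:00:00:00:00:02", "assoc", t == 4) for t in range(9)]

if __name__ == "__main__":
    for mac, policy, start, end in exclusion_windows(SAMPLE, timeout=60):
        until = "manual removal" if end is None else f"t={end}s"
        print(f"{mac} excluded by {policy} at t={start}s until {until}")
```
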


Fast Roaming – 802.11r – Cisco Wireless LAN Controller

February 27, 2014 by Rowell Dionicio

Just last week I updated my Cisco 2504 to the latest software version, 7.6.100.0.

One of the updates that stuck out to me was under the security configuration of a wireless LAN, Fast Transition.

What is Fast Transition

Fast Transition is Cisco’s lingo for IEEE 802.11r. 802.11r is an amendment to IEEE 802.11 and was ratified in 2008. The standard defines fast roaming between APs.

How Does it Work

The concept of fast roaming is that the client completes a handshake with another AP even before it roams to that AP. This allows the client to roam to the new AP without re-authenticating.

Caveats and Restrictions

A wireless client not compatible with 802.11r will not be able to join a WLAN with Fast Transition (802.11r) enabled. You will have to create another WLAN with a different SSID that has Fast Transition disabled.

Fast Transition will only work with open and WPA2.

Fast Transition is not supported with:

  • APs in standalone mode
  • EAP LEAP method
  • Legacy clients without an 802.11r enabled driver
