The Cisco WLC (Wireless LAN Controller) is a powerful device. There is no doubt users will feel frustrated if they can’t join your wireless network after several tries.
Within the Cisco WLC interface, we have the ability to see all our clients.
The data shown is very useful and includes:
- Client MAC & IP address
- SSID the client is associating to
- Protocol (802.11, 802.11)
- Status
When a user states they cannot connect to the wifi network, I automatically go to the Clients section and look for a Status of Excluded. Each WLAN has a Client Exclusion Policy setting of 60 seconds by default.
What is Client Exclusion?
The Cisco WLC will exclude clients when specific conditions are met:
- Excessive 802.11 Association Failures: after 6 consecutive failures.
- Excessive 802.11 Authentication Failures: after 6 consecutive failures.
- 802.1X Authentication Failures: after 4 consecutive failures.
- IP Theft / Reuse: the IP address being obtained by the client is already assigned to another device.
- Excessive Web Authentication Failures: after 3 consecutive failures.
Now that we know what types of client exclusion exist, how is it configured?
Configuring Client Exclusion Policies
By default, it is enabled, but you can disable it:
- Click on the Security navigation item.
- Expand Wireless Protection Policies on the left navigation menu.
- Click on Client Exclusion Policies
The actual exclusion timeout is configured on the WLAN, so it is set per WLAN. By default it is 60 seconds.
- Click on WLANs
- Edit the WLAN
- Click on the Advanced tab
- Uncheck Enabled next to Client Exclusion to disable or modify the Timeout Value (in seconds).
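To make the "consecutive failures" rule and the per-WLAN timeout concrete, here is a small added model of the exclusion policy (my own example, not Cisco code or output): it replays per-client events, counts consecutive failures per category, resets the count on any success, and holds a client in the excluded state for the timeout. The event kinds, MAC addresses and sample events are constructed for the demonstration.

```python
# Consecutive failures before exclusion, as listed in the post; labels are mine:
# assoc/auth = 802.11 association/authentication, dot1x = 802.1X, webauth = web auth.
THRESHOLDS = {"assoc": 6, "auth": 6, "dot1x": 4, "webauth": 3}
DEFAULT_TIMEOUT = 60  # per-WLAN Client Exclusion timeout default, in seconds

class ExclusionTracker:
    """Replays per-client events and reports when the exclusion policy would fire."""

    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self.clients = {}   # mac -> {"runs": {kind: n}, "until": ts, "reason": str}
        self.ip_owner = {}  # ip -> mac, for the IP theft/reuse check

    def event(self, ts, mac, kind, ok=True, ip=None):
        """Feed one event; returns the exclusion reason if the client is excluded."""
        st = self.clients.setdefault(mac, {"runs": {}, "until": 0.0, "reason": ""})
        if ts < st["until"]:
            return st["reason"]  # still inside the exclusion window
        if kind == "ip":  # client obtained an address
            owner = self.ip_owner.get(ip)
            if owner not in (None, mac):
                return self._exclude(st, ts, "IP theft/reuse")
            self.ip_owner[ip] = mac
            return ""
        if ok:  # a success resets the consecutive count for that category only
            st["runs"][kind] = 0
            return ""
        st["runs"][kind] = st["runs"].get(kind, 0) + 1
        if st["runs"][kind] >= THRESHOLDS[kind]:
            return self._exclude(st, ts, f"excessive {kind} failures")
        return ""

    def _exclude(self, st, ts, reason):
        st["until"], st["reason"], st["runs"] = ts + self.timeout, reason, {}
        return reason

def replay(events, timeout=DEFAULT_TIMEOUT):
    """Return {mac: reason} for every client the policy excluded during the replay."""
    tracker, excluded = ExclusionTracker(timeout), {}
    for ts, mac, kind, ok, ip in events:
        if reason := tracker.event(ts, mac, kind, ok, ip):
            excluded[mac] = reason
    return excluded

# Constructed sample: MAC1 fails 802.1X four times in a row (e.g. a mistyped
# password); MAC2 fails twice, succeeds, then fails twice, so it is never excluded.
MAC1, MAC2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
SAMPLE_EVENTS = [(t, MAC1, "dot1x", False, None) for t in range(4)] + [
    (t, MAC2, "dot1x", t == 2, None) for t in range(5)]
```

Running `replay(SAMPLE_EVENTS)` reports only MAC1 as excluded, which is the pattern to expect from a user retrying a wrong credential; once the 60-second window passes the counter starts again from zero.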
Troubleshooting
Let’s get back to the client having issues connecting to the wifi network. Now we know what client exclusion is, and you can draw some conclusions: the client is being excluded for one of the five reasons listed under What is Client Exclusion. But how do you find out which? Take a look at the Clients page, which will show the client in question. Does it show a status of Excluded? It doesn’t really tell you why, but now you have the MAC address and the SSID. From there you can expect that the client typed the wrong pre-shared key or that there is something wrong with their user account (preventing them from connecting to the wifi network).
Why is a client excluded?
If you have access to the command line, issue this command:
(Cisco Controller) > show exclusionlist
Should I Disable Client Exclusion?
I would keep it enabled and focus on getting to the root cause of client issues. By disabling Client Exclusion, you remove a security feature of the Cisco WLC.