WLC exclusionlist

Configuring Client Exclusion

Configuring Client Exclusion Policies (GUI)

---

Step 1

Choose Security > Wireless Protection Policies > Client Exclusion Policies to open the Client Exclusion Policies page.

Step 2

Select any of these check boxes if you want the controller to exclude clients for the condition specified. The default value for each exclusion policy is enabled. Excessive 802.11 Association Failures—Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures. Excessive 802.11 Authentication Failures—Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures. Excessive 802.1X Authentication Failures—Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures. IP Theft or IP Reuse—Clients are excluded if the IP address is already assigned to another device. Excessive Web Authentication Failures—Clients are excluded on the fourth web authentication attempt, after three consecutive failures.

Issue the below command to see the time left when the client is excluded. default time is set to 60 sec. 

show exclusionlist  （我们可以通过show wps summary去查看开启了哪些exclusion policy）

Information similar to the following appears:

(Cisco Controller) >show exclusionlist
          
Dynamically Disabled Clients
----------------------------
  MAC Address             Exclusion Reason        Time Remaining (in secs)
  -----------             ----------------        ------------------------

00:40:96:b4:82:55         802.1X Failure          	51

(Cisco Controller) >show wps summary      

Auto-Immune
  Auto-Immune.................................... Disabled
  Auto-Immune by aWIPS Prevention................ Disabled

Client Exclusion Policy
  Excessive 802.11-association failures.......... Enabled
  Excessive 802.11-authentication failures....... Enabled
  Excessive 802.1x-authentication................ Enabled
  IP-theft....................................... Enabled
  Excessive Web authentication failure........... Enabled
  Maximum 802.1x-AAA failure attempts............ 3

Signature Policy
  Signature Processing........................... Enabled


Management Frame Protection
  Global Infrastructure MFP state................ DISABLED (*all infrastructure settings are overridden)
  AP Impersonation detection..................... Disabled
  Controller Time Source Valid................... False

                                    WLAN       Client
WLAN ID  WLAN Name                  Status     Protection
-------  -------------------------  ---------  ----------
1        Hello                      Disabled   Optional


详细的CLI链接配置：https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010110101.html