
Alcatel-Lucent AOS-W 6.5.3.x - Understanding Client Blacklisting

Alcatel-Lucent AOS-W 6.5.3.x
1160 pages
501| Wireless Intrusion Prevention AOS-W 6.5.3.x| User Guide
Understanding Client Blacklisting
When a client is blacklisted in the Alcatel-Lucent system, the client is not allowed to associate with any AP in the
network for a specified amount of time. If a client is connected to the network when it is blacklisted, a
deauthentication message is sent to force the client to disconnect. While blacklisted, the client cannot associate
with another SSID in the network.
The switch retains the client blacklist in the user database, so the information is not lost if the switch reboots.
When you import or export the switch’s user database, the client blacklist will be exported or imported as well.
Methods of Blacklisting
There are several ways in which a client can be blacklisted in the Alcatel-Lucent system:
- You can manually blacklist a specific client. See Blacklisting Manually on page 501 for more information.
- A client fails to successfully authenticate for a configured number of times for a specified authentication
  method. The client is automatically blacklisted. See Blacklisting by Authentication Failure on page 502 for
  more information.
- A DoS or man-in-the-middle (MITM) attack has been launched in the network. Detection of these attacks can
  cause the immediate blacklisting of a client. See Enabling Attack Blacklisting on page 502 for more
  information.
- An external application or appliance that provides network services, such as virus protection or intrusion
  detection, can blacklist a client and send the blacklisting information to the switch via an XML API server.
  When the switch receives the client blacklist request from the server, it blacklists the client, logs an event,
  and sends an SNMP trap. See External Services Interface on page 1046 for more information.
The External Services Interface feature requires the Policy Enforcement Firewall Next Generation (PEFNG) license
to be installed in the switch.
Blacklisting Manually
There are several reasons why you may choose to blacklist a client. For example, you can enable different
Alcatel-Lucent intrusion detection system (IDS) features that detect suspicious activities, such as MAC address
spoofing or DoS attacks. When these activities are detected, an event is logged and an SNMP trap is sent with
the client information. To blacklist a client, you need to know its MAC address.
To manually blacklist a client via the WebUI:
1. Navigate to the Monitoring > Switch > Clients page.
2. Select the client to be blacklisted, then click the Blacklist button.
To clear the entire client blacklist using the WebUI:
1. Navigate to the Monitoring > Switch > Clients page.
2. Click Remove All from Blacklist.
To manually blacklist a client via the command-line interface, access the CLI in config mode and issue the
following command:
stm add-blacklist-client <macaddr>
To clear the entire client blacklist using the command-line interface, access the CLI in config mode and issue the
following command:
stm purge-blacklist-client
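An added example, not taken from the Alcatel-Lucent guide: because a blacklisted client is deauthenticated and the entry survives a switch reboot, this Python helper checks a list of MAC addresses before generating `stm add-blacklist-client` lines for an operator to review. The sample MACs, the protected list, and the colon-separated MAC format it emits are assumptions.

```python
import re

_HEX12 = re.compile(r"[0-9a-f]{12}")

def normalize_mac(raw):
    """Return the MAC as lowercase colon-separated octets, or None if invalid.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabbccddeeff.
    The colon-separated output format is an assumption about what the CLI expects.
    """
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    if not _HEX12.fullmatch(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_group_address(mac):
    """True for multicast/broadcast MACs (I/G bit set), which never identify one client."""
    return int(mac[:2], 16) & 0x01 == 1

def build_blacklist_commands(candidates, protected=()):
    """Turn candidate MACs into CLI lines; return (commands, skipped-with-reason)."""
    keep = {normalize_mac(m) for m in protected}
    commands, skipped, seen = [], [], set()
    for raw in candidates:
        mac = normalize_mac(raw)
        if mac is None:
            skipped.append((raw, "not a MAC address"))
        elif is_group_address(mac):
            skipped.append((raw, "multicast/broadcast address"))
        elif mac in keep:
            skipped.append((raw, "on protected list"))
        elif mac in seen:
            skipped.append((raw, "duplicate"))
        else:
            seen.add(mac)
            commands.append(f"stm add-blacklist-client {mac}")
    return commands, skipped

# Constructed sample input: MACs an analyst copied out of IDS events.
SAMPLE = ["00-1A-2B-3C-4D-5E", "001a.2b3c.4d5e", "ff:ff:ff:ff:ff:ff",
          "02:00:5e:10:00:01", "de:ad:be:ef", "00:0b:86:aa:bb:cc"]
PROTECTED = ["00:0B:86:AA:BB:CC"]  # hypothetical: a device that must stay reachable

if __name__ == "__main__":
    cmds, skipped = build_blacklist_commands(SAMPLE, PROTECTED)
    print("\n".join(cmds))
    for raw, why in skipped:
        print(f"! skipped {raw}: {why}")
```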
