The Cisco Wireless LAN Controller is a powerful device. There’s no doubt users will feel frustrated if they can’t join your wireless network after several tries.
But why do clients have issues associating to a wifi network or access point?
Within the Cisco WLC interface, we have the ability to see all our clients.
The data presented is very useful and includes:
- Client MAC address
- Client IP address
- AP the client is associating to
- SSID the client is associating to
- Protocol (802.11abg, 802.11bn)
All great information to have when troubleshooting.
When a user states they can’t connect to the wifi network, I automatically go to the Clients section and look for a Status of Excluded.
By default, each WLAN has a Client Exclusion Policy setting of 60 seconds.
What is Client Exclusion?
The Cisco WLC will exclude clients when specific conditions are met:
- Excessive 802.11 Association Failures after five consecutive failures.
- Excessive 802.11 Authentication Failures after five consecutive failures.
- 802.1X Authentication Failures after three consecutive failures.
- IP Theft or IP Reuse if the IP address, being obtained by the client, is already assigned to another device.
- Excessive Web Authentication Failures after three consecutive failures.
Now that we know what types of client exclusion exist, how is it configured?
Configuring Client Exclusion Policies
By default, it is enabled but you can disable it:
- Click on the Security navigation item.
- Expand Wireless Protection Policies on the left navigation menu.
- Click on Client Exclusion Policies.
The actual exclusion value is configured on the WLAN. This is done per WLAN. By default it is set to 60 seconds.
- Click on WLANs.
- Edit the WLAN.
- Click on the Advanced tab.
- Uncheck Enabled next to Client Exclusion to disable or modify the Timeout Value (in seconds).
Important: Modifying the timeout to zero (0) means the client will be excluded indefinitely until it is manually removed from the exclusion list.
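
The exclusion conditions and the per-WLAN timeout described above, including the timeout of zero, modelled in Python. This is an added example for reasoning about why a client shows as Excluded; it is not Cisco code or the WLC's actual implementation. The event labels, the sample MAC address and the threshold of 1 for IP theft are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Consecutive failures before exclusion, as listed in the article.
# Key names are labels chosen for this example, not WLC identifiers.
# The article gives no count for IP theft; 1 is an assumption.
THRESHOLDS = {"assoc": 5, "auth": 5, "dot1x": 3, "webauth": 3, "ip-theft": 1}

@dataclass
class ExclusionModel:
    timeout: int = 60   # per-WLAN Timeout Value in seconds; 0 = indefinite
    streak: dict = field(default_factory=dict)    # (mac, kind) -> failures in a row
    excluded: dict = field(default_factory=dict)  # mac -> (reason, time excluded)

    def is_excluded(self, mac, now):
        entry = self.excluded.get(mac)
        if entry is None:
            return False
        if self.timeout != 0 and now - entry[1] >= self.timeout:
            del self.excluded[mac]   # timer expired: client may try again
            return False
        return True                  # timeout 0 never expires on its own

    def event(self, now, mac, kind, ok):
        """Record one attempt and return the client's state afterwards."""
        if self.is_excluded(mac, now):
            return "excluded"
        if ok:
            self.streak[(mac, kind)] = 0   # a success breaks the run
            return "allowed"
        count = self.streak.get((mac, kind), 0) + 1
        self.streak[(mac, kind)] = count
        if count >= THRESHOLDS[kind]:
            self.excluded[mac] = (kind, now)
            self.streak[(mac, kind)] = 0
            return "excluded"
        return "allowed"

    def remove(self, mac):
        """Manual removal from the exclusion list."""
        self.excluded.pop(mac, None)

def replay(events, timeout=60):
    model = ExclusionModel(timeout=timeout)
    return [model.event(*e) for e in events]

# Constructed sample: (seconds, client MAC, attempt type, succeeded?)
MAC = "aa:bb:cc:00:00:01"
SAMPLE = [(t, MAC, "dot1x", False) for t in (0, 2, 4)] + [
    (30, MAC, "dot1x", True),   # inside the 60 s exclusion window
    (70, MAC, "dot1x", True),   # window has expired
]
```

Replaying `SAMPLE` with the default timeout shows the client being let back in once 60 seconds have passed, while `replay(SAMPLE, timeout=0)` leaves it excluded until `remove()` is called.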