
388 Messages

 • 

5.9K Points

Thu, Dec 26, 2019 3:10 AM

Answered

ZD1200 : a question about temporary block wireless client with repeated authen for xx second.

Hello.

We want to know about temporarily blocking wireless clients with repeated authentication for XX seconds.



Q1. How long is the interval and what number of hits is it?
ex. if it repeated x times in y mins, block for Z sec.

Q2. If someone was blocked for 30 seconds, does it show under block client list like below? 


I couldn't find documents about it anywhere.

Please let me know about it.

Thanks in advance.

Responses

6 Messages

 • 

192 Points

10 months ago

Hi Jeronimo,

If this capability is activated, any clients that repeatedly fail in attempting authentication will be temporarily blocked for a period of time (10~1200 seconds, default is 30). Clients temporarily blocked by the Intrusion Prevention feature are not added to the Blocked Clients list on the Services & Profiles > Access Control page, Blocked Clients section.

For the repeated authentication failure blocking feature, if ZD detects station authentication failures more than 5 times, there will be an event log entry. If it is more than 10 times and if the temp block is enabled, this station will be blocked for 30 seconds. After the block is lifted, the counter is reset. Auth failures include shared key auth failures and 802.1x/WPA auth failures.

This info is available in the ZD User Guide and in a Knowledgebase article.
User Guide: https://support.ruckuswireless.com/documents/2906-zonedirector-10-3-ga-user-guide
KB Article: https://support.ruckuswireless.com/articles/000003500

Regards,
Pradeep

388 Messages

 • 

5.9K Points

10 months ago

Hello Pradeep.

Thank you very much for the prompt reply.

I still didn't get an answer about the interval from your reply.

But from a document, it seems that the interval is 300 sec.
 

Is it right?

Regards.





6 Messages

 • 

192 Points

Yes.

388 Messages

 • 

5.9K Points

Thanks.

Your answer is very helpful for me.

246 Messages

 • 

4.2K Points

10 months ago

Hi Jeronimo,

With this option enabled, any clients that repeatedly fail in attempting authentication will be temporarily blocked for a period of time (10~1200 seconds, default is 30).

Q1. How long is the interval and what number of hit is it?
ex. if it repeated x times in y mins, block for Z sec.

Answer : If ZD detects station authentication failures more than 5 times, there will be an event log entry. If it is more than 10 times and if temp block is enabled, this station will be blocked for 30 seconds. After the block is lifted, the counter is reset. 

Interval and hits :
Request received within 5 minutes;
a. For 802.1x/MAC auth, bad authentication requests exceeding 2 times will trigger this feature.
    I guess this can be configured on the "Max Number of Retries" under the ZD Radius settings.
b. For Open PSK(WPA2/AES) auth, it is 10 times.
c. For web authentication, it is 10 times.

Q2. If someone was blocked for 30 seconds, does it show under block client list like below? 

Answer : Clients temporarily blocked by the Intrusion Prevention feature are not added to the Blocked Clients list on the Configure > Access Control page, Blocked Clients section.
Which is why you are not able to see the client in the Blocked list.

-----------------------------------------------------------------------------------------------------------------

If you want to manually block the client based on the repeated authentication failure event logs on the ZD, go to Monitor >> Wireless Clients >> Active Clients (they may be authorized or unauthorized clients) >> click the Block button in the Action column in a specific user row.
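
The counting behaviour described in the replies above, written out as a small Python model. This is an added example, not part of any post and not ZoneDirector code. It uses the 10-failure threshold given for PSK and web authentication, and it assumes a sliding 5-minute window and that attempts made during a block are ignored; the class, function and MAC address are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 300        # seconds; the interval confirmed in the thread
LOG_AFTER = 5       # more than 5 failures -> event log entry
BLOCK_AFTER = 10    # more than 10 failures -> temporary block
BLOCK_SECS = 30     # default block duration (configurable 10~1200)

class TempBlockModel:
    """Model of the behaviour described in the thread, not ZoneDirector code."""

    def __init__(self, temp_block_enabled=True, block_secs=BLOCK_SECS):
        if not 10 <= block_secs <= 1200:
            raise ValueError("block duration must be 10~1200 seconds")
        self.enabled = temp_block_enabled
        self.block_secs = block_secs
        self.failures = defaultdict(deque)   # MAC -> failure timestamps
        self.blocked_until = {}              # MAC -> time the block lifts

    def auth_failure(self, mac, ts):
        """Record one failed authentication; return the resulting action."""
        until = self.blocked_until.get(mac)
        if until is not None:
            if ts < until:
                return "dropped"             # assumption: ignored while blocked
            del self.blocked_until[mac]      # block lifted: counter is reset
            self.failures[mac].clear()
        q = self.failures[mac]
        q.append(ts)
        while q and ts - q[0] >= WINDOW:     # assumption: sliding window
            q.popleft()
        if self.enabled and len(q) > BLOCK_AFTER:
            self.blocked_until[mac] = ts + self.block_secs
            return "blocked"
        if len(q) > LOG_AFTER:
            return "logged"
        return "counted"

def replay(events, **kw):
    """events: iterable of (timestamp_seconds, mac); returns list of actions."""
    model = TempBlockModel(**kw)
    return [model.auth_failure(mac, ts) for ts, mac in events]

# Constructed sample: one station failing every 2 s, then retrying after the block.
SAMPLE = [(t, "aa:bb:cc:00:00:01") for t in range(0, 24, 2)] + [(60, "aa:bb:cc:00:00:01")]

if __name__ == "__main__":
    for (ts, mac), action in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={ts:>3}s {mac} {action}")
```

With the temporary block disabled, the same replay only ever reaches the event-log stage, which matches the point in the thread that a temporarily blocked client never appears in the Blocked Clients list and has to be found through the event log.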