ZD1200 : a question about temporary block wireless client with repeated authen for xx second.

  • 1
  • Question
  • Updated 6 months ago
  • Answered
Hello.

We want to know about temporary block wireless client with repeated authentication for XX second.



Q1. How long is the interval and what number of hit is it?
ex. if it repeated x times in y mins, block for Z sec.

Q2. If someone was blocked for 30 seconds, does it show under block client list like below? 


I couldn't find documents about it anywhere.

Please let me know about it.

Thanks in advance.

Photo of Jeronimo

Jeronimo

  • 379 Posts
  • 48 Reply Likes

Posted 6 months ago

  • 1
Photo of Pradeep Kumar

Pradeep Kumar, Employee

  • 6 Posts
  • 4 Reply Likes
Hi Jeronimo,

If this capability is activated, any clients that repeatedly fail in attempting authentication will be temporarily blocked for a period of time (10~1200 seconds, default is 30). Clients temporarily blocked by the Intrusion Prevention feature are not added to the Blocked Clients list on the Services & Profiles > Access Control page, Blocked Clients section.

For repeated authentication failure blocking feature, if ZD detects station authentication failures more than 5 times, there will be an event log entry. If it is more than 10 times and if the temp block is enabled, this station will be blocked for 30 seconds. After the block is lifted, the counter is reset. Auth failure includes failed shared key auth failure, 802.1x/WPA auth failures.

This info is available in ZD User Guide and in Knowledgebase article
User Guide:https://support.ruckuswireless.com/documents/2906-zonedirector-10-3-ga-user-guide
KB Article: https://support.ruckuswireless.com/articles/000003500

Regards,
Pradeep
Photo of Jeronimo

Jeronimo

  • 379 Posts
  • 48 Reply Likes
Hello Pradeep.

Thanks for prompt reply very much.

I didn't still have an answer about a interval form your reply.

But from a document, it seems that interval is 300sec.
 

Is it right?

Regards.





Photo of Pradeep Kumar

Pradeep Kumar, Employee

  • 6 Posts
  • 4 Reply Likes
Yes.
Photo of Jeronimo

Jeronimo

  • 379 Posts
  • 48 Reply Likes
Thanks.

Your answer is very helpful for me.
Photo of Sanjay Kumar

Sanjay Kumar, Employee

  • 171 Posts
  • 67 Reply Likes
Hi Jeronimo,

With this option enabled, any clients that repeatedly fail in attempting authentication will be temporarily blocked for a period of time (10~1200 seconds, default is 30).

Q1. How long is the interval and what number of hit is it?
ex. if it repeated x times in y mins, block for Z sec.

Answer : If ZD detects station authentication failures more than 5 times, there will be an event log entry. If it is more than 10 times and if temp block is enabled, this station will be blocked for 30 seconds. After the block is lifted, the counter is reset. 

Interval and hits :
Request received within 5 minutes;
a. For 802.1x/MAC auth, bad authentication requests exceed 2 times will trigger this feature.
    I guess this can be configured on the "Max Number of Retries" under the ZD Radius settings.
b. For Open PSK(WPA2/AES) auth, it is 10 times.
c. For web authentication, it is 10 times.

Q2. If someone was blocked for 30 seconds, does it show under block client list like below? 

Answer : Clients temporarily blocked by the Intrusion Prevention feature are not added to the Blocked Clients list on the Configure > Access Control page, Blocked Clients section.
Which is why you are not able to see the client in the Blocked list.

-----------------------------------------------------------------------------------------------------------------

If you want to manually block the Client based on the repeated authentication failure event logs on the ZD, go to Monitor >> Wireless Clients >> Active Clients (they may me authorized or unauthorized client) >> Click the Block button in the Action column in a specific user row.