Cannot remove automatically added MAC address from the Blacklist?
‎08-15-2017 01:46 PM
I have a client that cannot join my wireless network and they appear to be on the Blacklist. I didn't put them there, and I cannot seem to remove them because they were "automatically added"? What would have automatically added them?
I am assuming that this was a false detection by RADAR? But how can I get them off this list if it's grayed out on me?
5 REPLIES
‎08-16-2017 09:07 AM
It appears that disabling the settings in your In-Service Scan Profile does *not* remove hosts that have been automatically added.
I noticed the entry disappeared from the list shortly after I cleared the active alarm in Extreme NMS (Netsight) - but I don't think there is an interaction there. I think it just happened to time out and drop off on its own around the same time I cleared the alarm. Maybe an engineer can clarify?
Can I put in a product suggestion that there should be a way to clear hosts that are automatically added to the blacklist? I can see that there are going to be false detections with these attack signatures and I don't want to tell our users that they have to wait it out. 😞
‎08-16-2017 09:07 AM
Hello Gareth, in this case it was for "surveillance" or "excessive null probes from client". I have seen false detections with this attack on other systems as well (Cisco wireless). My only guess is that it's a client that is misbehaving. Possibly trying to join an AP that is too far away, or maybe it roamed and is failing to reconnect at the new AP?
In no cases has it ever been an attack of any sort (at least in my experience). Just a domain joined laptop running Windows 7 which recently 'stopped working' without warning.
I found what you are referring to. Just to clarify, that is under Reports > Radar > Blacklisted Clients. I didn't think to look there. But now I can see that it does show when a client will leave this blacklist on its own. And that is good to know!
Looks like I have a new victim there currently that I have not heard from.
‎08-16-2017 09:07 AM
Hi Steve
The report Radar > Blacklisted Clients gives some info on the start and end time of the blacklisting along with a reason. As far as I know there is no way to decrease or force the de-listing of a blacklisted client; that could be done as a feature request via your local SE.
What was the reason for the blacklisting? Do you have that info, as it probably should be investigated?
-Gareth
‎08-15-2017 09:53 PM
Hi Steve
In-Service Scan Profiles support automatic blacklisting, which automatically removes network access from devices performing certain types of wireless attacks.
Best regards,
Bin
