AP Client blocked by Access Control w/o ACL in EAP

2022-10-11 06:26:05 - last edited 2022-11-10 04:52:23
Model: EAP653  
Hardware Version: V1
Firmware Version: 1.0.1

Hi

I am new to the Omada world and SDN. I have set up a small network (ER605, 2x SG2008P, 2x EAP653, OC200) and I am happy so far.

This morning I was checking logs and found >2400 entries of one of the clients:

[Failed]iPadProXXX failed to connected to EAP653 AZ with SSID "YYY" on channel 48 because the user is blocked by Access Control.(15 times in a minute)

I had similar log statements some days ago with another iPad, but just ~50 statements like above and with the same AP. Strangely they do not appear in the blocked client list in the insights of the Omada Controller interface.

All devices are up-to-date, the ER605 has the beta firmware from July (2.0.2 Build 20220727 Rel.51535).

I have 4 SSIDs that each route into their own VLAN. The error appears on all SSIDs. WPA is "WPA2-PSK/WPA3-SAE / AES" and both iPads have been authenticated with WPA3.

I also have frequent WPA auth failures but they do not worry me much:

[Failed]ABC failed to connected to EAP653 WZ with SSID "ZZZ" on channel 1 because WPA Authentication times out/failed.(1 time in a minute)

Any ideas?

Re:AP Client blocked by Access Control w/o ACL in EAP
2022-10-12 09:15:12

@modebm

It is recommended to check the settings on the controller, most likely the EAP ACL entry is set, or you can go to the switch ACL and see if there is a relevant entry.

Just striving to develop myself while helping others.
Re:AP Client blocked by Access Control w/o ACL in EAP
2022-10-12 09:46:08
Hi Virgo, there is none alike. I have no ACL set for the EAP and no ACL that pertains to the clients in the switches. Strangely, logging out and in of the clients stopped the spamming in the logs without changing any settings in the controller.
Re:AP Client blocked by Access Control w/o ACL in EAP
2022-10-24 21:45:09

@modebm

I've got the same event note for one of three active SSIDs on my EAP670...

[Failed]Danfoss_1et failed to connected to WiFi_UD with SSID "FFFFF" on channel 11 because the user is blocked by Access Control.(35 times in a minute)

No ACL, 3 SSIDs for 3 VLANs

Re:AP Client blocked by Access Control w/o ACL in EAP-Solution
2022-10-28 05:33:30 - last edited 2022-11-10 04:52:23
Hi @HanSlo, I have found out what it was, at least in my setup. I have chosen to block communication between VLANs on network/VLAN level on switch level and the iPad seems to do a lot of multicast. This seems to have caused the messages. Per se nothing "dangerous" but annoying. I have switched to a default ACL that blocks on IP level (all private networks) and the messages disappeared.
Recommended Solution
Re:AP Client blocked by Access Control w/o ACL in EAP
2022-11-09 04:43:49

Hi!

I'm having the same problem. It happens to two devices owned by the same user.

[Failed][Host] failed to connected to EAP653 Living Room with SSID "-WiFi" on channel 149 because the user is blocked by Access Control.(6 times in a minute)

Anyone found the solution to this? Thanks!

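An added example, not part of the original thread and not TP-Link code: a Python parser for the event lines quoted in the posts above, totalling attempts per client, AP, SSID and reason so that "blocked by Access Control" bursts can be separated from WPA failures when triaging thousands of entries. The pattern is inferred only from the lines posted here; the function names and the non-matching sample line are assumptions made for illustration.

```python
import re
from collections import Counter

# Inferred from the event lines quoted in this thread (an assumption, not a
# documented Omada log format). "failed to connected" is the log's own wording.
EVENT_RE = re.compile(
    r'^\[Failed\](?P<client>.+?) failed to connected to (?P<ap>.+?) '
    r'with SSID "(?P<ssid>[^"]*)" on channel (?P<channel>\d+) '
    r'because (?P<reason>.+?)\.\((?P<count>\d+) times? in a minute\)$'
)

# The first four lines are quoted from the thread; the last one is constructed.
SAMPLE = [
    '[Failed]iPadProXXX failed to connected to EAP653 AZ with SSID "YYY" on channel 48 because the user is blocked by Access Control.(15 times in a minute)',
    '[Failed]ABC failed to connected to EAP653 WZ with SSID "ZZZ" on channel 1 because WPA Authentication times out/failed.(1 time in a minute)',
    '[Failed]Danfoss_1et failed to connected to WiFi_UD with SSID "FFFFF" on channel 11 because the user is blocked by Access Control.(35 times in a minute)',
    '[Failed][Host] failed to connected to EAP653 Living Room with SSID "-WiFi" on channel 149 because the user is blocked by Access Control.(6 times in a minute)',
    'constructed line that is not a connection failure event',
]

def parse_event(line):
    """Return the fields of one event line, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["channel"], ev["count"] = int(ev["channel"]), int(ev["count"])
    return ev

def summarize(lines):
    """Total attempts per (client, AP, SSID, reason); also count unparsed lines."""
    attempts, skipped = Counter(), 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            skipped += 1
        else:
            attempts[(ev["client"], ev["ap"], ev["ssid"], ev["reason"])] += ev["count"]
    return attempts, skipped

def access_control_blocks(lines, min_attempts=1):
    """Entries rejected as 'blocked by Access Control', busiest first."""
    attempts, _ = summarize(lines)
    hits = [(key, n) for key, n in attempts.items()
            if "blocked by Access Control" in key[3] and n >= min_attempts]
    return sorted(hits, key=lambda kv: -kv[1])

if __name__ == "__main__":
    for (client, ap, ssid, reason), n in access_control_blocks(SAMPLE):
        print(f"{n:5d}  {client} @ {ap} / {ssid}: {reason}")
```

Comparing the resulting client list against the controller's blocked-client view and the configured ACLs shows which rejections have no matching rule, which is the situation described in the first post.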