Controllerless Networks

Has anyone been able to get Denylisting working using Access Rules for a particular SSID? I can easily block access to virtually everything, but checking the Denylist box seems to do nothing and we end up with extremely high client association numbers. This is in a K-12 environment with around 1000 to 2000 students at each of 40 locations. Currently running 8.11.2.2 on 555s at the school I'm testing with. Denylisting based on auth failures seems to work fine but none of the clients that show the appropriate role that should trigger denylisting are showing in the Dynamic Denylist and they still show as associated with the APs.

-------------------------------------------

there are two places where you can make use of denylist. 

one is under Security tab when you are configuring a WLAN and that works base don number of auth failures.

the other is under access tab, in which i think you are referring to. Here I have a rule that will deny-list the client if they try to access linkedin.

So now when the client tries to go to hat domain. it gets deny-listed and gets displayed here.

the access to that FQDN is denied and logged but the user can have access to other sites and will not get disconnected. so there are different things you can do based on your use case.

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

sorry a correction, when the client gets denylisted, they get disconnected and they can not associated to that WLAN anymore.

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------

Original Message:
Sent: Sep 27, 2025 09:16 PM
From: ariyap
Subject: Access Rule Denylisting on Instant Cluster

there are two places where you can make use of denylist. 

one is under Security tab when you are configuring a WLAN and that works base don number of auth failures.

the other is under access tab, in which i think you are referring to. Here I have a rule that will deny-list the client if they try to access linkedin.

So now when the client tries to go to hat domain. it gets deny-listed and gets displayed here.

the access to that FQDN is denied and logged but the user can have access to other sites and will not get disconnected. so there are different things you can do based on your use case.

------------------------------
If my post was useful accept solution and/or give kudos.
Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
------------------------------