Monday, 17 February 2020

Manual Client Blacklisting in an Aruba AOS 8 Cluster

Manually blacklisting a client in an Aruba AOS 8 cluster involves a somewhat non-obvious configuration. Normally, configuration for a cluster managed by a mobility master is done at the mobility master and then pushed out to the relevant controllers based on the level of the hierarchy. In addition, changes are usually made in configuration mode on the mobility master. Blacklisting a client device, however, is done on an individual controller's CLI in enable mode.

To blacklist a client, log in to any controller in the cluster:

(MY-CONTROLLER-01) #stm add-blacklist-client 8CF5A3CCD483

This pushes the blacklist entry out to all controllers in the cluster, so it doesn't appear to matter which controller the command is executed on.

This is the corresponding user trace when a client is blacklisted:
 Feb 10 12:07:01 :501103:  <3677> <WARN> |stm|  Blacklist add: 8c:f5:a3:cc:d4:83: Reason: user-defined
 Feb 10 12:07:01 :501000:  <3677> <DBUG> |stm|  Station 8c:f5:a3:cc:d4:83: Clearing state
 Feb 10 12:07:01 :522004:  <5025> <DBUG> |authmgr|  auth_cluster_ipuser_dormant_entry_delete:  ip( entry for mac 8c:f5:a3:cc:d4:83 flags 0xb
 Feb 10 12:07:01 :522004:  <5025> <DBUG> |authmgr|  AUTH GSM Macuser  Dormant Del (8c:f5:a3:cc:d4:83)
 Feb 10 12:07:01 :522004:  <5025> <DBUG> |authmgr|  ac_macuser_dormant_entry_delete: deleted dormant mac(8c:f5:a3:cc:d4:83) entry

To check which clients are currently blacklisted:

 (MY-CONTROLLER-01) #show ap blacklist-clients

 Blacklisted Clients
 STA                reason        block-time(sec)  remaining time(sec)
 ---                ------        ---------------  -------------------
 8c:f5:a3:cc:d4:83  user-defined  245              3355
 5c:c5:d4:de:8e:10  user-defined  2915             685
 34:02:86:b7:3d:42  user-defined  925              2675

To remove a single client from the blacklist, execute the following command:

 stm remove-blacklist-client 8c:f5:a3:cc:d4:83

To remove all clients from the blacklist, execute the following command:

 stm purge-blacklist-client

NB: The purge and remove commands, unlike add, are not pushed out to the other controllers in the cluster, so they need to be run on every controller in the cluster.
