11-26-2014 01:54 PM
I have a user account that keeps getting locked out in our domain and I am finding the failed logon attempts from our Aruba Instant environment (this is at a location where the user does not work) within the domain controller for the site. I see the following messages in Event Viewer:
Event IDs: 6273; 4625; 4776 (I will attach screenshots of content)
All these events happen at the same moment and the only source I see is the IP address of our virtual controller. Aruba IAP environment consists of IAP-225s running 220.127.116.11-18.104.22.168_45063. I noticed in the event ID 6273 it references a "called station" and "calling station". The called station is showing the MAC address of one of my APs but the calling station is just showing as a Samsung device. I have blacklisted this MAC address but I can still see this event happening in the logs.
Any help would be appreciated in hunting down this device. The lack of reporting on the Instant environment is proving difficult but I am sure there is a trick I am missing to hunt this down.
11-26-2014 02:49 PM
The output of "show ap bss-table" on the command line of the Virtual Controller should show you the list of called-station-ids that are in a virtual controller. You should be able to compare that to the called-station-id in the RADIUS authentication request to figure out what AP is being authenticated to:
Aruba Customer Engineering
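The comparison described in the reply above can be scripted once the 6273 event text is exported from the domain controller. This is an added example, not code from the thread or from Aruba; the sample events, the account name `jdoe`, the AP names, and the BSSID map (to be filled in by hand from "show ap bss-table") are all constructed.

```python
import re
from collections import Counter

# Constructed sample: abridged message text of three NPS 6273 events.
EVENT = """Network Policy Server denied access to a user.
User:
    Account Name:                 jdoe
Client Machine:
    Account Name:                 -
    Called Station Identifier:    {called}
    Calling Station Identifier:   {calling}
"""
SAMPLE_EVENTS = [
    EVENT.format(called="AA-BB-CC-00-00-10:CorpWiFi", calling="02-00-00-AA-BB-01"),
    EVENT.format(called="aa:bb:cc:00:00:10", calling="020000aabb01"),
    EVENT.format(called="AA-BB-CC-00-00-99:CorpWiFi", calling="02-00-00-AA-BB-01"),
]
# Constructed BSSID -> AP name map, copied by hand from "show ap bss-table".
BSS_TABLE = {"aa:bb:cc:00:00:10": "ap-lobby", "aa:bb:cc:00:00:20": "ap-warehouse"}

FIELD = re.compile(r"^[ \t]*(Account Name|Called Station Identifier|"
                   r"Calling Station Identifier):[ \t]*(\S.*?)[ \t]*$", re.M)
MAC = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:.]?){5}[0-9A-Fa-f]{2}")

def norm_mac(value):
    """Lowercase colon-separated MAC from the start of value, or None."""
    m = MAC.match(value or "")
    if not m:
        return None
    digits = re.sub(r"[^0-9A-Fa-f]", "", m.group(0)).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_event(message):
    """Return (user, called MAC, calling MAC) from one 6273 message body."""
    fields = {}
    for name, value in FIELD.findall(message):
        fields.setdefault(name, value)  # first "Account Name" is the user's
    return (fields.get("Account Name"),
            norm_mac(fields.get("Called Station Identifier")),
            norm_mac(fields.get("Calling Station Identifier")))

def summarize(messages, bss_table):
    """Count failures per (user, client MAC, AP name)."""
    counts = Counter()
    for message in messages:
        user, called, calling = parse_event(message)
        counts[(user, calling, bss_table.get(called, "unknown AP (%s)" % called))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVENTS, BSS_TABLE).most_common():
        print(n, *key)
```

Normalizing both identifiers first matters because the called-station-id may carry an SSID suffix or use a different separator than the AP's own output.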
12-01-2014 01:02 PM
So I have blacklisted the MAC address of the device causing the lockouts within the Aruba configuration but the lockout is still occurring. How is this possible?