Contributor I
Posts: 80
Registered: ‎04-29-2013

Getting Deauth'ed when connecting to protected ESSID

I have a 3400 and 7205 running parallel in my environment, as I test to transition all APs from the 3400 to the 7205. I have created a 'TestGUEST' SSID on the 7205, and assigned it to the one AP homed to that controller. That SSID is opmode opensystem, as I am trying to send it to a captive portal for guests. When I try to connect to that SSID, I am getting Deauth'ed. I have made TestGUEST a valid-and-protected-ssid in both the 7205 AND the 3400. I also created a rule in AirWave to see the MAC of the AP and the SSID as valid. I have a different SSID dropping users into the same vlan correctly, so I know the network is good. I have tried adding a preshared key and using wpa2-psk-aes, but the real goal is to make this an open SSID so people don't have to log in to the SSID, and only interact with the captive portal page. I have to believe that there is a security setting that is killing the open SSID, but I can't find it. Why am I still getting deauth'ed?

 

Thanks,

Russell

Here are logs of it killing my connection:

Nov 16 16:51:37 sapd[1131]: <127102> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): AP Deauth Containment: An AP attempted to contain an access point (BSSID ac:a3:1e:b3:f7:03) by disconnecting its client (MAC fc:db:b3:46:24:7d) on channel 11.
Nov 16 16:51:38 sapd[1131]: <127102> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:10): AP Deauth Containment: An AP attempted to contain an access point (BSSID ac:a3:1e:b3:f7:13) by disconnecting its client (MAC fc:db:b3:46:24:7d) on channel 36.
Nov 16 16:51:39 sapd[1131]: <127065> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): Valid Client Not Using Encryption: An AP detected an unencrypted frame between a valid client (fc:db:b3:46:24:7d) and access point (BSSID 00:1c:12:a3:22:f5), with source fc:db:b3:46:24:7d and receiver 33:33:ff:46:24:7d. SNR value is 36.
Nov 16 16:51:39 sapd[1131]: <127075> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): Valid Client Misassociation: An AP detected a misassociation between valid client fc:db:b3:46:24:7d and access point (BSSID 00:1c:12:a3:22:f5 and SSID TestGUEST on CHANNEL 11). Association type is (Association To External AP), SNR of client is 0.
Nov 16 16:51:39 sapd[1131]: <127075> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): Valid Client Misassociation: An AP detected a misassociation between valid client fc:db:b3:46:24:7d and access point (BSSID 00:1c:12:a3:22:f5 and SSID TestGUEST on CHANNEL 11). Association type is (Association To Honeypot AP), SNR of client is 0.
Nov 16 16:51:40 sapd[1131]: <127035> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): Disconnect Station Attack: An AP detected a disconnect attack of client fc:db:b3:46:24:7d and access point (BSSID 00:1c:12:a3:22:f5 and SSID TestGUEST on CHANNEL 11). SNR of client is 33. Additional Info: Avg-AssocResp-PktRate(pps):0.5; Interval(sec):10.
Nov 16 16:51:43 sapd[1131]: <127102> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:10): AP Deauth Containment: An AP attempted to contain an access point (BSSID ac:a3:1e:b3:f7:13) by disconnecting its client (MAC fc:db:b3:46:24:7d) on channel 36.

 

MVP
Posts: 762
Registered: ‎04-13-2009

Re: Getting Deauth'ed when connecting to protected ESSID

Do you have IDS configured on your controller? You might need to set the test ssid as valid on the controller it's not configured on.


#AirheadsMobile
Cheers
James

-------------------------------------------------------
-------------------@whereisjrw-------------------
------------------------blog-------------------------
ACCX #540 | ACMX #353 | ACDX #216
-----------Mobility First Expert #11----------
-------------------------------------------------------

If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users via search.
Contributor I
Posts: 80
Registered: ‎04-29-2013

Re: Getting Deauth'ed when connecting to protected ESSID

I have the SSID set as a valid-and-protected-ssid in both controllers.

I was thinking there might be a setting - or more than one that work in conjunction - that doesn't like it because it is open. If I add a psk to it, I can connect.

Russell

 

MVP
Posts: 762
Registered: ‎04-13-2009

Re: Getting Deauth'ed when connecting to protected ESSID

If your controllers are not associated with each other in a master-local type of configuration then setting SSIDs as valid-and-protected-ssid can cause deauths. I'm assuming you have the same SSIDs on both controllers protected.

 

-----------

What Does Protect SSID Setting Accomplish?

 

Behavior When Protect SSID Setting is Enabled

If enabled, this tells the APs/Controller to not let any 3rd party AP (or interfering AP) broadcast the SSID that is configured in the "valid-and-protected-ssid" of the IDS unauthorized device profile. This means that an Aruba AP with SSID test (as configured above) will attempt to contain any non-valid AP that is advertising SSID test.

The AP does the containment by sending deauths to anything trying to associate to it (by spoofing the AP's bssid) and it should be sending deauths to the AP (by spoofing the wireless client mac address that was trying to associate to it).

Note: This setting should be used very carefully as it prevents station associations.

Cheers
James

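An added example, not part of the original posts and not Aruba code: a short Python triage of the ids-ap log lines from the first post. It separates the reporting AP's own BSSIDs that another AP is containing from other BSSIDs seen advertising the protected SSID, which is the two-sided containment the reply above describes. The function names are hypothetical, and matching a BSSID to its radio by all but the last hex digit is an assumption drawn from the addresses in the log.

```python
import re
from collections import defaultdict

# Three of the log lines from the first post above, copied unmodified.
SAMPLE = """\
Nov 16 16:51:37 sapd[1131]: <127102> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): AP Deauth Containment: An AP attempted to contain an access point (BSSID ac:a3:1e:b3:f7:03) by disconnecting its client (MAC fc:db:b3:46:24:7d) on channel 11.
Nov 16 16:51:38 sapd[1131]: <127102> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:10): AP Deauth Containment: An AP attempted to contain an access point (BSSID ac:a3:1e:b3:f7:13) by disconnecting its client (MAC fc:db:b3:46:24:7d) on channel 36.
Nov 16 16:51:39 sapd[1131]: <127075> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): Valid Client Misassociation: An AP detected a misassociation between valid client fc:db:b3:46:24:7d and access point (BSSID 00:1c:12:a3:22:f5 and SSID TestGUEST on CHANNEL 11). Association type is (Association To External AP), SNR of client is 0.
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
# message id, reporting radio MAC, event name, free-text body
LINE = re.compile(rf"<(\d+)> <\w+> .*?\|ids-ap\| AP\(({MAC})\): ([^:]+): (.*)")
FIELDS = {
    "bssid": re.compile(rf"\bBSSID ({MAC})"),
    "client": re.compile(rf"\bclient \(?(?:MAC )?({MAC})"),
    "ssid": re.compile(r"\bSSID (\S+) on CHANNEL"),
}

def parse(text):
    """Yield one dict per ids-ap line: id, reporting radio, event, fields."""
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rec = {"id": m.group(1), "radio": m.group(2), "event": m.group(3)}
        for name, rx in FIELDS.items():
            f = rx.search(m.group(4))
            rec[name] = f.group(1) if f else None
        yield rec

def on_reporting_radio(radio, bssid):
    # Assumption: a radio's virtual BSSIDs differ from its base MAC only in
    # the last hex digit (f7:00 -> f7:03), as the lines in the post suggest.
    return radio[:-1] == bssid[:-1]

def triage(text):
    """Per client: own BSSIDs under containment vs. other BSSIDs on the SSID."""
    out = defaultdict(lambda: {"own_contained": set(), "other_bssid": set()})
    for r in parse(text):
        if r["id"] == "127102" and on_reporting_radio(r["radio"], r["bssid"]):
            out[r["client"]]["own_contained"].add(r["bssid"])
        elif r["id"] == "127075" and not on_reporting_radio(r["radio"], r["bssid"]):
            out[r["client"]]["other_bssid"].add((r["bssid"], r["ssid"]))
    return dict(out)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty `own_contained` set means some other AP is deauthenticating clients of this AP's own BSSIDs, so the place to look is the IDS configuration of the controller that does not own this AP.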