Hi,
I'm running an Aruba W3400 on AOS 6.1.3.1.
Recently, or at least we noticed recently, we are seeing traffic from our guest VLAN (200) showing up as new user requests on the authmgr. This seems to be generated by the internet browsing of users on the wifi on that VLAN. Internet pages accessed show up as new IP connections from the firewall mac address on which the guest VLAN is physically connected.
We don't use any Wired access on this controller, only Wireless. The huge influx of users is clogging the authmgr process and making the controller unstable. The fact that they register as wired clients is really confusing.
A dump from the clients list:
User Name Device Type MAC address Client IP User Role Auth Type ESSID AP Name Phy Type Age Roaming Status Forward Mode
00:90:7f:d0:9b:64 8.8.8.8 logon tunnel 1 3 mins Wired tunnel
00:90:7f:d0:9b:64 85.205.221.241 logon tunnel 1 2 mins Wired tunnel
00:90:7f:d0:9b:64 104.16.96.65 logon tunnel 1 2 mins Wired tunnel
00:90:7f:d0:9b:64 17.248.145.138 logon tunnel 1 1 mins Wired tunnel
00:90:7f:d0:9b:64 193.105.33.16 logon tunnel 1 3 mins Wired tunnel
Android 80:22:75:1c:16:ac 172.16.4.4 gasten@eduvier-cp_prof gasten@eduvier apaurum002 802.11g-HT 2 hrs Wireless tunnel
c.sen Android c0:ee:fb:35:75:4c 10.150.162.194 guest-logon Captive Portal gasten@eduvier APAURUM006 802.11a-HT 1 hrs 12 mins Wireless tunnel
The traffic from mac 00:90:7f:d0:9b:64 on Wired is the unexpected internet traffic showing up as users.
Excerpt from the process log showing the incoming sessions:
Apr 1 10:27:01 authmgr[1583]: <522026> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64 IP=104.70.5.52 User miss: ingress=0x1081, VLAN=200
Apr 1 10:27:01 authmgr[1583]: <522006> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64 IP=104.70.5.52 User entry added: reason=Sibtye
Apr 1 10:27:01 authmgr[1583]: <522049> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64,IP=104.70.5.52 User role updated, existing Role=none/logon, new Role=none/logon, reason=User not authenticated for inheriting attributes
Apr 1 10:27:01 authmgr[1583]: <522050> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64,IP=104.70.5.52 User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=New user IP processing
Apr 1 10:27:01 authmgr[1583]: <522026> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64 IP=88.221.144.136 User miss: ingress=0x1081, VLAN=200
Apr 1 10:27:01 authmgr[1583]: <522006> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64 IP=88.221.144.136 User entry added: reason=Sibtye
Apr 1 10:27:01 authmgr[1583]: <522049> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64,IP=88.221.144.136 User role updated, existing Role=none/logon, new Role=none/logon, reason=User not authenticated for inheriting attributes
Apr 1 10:27:01 authmgr[1583]: <522050> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64,IP=88.221.144.136 User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=New user IP processing
Apr 1 10:27:01 authmgr[1583]: <522026> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64 IP=88.221.144.136 User miss: ingress=0x1081, VLAN=200
Apr 1 10:27:01 authmgr[1583]: <522050> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64,IP=88.221.144.136 User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=New user IP processing
Apr 1 10:27:01 authmgr[1583]: <522026> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64 IP=95.101.78.209 User miss: ingress=0x1081, VLAN=200
Apr 1 10:27:01 authmgr[1583]: <522006> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64 IP=95.101.78.209 User entry added: reason=Sibtye
Apr 1 10:27:01 authmgr[1583]: <522049> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64,IP=95.101.78.209 User role updated, existing Role=none/logon, new Role=none/logon, reason=User not authenticated for inheriting attributes
Apr 1 10:27:01 authmgr[1583]: <522050> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64,IP=95.101.78.209 User data downloaded to datapath, new Role=logon/1, bw Contract=0/0,reason=New user IP processing
For now I have set the logon lifetime to max 2 minutes to help minimize the amount of registered clients. I have also disabled the associated SSIDs on most of the locations, except in the IT office for testing purposes.
How would I go about preventing this traffic from generating client connections, instead of trying to patch it with a limited logon lifetime?
Kind regards,
Raymond Brettschneider
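A defender-side check for the symptom described in this post, added here as an example (it is not part of the original post or of ArubaOS): parse the authmgr "User miss" lines and flag any MAC that accumulates several distinct, globally routable IPs. A real client owns one private address; a firewall MAC relaying internet traffic shows up with many public destination addresses. Three sample lines are copied from the post, the last one is a constructed entry for a normal guest client; the threshold of 2 IPs is an assumption.

```python
import re
import ipaddress
from collections import defaultdict

# Sample authmgr lines: the first four are taken from the post, the last
# is a constructed entry for a normal guest client on a private address.
SAMPLE_LOG = """\
Apr 1 10:27:01 authmgr[1583]: <522026> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64 IP=104.70.5.52 User miss: ingress=0x1081, VLAN=200
Apr 1 10:27:01 authmgr[1583]: <522006> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64 IP=104.70.5.52 User entry added: reason=Sibtye
Apr 1 10:27:01 authmgr[1583]: <522026> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64 IP=88.221.144.136 User miss: ingress=0x1081, VLAN=200
Apr 1 10:27:01 authmgr[1583]: <522026> <INFO> |authmgr| MAC=00:90:7f:d0:9b:64 IP=95.101.78.209 User miss: ingress=0x1081, VLAN=200
Apr 1 10:27:02 authmgr[1583]: <522026> <INFO> |authmgr| MAC=c0:ee:fb:35:75:4c IP=10.150.162.194 User miss: ingress=0x1081, VLAN=200
"""

# Message id 522026 is the "User miss" event that precedes every new user entry.
USER_MISS = re.compile(
    r"<522026>.*?MAC=(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"\s+IP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}).*?VLAN=(?P<vlan>\d+)"
)


def user_miss_events(log_text):
    """Yield (mac, ip, vlan) for every 'User miss' line in the log text."""
    for line in log_text.splitlines():
        m = USER_MISS.search(line)
        if m:
            yield m["mac"], ipaddress.ip_address(m["ip"]), int(m["vlan"])


def suspect_gateway_macs(log_text, max_ips=2):
    """Return {mac: sorted public IPs} for each MAC on which authmgr learned
    more than max_ips distinct IPs, at least one of them globally routable.
    That pattern means the MAC belongs to a router/firewall, not a client."""
    ips_by_mac = defaultdict(set)
    for mac, ip, _vlan in user_miss_events(log_text):
        ips_by_mac[mac].add(ip)
    return {
        mac: sorted(str(ip) for ip in ips if ip.is_global)
        for mac, ips in ips_by_mac.items()
        if len(ips) > max_ips and any(ip.is_global for ip in ips)
    }


if __name__ == "__main__":
    for mac, ips in suspect_gateway_macs(SAMPLE_LOG).items():
        print(f"{mac}: {len(ips)} public IPs learned as users, e.g. {ips[:3]}")
```

Run it against a `show log user` capture to confirm the offending MAC is the upstream firewall before applying a fix on the controller side.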