Hey All,
I have been fielding a number of complaints over the past few days wherein clients using Macs and iPhones seem to see their SSID disappear and they get booted; then they will search their list of SSIDs and it will reappear and they'll be able to connect again.
In viewing logs etc., I found a specific MAC address that is repeatedly triggering this log entry:
Maximum number of retries was attempted for station d8:30:62:4c:79:d7 9c:1c:12:c4:fe:50, deauthenticating the station
That MAC address does not show up in the client list when searching the GUI. I then debugged on that MAC address and observed this being repeated over and over again:
Assoc request @ 11:23:24.896995: d8:30:62:4c:79:d7 (SN 54): AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4
Oct 10 11:23:24 stm[13280]: <501100> <NOTI> |stm| Assoc success @ 11:23:24.899208: d8:30:62:4c:79:d7: AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4
Oct 10 11:23:24 stm[13737]: <501000> <DBUG> |stm| Station d8:30:62:4c:79:d7: Clearing state
Oct 10 11:23:24 stm[13737]: <501080> <NOTI> |stm| Deauth to sta: d8:30:62:4c:79:d7: Ageout AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4 APAE Disconnect
Oct 10 11:23:24 stm[13737]: <501106> <NOTI> |stm| Deauth to sta: d8:30:62:4c:79:d7: Ageout AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4 wifi_deauth_sta
This MAC address appears to be in the "logon" role, but that is only perceivable in AirWave:
Username:
Device Name:
Device Type: Apple
MAC Address: D8:30:62:4C:79:D7
Role: logon
Can this be a malicious attack? The MAC address does not appear in the router's ARP table (as it doesn't seem to obtain an address), although it does seem to get placed in the authenticated VLAN:
MAC=d8:30:62:4c:79:d7 Station UP: BSSID=9c:1c:12:c4:fe:50 ESSID=ModSec VLAN=30 AP-name=SF-3-WAP2-c4:4f:e4
Oct 10 11:24:55 authmgr[13690]: <522036> <INFO> |authmgr| MAC=d8:30:62:4c:79:d7 Station DN: BSSID=9c:1c:12:c4:fe:50 ESSID=ModSec VLAN=30 AP-name=SF-3-WAP2-c4:4f:e4
Any thoughts?
rif
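
Added example, not part of the original post: a Python sketch that counts, per station, how often an "Assoc success" is followed within a couple of seconds by a "Deauth to sta", the cycle shown in the debug output above. The line format is taken from the stm lines quoted in the post; the function name, the thresholds and the second station (02:00:00:00:00:01) are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the stm lines quoted in the post (assumed format, not vendor docs).
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) stm\[\d+\]: <\d+> <\w+> \|stm\| +"
    r"(?P<kind>Assoc success|Deauth to sta).*?(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.I,
)

def flapping_stations(lines, window_s=2, min_cycles=3):
    """Return {mac: cycles} for stations deauthenticated within window_s
    seconds of a successful association at least min_cycles times."""
    last_assoc, cycles = {}, defaultdict(int)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()
        # Syslog timestamps carry no year; a fixed one keeps parsing unambiguous.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        if m["kind"].lower() == "assoc success":
            last_assoc[mac] = ts
        elif mac in last_assoc:
            # pop() so the paired 501080/501106 deauth lines count only once.
            if ts - last_assoc.pop(mac) <= timedelta(seconds=window_s):
                cycles[mac] += 1
    return {mac: n for mac, n in cycles.items() if n >= min_cycles}

# Constructed sample: the three stm lines from the post, repeated with shifted
# timestamps, plus one constructed station that stays associated for minutes.
AP = "AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4"

def _cycle(mac, t_assoc, t_deauth):
    return [
        f"Oct 10 {t_assoc} stm[13280]: <501100> <NOTI> |stm| Assoc success @ {t_assoc}.899208: {mac}: {AP}",
        f"Oct 10 {t_deauth} stm[13737]: <501080> <NOTI> |stm| Deauth to sta: {mac}: Ageout {AP} APAE Disconnect",
        f"Oct 10 {t_deauth} stm[13737]: <501106> <NOTI> |stm| Deauth to sta: {mac}: Ageout {AP} wifi_deauth_sta",
    ]

SAMPLE = (_cycle("d8:30:62:4c:79:d7", "11:23:24", "11:23:24")
          + _cycle("d8:30:62:4c:79:d7", "11:23:41", "11:23:41")
          + _cycle("d8:30:62:4c:79:d7", "11:23:58", "11:23:59")
          + _cycle("02:00:00:00:00:01", "11:23:30", "11:40:02"))

if __name__ == "__main__":
    print(flapping_stations(SAMPLE))
```

Run over a full log export, the per-station counts show whether one MAC accounts for the loop or whether many clients on the same BSSID are cycling.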