Wireless Access

Frequent Contributor II

Malicious Association Request attack?

Hey All,

I have been fielding a number of complaints over the past few days wherein clients using Macs and iPhones see their SSID disappear and get booted; they then search their list of SSIDs, it reappears, and they are able to connect again.

In viewing the logs, I found a specific MAC address that is repeatedly triggering this log entry:

Maximum number of retries was attempted for station  d8:30:62:4c:79:d7 9c:1c:12:c4:fe:50, deauthenticating the station

 

That MAC address does not show up in the client list when searching the GUI. I then ran a debug on that MAC address and observed this being repeated over and over again:

Assoc request @ 11:23:24.896995: d8:30:62:4c:79:d7 (SN 54): AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4
Oct 10 11:23:24 stm[13280]: <501100> <NOTI> |stm| Assoc success @ 11:23:24.899208: d8:30:62:4c:79:d7: AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4
Oct 10 11:23:24 stm[13737]: <501000> <DBUG> |stm| Station d8:30:62:4c:79:d7: Clearing state
Oct 10 11:23:24 stm[13737]: <501080> <NOTI> |stm| Deauth to sta: d8:30:62:4c:79:d7: Ageout AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4 APAE Disconnect
Oct 10 11:23:24 stm[13737]: <501106> <NOTI> |stm| Deauth to sta: d8:30:62:4c:79:d7: Ageout AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4 wifi_deauth_sta

This MAC address appears to be in the "logon" role, but that is only perceivable in AirWave:

Username:
Device Name:
Device Type: Apple
MAC Address: D8:30:62:4C:79:D7
Role: logon

Can this be a malicious attack? The MAC address does not appear in the router's ARP table (as it doesn't seem to obtain an address), although it does seem to get placed in the authenticated VLAN:

MAC=d8:30:62:4c:79:d7 Station UP: BSSID=9c:1c:12:c4:fe:50 ESSID=ModSec VLAN=30 AP-name=SF-3-WAP2-c4:4f:e4
Oct 10 11:24:55 authmgr[13690]: <522036> <INFO> |authmgr| MAC=d8:30:62:4c:79:d7 Station DN: BSSID=9c:1c:12:c4:fe:50 ESSID=ModSec VLAN=30 AP-name=SF-3-WAP2-c4:4f:e4

Any thoughts?

rif


Guru Elite

Re: Malicious Association Request attack?

Is that SSID encrypted?



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor II

Re: Malicious Association Request attack?

Yes, WPA2-AES

rif

Guru Elite

Re: Malicious Association Request attack?

Okay. If it is in the station table, that means it is trying to attach. If it is in the user table, that means it got an IP address. If it does not make it to the user table, its preshared key probably does not match and it still has to try, because that is what supplicants do. If you still feel that it is malicious, you should blacklist it.

APAE disconnect is when the controller disconnects the device either because of too many failures or if we receive an EAP Logoff from the client. Either way, this client is not successfully getting onto your network for some reason. If you are debugging the client, I would type "show auth-tracebuf mac <mac address of client>" to get more details.



Colin Joseph
Aruba Customer Engineering

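The reply above describes the signature to look for: a station that reaches the station table (Assoc success) but is deauthenticated again almost immediately (APAE Disconnect) and cycles like that indefinitely, rather than settling into the user table. The following script is an added example, not code from the thread or from Aruba: it runs that correlation over stm/authmgr log lines. The line formats are taken from the excerpts posted above; the sample lines are constructed to mimic them (one looping MAC, one ordinary client), and the thresholds (a deauth within 5 s of the assoc counts as one cycle, three cycles inside 60 s flags the MAC) are arbitrary assumptions to be tuned on a real controller log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the stm/authmgr excerpts posted in the thread
# (not a real capture). d8:30:62:4c:79:d7 loops assoc -> APAE disconnect every
# few seconds and also shows a Station UP/DN pair; 00:11:22:33:44:55 is an
# ordinary client that associates once and stays up.
SAMPLE_LOG = """\
Oct 10 11:23:24 stm[13280]: <501100> <NOTI> |stm| Assoc success @ 11:23:24.899208: d8:30:62:4c:79:d7: AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4
Oct 10 11:23:24 stm[13737]: <501080> <NOTI> |stm| Deauth to sta: d8:30:62:4c:79:d7: Ageout AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4 APAE Disconnect
Oct 10 11:23:24 stm[13737]: <501106> <NOTI> |stm| Deauth to sta: d8:30:62:4c:79:d7: Ageout AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4 wifi_deauth_sta
Oct 10 11:23:27 stm[13280]: <501100> <NOTI> |stm| Assoc success @ 11:23:27.112004: d8:30:62:4c:79:d7: AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4
Oct 10 11:23:27 stm[13737]: <501080> <NOTI> |stm| Deauth to sta: d8:30:62:4c:79:d7: Ageout AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4 APAE Disconnect
Oct 10 11:23:30 stm[13280]: <501100> <NOTI> |stm| Assoc success @ 11:23:30.004110: 00:11:22:33:44:55: AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4
Oct 10 11:23:30 stm[13280]: <501100> <NOTI> |stm| Assoc success @ 11:23:30.517330: d8:30:62:4c:79:d7: AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4
Oct 10 11:23:30 stm[13737]: <501080> <NOTI> |stm| Deauth to sta: d8:30:62:4c:79:d7: Ageout AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4 APAE Disconnect
Oct 10 11:23:31 authmgr[13690]: <522036> <INFO> |authmgr| MAC=00:11:22:33:44:55 Station UP: BSSID=9c:1c:12:c4:fe:50 ESSID=ModSec VLAN=30 AP-name=SF-3-WAP2-c4:4f:e4
Oct 10 11:23:33 stm[13280]: <501100> <NOTI> |stm| Assoc success @ 11:23:33.220910: d8:30:62:4c:79:d7: AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4
Oct 10 11:23:33 stm[13737]: <501080> <NOTI> |stm| Deauth to sta: d8:30:62:4c:79:d7: Ageout AP 10.3.10.133-9c:1c:12:c4:fe:50-SF-3-WAP2-c4:4f:e4 APAE Disconnect
Oct 10 11:24:55 authmgr[13690]: <522036> <INFO> |authmgr| MAC=d8:30:62:4c:79:d7 Station UP: BSSID=9c:1c:12:c4:fe:50 ESSID=ModSec VLAN=30 AP-name=SF-3-WAP2-c4:4f:e4
Oct 10 11:24:55 authmgr[13690]: <522036> <INFO> |authmgr| MAC=d8:30:62:4c:79:d7 Station DN: BSSID=9c:1c:12:c4:fe:50 ESSID=ModSec VLAN=30 AP-name=SF-3-WAP2-c4:4f:e4
"""

MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
ASSOC_RE = re.compile(r"\|stm\| Assoc success @ [\d:.]+: " + MAC, re.IGNORECASE)
DEAUTH_RE = re.compile(r"\|stm\| Deauth to sta: " + MAC + r": (?P<rest>.*)$", re.IGNORECASE)
UP_RE = re.compile(r"\|authmgr\| MAC=" + MAC + r" Station UP", re.IGNORECASE)


def parse_events(log, year=2013):
    """Return [(timestamp, mac, kind, detail)] for the stm/authmgr lines of interest.

    Syslog lines carry no year; `year` is an arbitrary assumption that only makes
    the timestamps comparable (the detection below uses differences only).
    """
    events = []
    for line in log.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if (a := ASSOC_RE.search(line)):
            events.append((ts, a["mac"].lower(), "assoc", ""))
        elif (d := DEAUTH_RE.search(line)):
            rest = d["rest"]
            # The deauth reason is the trailing token after the AP name
            # (e.g. "APAE Disconnect" or "wifi_deauth_sta").
            reason = "APAE Disconnect" if "APAE Disconnect" in rest else rest.split()[-1]
            events.append((ts, d["mac"].lower(), "deauth", reason))
        elif (u := UP_RE.search(line)):
            events.append((ts, u["mac"].lower(), "up", ""))
    return events


def find_assoc_loops(events, pair_within=5.0, min_cycles=3, window=60.0):
    """Flag MACs that run an assoc -> deauth loop.

    A cycle is an Assoc success followed by a Deauth for the same MAC within
    `pair_within` seconds; a MAC is flagged when `min_cycles` consecutive cycles
    fall inside `window` seconds. Returns {mac: {"cycles", "reasons", "station_up"}}.
    A Station UP for the MAC is reported but, as the thread shows, it does not by
    itself mean the client ever obtained an IP address.
    """
    per_mac = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):  # stable: same-second order kept
        per_mac[ev[1]].append(ev)

    report = {}
    for mac, evs in per_mac.items():
        cycle_times, reasons, pending, up = [], set(), None, False
        for ts, _, kind, detail in evs:
            if kind == "assoc":
                pending = ts
            elif kind == "deauth":
                if pending is not None and (ts - pending).total_seconds() <= pair_within:
                    cycle_times.append(ts)
                    reasons.add(detail)
                pending = None  # a second deauth for the same assoc is not a new cycle
            elif kind == "up":
                up = True
        looping = any(
            (cycle_times[i + min_cycles - 1] - cycle_times[i]).total_seconds() <= window
            for i in range(len(cycle_times) - min_cycles + 1)
        )
        if looping:
            report[mac] = {"cycles": len(cycle_times), "reasons": reasons, "station_up": up}
    return report


if __name__ == "__main__":
    for mac, info in find_assoc_loops(parse_events(SAMPLE_LOG)).items():
        print(f"{mac}: {info['cycles']} assoc/deauth cycles, "
              f"reasons={sorted(info['reasons'])}, station_up={info['station_up']}")
```

On the constructed sample only d8:30:62:4c:79:d7 is reported (four cycles, all APAE Disconnect); the ordinary client never pairs an assoc with a deauth and stays unflagged. A MAC that this flags is still only a candidate for the "show auth-tracebuf mac" check mentioned above and, if warranted, a blacklist entry; the script cannot distinguish a misconfigured supplicant from a deliberate flood, since both produce the same loop.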

Frequent Contributor II

Re: Malicious Association Request attack?

The SSID is not using PSK; it is a .1X network. The client does not obtain an IP. Also, I cannot blacklist it (at least not through the GUI) because the client is not present in the list of clients. Is there a way to tell the controller to ignore association requests from this client via its MAC address?

Rif


Guru Elite

Re: Malicious Association Request attack?

http://community.arubanetworks.com/t5/Wireless-Access/Blacklist-by-MAC-address/m-p/165748



Colin Joseph
Aruba Customer Engineering

