08-15-2013 06:21 AM
I've come across an issue with our IDS settings that is confounding me a bit. I had the ids general-profile set to the "ids-general-transitional-high-setting", which enables "wired-containment" and "wired-containment-ap-adj-mac". While this is active, I have at least two clients that get tagged for wired containment and are unable to access the network. Checking the logs, I can see where the clients authenticate successfully, and proceed to have other access points hit them with "|ids-ap| AM: Wireless containment: Sending type Deauth from AP" a few times, followed by nearly continuous "|ids-ap| AM: Wired Containment: MAC:". I've changed the ids general-profile back to "default" to disable the wired containment, as a temporary solution. Has anyone seen this behavior with clients that successfully associate to the wireless?
08-15-2013 11:50 AM
After a bit of digging, I found some infrastructure events where the controller reported the MAC of the client to be spoofing its DHCP address. I deleted those events and re-enabled the wired containment. All was good for 3-4 hours before it started up again. We tried swapping the laptop, thinking that there might be something with the wireless driver, but that one got flagged too. The client(s) aren't marked for manual containment, and the APs that they are connecting to are authorized.
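A quick log correlation, added here as an example and not taken from the thread: it walks the controller log for clients that authenticated successfully and were then hit by the wireless-containment deauths and wired-containment events quoted above, so the suspected false positives can be reviewed before containment is re-enabled. The wording of the auth-success line, the MAC addresses, and the assumption that the client MAC is the last one on a deauth line are constructed, not taken from a real controller.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the "|ids-ap|" fragments quoted in the
# post. The auth-success line format and all MACs are assumptions.
SAMPLE_LOG = """\
Aug 15 06:01:02 ctrl authmgr: User authentication successful: MAC=00:11:22:33:44:55
Aug 15 06:01:10 ctrl |ids-ap| AM: Wireless containment: Sending type Deauth from AP 00:0b:86:aa:bb:01 to 00:11:22:33:44:55
Aug 15 06:01:11 ctrl |ids-ap| AM: Wireless containment: Sending type Deauth from AP 00:0b:86:aa:bb:01 to 00:11:22:33:44:55
Aug 15 06:01:20 ctrl |ids-ap| AM: Wired Containment: MAC: 00:11:22:33:44:55
Aug 15 06:01:21 ctrl |ids-ap| AM: Wired Containment: MAC: 00:11:22:33:44:55
Aug 15 06:01:22 ctrl |ids-ap| AM: Wired Containment: MAC: 00:11:22:33:44:55
Aug 15 06:02:00 ctrl |ids-ap| AM: Wired Containment: MAC: 00:de:ad:be:ef:01
"""

MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.IGNORECASE)
AUTH_OK = "authentication successful"  # assumed wording of the auth event
WIRELESS_CONTAIN = "AM: Wireless containment: Sending type Deauth from AP"
WIRED_CONTAIN = "AM: Wired Containment: MAC:"


def correlate_containment(log_text):
    """Return {client_mac: {"deauth": n, "wired": n}} for every client that
    authenticated successfully and was later targeted by containment."""
    authed = set()
    hits = defaultdict(lambda: {"deauth": 0, "wired": 0})
    for line in log_text.splitlines():
        macs = [m.lower() for m in MAC_RE.findall(line)]
        if not macs:
            continue
        if AUTH_OK in line:
            authed.add(macs[-1])
        elif WIRELESS_CONTAIN in line:
            # Assumption: the last MAC on the line is the deauthed client,
            # the earlier one the AP sending the frame.
            hits[macs[-1]]["deauth"] += 1
        elif WIRED_CONTAIN in line:
            hits[macs[-1]]["wired"] += 1
    # Only clients that the controller itself admitted are worth a second look.
    return {mac: counts for mac, counts in hits.items() if mac in authed}


if __name__ == "__main__":
    for mac, counts in correlate_containment(SAMPLE_LOG).items():
        print(f"{mac}: {counts['deauth']} deauth, {counts['wired']} wired-containment events after successful auth")
```

Clients that appear only in containment events and never in an auth event (the second MAC in the sample) are left out, since those may be genuine rogues rather than misclassified users.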