I have a user account that keeps getting locked out in our domain and I am finding the failed logon attempts from our Aruba Instant environment (this is at a location where the user does not work) within the domain controller for the site. I see the following messages in Event Viewer:
Event IDs: 6273; 4625; 4776 (I will attach screenshots of the content)
All these events happen at the same moment and the only source I see is the IP address of our virtual controller. The Aruba IAP environment consists of IAP-225s running 6.4.0.3-4.1.0.1_45063. I noticed that event ID 6273 references a "called station" and a "calling station". The called station is showing the MAC address of one of my APs, but the calling station is just showing as a Samsung device. I have blacklisted this MAC address but I can still see this event happening in the logs.
Any help would be appreciated in hunting down this device. The lack of reporting on the Instant environment is proving difficult, but I am sure there is a trick I am missing to hunt this down.
#AP225