I would read this alert as saying that the Access Point AK-AP17, which has the MAC address B8:5A...84 on 2.4GHz, sees a packet in the air between the other two MAC addresses, which it did not send or receive itself, but the client 7E:81...D3 has been connected to the AP in the past (which is the definition of a valid client).
It's known that some IDS signatures have false positives; this may be one of those. If you need this further investigated, I would involve Aruba Support. And if this happens a lot, and you have the possibility to run a wireless packet capture, you may try to capture those frames and get a better clue where these originate from. The SNR of 17 indicates that the client is not too close to the AP, but probably 10-20m away from the AP.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Dec 14, 2022 07:34 PM
From: Christoph Berthoud
Subject: Client Attack Detected - Gateway MAC
I'm seeing lots of 'client attack detected' alerts that look like this (I've colour coded it for better reference):
An AP (NAME AK-AP17 and MAC B8:3A:5A:C3:E6:84 on RADIO 1) detected a misassociation between valid client 7E:81:10:C9:34:D3 and access point (BSSID 70:4C:A5:86:9C:4C and SSID on CHANNEL 116) Association type is (Association To External AP) SNR of client is 17
The AP and client MAC addresses are always different, but the consistent entry in every alert is the BSSID MAC address (70:4C:A5:86:9C:4C) which is the MAC address of the default gateway (in this case my FortiGate firewall) that has no WiFi capability. The gateway is also used for DHCP, DNS and NTP.
Why am I getting these alerts? What exactly is the AP detecting to raise this alert?
FW: AOS 8.7.1.2_79305
Devices: AP-535
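As an added example (not code from either poster or from Aruba), a small Python triage script that parses alert lines in the exact wording quoted in the original message, groups them by the reported BSSID and flags any BSSID that matches a known wired-only device such as the gateway described above. The regex, the `WIRED_ONLY_MACS` inventory and the second sample line are assumptions constructed for this example.

```python
import re
# Pattern for the alert wording quoted in the post (assumed to be the exact controller
# format; the SSID field may be empty, as it is in the post). The regex is this example's own.
MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
ALERT_RE = re.compile(
    rf"An AP \(NAME (?P<ap_name>\S+) and MAC (?P<ap_mac>{MAC}) on RADIO (?P<radio>\d+)\) "
    rf"detected a misassociation between valid client (?P<client_mac>{MAC}) "
    rf"and access point \(BSSID (?P<bssid>{MAC}) and SSID (?P<ssid>.*?) ?on CHANNEL (?P<channel>\d+)\) "
    r"Association type is \((?P<assoc_type>[^)]*)\) SNR of client is (?P<snr>\d+)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a misassociation alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f.update({k: f[k].upper() for k in ("ap_mac", "client_mac", "bssid")})  # normalise MAC case
    f.update({k: int(f[k]) for k in ("radio", "channel", "snr")})
    return f

# Constructed inventory of MACs that belong to wired-only devices (the post's FortiGate gateway).
# A wired interface cannot have sent an 802.11 frame, so alerts naming it as BSSID need review.
WIRED_ONLY_MACS = {"70:4C:A5:86:9C:4C"}

def triage_lines(lines):
    """Group alerts by reported BSSID and flag BSSIDs known to be wired-only."""
    by_bssid = {}
    for line in lines:
        a = parse_alert(line)
        if a is not None:
            by_bssid.setdefault(a["bssid"], []).append(a)
    return {
        bssid: {
            "count": len(items),
            "distinct_clients": len({a["client_mac"] for a in items}),
            "distinct_aps": len({a["ap_mac"] for a in items}),
            "likely_false_positive": bssid in WIRED_ONLY_MACS,
        }
        for bssid, items in by_bssid.items()
    }

SAMPLE_ALERTS = [  # constructed sample: the alert quoted in the post plus one made-up line
    "An AP (NAME AK-AP17 and MAC B8:3A:5A:C3:E6:84 on RADIO 1) detected a misassociation "
    "between valid client 7E:81:10:C9:34:D3 and access point (BSSID 70:4C:A5:86:9C:4C and "
    "SSID on CHANNEL 116) Association type is (Association To External AP) SNR of client is 17",
    "An AP (NAME AK-AP03 and MAC B8:3A:5A:C3:11:22 on RADIO 0) detected a misassociation "
    "between valid client 02:00:00:00:AA:01 and access point (BSSID 70:4c:a5:86:9c:4c and "
    "SSID GuestNet on CHANNEL 6) Association type is (Association To External AP) SNR of client is 25",
]
```

A BSSID flagged here is a candidate for the false-positive review and packet capture suggested in the reply, not proof that no rogue radio exists.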