Cloud Managed Networks


Forum to discuss all things related to HPE Aruba Networking Central and UXI Network Management, including deployment of managed networks, configuration, best practices, APIs, Cloud Guest, AIOps, Presence Analytics, and other included Applications

Client Attack Detected - Gateway MAC

  • 1.  Client Attack Detected - Gateway MAC

    Posted Dec 15, 2022 11:30 AM
    I'm seeing lots of 'client attack detected' alerts that look like this (I've colour-coded it for better reference):

    An AP (NAME AK-AP17 and MAC B8:3A:5A:C3:E6:84 on RADIO 1) detected a misassociation between valid client 7E:81:10:C9:34:D3 and access point (BSSID 70:4C:A5:86:9C:4C and SSID on CHANNEL 116) Association type is (Association To External AP) SNR of client is 17

    The AP and client MAC addresses are always different, but the consistent entry in every alert is the BSSID MAC address (70:4C:A5:86:9C:4C) which is the MAC address of the default gateway (in this case my FortiGate firewall) that has no WiFi capability. The gateway is also used for DHCP, DNS and NTP.

    Why am I getting these alerts? What exactly is the AP detecting to raise this alert?

    FW: AOS 8.7.1.2_79305
    Devices: AP-535


  • 2.  RE: Client Attack Detected - Gateway MAC

    EMPLOYEE
    Posted Dec 16, 2022 07:11 AM
    I would read this alert as saying that the Access Point AK-AP17, which has the MAC address B8:5A...84 on 2.4GHz, sees a packet in the air between the other two MAC addresses, which it did not send/receive itself, but the client 7E:81...D3 has been connected to the AP in the past (which is the definition of a valid client).

    It's known that some IDS signatures have false positives; this may be one of those. If you need this further investigated, I would involve Aruba Support. And if this happens a lot, and you have the possibility to run a wireless packet capture, you may try to capture those frames and get a better clue where these originate from. The SNR of 17 indicates that the AP is not too close to the AP, but probably 10-20m away from the AP.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
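
A triage sketch for the pattern described in this thread, added here as an example and not part of either post or of any Aruba tooling: it parses alerts in the wording quoted above, groups them by reported BSSID, and flags BSSIDs that match a list of known wired devices, which is worth having in hand before opening a support case or planning a capture. The function names, the `WIRED` list and every sample line after the first are constructed assumptions; it also marks clients whose MAC has the locally-administered bit set.

```python
import re
from collections import defaultdict

MAC = r"[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}"
# Matches the alert wording quoted in the thread; the SSID field may be empty.
ALERT_RE = re.compile(
    rf"An AP \(NAME (?P<ap_name>\S+) and MAC (?P<ap_mac>{MAC}) on RADIO (?P<radio>\d+)\) "
    rf"detected a misassociation between valid client (?P<client>{MAC}) "
    rf"and access point \(BSSID (?P<bssid>{MAC}) and SSID ?(?P<ssid>.*?) on CHANNEL "
    rf"(?P<channel>\d+)\) Association type is \((?P<assoc>[^)]*)\) SNR of client is (?P<snr>\d+)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not this alert type."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    a = m.groupdict()
    for key in ("ap_mac", "client", "bssid"):
        a[key] = a[key].upper()
    a["channel"], a["snr"] = int(a["channel"]), int(a["snr"])
    return a

def locally_administered(mac):
    """True when the locally-administered bit (0x02 of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x02)

def summarize(lines, wired_macs):
    """Group alerts by reported BSSID and flag BSSIDs that match known wired devices."""
    wired = {m.upper() for m in wired_macs}
    groups = defaultdict(list)
    for a in filter(None, map(parse_alert, lines)):
        groups[a["bssid"]].append(a)
    return [
        {"bssid": b, "alerts": len(al), "aps": sorted({a["ap_name"] for a in al}),
         "channels": sorted({a["channel"] for a in al}), "known_wired": b in wired,
         "laa_clients": sorted({a["client"] for a in al if locally_administered(a["client"])})}
        for b, al in sorted(groups.items(), key=lambda kv: -len(kv[1]))
    ]

# First line is the alert quoted in the thread; the other lines are constructed samples.
SAMPLE = [
    "An AP (NAME AK-AP17 and MAC B8:3A:5A:C3:E6:84 on RADIO 1) detected a misassociation between valid client 7E:81:10:C9:34:D3 and access point (BSSID 70:4C:A5:86:9C:4C and SSID on CHANNEL 116) Association type is (Association To External AP) SNR of client is 17",
    "An AP (NAME AK-AP03 and MAC B8:3A:5A:00:00:10 on RADIO 1) detected a misassociation between valid client AC:DE:48:00:11:22 and access point (BSSID 70:4C:A5:86:9C:4C and SSID on CHANNEL 116) Association type is (Association To External AP) SNR of client is 22",
    "An AP (NAME AK-AP03 and MAC B8:3A:5A:00:00:10 on RADIO 0) detected a misassociation between valid client AC:DE:48:00:11:22 and access point (BSSID 02:00:00:AA:BB:CC and SSID guest on CHANNEL 36) Association type is (Association To External AP) SNR of client is 30",
    "unrelated log line",
]
WIRED = ["70:4c:a5:86:9c:4c"]  # gateway MAC from the thread, as an inventory entry
```

Calling `summarize(SAMPLE, WIRED)` returns one row per BSSID, most frequent first; a row with `known_wired` set to true and several distinct APs reporting it matches the situation the original poster describes.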