Hello Airheads, I had a weird issue the other day. My users were kicked off of the SSID and then prompted to re-connect. When they attempted to re-connect, they were denied due to "Incorrect Passphrase", but the passphrase hadn't been changed. What might have caused this?
Is it still going on? Maybe check to see if there is a rogue detected on nearby APs?
No, it's not going on anymore. Changing the passphrase and using the new passphrase did the trick. I checked the logs and there were a lot of "Interfering AP" messages during that time. Do you think it was an attack?
I have a lot of detections of rogue APs. I also have what appear to be logins and commands being executed.
May 9 12:03:53 2023 cli: USER: admin has logged in from X.X.X.X.
May 9 12:03:53 2023 cli: USER: admin connected from X.X.X.X has logged out.
May 9 12:03:53 2023 cli: USER:admin@X.X.X.X NODE:"/mm/mynode" COMMAND:<no paging > -- command executed successfully.
May 9 12:03:53 2023 cli: USER:admin@X.X.X.X NODE:"/mm/mynode" COMMAND:<encrypt disable > -- command executed successfully.
I'm seeing this string of output all through my logs. Any suggestions?
That looks like Airwave or another management system logging in to get your configuration.
Those look like Airwave may be logging in to grab backups. You may have had someone deploy a 3rd-party router/AP somewhere using the same SSID as yours, set with another PSK, would be my guess.
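One way to check that CLI audit lines like the ones quoted above come only from the management server, as an added example that is not part of the original thread: it groups lines in the two quoted shapes by source address and flags any address outside an allowlist. The addresses, the allowlist and the baseline command set are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Patterns follow the two line shapes quoted in the thread.
LOGIN_RE = re.compile(r"cli: USER: (?P<user>\S+) has logged in from (?P<src>\S+)\.$")
CMD_RE = re.compile(r'cli: USER:(?P<user>[^@\s]+)@(?P<src>\S+) NODE:"(?P<node>[^"]*)" '
                    r"COMMAND:<(?P<cmd>[^>]*)> -- command executed successfully")

# Assumptions: the management server's address and the commands it normally runs.
MGMT_HOSTS = {"192.0.2.10"}
BASELINE_CMDS = {"no paging", "encrypt disable"}

# Constructed sample lines (documentation-range addresses), not real logs.
SAMPLE = '''\
May 9 12:03:53 2023 cli: USER: admin has logged in from 192.0.2.10.
May 9 12:03:53 2023 cli: USER:admin@192.0.2.10 NODE:"/mm/mynode" COMMAND:<no paging > -- command executed successfully.
May 9 12:03:53 2023 cli: USER:admin@192.0.2.10 NODE:"/mm/mynode" COMMAND:<encrypt disable > -- command executed successfully.
May 9 12:03:53 2023 cli: USER: admin connected from 192.0.2.10 has logged out.
May 9 12:41:07 2023 cli: USER: admin has logged in from 198.51.100.7.
May 9 12:41:09 2023 cli: USER:admin@198.51.100.7 NODE:"/mm/mynode" COMMAND:<encrypt disable > -- command executed successfully.
'''.splitlines()

def triage(lines, mgmt_hosts=MGMT_HOSTS, baseline=BASELINE_CMDS):
    """Group CLI audit lines by source address and flag what needs review."""
    by_src = defaultdict(lambda: {"logins": 0, "commands": []})
    for line in lines:
        if m := LOGIN_RE.search(line):
            by_src[m["src"]]["logins"] += 1
        elif m := CMD_RE.search(line):
            by_src[m["src"]]["commands"].append(m["cmd"].strip())
    findings = []
    for src, seen in sorted(by_src.items()):
        if src not in mgmt_hosts:
            # Any session from outside the allowlist is reviewed, whatever it ran.
            findings.append((src, "unknown source", seen["commands"]))
        else:
            odd = [c for c in seen["commands"] if c not in baseline]
            if odd:
                findings.append((src, "unexpected command", odd))
    return findings

if __name__ == "__main__":
    for src, reason, cmds in triage(SAMPLE):
        print(f"{src}: {reason}: {cmds}")
```
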
Please check the posture profile. If you enter any user, it will give you the reason, so follow the steps, and if posture is good, try to check the antivirus selection as well in systems.