Finding user attempting to connect, but authentication fails too many times in a row
08-25-2023 09:09 AM
Hi,
Our Unleashed logs are littered with entries similar to this:
User[70:b3:06:xx:xx:xx] fails authentication too many times in a row when joining WLAN[ZYX-GA] at AP[AP-2-00-GA-1295@24:79:2a:xx:xx:xx]. User[70:b3:06:xx:xx:xx] is temporarily blocked from the system for [30 seconds].
From the timestamps, it appears to be an individual's phone that may have at one point known a Wi-Fi password, or somehow accessed the WLAN, maybe when we were on a ZoneDirector prior to moving to Unleashed a few weeks ago. Since the user is not a device we manage, and isn't successfully accessing, I can't find an IP for it, or any other information ... I just know it's an Apple device from a MAC address lookup.
Any idea how to find info on this device? Or how to keep it from destroying the effectiveness of logs since it's continually trying to log into the Wi-Fi network?
Thanks!
Neil
08-25-2023 09:50 AM
Hello @neil_ticktin_io
Please confirm the WLAN authentication type. Is it a hotspot service?
Hotspot has a separate Intrusion Prevention mechanism which is not controlled by the WIPS cfg.
You can disable it from Unleashed WebUI>>Admin&Service>>Hotspot service>>Edit>>Uncheck the Intrusion Prevention option.
If you are not using a hotspot-based WLAN: Unleashed WebUI>>Admin&Service>>WIPS>>Uncheck the option "Temporarily block wireless clients with repeated authentication failures".
To block the client permanently, please refer to the link below:
08-25-2023 10:17 AM
Hi Ayush, and thanks.
It's definitely NOT a Hotspot, as we don't have any. Will uncheck the temp block checkbox.
As for the permanent block, I don't see how that will work as they are never successfully connecting! 🙂 Is there a way to actually let them connect, so we can get more device info, even if they have the wrong password?
08-29-2023 03:08 AM
Hello @neil_ticktin_io
Could you please configure the option below and check whether that particular client is able to connect or not?
Unleashed WebUI>>Admin&Service>>WIPS>>Uncheck the option "Temporarily block wireless clients with repeated authentication failures"
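An added example, not part of any post in this thread and not Ruckus code: one way to keep exported logs readable is to pull the repeated-authentication-failure entries out into a per-client summary and also flag whether each MAC is a randomized (locally administered) address, in which case a vendor lookup on it means nothing. The message pattern is taken from the entry quoted in the first post; the timestamp prefix, the sample MACs, the AP name `AP-EXAMPLE-2` and the function names are assumptions.

```python
import re

# Message format copied from the log entry quoted in the first post.
AUTH_FAIL = re.compile(
    r"User\[(?P<mac>[0-9A-Fa-fx:]{17})\] fails authentication too many times "
    r"in a row when joining WLAN\[(?P<wlan>[^\]]+)\] "
    r"at AP\[(?P<ap>[^@\]]+)@(?P<ap_mac>[^\]]+)\]"
)

def is_randomized(mac):
    """True if the locally-administered bit (0x02 of the first octet) is set.
    Returns None when the octet is masked (e.g. 'xx') and cannot be checked."""
    first = mac.split(":")[0]
    if "x" in first.lower():
        return None
    return bool(int(first, 16) & 0x02)

def triage(lines):
    """Return (per-client summary of auth-failure blocks, all other lines)."""
    clients, rest = {}, []
    for line in lines:
        m = AUTH_FAIL.search(line)
        if not m:
            rest.append(line)  # everything else stays visible for review
            continue
        mac = m["mac"].lower()
        entry = clients.setdefault(mac, {
            "count": 0, "wlans": set(), "aps": set(),
            "oui": mac[:8], "randomized": is_randomized(mac),
        })
        entry["count"] += 1
        entry["wlans"].add(m["wlan"])
        entry["aps"].add(m["ap"])  # which APs heard it hints at physical location
    return clients, rest

# Constructed sample input: timestamps, MAC suffixes and AP-EXAMPLE-2 are made up.
MSG = ("{ts} User[{mac}] fails authentication too many times in a row when "
       "joining WLAN[ZYX-GA] at AP[{ap}]. User[{mac}] is temporarily blocked "
       "from the system for [30 seconds].")
SAMPLE = [
    MSG.format(ts="2023-08-25 09:00:01", mac="70:b3:06:00:00:01",
               ap="AP-2-00-GA-1295@24:79:2a:00:00:10"),
    "2023-08-25 09:00:40 (constructed unrelated log entry)",
    MSG.format(ts="2023-08-25 09:01:05", mac="70:b3:06:00:00:01",
               ap="AP-EXAMPLE-2@24:79:2a:00:00:20"),
    MSG.format(ts="2023-08-25 09:02:30", mac="da:a1:19:00:00:02",
               ap="AP-2-00-GA-1295@24:79:2a:00:00:10"),
]

if __name__ == "__main__":
    summary, other = triage(SAMPLE)
    for mac, info in summary.items():
        print(mac, info)
```

The set of APs reporting a given client is the main locating clue available for a device that never associates, since no IP address is ever assigned to it.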