https://community.hpe.com/t5/m-and-msm-series/possible-dos-attack/m-p/5905919#M1664 After reboot the messages has been desappeared. :) Thu, 20 Dec 2012 16:59:15 GMT david-rivas 2012-12-20T16:59:15Z https://community.hpe.com/t5/m-and-msm-series/possible-dos-attack/m-p/5905593#M1657 <P>Hello, I am having problems with user authentication. The configuration has been running for a months with no problems but since three days ago, I am having problems with authentication, I have to authenticate several times before get login. I have seen some strange logs in the controller, 4 MAC address that are continuously requesting Radius authentication, exceeding the maximum request queued on the controller.</P><P>&nbsp;</P><P>Dec 20 10:25:30 warning iprulesmgr Discarding RADIUS Request (id='25') from RADIUS Client (ip-address='169.254.0.12',port='32772') as the maximum simultaneous number of RADIUS Requests waiting for answer have been reached (2900).</P><P>Dec 20 10:25:30 warning iprulesmgr Discarding RADIUS Request (id='130') from RADIUS Client (ip-address='169.254.0.12',port='32772') as the maximum simultaneous number of RADIUS Requests waiting for answer have been reached (2900).</P><P>Dec 20 10:25:30 warning iprulesmgr Discarding RADIUS Request (id='162') from RADIUS Client (ip-address='169.254.0.12',port='32772') as the maximum simultaneous number of RADIUS Requests waiting for answer have been reached (2900).</P><P>Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='102',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').</P><P>Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='35',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').</P><P>Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='208',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').</P><P>Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='253',acct-status-type='2') for user (calling-station-id='50:CC:F8:57:90:C7',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').</P><P>Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='229',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').</P><P>&nbsp;</P><P>I tried to block this devices with MAC filter, device wireless association is blocked, but Radius authentication are not. The called-station-id is not an AP of my controller</P><P>&nbsp;</P><P>Any idea?</P><P>&nbsp;</P><P>Regards</P> Thu, 20 Dec 2012 11:06:11 GMT https://community.hpe.com/t5/m-and-msm-series/possible-dos-attack/m-p/5905593#M1657 david-rivas 2012-12-20T11:06:11Z https://community.hpe.com/t5/m-and-msm-series/possible-dos-attack/m-p/5905785#M1660 <P>this is not DoS attack</P><P>&nbsp;</P><P>check client certificate and ssid profile&nbsp;</P><P>some wireless client can't authentication&nbsp; and can't get ip address on your system (169.254 address is apipa address)</P><P>&nbsp;</P><P>&nbsp;</P><P>if you see more than mac address&nbsp; create new eap certificate on radius server for authentication</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 20 Dec 2012 14:52:01 GMT https://community.hpe.com/t5/m-and-msm-series/possible-dos-attack/m-p/5905785#M1660 cenk sasmaztin 2012-12-20T14:52:01Z https://community.hpe.com/t5/m-and-msm-series/possible-dos-attack/m-p/5905891#M1662 <P>Hello Cenk,</P><P>&nbsp;</P><P>I think the IP pipa belongs to the AP that has received the request form the user... also the MAC address of the AP does not correspond to any AP configured on the controller. Even the MAC address is not located on the LAN (I used show mac-address ... on the Core switch and it does not exists)</P><P>&nbsp;</P><P>There is no acces problem. Most of the users are connected, but they have packet loses. Other users require to authenticate several times to have access. I have only one Radius server and I have not seen errors on the event viwer.</P><P>&nbsp;</P><P>We have found the four devices that are sending Radius requests. We have turn wifi off, but request still present.</P><P>&nbsp;</P><P>I will reboot the Controller.</P><P>&nbsp;</P><P>Thank you.</P> Thu, 20 Dec 2012 16:16:18 GMT https://community.hpe.com/t5/m-and-msm-series/possible-dos-attack/m-p/5905891#M1662 david-rivas 2012-12-20T16:16:18Z https://community.hpe.com/t5/m-and-msm-series/possible-dos-attack/m-p/5905919#M1664 After reboot the messages has been desappeared. :) Thu, 20 Dec 2012 16:59:15 GMT https://community.hpe.com/t5/m-and-msm-series/possible-dos-attack/m-p/5905919#M1664 david-rivas 2012-12-20T16:59:15Z