HPE Community
M and MSM Series
1753873 Members
7414 Online
108809 Solutions
New Discussion

Re: Possible DoS attack

 
SOLVED
Go to solution
david-rivas
Occasional Advisor

‎12-20-2012 03:06 AM

‎12-20-2012 03:06 AM

Possible DoS attack

Hello, I am having problems with user authentication. The configuration has been running for a months with no problems but since three days ago, I am having problems with authentication, I have to authenticate several times before get login. I have seen some strange logs in the controller, 4 MAC address that are continuously requesting Radius authentication, exceeding the maximum request queued on the controller.

 

Dec 20 10:25:30 warning iprulesmgr Discarding RADIUS Request (id='25') from RADIUS Client (ip-address='169.254.0.12',port='32772') as the maximum simultaneous number of RADIUS Requests waiting for answer have been reached (2900).

Dec 20 10:25:30 warning iprulesmgr Discarding RADIUS Request (id='130') from RADIUS Client (ip-address='169.254.0.12',port='32772') as the maximum simultaneous number of RADIUS Requests waiting for answer have been reached (2900).

Dec 20 10:25:30 warning iprulesmgr Discarding RADIUS Request (id='162') from RADIUS Client (ip-address='169.254.0.12',port='32772') as the maximum simultaneous number of RADIUS Requests waiting for answer have been reached (2900).

Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='102',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').

Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='35',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').

Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='208',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').

Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='253',acct-status-type='2') for user (calling-station-id='50:CC:F8:57:90:C7',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').

Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='229',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').

 

I tried to block this devices with MAC filter, device wireless association is blocked, but Radius authentication are not. The called-station-id is not an AP of my controller

 

Any idea?

 

Regards

0 Kudos
3 REPLIES 3
cenk sasmaztin
Honored Contributor

‎12-20-2012 06:52 AM

‎12-20-2012 06:52 AM

Re: Possible DoS attack

this is not DoS attack

 

check client certificate and ssid profile 

some wireless client can't authentication  and can't get ip address on your system (169.254 address is apipa address)

 

 

if you see more than mac address  create new eap certificate on radius server for authentication

 

 

 

 

cenk

0 Kudos
david-rivas
Occasional Advisor

‎12-20-2012 08:16 AM

‎12-20-2012 08:16 AM

Re: Possible DoS attack

Hello Cenk,

 

I think the IP pipa belongs to the AP that has received the request form the user... also the MAC address of the AP does not correspond to any AP configured on the controller. Even the MAC address is not located on the LAN (I used show mac-address ... on the Core switch and it does not exists)

 

There is no acces problem. Most of the users are connected, but they have packet loses. Other users require to authenticate several times to have access. I have only one Radius server and I have not seen errors on the event viwer.

 

We have found the four devices that are sending Radius requests. We have turn wifi off, but request still present.

 

I will reboot the Controller.

 

Thank you.

0 Kudos
david-rivas
Occasional Advisor

‎12-20-2012 08:59 AM

‎12-20-2012 08:59 AM

Solution

Re: Possible DoS attack

After reboot the messages has been desappeared. :)
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.