M and MSM Series

Possible DoS attack

david-rivas
Occasional Advisor


Hello, I am having problems with user authentication. The configuration has been running for months with no problems, but since three days ago I have been having problems with authentication: I have to authenticate several times before I can log in. I have seen some strange logs on the controller: 4 MAC addresses that are continuously requesting RADIUS authentication, exceeding the maximum number of requests queued on the controller.

 

Dec 20 10:25:30 warning iprulesmgr Discarding RADIUS Request (id='25') from RADIUS Client (ip-address='169.254.0.12',port='32772') as the maximum simultaneous number of RADIUS Requests waiting for answer have been reached (2900).

Dec 20 10:25:30 warning iprulesmgr Discarding RADIUS Request (id='130') from RADIUS Client (ip-address='169.254.0.12',port='32772') as the maximum simultaneous number of RADIUS Requests waiting for answer have been reached (2900).

Dec 20 10:25:30 warning iprulesmgr Discarding RADIUS Request (id='162') from RADIUS Client (ip-address='169.254.0.12',port='32772') as the maximum simultaneous number of RADIUS Requests waiting for answer have been reached (2900).

Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='102',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').

Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='35',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').

Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='208',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').

Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='253',acct-status-type='2') for user (calling-station-id='50:CC:F8:57:90:C7',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').

Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='229',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').

 

I tried to block these devices with a MAC filter; device wireless association is blocked, but RADIUS authentication is not. The called-station-id is not an AP of my controller.

 

Any idea?

 

Regards
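Added example, not part of the original post or of the controller's tooling: a small Python triage script for the syslog format quoted above. It counts discarded RADIUS requests per RADIUS client, counts accounting requests per calling-station-id, and lists called-station-ids missing from an AP inventory. The sample lines are copied from the post; the threshold and the inventory MAC are constructed assumptions.

```python
import re
from collections import Counter

# Sample lines copied from the log excerpt quoted in the post above.
SAMPLE_LOG = """\
Dec 20 10:25:30 warning iprulesmgr Discarding RADIUS Request (id='25') from RADIUS Client (ip-address='169.254.0.12',port='32772') as the maximum simultaneous number of RADIUS Requests waiting for answer have been reached (2900).
Dec 20 10:25:30 warning iprulesmgr Discarding RADIUS Request (id='130') from RADIUS Client (ip-address='169.254.0.12',port='32772') as the maximum simultaneous number of RADIUS Requests waiting for answer have been reached (2900).
Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='102',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').
Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='35',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').
Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='208',acct-status-type='2') for user (calling-station-id='64:A7:69:84:3B:67',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').
Dec 20 10:25:30 debug iprulesmgr Received RADIUS Accounting Request (id='253',acct-status-type='2') for user (calling-station-id='50:CC:F8:57:90:C7',virtual-ap-index='4') from RADIUS Client (ip-address='169.254.0.12',port='32772',called-station-id='00:24:A8:B0:1B:40').
"""

DISCARD_RE = re.compile(
    r"Discarding RADIUS Request \(id='\d+'\) from RADIUS Client \(ip-address='(?P<client>[^']+)'"
)
ACCT_RE = re.compile(
    r"Received RADIUS Accounting Request \(id='\d+',acct-status-type='\d+'\) for user "
    r"\(calling-station-id='(?P<sta>[^']+)'.*?called-station-id='(?P<ap>[^']+)'"
)

def summarize(log_text):
    """Return (discards per RADIUS client IP, accounting requests per (station, AP))."""
    discards, stations = Counter(), Counter()
    for line in log_text.splitlines():
        m = DISCARD_RE.search(line)
        if m:
            discards[m["client"]] += 1
            continue
        m = ACCT_RE.search(line)
        if m:
            stations[(m["sta"].upper(), m["ap"].upper())] += 1
    return discards, stations

def noisy_stations(stations, threshold):
    """Station MACs whose accounting request count reaches the (assumed) threshold."""
    per_sta = Counter()
    for (sta, _ap), count in stations.items():
        per_sta[sta] += count
    return sorted(sta for sta, count in per_sta.items() if count >= threshold)

def unknown_aps(stations, known_aps):
    """called-station-id values that are absent from the AP inventory."""
    return sorted({ap for (_sta, ap) in stations if ap not in known_aps})

if __name__ == "__main__":
    discards, stations = summarize(SAMPLE_LOG)
    print(discards, noisy_stations(stations, 3))
    # Inventory below is a constructed placeholder, not a real AP list.
    print(unknown_aps(stations, {"00:00:5E:00:53:01"}))
```

Run over a full syslog export, the per-station counts show which few clients account for most of the queue, and the inventory check confirms whether the called-station-id really is foreign to the controller.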

3 REPLIES
cenk sasmaztin
Honored Contributor

Re: Possible DoS attack

This is not a DoS attack.

Check the client certificate and SSID profile.

Some wireless clients can't authenticate and can't get an IP address on your system (a 169.254 address is an APIPA address).

If you see more than one MAC address, create a new EAP certificate on the RADIUS server for authentication.

 

 

 

 

cenk

david-rivas
Occasional Advisor

Re: Possible DoS attack

Hello Cenk,

 

I think the APIPA IP belongs to the AP that has received the request from the user... also the MAC address of the AP does not correspond to any AP configured on the controller. The MAC address is not even located on the LAN (I used show mac-address ... on the core switch and it does not exist).

There is no access problem. Most of the users are connected, but they have packet loss. Other users need to authenticate several times to get access. I have only one RADIUS server and I have not seen errors in the event viewer.

We have found the four devices that are sending RADIUS requests. We have turned Wi-Fi off, but the requests are still present.

 

I will reboot the Controller.

 

Thank you.

david-rivas
Occasional Advisor
Solution

Re: Possible DoS attack

After the reboot the messages have disappeared. :)