AP 1200 - Constant Cyclic Authentication failure - LEAP

marcbutler
Level 1

Scenario:

We have deployed around 40 AP 1220s, mostly with both .11a and .11b modules. We have implemented LEAP authentication, querying against ACSv3.1, which itself queries the 2000 Active Directory.

Problem:

Apart from the normal issues with 2000 Active Directory and NT trusts disappearing for no apparent reason (therefore preventing normal log on), an error has appeared in both the AP and Acs logs. The AP log reads as follows:

Admin Authentication for User "public" has been denied from server.

The ACS has similar information in its "Failed Attempts" log. It says that the userID "public" cannot be verified, with the Authen-Failure-Code being "External DB User Invalid or Bad Password". But now that the trusts have been re-established (although no idea how long that will last!), valid users can log on OK.

At first, this error appeared once a day, for a 14 second interval at a similar time each day (apart from one of these days). Now, 26 of the APs seem to be sending this message in intervals of 6 and 24 seconds alternately (although I have not checked all the APs to verify this time interval) all the time.

Has anyone seen this problem? How did you solve it? Is it a/multiple rogue wireless host/s using an in-built profile with this name? Or is it a Cisco in-built and hidden user within the APs?

Any help would be greatly appreciated!

3 Replies
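The pattern described in the original post (the same denied username appearing on many APs, with the gaps between failures alternating 6 and 24 seconds) can be pulled out of the AP syslog without a protocol analyser, because the cadence and the order in which the APs are hit are both in the timestamps even though the source address is not. The following script is an added example and is not code from the thread or from Cisco: it parses syslog-style lines carrying the AP's literal "Admin Authentication for User ... has been denied from server" message, groups the denials per username and per AP, and reports usernames that are denied on several APs at a fixed one- or two-value cadence. The syslog prefix, the AP hostnames, the timestamps and the sample lines are all constructed for the example; the regex assumes the BSD syslog layout "Mon DD HH:MM:SS host message".

```python
"""Spot a scripted admin-login sweep across access points from their
failed-authentication log lines.

Added example, not from the original thread. Only the message text
'Admin Authentication for User "..." has been denied from server' comes
from the post; the syslog framing, hostnames and timestamps are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# BSD syslog line: "Mon DD HH:MM:SS host <anything> Admin Authentication for User "u" has been denied from server"
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) .*?'
    r'Admin Authentication for User "(?P<user>[^"]*)" has been denied from server'
)


def parse_denials(lines, year=2003):
    """Return [(timestamp, ap_host, username)] for every admin-denial line.

    Non-matching lines are skipped, so a whole syslog file can be fed in.
    `year` is an assumption: the BSD syslog timestamp does not carry one.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"]))
    return events


def find_sweeps(lines, min_hosts=3, min_share=0.8):
    """Return {username: info} for usernames that look like a scripted sweep.

    A username qualifies when it is denied on at least `min_hosts` APs and at
    least `min_share` of the gaps between its consecutive denials on each AP
    fall on one or two fixed intervals (the thread's 6 s / 24 s alternation).
    `hosts` is the order the sweep walks the APs in (first denial per AP).
    """
    by_user = defaultdict(lambda: defaultdict(list))
    for ts, host, user in parse_denials(lines):
        by_user[user][host].append(ts)

    sweeps = {}
    for user, hosts in by_user.items():
        if len(hosts) < min_hosts:
            continue
        gaps = Counter()
        for stamps in hosts.values():
            stamps.sort()
            for a, b in zip(stamps, stamps[1:]):
                gaps[int((b - a).total_seconds())] += 1
        total = sum(gaps.values())
        if total == 0:
            continue
        top = gaps.most_common(2)
        if sum(n for _, n in top) / total < min_share:
            continue
        sweeps[user] = {
            "hosts": sorted(hosts, key=lambda h: min(hosts[h])),
            "cadence": sorted(sec for sec, _ in top),
            "denials": sum(len(s) for s in hosts.values()),
        }
    return sweeps


# Constructed sample: three APs hit one second apart, each seeing the
# 6 s / 24 s alternation for user "public", plus one genuine typo by the
# administrator and one unrelated syslog line that must be ignored.
SAMPLE_LOG = """\
Mar 10 02:00:00 ap-lib-1 Admin Authentication for User "public" has been denied from server.
Mar 10 02:00:01 ap-lib-2 Admin Authentication for User "public" has been denied from server.
Mar 10 02:00:02 ap-gym-1 Admin Authentication for User "public" has been denied from server.
Mar 10 02:00:06 ap-lib-1 Admin Authentication for User "public" has been denied from server.
Mar 10 02:00:07 ap-lib-2 Admin Authentication for User "public" has been denied from server.
Mar 10 02:00:08 ap-gym-1 Admin Authentication for User "public" has been denied from server.
Mar 10 02:00:30 ap-lib-1 Admin Authentication for User "public" has been denied from server.
Mar 10 02:00:31 ap-lib-2 Admin Authentication for User "public" has been denied from server.
Mar 10 02:00:32 ap-gym-1 Admin Authentication for User "public" has been denied from server.
Mar 10 02:00:36 ap-lib-1 Admin Authentication for User "public" has been denied from server.
Mar 10 02:00:37 ap-lib-2 Admin Authentication for User "public" has been denied from server.
Mar 10 02:00:38 ap-gym-1 Admin Authentication for User "public" has been denied from server.
Mar 10 09:14:51 ap-lib-2 Admin Authentication for User "adminitrator" has been denied from server.
Mar 10 09:15:03 ap-lib-2 Configured from console by administrator on vty0
"""

if __name__ == "__main__":
    for user, info in find_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f'user "{user}": {info["denials"]} denials, cadence {info["cadence"]} s, '
              f'AP order {" -> ".join(info["hosts"])}')
```

The one-off "adminitrator" failure is dropped because it appears on a single AP with no repeat, which is the behaviour wanted for an administrator's typo. What the script cannot give is the client address: the AP message quoted in the thread carries none, so this only tells you which APs are being walked, in what order and how fast; attributing the source still needs a capture on the wired side or a log source that records the peer address.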

marcbutler
Level 1

OK. Extra info.

On closer examination (and thanks to a typo), I have managed to identify that if I try to log onto the APs directly via HTML and put in incorrect username or password info, then exactly the same error occurs:

Admin Authentication for User "adminitrator" has been denied from server.

I am guessing that the server that the AP is referring to is itself. It seems to indicate that these errors are not specifically over wireless at all (although they could be using that medium). It appears that this is some rogue element trying to log onto these 26 APs in sequence to view/change their config.

The next question is:

Without a protocol analyser, can you adjust the event logs on the APs to show the originating IP address or MAC address of the authentication request/failure?

Is there any chance that someone / something has attempted to login and the repeated failures have caused a lockdown of that account?

Check the accounts in the AD and see if they're still active.

Also is there any chance that the addition of recent Service Packs have somehow fubar'd the EAP / cert / user rights, etc?

Just a shot in the dark ...

Scott

Thanks for that Scott

I am assured by the client that they have not got any user in their AD that goes by the username "public". The trouble is, their environment is not a standard nt/2000 setup. These are special builds by a supplier, and they have updates supplied by that manufacturer, so I have absolutely no clue what is going on inside that part of their object cache. Anything could be running, and without a protocol analyser, I guess it will be impossible to see where it is coming from.

My personal guess is that, as this is a school, one of the little "trainee hackers" has done a protocol sweep, seen the APs, and written a little crack that sweeps these devices periodically (every 6 and 24 seconds!!)

But thanks for the advice. I will inquire about the service pack updates!!
