Determining IP address from MAC

27 Fri Jun 29 10:30:40 2012 IDS Signature attack detected. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-Mac, Detecting AP Name: ACCESS-AP-KSHO-F3-WEST, Radio Type: 802.11b/g, Preced: 5, Hits: 300, Channel: 1, srcMac: 00:21:6A:AD:43:96

These messages just started popping up starting yesterday. Any ideas on how to track down an IP for this guy? From what I can see of the client logs, it has never successfully connected, but at the same time this is what our syslog looks like:

10:19:56 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:17:48 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:16:11 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:15:11 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:14:11 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:13:10 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:12:07 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:11:05 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:09:26 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:07:47 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:06:47 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:04:42 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:03:35 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:02:29 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
10:00:46 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
09:59:38 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
09:58:31 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
09:57:27 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96
09:55:46 access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96

And it keeps going nonstop. It is the same MAC address, so I am wondering if this is a misconfiguration of some sort, or truly an attack.


Re: Determining IP address from MAC

Andrew,

Since the device is not authenticating, the device will not have or obtain a DHCP address. Not knowing what authentication you're using, it can be just a bad configuration on the client.

Thanks, Scott

Re: Determining IP address from MAC

Your device is doing too many authentication attempts.

It is clear that it is a device issue because the device does not respond to the WLC request in a timely manner.

Better to check the device configuration and make sure it is correct. If all is fine, try upgrading the driver for the client.

HTH

Amjad


Ok, instead of finding out what the IP address is, how can we determine what AP it is sourced from? I have the same issue.

-Jeff

Jeff,

You can do that on the WLC by filtering the clients for the specific MAC in the GUI, or with show client detail [mac address] on the CLI. The output will show the AP to which the client is connecting or trying to connect.

Hi,

With the help of the ARP table on your WLC or a directly connected system, you can find the IP address for this MAC address.

(arp -a) Run this command from a directly connected system.
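
Added example, not part of the original thread: Python that reads the IDS trap and the syslog lines quoted in the question, takes the detecting AP name from the trap, and measures how often the EAP timeouts recur for the same MAC. The function names are hypothetical, and the sample input is copied from the post (six of the syslog lines); the trap prints the MAC in upper case and the syslog in lower case, so both are normalised before matching.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Sample input copied from the log lines quoted in the original post.
TRAP = ("IDS Signature attack detected. Signature Type: Standard, "
        "Name: Auth flood, Description: Authentication Request flood, "
        "Track: per-Mac, Detecting AP Name: ACCESS-AP-KSHO-F3-WEST, "
        "Radio Type: 802.11b/g, Preced: 5, Hits: 300, Channel: 1, "
        "srcMac: 00:21:6A:AD:43:96")
TAIL = ("access-wlc-ksho-int-1 %DOT1X-3-MAX_EAP_RETRIES: 1x_auth_pae.c:3062 "
        "Max EAP identity request retries (3) exceeded for client 00:21:6a:ad:43:96")
TIMES = ("10:19:56", "10:17:48", "10:16:11", "10:15:11", "10:14:11", "10:13:10")
SYSLOG = "\n".join(f"{t} {TAIL}" for t in TIMES)

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) \S+ %DOT1X-3-MAX_EAP_RETRIES: .* "
                     r"client ((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s*$")

def parse_trap(line):
    """Split the 'Key: value, Key: value' body of the trap into a dict."""
    body = line.split("detected. ", 1)[1]
    fields = dict(item.split(": ", 1) for item in body.split(", "))
    fields["srcMac"] = fields["srcMac"].lower()  # match the syslog's lower case
    return fields

def eap_retry_profile(text):
    """Per client MAC: event count and median seconds between timeouts.
    Assumes all lines are from one day (the syslog carries no date)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[m.group(2).lower()].append(datetime.strptime(m.group(1), "%H:%M:%S"))
    profile = {}
    for mac, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        profile[mac] = {"events": len(stamps),
                        "median_gap_s": median(gaps) if gaps else None}
    return profile

def correlate(trap_line, syslog_text):
    """Join the IDS trap to the 802.1X timeouts logged for the same MAC."""
    trap = parse_trap(trap_line)
    return {"mac": trap["srcMac"], "signature": trap["Name"],
            "detecting_ap": trap["Detecting AP Name"],
            "eap_timeouts": eap_retry_profile(syslog_text).get(trap["srcMac"])}

if __name__ == "__main__":
    print(correlate(TRAP, SYSLOG))
```
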
