Lots of deauth messages where station MAC and from MAC are both the BSSID of the wifi sub-interface

  • Updated 3 years ago
Remote site where users are complaining that they cannot join one of our "guest" SSIDs. Everything is set up on the network for it; they claim they try to connect and it fails. I see lots of messages in the log like this, happening every 10 minutes within a second. They continue to happen over the weekend.

ap01.company.com    [ Mgt0 MAC address ]   09/06/2015 10:54:40 PM    Station [ MAC address of wifi0.1 ] is deauthenticated from [ MAC address of wifi0.1 ] thru SSID [ guest ]

Some things to mention:

  • All of our access points use the same network policy and all other sites are working for all SSIDs
  • This site and most sites are using an AP330 device
  • The SSID in question does have "guest" in the name. Our internal/corporate SSID is different and no reported issues there
  • The "guest" SSID is only on the wifi0.1 interface
  • The space is a shared office location, 4 floors. One of those places where companies rent a small office suite, so I see lots of "rogue" APs. The property has its own wifi and from what I can tell, most tenants do as well (like us)
  • We have WIPS enabled, but not rogue mitigation

What's interesting is that the AP is seeing lots of de-auth frames both to and from its local BSSID for that MAC address - the actual MAC address of that interface.

If I didn't know any better, I would say that someone has rogue mitigation enabled where it targets either our specific guest SSID or any SSIDs that have guest in the name.

Anyone have any ideas as to what is going on?

JimmyBoJingle


Posted 3 years ago


Bill W.

Try using Client Monitor on one of the clients to help determine what is going on.

Roberto Casula, Champ

I would do the client monitor, but it does sound like you might have something deauthing your clients, spoofing the BSSID. You could also try getting a remote packet capture on the wifi0.1 interface in promiscuous mode and see what you can see at the packet level.
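
Before setting up a capture, the log pattern discussed in this thread can be quantified from an exported event log. The following is an added example, not code from any poster or from the vendor: it parses lines in the layout quoted in the question, keeps only events where the station MAC equals the BSSID, groups them into bursts, and reports the spacing between bursts. The sample lines, MAC addresses, the MM/DD/YYYY date reading and all function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the log line quoted in the question.
# MACs and times are made up; the date is assumed to be MM/DD/YYYY.
SAMPLE_LOG = """\
ap01.company.com  02aa:bb00:0a00  09/06/2015 10:44:40 PM  Station 02aa:bb00:0a14 is deauthenticated from 02aa:bb00:0a14 thru SSID guest
ap01.company.com  02aa:bb00:0a00  09/06/2015 10:47:02 PM  Station 06cc:dd00:1234 is deauthenticated from 02aa:bb00:0a14 thru SSID guest
ap01.company.com  02aa:bb00:0a00  09/06/2015 10:54:40 PM  Station 02aa:bb00:0a14 is deauthenticated from 02aa:bb00:0a14 thru SSID guest
ap01.company.com  02aa:bb00:0a00  09/06/2015 10:54:41 PM  Station 02aa:bb00:0a14 is deauthenticated from 02aa:bb00:0a14 thru SSID guest
ap01.company.com  02aa:bb00:0a00  09/06/2015 11:04:40 PM  Station 02aa:bb00:0a14 is deauthenticated from 02aa:bb00:0a14 thru SSID guest
"""

MAC = r"\[?\s*([0-9A-Fa-f:.-]+)\s*\]?"   # brackets optional, as in the quoted line
LINE_RE = re.compile(
    r"(\S+)\s+" + MAC + r"\s+(\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"Station " + MAC + r" is deauthenticated from " + MAC +
    r" thru SSID \[?\s*([^\]]+?)\s*\]?$")

def parse(text):
    """Return sorted (time, ap, station, bssid, ssid) tuples; MACs normalised."""
    norm = lambda mac: re.sub(r"[^0-9a-f]", "", mac.lower())
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ap, _mgt, ts, sta, bssid, ssid = m.groups()
            when = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p")
            events.append((when, ap, norm(sta), norm(bssid), ssid))
    return sorted(events)

def self_deauth_bursts(events, gap_s=5):
    """Group station == BSSID events into bursts per (ap, bssid, ssid)."""
    bursts = defaultdict(list)            # key -> [[first, last, count], ...]
    for when, ap, sta, bssid, ssid in events:
        if sta != bssid:
            continue                      # ordinary client deauth, not the pattern
        runs = bursts[(ap, bssid, ssid)]
        if runs and (when - runs[-1][1]).total_seconds() <= gap_s:
            runs[-1][1], runs[-1][2] = when, runs[-1][2] + 1
        else:
            runs.append([when, when, 1])
    return dict(bursts)

def burst_intervals(runs):
    """Seconds between the starts of consecutive bursts."""
    return [int((b[0] - a[0]).total_seconds()) for a, b in zip(runs, runs[1:])]
```

Calling `self_deauth_bursts(parse(log_text))` and then `burst_intervals()` on each value shows whether the self-addressed events recur on a fixed timer; a steady interval across several APs or SSIDs is a useful detail to have when reading the packet capture.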