Any Idea to stop this kind of scanning or snooping?
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Hi guys,
I don't know if this can be fix in EAP or it need to be fix in my router which is ubiquity. As I've been suspicious with some of my clients and leveled up my security in away like using VLAN, I've encounter this problems, a certain client been changing Mac address which I can't ban because he can just change his MAC address. Another client can slip into a scheduled SSIDs while it is RADIO OFF.
And as I know that clients which does not authenticate with Voucher portal gets disconnected within a certain amount of time but this client been connected for more than 3 hrs and its from different MAC Address, but only 1 at a time, here is the one currently connected in my WIFI.
2020-03-30 log with 5hrs 48 mins with only 1.96 M/ 5.07 M and I've checked the past guest authorization and no authorization happening there.
As I've implemented the VLAN with EAP and my edgerouter, I found in the router with its traffic analysis this kind.
Different IPs connecting? Is it like snooping or scanning for backdoor?
Any suggestions or help regarding this intrusion and activities? in the AP or EAP side?
Regards and thanks in advance.
I'm using voucher type, so the authentication would be none but because of the voucher portal they need to authenticate there. And as I've observer after I've updated my EAPs and OC200, because of that I rarely have this kind of suspicious clients but there is a few clients that is connected to the EAP even without authenticating with the voucher portal.
Here are some lates screenshots,
As for today I only have 1 authentication with voucher but I have a few client who only used a 13mb/1.5mb maybe because of the curfew so they need to go inside their house and can't get the EAP signal like the 3rd client.
But I got a few clients who always connects to the EAP, maybe because they have set it for auto-connect to known wifi, but if you look at their history they got no authentication with the voucher portal but got connected also 2hrs (thats april 9 and only the 2nd page of the connection history).
I don't if they are scanning or snooping but everytime I saw them in the network, It got my ubnt router flooded with different IPs with traffic analysis.
Regarding the MAC filter, as I'm using a voucher type and bulk selling vouchers to re-distributors near my signal, I can't add mac address everytime a new client want to use my services, but Its noted if things get to tough here. I got 2 additional competitors here using vendo machine wifi, so I'm thinking they are trying to make my connection slow or something, I hope not.
I'm looking to buy 1 or 3 more 225-outdoor but because of this lockdown, delivery is impossible and that model is already out of stock.
trying to find ways and will eventually try to be a WISP. Starting little by little, so any inputs and help will do.
Do you only have one SSID for the voucher portal authentication? If use the voucher portal, only the wireless clients who have the voucher code can pass the authentication. Maybe you can check if you have set "Free Authentication Policy" for some devices. With the "Free Authentication Policy", clients will access the Internet without the authentication.
Hi @jonas
I'm using 3 kinds of portal authentication at the moment and using 5 SSIDs with vlan. I wanted to use the facebook portal but every time a create a facebook portal, all other portal can access facebook even without authentication. the No Authentication SSIDs are offline at the moment because I have a client who can change their Mac address and can use this to exploit this and its has another and I saw a client authenticate with No authenticatioin even after it was scheduled radio ON only so I'm using radio OFF and for indefinitely. Back to the problem.
I don't have any Free Authentication Policy, and haven't used any of it.
I for got to screenshot the traffic analytic in my router, it has 138 pages of random ip address, but while I'm replying to this I got 64 pages again.
the 1st page are the ips of those legitimate clients and the rest are like this. Thats why I was asking if this is snooping or something because my DCHP are using 10.x.x.x and 172.x.x.x only and I can see ip adds not within the starting ip, like they manually set it as static IP and connected to the EAP.
I really like your product and here are some glitches I found and if possible any help will do. I'm willing to learn and now I got lots of time because of this pandemic.
Regards,
JessieG wrote
Hi @jonas
I'm using 3 kinds of portal authentication at the moment and using 5 SSIDs with vlan. I wanted to use the facebook portal but every time a create a facebook portal, all other portal can access facebook even without authentication. the No Authentication SSIDs are offline at the moment because I have a client who can change their Mac address and can use this to exploit this and its has another and I saw a client authenticate with No authenticatioin even after it was scheduled radio ON only so I'm using radio OFF and for indefinitely. Back to the problem.
I don't have any Free Authentication Policy, and haven't used any of it.
I for got to screenshot the traffic analytic in my router, it has 138 pages of random ip address, but while I'm replying to this I got 64 pages again.
the 1st page are the ips of those legitimate clients and the rest are like this. Thats why I was asking if this is snooping or something because my DCHP are using 10.x.x.x and 172.x.x.x only and I can see ip adds not within the starting ip, like they manually set it as static IP and connected to the EAP.
I really like your product and here are some glitches I found and if possible any help will do. I'm willing to learn and now I got lots of time because of this pandemic.
Regards,
I have checked the IP address 103.126.243.13, 13.226.254.123, it is the public IP address, maybe locate in HongKong China and US. I think you can check why it will show the public IP address in the traffic analyzing list in the router, maybe it is the server which clients have accessed?
BTY, you can check the historical wireless clients list in the "Insight" list of Omada Controller, check if some wireless clients have these kind of "IP address". And you can SSH in the EAP, use command "cliclientd wltool sta" to list the real-time wireless clients that connect with the EAP, check if there have some " suspicious" clients.
