User fails authentication too many times in a row when joining WLAN

  • 1
  • Question
  • Updated 6 days ago
  • Answered

Hello,

In the ZoneDirector I get multiple messages of clients who fails to authenticate too many times in a row when joining a WLAN. We configured multiple Open WLAN networks and it happens by all of them. In the Syslog Guide the action is to check the user credentials, but it's an open network with no encryption.

We use firmware version 9.10.0.0 build 218, but these messages where already their in firmware 9.8.1.0.101

Access-points type mostly T300 and ZF7762.

Has anybody experienced this before?

Photo of Wouter Beens

Wouter Beens

  • 5 Posts
  • 0 Reply Likes

Posted 4 years ago

  • 1
Photo of Primož Marinšek

Primož Marinšek, AlphaDog

  • 413 Posts
  • 49 Reply Likes
Think support would be better suited for this than this forum, but here's a few thoughts.

Have you checked if the cable is OK, that there isn't some big interference there, captured some packets to see if authentication and association go through or if a failure happens there already?
Photo of Michael Brado

Michael Brado, Official Rep

  • 2570 Posts
  • 351 Reply Likes
Curious too, if you check the OUI of the client MACs who are failing to authenticate, is it any one manufacturer, or many?
Photo of Wouter Beens

Wouter Beens

  • 5 Posts
  • 0 Reply Likes

@PrimoZ: Checked the cables are OK. It is possible for me to sniff with a macbook and pcap the authentication process. I shall contact support for this too

@Michael: Clients who are failing are from multiple manufacturers, it isn't only one manufacturer.

Photo of Brian Hoyt

Brian Hoyt

  • 51 Posts
  • 3 Reply Likes
I was having this problem on R700 with 9.8 branch on 5 GHz radios. I eventually disabled 5 GHz on those until I can do more testing due to negative impact on users.
Photo of Primož Marinšek

Primož Marinšek, AlphaDog

  • 413 Posts
  • 49 Reply Likes
Do you know where it fails? There was an error reported (not on this forum) about clients not connecting, but the problem was that it failed at the DHCP stage not at the radio stage. So the auth/asoc phase went through, but when trying to get the IP it suddenly decided the connection was poor. It was an android Lollipop 5.1. Other clients worked fine.

Can you check if there is any DHCP discovery for that client before it fails?
Photo of Michael Brado

Michael Brado, Official Rep

  • 2570 Posts
  • 351 Reply Likes
And more 802.11ac AP features are enabled in 9.9.1 (soon), or 9.10 (now) if you can upgrade for further evaluation too. I'm sure tech support would like to know your findings.
Photo of DSE

DSE

  • 66 Posts
  • 3 Reply Likes
i'm having a similar problem also in an total open wlan. Wouter Beens did you get any conclusion?
Photo of Scott Edwards

Scott Edwards

  • 6 Posts
  • 1 Reply Like
Seems to be T300, I have a H500 close by and it connects no issue: Latest build .219, ZD1200

2016/07/02  20:07:41 High User[AA:MM:AA:CC:AD] fails authentication too many times in a row when joining WLAN[SHOTGUN] at AP[T300SHOTGUN]. User[AA:MM:AA:CC:AD] is temporarily blocked from the system for [10 minutes].2016/07/02  20:06:33 Medium User[AA:MM:AA:CC:AD] repeatedly fails authentication when joining WLAN[SHOTGUN] at AP[T300SHOTGUN].
2016/07/02  19:55:16 High User[AA:MM:AA:CC:AD] fails authentication too many times in a row when joining WLAN[SHOTGUN] at AP[T300SHOTGUN]. User[AA:MM:AA:CC:AD] is temporarily blocked from the system for [10 minutes].
2016/07/02  19:54:12 Medium User[AA:MM:AA:CC:AD] repeatedly fails authentication when joining WLAN[SHOTGUN] at AP[T300SHOTGUN].
2016/07/02  19:43:10 High User[AA:MM:AA:CC:AD] fails authentication too many times in a row when joining WLAN[SHOTGUN] at AP[T300SHOTGUN]. User[AA:MM:AA:CC:AD] is temporarily blocked from the system for [10 minutes].
2016/07/02  19:42:05 Medium User[AA:MM:AA:CC:AD] repeatedly fails authentication when joining WLAN[SHOTGUN] at AP[T300SHOTGUN].
2016/07/02  19:31:09 High User[AA:MM:AA:CC:AD] fails authentication too many times in a row when joining WLAN[SHOTGUN] at AP[T300SHOTGUN]. User[AA:MM:AA:CC:AD] is temporarily blocked from the system for [10 minutes].
2016/07/02  19:30:03 Medium User[AA:MM:AA:CC:AD] repeatedly fails authentication when joining WLAN[SHOTGUN] at AP[T300SHOTGUN].
2016/07/02  19:17:08 Medium User[08:66:98:62:9d:b0] repeatedly fails authentication when joining WLAN[SHOTGUN] at AP[T300SHOTGUN].
2016/07/02  18:54:29 Medium User[90:b6:86:3c:8c:08] repeatedly fails authentication when joining WLAN[SHOTGUN] at AP[T300SHOTGUN].
2016/07/02  15:30:13 Medium User[90:b6:86:3c:8c:08] repeatedly fails authentication when joining WLAN[SHOTGUN] at AP[T300SHOTGUN].
2016/07/02  15:05:55 High User[AA:MM:AA:CC:AD] fails authentication too many times in a row when joining WLAN[SHOTGUN] at AP[T300SHOTGUN]. User[AA:MM:AA:CC:AD] is temporarily blocked from the system for [10 minutes].
2016/07/02  15:04:09 Medium User[AA:MM:AA:CC:AD] repeatedly fails authentication when joining WLAN[SHOTGUN] at AP[T300SHOTGUN].
2016/07/02  14:53:18 High User[AA:MM:AA:CC:AD] fails authentication too many times in a row when joining WLAN[SHOTGUN] at AP[T300SHOTGUN]. User[AA:MM:AA:CC:AD] is temporarily blocked from the system for [10 minutes].
2016/07/02  14:51:52 Medium User[AA:MM:AA:CC:AD] repeatedly fails authentication when joining WLAN[SHOTGUN] at AP[T300SHOTGUN].
Photo of Michael Brado

Michael Brado, Official Rep

  • 2565 Posts
  • 351 Reply Likes
Hi Scott,
  Glad to get your update, thanks.  Did you have 9.12.2.0.219 (MR2 Refresh), and downgraded one
release to 9.12.2.0.101 (MR2) as the only difference?  And restored your previous .101 backup, right?
No issue on an indoor H500 on either version, and only on the T300 with latest showed these errors? 

DSE, you saw similar on outdoor 7782, and on what version of ZD?
Photo of Scott Edwards

Scott Edwards

  • 6 Posts
  • 1 Reply Like
Yes to all of my post, thanks, Michael.
(Edited)
Photo of DSE

DSE

  • 66 Posts
  • 3 Reply Likes
Hello Michael, i have 7782N and S and my version is 9.12.2.0 build 219
Photo of Scott Edwards

Scott Edwards

  • 6 Posts
  • 1 Reply Like
Upgraded to 9.13.0.0 build 232, no issues.
Photo of Michael Brado

Michael Brado, Official Rep

  • 2565 Posts
  • 351 Reply Likes
Thanks!
Photo of thomas fankhauser

thomas fankhauser

  • 57 Posts
  • 14 Reply Likes
I experience this on ZD-1100 9.10.2.0 build 53 on zf7982 and on a zf7363 in Mesh.
the network (ssid) is open without any authentication.
i dont understand why we get an "fails authentication" if we dont have any authentication at all.
Photo of caruncles

caruncles

  • 3 Posts
  • 0 Reply Likes
I know this is an old post, but I couldn't find anything related to my question.  I want to block users who have tried to authenticate too many times and were then blocked.  Does anyone know how to do that?  We are a seasonal business and during the busy season we have dozens of cell phones trying to authenticate.  I just want to block them permanently.    Thanx!
Photo of EightOhTwoEleven

EightOhTwoEleven

  • 48 Posts
  • 14 Reply Likes
I would imagine that the ZoneDirector has some sort of blacklist, the SmartZone does.
Photo of caruncles

caruncles

  • 3 Posts
  • 0 Reply Likes
You are right and I have set one up.  Much easier than I Thought.  Instructions are below. I set up a deny list this morning.  I can cut and paste mac addresses of users (cell phones) that continually bang on the door but do not get authenticated.  It has been working since this morning and no one has screamed yet. So, i must have set it up correctly.   Thanx!

Using the Access Controls configuration options, you define Layer2/MAC address ACLs, which can then be applied to one or more WLANs (upon WLAN creation or edit). ACLs are either allow-only or deny-only; that is, an ACL can be set up to allow only specified clients or to deny only specified clients.   MAC addresses that are in the deny list are blocked at the AP, not at the ZoneDirector.


To configure an L2/MAC ACL:

1.  Go to Configure > Access Control.

2.  In L2/MAC Access Control, click Create New.

     a.  Type a Name for the ACL.
     b.  Type a Description of the ACL.
     c.   Select the Restriction mode as either allow or deny.
     d.   Type a MAC address in the MAC Address text box, 
           and then click Create New to save the address.

The new MAC address that you added appears next to the Stations field.
You can enter up to 128 MAC addresses.

3.  Click OK to save the L2/MAC based ACL.

You can create up to 32 L2/MAC ACL rules and each rule can contain up to 128 MAC addresses.

You can apply the ACL for a specific WLAN in Configure>WLAN>Create New or Edit a WLAN>Advanced Options>Access Control.
 

We can apply only 1 ACL per WLAN.