I'm trying in the lab to authenticate devices with WPA2 and MAC auth via RADIUS. I'm using FreeRADIUS and it seems to work fine.
In my test I see that auth clients can connect and others can't.
But, analyzing the FreeRADIUS logs, I see that clients that are not in the FreeRADIUS list (rejected) are sending access requests lots of times (until I turn off the radio on the client).
In cnMaestro, on the AAA Servers page, I set Timeout = 3 and Attempts = 1.
Checking the FreeRADIUS logs I see the request from the AP (NAS) for the test client and the response:
"Sending delayed response
Sent Access-Reject ID 7 from IP:1812 to AP_IP length 20
Waking up in 3.9 seconds."
The client doesn't have access to Wi-Fi, but it seems that the AP is sending the same request for the same client many times. In fact, it continues until I turn off the Wi-Fi on the client.
So, is there a way to limit the number of requests and to block a rejected client?
I started with the idea of using cnMaestro, but there are too many limits for what I need. For example, the max number of MACs is 254 and I cannot manage groups of MACs. So I'm trying a more scalable solution. I'm testing MAC addresses now, but I'll need many more in the future.
This isn't good news because the RADIUS logs will end up filled with "dust" and will be quite illegible. And worse, it is a real security problem, amounting to a DoS.
By the way, in the cnMaestro logs I see this:
"E600-0A1B52","Client","OPERATIONS","Device (cnPilot e600)","58:C1:7A:XX:XX:XX","10.X.X.68","N/A","CLIENT_EVENT_BLOCKED"," - Events (connection and disconnection) are blocked for few Wi-Fi clients for 600 second as event rate is very high (51 events in 300 sec).","MINOR","2020-01-17 07:53:06"
But this didn't stop the client attempts or the NAS sending requests to RADIUS. This block for 600 seconds is not working.
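Until the retry loop is stopped on the AP side, the defensive step is to make the flood visible instead of letting it bury the log. The script below is an added example, not code from the post or from Cambium or FreeRADIUS: it parses "Sent Access-Reject ... to NAS_IP" lines in the style of the debug output quoted above and flags any NAS that produced more than a threshold of rejects inside a sliding window. The sample lines, IP addresses, packet IDs and the leading "YYYY-MM-DD HH:MM:SS" timestamp are all constructed for the example (it assumes your log sink prefixes each line with such a timestamp; adjust LINE_RE if yours differs).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of the FreeRADIUS debug lines quoted in the post,
# with a "YYYY-MM-DD HH:MM:SS" prefix (assumption: the log sink timestamps lines).
# Server IP, NAS IPs, packet IDs and times are made up for this example.
SAMPLE_LOG = """\
2020-01-17 07:53:00 Sent Access-Accept ID 3 from 10.0.0.5:1812 to 10.0.0.68:45001 length 20
2020-01-17 07:53:02 Sent Access-Reject ID 7 from 10.0.0.5:1812 to 10.0.0.68:45001 length 20
2020-01-17 07:53:06 Sent Access-Reject ID 8 from 10.0.0.5:1812 to 10.0.0.68:45001 length 20
2020-01-17 07:53:10 Sent Access-Reject ID 9 from 10.0.0.5:1812 to 10.0.0.68:45001 length 20
2020-01-17 07:53:14 Sent Access-Reject ID 10 from 10.0.0.5:1812 to 10.0.0.68:45001 length 20
2020-01-17 07:53:18 Sent Access-Reject ID 11 from 10.0.0.5:1812 to 10.0.0.68:45001 length 20
2020-01-17 07:53:20 Sent Access-Reject ID 2 from 10.0.0.5:1812 to 10.0.0.70:45001 length 20
2020-01-17 07:53:22 Sent Access-Reject ID 12 from 10.0.0.5:1812 to 10.0.0.68:45001 length 20
2020-01-17 07:55:30 Sent Access-Reject ID 13 from 10.0.0.5:1812 to 10.0.0.68:45001 length 20
"""

# One "Sent <code> ID <n> from <server>:<port> to <nas>:<port> length <n>" line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Sent (?P<code>Access-(?:Accept|Reject|Challenge)) ID (?P<id>\d+) "
    r"from \S+ to (?P<nas>\d{1,3}(?:\.\d{1,3}){3}):\d+ length \d+$"
)


def parse_rejects(text):
    """Yield (timestamp, nas_ip) for every Access-Reject line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("code") == "Access-Reject":
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("nas")


def reject_bursts(text, window_seconds=60, threshold=5):
    """Return {nas_ip: peak rejects in any window} for NASes that reached the threshold.

    Per NAS, keep the timestamps of recent rejects in a deque, drop those older than
    the window, and remember the largest count seen. A high peak from one NAS is the
    retry loop described in the post (or many clients being rejected at once).
    Lines are assumed to be in chronological order, as they are in a log file.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, nas in parse_rejects(text):
        q = recent[nas]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[nas] = max(peak[nas], len(q))
    return {nas: n for nas, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for nas, count in reject_bursts(SAMPLE_LOG).items():
        print(f"NAS {nas}: {count} Access-Reject packets within 60 s")
```

Run against a real log the same way (`reject_bursts(open("radius.log").read())`) and feed the result to whatever alerting you already have; the per-NAS count also tells you which AP to check when you adjust the retry behaviour or event blocking that the thread discusses.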
The MAC DB on the AP is set to 256, but on cnMaestro this list scales to 10K.
By the way, in the cnMaestro logs I see this:
"E600-0A1B52","Client","OPERATIONS","Device (cnPilot e600)","58:C1:7A:XX:XX:XX","10.X.X.68","N/A","CLIENT_EVENT_BLOCKED"," - Events (connection and disconnection) are blocked for few Wi-Fi clients for 600 second as event rate is very high (51 events in 300 sec).","MINOR","2020-01-17 07:53:06"
This is an event rate limit (not linked to the client connection functionality on the AP); cnMaestro will ignore the client connection events coming from the AP.