Limit client connection attempts with RADIUS

Hi,

I'm trying, in the lab, to authenticate devices with WPA2 and MAC auth via RADIUS. I'm using FreeRADIUS and it seems to work fine.

In my test I see that authorized clients can connect and others don't.

But, analyzing the FreeRADIUS logs, I see that clients that are not in the FreeRADIUS list (rejected) are sending Access-Requests lots of times (until I turn off the radio on the client).

In cnMaestro, on the AAA Servers page, I set Timeout = 3 and Attempts = 1.

Checking the FreeRADIUS logs I see the request from the AP (NAS) for the test client and the response:

"Sending delayed response

Sent Access-Reject ID 7 from IP:1812 to AP_IP length 20

Waking up in 3.9 seconds."

The client doesn't have access to the Wi-Fi, but it seems that the AP is sending the same request for the same client many times. In fact, it continues until I turn off the Wi-Fi on the client.

So, is there a way to limit the number of requests and to block a rejected client?

If not, is this subject to DoS attacks?

Thanks
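One way to at least see the "request storm" the first post describes from the RADIUS side is to count Access-Rejects per client MAC over a sliding time window, so that a MAC that keeps retrying after being rejected stands out instead of just filling the log. The script below is an added example, not code from this thread or from Cambium/FreeRADIUS; it assumes radius.log-style "Auth: ... Login incorrect ... (from client NAS port N cli MAC)" lines, and the sample lines, NAS name and MAC addresses in it are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines shaped like FreeRADIUS radius.log "Auth:" entries.
# The timestamps, NAS name "ap1" and MACs are made up for this example.
SAMPLE_LOG = """\
Fri Jan 17 07:53:00 2020 : Auth: (1) Login OK: [aa-bb-cc-00-00-01] (from client ap1 port 0 cli AA-BB-CC-00-00-01)
Fri Jan 17 07:53:01 2020 : Auth: (2) Login incorrect (mac not found): [aa-bb-cc-00-00-02] (from client ap1 port 0 cli AA-BB-CC-00-00-02)
Fri Jan 17 07:53:05 2020 : Auth: (3) Login incorrect (mac not found): [aa-bb-cc-00-00-02] (from client ap1 port 0 cli AA-BB-CC-00-00-02)
Fri Jan 17 07:53:09 2020 : Auth: (4) Login incorrect (mac not found): [aa-bb-cc-00-00-02] (from client ap1 port 0 cli AA-BB-CC-00-00-02)
Fri Jan 17 07:53:13 2020 : Auth: (5) Login incorrect (mac not found): [aa-bb-cc-00-00-03] (from client ap1 port 0 cli AA-BB-CC-00-00-03)
Fri Jan 17 07:53:17 2020 : Auth: (6) Login incorrect (mac not found): [aa-bb-cc-00-00-02] (from client ap1 port 0 cli AA-BB-CC-00-00-02)
Fri Jan 17 07:53:21 2020 : Auth: (7) Login incorrect (mac not found): [aa-bb-cc-00-00-02] (from client ap1 port 0 cli AA-BB-CC-00-00-02)
Fri Jan 17 07:55:00 2020 : Auth: (8) Login incorrect (mac not found): [aa-bb-cc-00-00-03] (from client ap1 port 0 cli AA-BB-CC-00-00-03)
"""

# Matches only rejected attempts; "cli" carries the Calling-Station-Id (client MAC).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: \(\d+\) "
    r"Login incorrect.*?\(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f:-]+)\)"
)

def parse_rejects(text):
    """Yield (timestamp, nas, mac) for every 'Login incorrect' line, MAC normalised to AA:BB:..."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group("nas"), m.group("mac").upper().replace("-", ":")

def find_flooding_clients(text, max_rejects=3, window_seconds=60):
    """Return {mac: peak_count} for MACs rejected more than max_rejects times in any window."""
    windows = defaultdict(deque)   # per-MAC timestamps inside the current window
    offenders = {}
    for ts, _nas, mac in sorted(parse_rejects(text)):
        q = windows[mac]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # drop entries that aged out
            q.popleft()
        if len(q) > max_rejects:
            offenders[mac] = max(offenders.get(mac, 0), len(q))
    return offenders

if __name__ == "__main__":
    for mac, peak in find_flooding_clients(SAMPLE_LOG).items():
        print(f"{mac}: {peak} rejects within 60 s")   # prints AA:BB:CC:00:00:02: 5 rejects within 60 s
```

Pointing this at the real radius.log (or piping it into a SIEM rule with the same window logic) gives the alert the thread asks for even though the AP itself cannot blacklist the client.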

Hi,

At this point in time, there is no option on the cnPilot AP to blacklist a client after it exceeds the maximum defined number of authentication failures.

We can try the option below if it is OK:

1. Do client MAC authentication with cnMaestro, i.e. no MAC auth using an external AAA server.

2. In cnMaestro, define the default action as Deny for the MAC Association ACL.

3. Add the list of MACs with the Allow/Permit action.

4. When a client MAC fails, the AP will keep this information in a cache for the next 1 hour.

5. When the same client connects back, the AP rejects the connection by looking at the local cache entry.

Thank you, Channareddy,

I started with the idea of using cnMaestro, but there are too many limits for what I need. For example, the max number of MACs is 254 and I cannot manage groups of MACs. So I'm trying a more scalable solution. I'm testing MAC addresses now, but I will need many more in the future.

This isn't good news because the RADIUS logs will end up filled with "dust" and will be quite illegible. And worse, it is a real problem for security, allowing a DoS.

By the way, in the cnMaestro logs I see this:

"E600-0A1B52","Client","OPERATIONS","Device (cnPilot e600)","58:C1:7A:XX:XX:XX","10.X.X.68","N/A","CLIENT_EVENT_BLOCKED"," - Events (connection and disconnection) are blocked for few Wi-Fi clients for 600 second as event rate is very high (51 events in 300 sec).","MINOR","2020-01-17 07:53:06"

But this didn't stop the client attempts and the NAS sending requests to RADIUS. This block for 600 seconds is not working.

Thank you!

The MAC DB on the AP is set to 256, but on cnMaestro this list scales to 10K.

By the way, in cnmaestro logs I see that:

"E600-0A1B52","Client","OPERATIONS","Device (cnPilot e600)","58:C1:7A:XX:XX:XX","10.X.X.68","N/A","CLIENT_EVENT_BLOCKED"," - Events (connection and disconnection) are blocked for few Wi-Fi clients for 600 second as event rate is very high (51 events in 300 sec).","MINOR","2020-01-17 07:53:06"

This is an event rate limit (no link to the client connection functionality on the AP); cnMaestro will ignore the client connection events coming from the AP.


Maybe I'm wrong. 

So I can have 10k records in cnMaestro and use them on a single Wi-Fi network?

I thought that what I set in cnMaestro is replicated locally to the AP, and the AP works within its limits: 256 MACs.

So, what happens if I set 10k in cnMaestro and connect the AP?

Is cnMaestro like a RADIUS server for the access points?

Thanks

On the WLAN we have the options below for the MAC Authentication policy:

Deny, Permit, Radius, cnMaestro.

When we select cnMaestro, the MAC DB will be maintained at cnMaestro but not on the AP. This means AP and cnMaestro connectivity always needs to be maintained.

You can have 10K entries in cnMaestro and this will act like a global DB that all APs can refer to. You can use it for a single Wi-Fi network.

When we choose the MAC authentication with cnMaestro option, cnMaestro will act like an AAA server for MAC validation.

This sounds good.

What about APs that lose connection with cnMaestro?

Are all new clients rejected or admitted?

For this feature, the APs' connection to cnMaestro is required.

When it is offline, none of the clients will be able to connect.


Thank you for the explanation.

These are the reasons why we need a local RADIUS server.