Cannot remove automatically added MAC address from the Blacklist?

  • Problem
  • Updated 10 months ago
  • Solved
I have a client that cannot join my wireless network and they appear to be on the Blacklist. I didn't put them there, and I cannot seem to remove them because they were "automatically added"? What would have automatically added them?

I am assuming that this was a false detection by RADAR? But how can I get them off this list if it's grayed out on me?

Steve Ballantyne

Posted 10 months ago

Ronald Dvorak, Ambassador

Hi Steve,

I've never seen that before but you could be right with RADAR.

Could you check the prevention settings? The only thing that would fit the issue is "Remove network access from clients originating DoS and password-cracking attacks". If it's enabled, then disable it and check again.

-Ron
Bin, Employee

Hi Steve

In-Service Scan Profiles support automatic blacklisting, which automatically removes network access from devices performing certain types of wireless attacks.

Best regards,
Bin
Steve Ballantyne

It appears that disabling the settings in your In-Service Scan Profile does *not* remove hosts that have been automatically added.

I noticed the entry disappeared from the list shortly after I cleared the active alarm in Extreme NMS (NetSight), but I don't think there is an interaction there. I think it just happened to time out and drop off on its own around the same time I cleared the alarm. Maybe an engineer can clarify?

Can I put in a product suggestion that there should be a way to clear hosts that are automatically added to the blacklist? I can see that there are going to be false detections with these attack signatures, and I don't want to tell our users that they have to wait it out. :-(
Gareth Mitchell, Extreme Escalation Support Engineer

Hi Steve

The report Radar > Blacklisted Clients gives some info on the start and end time of the blacklisting along with a reason. As far as I know there is no way to decrease or force the de-listing of a blacklisted client; that could be done as a feature request via your local SE.

What was the reason for the blacklisting? Do you have that info, as it probably should be investigated?

-Gareth

Steve Ballantyne

Hello Gareth, in this case it was for "surveillance" or "excessive null probes from client". I have seen false detections with this attack on other systems as well (Cisco wireless). My only guess is that it's a client that is misbehaving, possibly trying to join an AP that is too far away, or maybe it roamed and is failing to reconnect at the new AP?

In no case has it ever been an attack of any sort (at least in my experience), just a domain-joined laptop running Windows 7 which recently 'stopped working' without warning.

I found what you are referring to. Just to clarify, that is under Reports > Radar > Blacklisted Clients. I didn't think to look there. But now I can see that it does show when a client will leave this blacklist on its own. And that is good to know!

Looks like I have a new victim there currently that I have not heard from.