EWC ignore clients Deauth frames

  • 1
  • 3
  • Question
  • Updated 1 week ago
  • Answered
At several customers EWC installations i am wondering that some clients are reported as active (Reports - All Active clients) although i know they are definitive offline.

To debug this i have connect a recent Windows 7 client to a WPA2 802.1x SSID. After that i disconnect the SSID via Windows normally.

Remote wireshark trace on that AP shows me a vaild Deauth frame:



But EWC report this MAC as active till idle timer after 30 minutes cut the session ...

Why does EWC ignore this above Deauth Frame ?
EWC = 10.31.07

Anybody who observe this behaviour too ?
Photo of M.Nees

M.Nees, Embassador

  • 8,478 Points 5k badge 2x thumb

Posted 4 weeks ago

  • 1
  • 3
Photo of Michael Rinner

Michael Rinner

  • 72 Points

The same behaviour can be observed witht WPA2-PSK authentication. EWC: 9.21.19

Best regards


Michael


Photo of Craig Guilmette

Craig Guilmette, Employee

  • 2,008 Points 2k badge 2x thumb
The default session timer is 30 minutes. 
Photo of M.Nees

M.Nees, Embassador

  • 8,166 Points 5k badge 2x thumb
Why is idle timer relevant if the clients sending a valid De-Auth Frame ?

Normally the controller should terminate the session immediatelly after receiving this typ of frame.

But EWC ignore it ...
Photo of Umut Aydin

Umut Aydin, Escalation Support Engineer

  • 1,790 Points 1k badge 2x thumb
Hi all,

FYI

The de-auth packets removes the MU for the AP itself.
#cget muInfo wifi0/1

But it will remain in the client reports for the default idle timers.
After this time the MU get cleared in the Reports.

For more Info see please
https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-adjust-the-client-timers-on-the-Identi...

Regards

Umut
Photo of SH

SH

  • 1,566 Points 1k badge 2x thumb
Hello Umut.

what is the advantage of keeping the client session in the controller (caused by the idle timer (post)) if the client sends and an De-Auth?


A second question: is it correct in the mentioned KB "the user's session will end every 5 minutes, if it's idle or passing data traffic" that the session ends with data traffic, too. Or is here a "no" missing?

Or is the session timer like a reauth-timer?

Best regards
Stephan
(Edited)
Photo of Umut Aydin

Umut Aydin, Escalation Support Engineer

  • 1,790 Points 1k badge 2x thumb
Hi Stephan,

deauth frames cleared the session on the AP ( Hardware) but it doesn't get cleared on the Controller database. For example.. If you using 802.1x and you will be idle for period of time and will come back with your client the user doesn't need go through the whole authentication process because it's still known on the controller.( also Guest User  )


Regarding the "Session timer - or passing data traffic.

This timer is the time where a user are authorized  to talk / communicated.
If this time is passed you are not abel to communicate further. ( similar Guest User)
This means the User are only eligible for this period of time .
Therefore it set to " 0 " ( never exceed the timer - it's unlimited)

So the word " no" is not missing in the kb.

Yes you can see this also like a reauth-timer.

Regards

Umut Aydin
Photo of SH

SH

  • 1,566 Points 1k badge 2x thumb
Hello Umut,

thank you very much for clarification.

Best regards
Stephan
Photo of Erik Auerswald

Erik Auerswald, Embassador

  • 12,596 Points 10k badge 2x thumb
Would it be possible to add info to the report that the client sent a de-auth frame? E.g. add "de-auth frame received" in parenthesis? I'd say that would avoid some needless confusion when trying to decipher the report.

Thanks,
Erik
Photo of M.Nees

M.Nees, Embassador

  • 8,278 Points 5k badge 2x thumb
Adding some Flag into Client Report that MU is disassociated will be really helpful.
Photo of Umut Aydin

Umut Aydin, Escalation Support Engineer

  • 1,790 Points 1k badge 2x thumb
Hi all,

I will speak with Engineering about this and will raise a Feature Request if needed.

Regards

Umut Aydin
Photo of M.Nees

M.Nees, Embassador

  • 8,278 Points 5k badge 2x thumb
From my point of view this special, headstrong behaviour should changed to improve the product.
Especially the XMC and Control will benefit with better / more reliable visualizations of disconnected clients - currently we need 30 min (in default) to see if a client is disconnected.