Header Only - DO NOT REMOVE - Extreme Networks

EWC ignore clients Deauth frames


Userlevel 6
At several customers EWC installations i am wondering that some clients are reported as active (Reports - All Active clients) although i know they are definitive offline.

To debug this i have connect a recent Windows 7 client to a WPA2 802.1x SSID. After that i disconnect the SSID via Windows normally.

Remote wireshark trace on that AP shows me a vaild Deauth frame:



But EWC report this MAC as active till idle timer after 30 minutes cut the session ...

Why does EWC ignore this above Deauth Frame ?
EWC = 10.31.07

Anybody who observe this behaviour too ?

11 replies

The same behaviour can be observed witht WPA2-PSK authentication. EWC: 9.21.19

Best regards

Michael
Userlevel 5
The default session timer is 30 minutes.
Userlevel 6
Craig Guilmette wrote:

The default session timer is 30 minutes.

Why is idle timer relevant if the clients sending a valid De-Auth Frame ?

Normally the controller should terminate the session immediatelly after receiving this typ of frame.

But EWC ignore it ...
Userlevel 4
Hi all,

FYI

The de-auth packets removes the MU for the AP itself.
#cget muInfo wifi0/1

But it will remain in the client reports for the default idle timers.
After this time the MU get cleared in the Reports.

For more Info see please
https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-adjust-the-client-timers-on-the-Identi...

Regards

Umut
Userlevel 5
Umut Aydin wrote:

Hi all,

FYI

The de-auth packets removes the MU for the AP itself.
#cget muInfo wifi0/1

But it will remain in the client reports for the default idle timers.
After this time the MU get cleared in the Reports.

For more Info see please
https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-adjust-the-client-timers-on-the-Identi...

Regards

Umut

Hello Umut.

what is the advantage of keeping the client session in the controller (caused by the idle timer (post)) if the client sends and an De-Auth?

A second question: is it correct in the mentioned KB "the user's session will end every 5 minutes, if it's idle or passing data traffic" that the session ends with data traffic, too. Or is here a "no" missing?

Or is the session timer like a reauth-timer?

Best regards
Stephan
Userlevel 4
Umut Aydin wrote:

Hi all,

FYI

The de-auth packets removes the MU for the AP itself.
#cget muInfo wifi0/1

But it will remain in the client reports for the default idle timers.
After this time the MU get cleared in the Reports.

For more Info see please
https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-adjust-the-client-timers-on-the-Identi...

Regards

Umut

Hi Stephan,

deauth frames cleared the session on the AP ( Hardware) but it doesn't get cleared on the Controller database. For example.. If you using 802.1x and you will be idle for period of time and will come back with your client the user doesn't need go through the whole authentication process because it's still known on the controller.( also Guest User )

Regarding the "Session timer - or passing data traffic.

This timer is the time where a user are authorized to talk / communicated.
If this time is passed you are not abel to communicate further. ( similar Guest User)
This means the User are only eligible for this period of time .
Therefore it set to " 0 " ( never exceed the timer - it's unlimited)

So the word " no" is not missing in the kb.

Yes you can see this also like a reauth-timer.

Regards

Umut Aydin
Userlevel 5
Umut Aydin wrote:

Hi all,

FYI

The de-auth packets removes the MU for the AP itself.
#cget muInfo wifi0/1

But it will remain in the client reports for the default idle timers.
After this time the MU get cleared in the Reports.

For more Info see please
https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-adjust-the-client-timers-on-the-Identi...

Regards

Umut

Hello Umut,

thank you very much for clarification.

Best regards
Stephan
Userlevel 7
Umut Aydin wrote:

Hi all,

FYI

The de-auth packets removes the MU for the AP itself.
#cget muInfo wifi0/1

But it will remain in the client reports for the default idle timers.
After this time the MU get cleared in the Reports.

For more Info see please
https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-adjust-the-client-timers-on-the-Identi...

Regards

Umut

Would it be possible to add info to the report that the client sent a de-auth frame? E.g. add "de-auth frame received" in parenthesis? I'd say that would avoid some needless confusion when trying to decipher the report.

Thanks,
Erik
Userlevel 6
Umut Aydin wrote:

Hi all,

FYI

The de-auth packets removes the MU for the AP itself.
#cget muInfo wifi0/1

But it will remain in the client reports for the default idle timers.
After this time the MU get cleared in the Reports.

For more Info see please
https://gtacknowledge.extremenetworks.com/articles/Q_A/How-to-adjust-the-client-timers-on-the-Identi...

Regards

Umut

Adding some Flag into Client Report that MU is disassociated will be really helpful.
Userlevel 4
Hi all,

I will speak with Engineering about this and will raise a Feature Request if needed.

Regards

Umut Aydin
Userlevel 6
Umut Aydin wrote:

Hi all,

I will speak with Engineering about this and will raise a Feature Request if needed.

Regards

Umut Aydin

From my point of view this special, headstrong behaviour should changed to improve the product.
Especially the XMC and Control will benefit with better / more reliable visualizations of disconnected clients - currently we need 30 min (in default) to see if a client is disconnected.

Reply