topic RE: Radar detection of "WEP or WPA-PSK active encryption attack" in ExtremeWireless (Identifi)

Radar detection of "WEP or WPA-PSK active encryption attack"

hsachse — Wed, 24 Aug 2016 19:07:00 GMT

I have enabled the the in-service scan on one AP3825i access point to
test the Radar feature. Since I've enabled it at the morning the Radar reports "WEP or WPA-PSK active encryption attack" in the log.

Based on my knowledge this could be caused by excessive FCS errors and other reasons. I discovered the same behavior during severals other tests at different locations. For me it looks like a false positive. The Wireless Statistic Report of the access point shows a large FCS Error Count on Radio 1 (5 GHz):

Anyone else has the same alarms?

RE: Radar detection of "WEP or WPA-PSK active encryption attack"

Steve_Ballantyn — Wed, 24 Aug 2016 19:31:00 GMT

Hello Hartmut,

What version of Netsight are you using? I am running 7.0.4.29. When I look at this particular alarm in my console, it says "Cracking: Possible attack on WEP or WPA - Excessive frame receive errors". So it seems like it's an admission that it could be a lot of frame errors and not necessarily an attack.

I too get this alarm fairly often. Some sites more than others. I haven't yet investigated as to why. It might be an indication that the laptops wireless NIC's are lousy. Or that my coverage is lousy / congested.

RE: Radar detection of "WEP or WPA-PSK active encryption attack"

hsachse — Wed, 24 Aug 2016 19:31:00 GMT

Sorry i forgot this infos. The V2110 running latest 9.21.11. Same behavior with older 9.21.x releases. Netsight version ist 6.3.0.182.

I think the problem goes in the direction you mention, but its big coincidence to see this on every AP3825i i tried Radar. If i find the time i will do a wireless trace to check for CRC errors and retry count.

RE: Radar detection of "WEP or WPA-PSK active encryption attack"

Ronald_Dvorak — Thu, 25 Aug 2016 16:15:00 GMT

Is there any document/user manual available that describe the RADAR functionality in more detail.

The HiGuard manual was very good so I'd like to see something similar for RADAR - it's hard to sell a added feature without any technical knowledge about it.

I've found a document from 2014 v8.21 but I hope that there is something more current/accurate that also includes new APs.

Thx,
Ron

RE: Radar detection of "WEP or WPA-PSK active encryption attack"

Christina_M — Thu, 25 Aug 2016 16:15:00 GMT

Hi, Ronald! You can read about Wireless Radar for v9.21 here (see Chapter 16): http://documentation.extremenetworks.com/wireless/9.21/9034729-09_Wireless_User_Guide_v9.21.01.pdf

For the most recent release, here is the Radar chapter: http://documentation.extremenetworks.com/wireless/UG/Wireless/User_Guide/c_radar_overview.shtml

RE: Radar detection of "WEP or WPA-PSK active encryption attack"

Ronald_Dvorak — Thu, 25 Aug 2016 16:15:00 GMT

Thanks Christina,

I had a ticket (#01236555) open last week and a remote session with a GTAC engineer.

During the session I've asked the engineer to explain the part about collection engine configuration to me and even he got it wrong.

As I've mentioned in the ticket review the user manual is not clear/correct.

- missleading information about collection engine in HA mode
The manual indicate that you'd need only one / or could only have one BUT as soon as you enable collection engine in HA it's enabled on both of the pair, so it's not even possible to have only one CE in HA mode

- note "If an AP is part of a WDS/Mesh link, you cannot configure it to act as a scanner in Radar." = replace scanner with Guardian AP

I've stopped reading at that point as I don't want to confuse myself any further.
Would be great if someone could review the whole chapter.

Thanks,
Ron

RE: Radar detection of "WEP or WPA-PSK active encryption attack"

Christina_M — Thu, 25 Aug 2016 16:15:00 GMT

Thanks for your feedback. If you would, please submit this to the documentation team so the author can work with our engineers to fix the incorrect information in the documentation. It would also be good if the author can contact you directly, so please leave your email address in the feedback form.

From the http://documentation.extremenetworks.com/wireless/UG/Wireless/User_Guide/c_radar_overview.shtml page, please click the Feedback link on the right.

Thanks!

RE: Radar detection of "WEP or WPA-PSK active encryption attack"

hsachse — Thu, 25 Aug 2016 16:15:00 GMT

I think Ronald mean the old tech note for Radar feature introduced in version 8.21. This document include about the threats the WIDS/WIPS discover. In have one customer who asked for such an overview. Would be great if you include a updated version of this in the user guide.

RE: Radar detection of "WEP or WPA-PSK active encryption attack"

Ronald_Dvorak — Thu, 25 Aug 2016 16:15:00 GMT

Sorry Hartmut because I've hijacked the thread with my post.
You are right that is exactly the document I mean 🙂

@Extreme - I can't "sell" Radar to anyone without the information how it works.
The amount of "whitepapers" and othere technical material is VERY limited.

@Christina - Thanks but I think I've done enough - I've opened a GTAC ticket / I've wrote comments in the survey of the GTAC ticket and reported the issue here.

RE: Radar detection of "WEP or WPA-PSK active encryption attack"

Ryan_Mathews — Thu, 25 Aug 2016 16:15:00 GMT

Thanks for being vocal about this Ron.