This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Details to RADAR messages

Details to RADAR messages

Stephan
New Contributor II

‎02-25-2016 02:37 PM

Hi guys,

can somenone please explain what is meant in Radar Analysis Engine message when the shown MAC address is like this (FF:FF:FF:FF:FF:FF)??

Full message is:

Security threat [Denial of Service] detected by AP [DZAP017], SN
[XXXXXXXX85G0000].
Details: state [inactive], location [Bauteil D - 1. OG - Flur mitte], channel
[44], frequency [5220MHz], associated MAC [FF:FF:FF:FF:FF:FF], RSS [-78],
description [Invalid disconnect
code attack]


Security threat [Denial of Service] detected by AP [DZAP002], SN
[XXXXXXXXX85B0000].
Details: state [active], location [EDV - Systemgruppe], channel [44], frequency
[5220MHz], associated MAC [FF:FF:FF:FF:FF:FF], RSS [-77], description
[Authentication
frame flood attack]

Regards,
Stephan


3 REPLIES 3

Stephan
New Contributor II

‎02-26-2016 08:19 AM

Doug, thank you very much! Great work - as always.

Stephan
0 Kudos

Doug
Extreme Employee

‎02-25-2016 09:41 PM

Typically the all FF's Indicates that a wireless client is trying to inject these messages but purposely obfuscating it’s MAC address or this could be a client with a bad card driver, there’s not enough info to pin-point which client is the source.

You can work with GTAC by taking a trace of the air when the issue occurs, then providing that trace to GTAC for review.

Doug
Doug Hyde
Director, Technical Support / Extreme Networks
0 Kudos

Jeremy_Gibbs
Contributor

‎02-25-2016 05:40 PM

I also get lots of these.. IDK if they are true or not because I put a Cisco 3701-i AP in the area and it detected nothing of the sort.

0 Kudos
GTM-P2G8KFN