
EWC ignore clients Deauth frames

M_Nees
Contributor III
At several customers' EWC installations I am wondering why some clients are reported as active (Reports - All Active clients) although I know they are definitely offline.

To debug this I connected a recent Windows 7 client to a WPA2 802.1x SSID. After that I disconnected from the SSID via Windows normally.

A remote Wireshark trace on that AP shows me a valid Deauth frame:

[Image: Wireshark trace showing the Deauth frame]

But EWC reports this MAC as active until the idle timer cuts the session after 30 minutes ...

Why does EWC ignore the above Deauth frame?
EWC = 10.31.07

Has anybody else observed this behaviour too?

11 REPLIES

Would it be possible to add info to the report that the client sent a de-auth frame? E.g. add "de-auth frame received" in parenthesis? I'd say that would avoid some needless confusion when trying to decipher the report.

Thanks,
Erik

StephanH
Valued Contributor III
Hello Umut,

thank you very much for clarification.

Best regards
Stephan
Regards Stephan

Hi Stephan,

Deauth frames clear the session on the AP (hardware), but it doesn't get cleared in the controller database. For example, if you are using 802.1x and are idle for a period of time and then come back with your client, the user doesn't need to go through the whole authentication process because it's still known on the controller (also for guest users).

Regarding the "Session timer" - or passing data traffic:

This timer is the time during which a user is authorized to talk / communicate.
If this time has passed, you are not able to communicate further (similar for guest users).
This means the user is only eligible for this period of time.
Therefore it is set to "0" (never exceed the timer - it's unlimited).

So the word "no" is not missing in the KB.

Yes, you can also see this as something like a reauth timer.

Regards

Umut Aydin

StephanH
Valued Contributor III
Hello Umut,

What is the advantage of keeping the client session in the controller (caused by the idle timer (post)) if the client sends a De-Auth?

A second question: is it correct in the mentioned KB, "the user's session will end every 5 minutes, if it's idle or passing data traffic", that the session ends with data traffic, too? Or is a "no" missing here?

Or is the session timer like a reauth-timer?

Best regards
Stephan
Regards Stephan

Craig_Guilmette
Extreme Employee
The default session timer is 30 minutes.