This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

EWC ignore clients Deauth frames

EWC ignore clients Deauth frames

M_Nees
Contributor III

‎01-26-2018 06:14 AM

At several customers EWC installations i am wondering that some clients are reported as active (Reports - All Active clients) although i know they are definitive offline.

To debug this i have connect a recent Windows 7 client to a WPA2 802.1x SSID. After that i disconnect the SSID via Windows normally.

Remote wireshark trace on that AP shows me a vaild Deauth frame:

0d7bf5f15c834b00ad061f064f133b96_RackMultipart20180126-97961-5my6hv-1_inline.png



But EWC report this MAC as active till idle timer after 30 minutes cut the session ...

Why does EWC ignore this above Deauth Frame ?
EWC = 10.31.07

Anybody who observe this behaviour too ?

0 Kudos
11 REPLIES 11

Erik_Auerswald
Contributor II
In response to Umut_Aydin

‎02-01-2018 01:19 PM

Would it be possible to add info to the report that the client sent a de-auth frame? E.g. add "de-auth frame received" in parenthesis? I'd say that would avoid some needless confusion when trying to decipher the report.

Thanks,
Erik
0 Kudos

StephanH
Valued Contributor III
In response to Umut_Aydin

‎02-01-2018 01:19 PM

Hello Umut,

thank you very much for clarification.

Best regards
Stephan
Regards Stephan
0 Kudos

Umut_Aydin
Extreme Employee
In response to Umut_Aydin

‎02-01-2018 01:19 PM

Hi Stephan,

deauth frames cleared the session on the AP ( Hardware) but it doesn't get cleared on the Controller database. For example.. If you using 802.1x and you will be idle for period of time and will come back with your client the user doesn't need go through the whole authentication process because it's still known on the controller.( also Guest User )

Regarding the "Session timer - or passing data traffic.

This timer is the time where a user are authorized to talk / communicated.
If this time is passed you are not abel to communicate further. ( similar Guest User)
This means the User are only eligible for this period of time .
Therefore it set to " 0 " ( never exceed the timer - it's unlimited)

So the word " no" is not missing in the kb.

Yes you can see this also like a reauth-timer.

Regards

Umut Aydin

0 Kudos

StephanH
Valued Contributor III
In response to Umut_Aydin

‎02-01-2018 01:19 PM

Hello Umut.

what is the advantage of keeping the client session in the controller (caused by the idle timer (post)) if the client sends and an De-Auth?

A second question: is it correct in the mentioned KB "the user's session will end every 5 minutes, if it's idle or passing data traffic" that the session ends with data traffic, too. Or is here a "no" missing?

Or is the session timer like a reauth-timer?

Best regards
Stephan
Regards Stephan
0 Kudos

Craig_Guilmette
Extreme Employee

‎01-26-2018 11:46 AM

The default session timer is 30 minutes.
0 Kudos
GTM-P2G8KFN