cancel
Showing results for 
Search instead for 
Did you mean: 

Radar detection of "WEP or WPA-PSK active encryption attack"

Radar detection of "WEP or WPA-PSK active encryption attack"

hsachse
New Contributor III
I have enabled the the in-service scan on one AP3825i access point to
test the Radar feature. Since I've enabled it at the morning the Radar reports "WEP or WPA-PSK active encryption attack" in the log.

Based on my knowledge this could be caused by excessive FCS errors and other reasons. I discovered the same behavior during severals other tests at different locations. For me it looks like a false positive. The Wireless Statistic Report of the access point shows a large FCS Error Count on Radio 1 (5 GHz):

ecf47554415b4e69bc1aa5a728f15950_RackMultipart20160824-7496-1rmh0b7-FCS-Erros_inline.png



Anyone else has the same alarms?
9 REPLIES 9

Thanks for your feedback. If you would, please submit this to the documentation team so the author can work with our engineers to fix the incorrect information in the documentation. It would also be good if the author can contact you directly, so please leave your email address in the feedback form.

From the http://documentation.extremenetworks.com/wireless/UG/Wireless/User_Guide/c_radar_overview.shtml page, please click the Feedback link on the right.

bd8d944e339045d4bd01fea248566052_RackMultipart20160826-100750-uo5cz7-doc_feedback_inline.png



Thanks!

Thanks Christina,

I had a ticket (#01236555) open last week and a remote session with a GTAC engineer.

During the session I've asked the engineer to explain the part about collection engine configuration to me and even he got it wrong.

As I've mentioned in the ticket review the user manual is not clear/correct.

- missleading information about collection engine in HA mode
The manual indicate that you'd need only one / or could only have one BUT as soon as you enable collection engine in HA it's enabled on both of the pair, so it's not even possible to have only one CE in HA mode

- note "If an AP is part of a WDS/Mesh link, you cannot configure it to act as a scanner in Radar." = replace scanner with Guardian AP

I've stopped reading at that point as I don't want to confuse myself any further.
Would be great if someone could review the whole chapter.

Thanks,
Ron

Hi, Ronald! You can read about Wireless Radar for v9.21 here (see Chapter 16): http://documentation.extremenetworks.com/wireless/9.21/9034729-09_Wireless_User_Guide_v9.21.01.pdf

For the most recent release, here is the Radar chapter: http://documentation.extremenetworks.com/wireless/UG/Wireless/User_Guide/c_radar_overview.shtml

Steve_Ballantyn
Contributor
Hello Hartmut,

What version of Netsight are you using? I am running 7.0.4.29. When I look at this particular alarm in my console, it says "Cracking: Possible attack on WEP or WPA - Excessive frame receive errors". So it seems like it's an admission that it could be a lot of frame errors and not necessarily an attack.

I too get this alarm fairly often. Some sites more than others. I haven't yet investigated as to why. It might be an indication that the laptops wireless NIC's are lousy. Or that my coverage is lousy / congested.

Sorry i forgot this infos. The V2110 running latest 9.21.11. Same behavior with older 9.21.x releases. Netsight version ist 6.3.0.182.

I think the problem goes in the direction you mention, but its big coincidence to see this on every AP3825i i tried Radar. If i find the time i will do a wireless trace to check for CRC errors and retry count.

GTM-P2G8KFN