Dan
asked on
APs and RADIUS server constant loop is locking out domain accounts, and non-existent MACs
I have a network issue that I can't figure out.
Network Details:
Windows server 2012R2 DCs
Cisco switches
Sophos Firewall and APs
Problem:
I have multiple domain accounts that keep getting locked out; after I unlock them, they get locked out again.
I have run multiple applications to obtain IPs/MACs from my network (UVexplorer, Advanced IP Scanner, Wireshark, CMD prompt, etc.).
I ran Wireshark on my DC, which is my RADIUS server, and there are constant packets between my Sophos APs and my RADIUS server, with the username that is getting locked out and others.
What I have tried so far:
I have run multiple Wireshark traces and have looked at the Windows RADIUS logs and tried to correlate the two.
I have discovered that the packets are coming from a MAC address that belongs to a Sophos AP, but it's not a device on my network; none of my scans pick up the MAC address anywhere. It's only listed in the logs and in Wireshark.
As of yesterday, the same MAC has changed its first two characters. For example, until now the MAC was 7C-5A-1C-34-97-9D, which I did multiple scans for with multiple apps, and none of them picked up any device on my network with that MAC. Also as of yesterday, the MAC changed to 82-5A-1C-34-97-9D.
Then the second MAC that is in Wireshark and the logs is F8-59-71-A3-5A-57, which is from an Intel machine, but again, this MAC does not come up or show up anywhere on my network, only in the logs, but not in any of my scans.
I have called Sophos support and they are looking into the issue, but don't have an answer yet; they are just as puzzled as I am.
How can a MAC be referenced in a log and in Wireshark but not exist on my network? Where would it come from?
If anyone can point me in the right direction in solving this issue, I would be so grateful!
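The correlation the question describes (Wireshark trace on the DC against the RADIUS logs) is easier if you pull the RADIUS attributes out of the capture and group them, because for 802.1X over WLAN (RFC 3580) the Calling-Station-Id is the client's radio MAC and the Called-Station-Id is "<BSSID>:<SSID>" of the AP radio it associated to. Neither of those has to match anything a wired-side IP/MAC scan sees: the client MAC only exists on the air behind the AP, and a BSSID is a per-SSID virtual MAC, not the AP's Ethernet address. The script below is an added example, not code from the original thread or from Sophos. It assumes the capture was exported with tshark using Wireshark's RADIUS dictionary field names (`radius.User_Name`, `radius.Calling_Station_Id`, `radius.Called_Station_Id`), and the sample export, NAS IPs and timestamps are constructed; only the usernames' shape and the three MACs come from the thread.

```python
"""Correlate RADIUS Access-Requests captured on the DC/RADIUS server to find
which client is hammering an account and which AP radio it came through.

Added example, not from the original thread. Assumed export command:
  tshark -r dc.pcap -Y "radius.code == 1" -T fields -E separator=/t \
    -e frame.time_epoch -e ip.src -e radius.User_Name \
    -e radius.Calling_Station_Id -e radius.Called_Station_Id
"""
from collections import Counter, defaultdict
import re

# Constructed sample export (not real traffic). NAS IPs and timestamps are
# made up; the MACs are the ones discussed in the thread.
SAMPLE_EXPORT = """\
1700000000.10\t10.0.0.21\tCORP\\dan\tf8-59-71-a3-5a-57\t7C-5A-1C-34-97-9D:Staff-WiFi
1700000000.40\t10.0.0.21\tCORP\\dan\tf8-59-71-a3-5a-57\t7C-5A-1C-34-97-9D:Staff-WiFi
1700000001.00\t10.0.0.21\tCORP\\dan\tf8-59-71-a3-5a-57\t7C-5A-1C-34-97-9D:Staff-WiFi
1700000002.50\t10.0.0.21\tCORP\\dan\tf8-59-71-a3-5a-57\t7C-5A-1C-34-97-9D:Staff-WiFi
1700000005.00\t10.0.0.22\tCORP\\alice\t3c-97-0e-11-22-33\t7C-5A-1C-AA-BB-CC:Staff-WiFi
1700000010.00\t10.0.0.21\tCORP\\dan\tf8-59-71-a3-5a-57\t82-5A-1C-34-97-9D:Guest
1700000015.00\t10.0.0.21\tCORP\\dan\tf8-59-71-a3-5a-57\t82-5A-1C-34-97-9D:Guest
"""

# Six hex pairs separated by '-', ':' or nothing, then an optional ":SSID".
CALLED_RE = re.compile(r"^((?:[0-9A-Fa-f]{2}[-:]?){5}[0-9A-Fa-f]{2})(?::(.*))?$")


def normalize_mac(raw):
    """Return the address as lower-case colon-separated pairs."""
    h = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def split_called_station(raw):
    """Split a WLAN Called-Station-Id into (bssid, ssid)."""
    m = CALLED_RE.match(raw.strip())
    if not m:
        return None, raw.strip()
    return normalize_mac(m.group(1)), m.group(2) or ""


def parse_export(text):
    """Parse tab-separated tshark field output into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, nas_ip, user, calling, called = line.split("\t")
        bssid, ssid = split_called_station(called)
        records.append({"ts": float(ts), "nas_ip": nas_ip, "user": user,
                        "client_mac": normalize_mac(calling),
                        "bssid": bssid, "ssid": ssid})
    return records


def find_offenders(records, window=60.0, threshold=5):
    """Report (user, client MAC) pairs whose Access-Request count in any
    `window`-second span reaches `threshold` (set it to the domain's
    account-lockout threshold), with the NAS/BSSID/SSID they came through."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["user"], r["client_mac"])].append(r)
    offenders = []
    for (user, mac), rs in by_key.items():
        times = sorted(r["ts"] for r in rs)
        peak, start = 0, 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            aps = Counter((r["nas_ip"], r["bssid"], r["ssid"]) for r in rs)
            offenders.append({"user": user, "client_mac": mac,
                              "peak_in_window": peak, "aps": dict(aps)})
    return sorted(offenders, key=lambda o: -o["peak_in_window"])


if __name__ == "__main__":
    for o in find_offenders(parse_export(SAMPLE_EXPORT)):
        print(f"{o['user']} from {o['client_mac']}: "
              f"{o['peak_in_window']} Access-Requests in 60 s")
        for (nas_ip, bssid, ssid), n in o["aps"].items():
            print(f"  via NAS {nas_ip} BSSID {bssid} SSID {ssid!r}: {n}")
```

The NAS IP is the AP's wired address, so it (rather than the BSSID) is what to match against the switch's MAC table or the Sophos AP inventory to know which AP to walk to; the Calling-Station-Id is what to hand to whoever goes looking for the laptop.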
SOLUTION
[solution text available to members only]
Look up the vendor from the MAC address to get an idea of what kind of device it is.
ASKER CERTIFIED SOLUTION
[solution text available to members only]
ASKER
Got it, that makes sense. So how would you go about identifying the computer that is trying to authenticate (brute force)?
I used Wireshark on my DC and couldn't find anything.
One of the MACs does not exist in the online MAC address vendor lookup. The other two are Intel.
An Intel MAC is probably a laptop. You should use another vendor lookup tool for that third MAC you can't identify; I have found that not all of the free online tools cover all vendors.
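Before trying another lookup tool, it is worth reading the first octet of the address, because it decides whether any OUI lookup can succeed: bit 1 of the first octet (second hex digit 2, 6, A or E) marks a locally administered address, which by definition is not in the IEEE registry. 82-5A-1C-34-97-9D has that bit set (0x82 = 1000 0010), so no vendor database will return it; 7C and F8 do not. The script below is an added example, not code from the thread, that does this classification and also checks whether two addresses differ only in the first octet, which is how per-SSID virtual BSSIDs are commonly derived from a radio's base MAC. The OUI table is a constructed stub holding only the two prefixes as the question attributes them (Sophos AP, Intel machine); for real work load the IEEE registry file.

```python
"""Classify a MAC address by its flag bits and OUI.

Added example, not from the original thread. OUI_TABLE is a constructed
stub; a real lookup loads https://standards-oui.ieee.org/oui/oui.txt.
"""
import re

OUI_TABLE = {
    "7c:5a:1c": "Sophos Ltd",       # as the question attributes it (Sophos AP)
    "f8:59:71": "Intel Corporate",  # as the question attributes it (Intel NIC)
}


def normalize_mac(raw):
    """Return the address as lower-case colon-separated pairs."""
    h = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def classify_mac(raw, table=OUI_TABLE):
    """Return OUI, the I/G and U/L flag bits, vendor (if known) and a note."""
    mac = normalize_mac(raw)
    first_octet = int(mac[:2], 16)
    info = {
        "mac": mac,
        "oui": mac[:8],
        # bit 0 (I/G): 1 = group/multicast address, never a single station
        "multicast": bool(first_octet & 0x01),
        # bit 1 (U/L): 1 = locally administered, not an IEEE-assigned block
        "locally_administered": bool(first_octet & 0x02),
        "vendor": table.get(mac[:8]),
    }
    if info["locally_administered"]:
        info["note"] = ("locally administered: a virtual BSSID, a randomized client "
                        "MAC or a software-set address; no OUI lookup will match")
    elif info["vendor"] is None:
        info["note"] = "universal address, OUI missing from this table; try the full IEEE registry"
    else:
        info["note"] = "universal address, vendor-assigned"
    return info


def shares_base_address(a, b):
    """True when two addresses differ only in the first octet, which suggests
    the same AP radio (base MAC plus per-SSID BSSID variant) rather than a
    second device."""
    return normalize_mac(a)[3:] == normalize_mac(b)[3:]


if __name__ == "__main__":
    for m in ("7C-5A-1C-34-97-9D", "82-5A-1C-34-97-9D", "F8-59-71-A3-5A-57"):
        c = classify_mac(m)
        print(f"{c['mac']} oui={c['oui']} vendor={c['vendor']} "
              f"local={c['locally_administered']} mcast={c['multicast']}: {c['note']}")
    print("same radio base?",
          shares_base_address("7C-5A-1C-34-97-9D", "82-5A-1C-34-97-9D"))
```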
ASKER
I have worked with Sophos Support, and they identified which AP the MAC was trying to authenticate to, so I had my coworker walk around and he found the computer that was trying to authenticate.