AC-68U: DHCP Lease for Unautheticated Wireless Clients?

[Bosus]

Hi all- first post.

I have two AC-68U routers running ASUS-Merlin 384.9 firmware. One router is in router mode, the other is in repeater mode.

WPA2 authentication is on, webgui disabled on the WAN side, upnp and wps are disabled according to the webgui. No other holes poked in the firewall for VPN, ssh, etc.

I'm seeing DHCP leases for several devices I don't recognize, and corresponding WLCEVENTD assoc events for their MAC addresses. I can't tell if the devices are authenticating and they don't show up on the network map.

Questions:
1. Does DHCP lease IP addresses on wireless assoc, prior to wireless authentication? IOW, is this just neighborhood devices trying to see if my network is open?
2. What's the best way to log wireless authentication history and network activity for a particular mac address?

Thank you all!

 

[EmeraldDeer]

Note: Disregard if JFFS not enabled

Not aware of an easy way to hook a script into logging wireless or authentication events, but there is an easy way to log DHCP events.

/jffs/scripts/dnsmasq.postconf

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "dhcp-option=dnsf5" $CONFIG
pc_delete "dhcp-option=dnsf6" $CONFIG
pc_append "dhcp-script=/jffs/scripts/log-dhcp.sh" $CONFIG
pc_append "neg-ttl=3600" $CONFIG
pc_delete "no-negcache" $CONFIG
pc_delete "servers-file=/tmp/resolv.dnsmasq" $CONFIG
#

/jffs/scripts/log-dhcp.sh

#!/bin/sh
myscriptname=$(/usr/bin/basename $0)
/usr/bin/logger -t ${myscriptname} -p local6.info "Action $1, MAC $2, IP_address $3, Hostname $4"

 

[ColinTaylor]

I'm seeing DHCP leases for several devices I don't recognize, and corresponding WLCEVENTD assoc events for their MAC addresses. I can't tell if the devices are authenticating and they don't show up on the network map.

Try logging to the the router and repeater and looking at System Log > Wireless Log.

 

[Bosus]

Try logging to the the router and repeater and looking at System Log > Wireless Log.

I'm looking at the Wireless log in the webgui and it appears to only show current connections, not prior ones. I can see WLCEVENTD assoc events in the System Log, but am not sure how to see who has actually authenticated.

What I see from the unknown clients is WLCEVENTD assoc events, followed by DHCP lease request/renewal, followed by WLCEVENTD disassoc . Here's an example:

Mar 12 17:28:39 WLCEVENTD: eth1: Assoc B8:C1:11:21:6B:CB
Mar 12 17:28:40 dnsmasq-dhcp[214]: DHCPREQUEST(br0) 192.168.1.155 b8:c1:11:21:6b:cb
Mar 12 17:28:40 dnsmasq-dhcp[214]: DHCPACK(br0) 192.168.1.155 b8:c1:11:21:6b:cb Williams-iPhone
Mar 12 17:31:16 WLCEVENTD: eth1: Disassoc B8:C1:11:21:6B:CB

Is the router leasing an IP address to any device that connects, prior to WPA authentication?

 

[OzarkEdge]

Is the router leasing an IP address to any device that connects, prior to WPA authentication?

I don't think so. See this post.

OE

 

[ColinTaylor]

I'm looking at the Wireless log in the webgui and it appears to only show current connections, not prior ones. I can see WLCEVENTD assoc events in the System Log, but am not sure how to see who has actually authenticated.

What I see from the unknown clients is WLCEVENTD assoc events, followed by DHCP lease request/renewal, followed by WLCEVENTD disassoc . Here's an example:

Mar 12 17:28:39 WLCEVENTD: eth1: Assoc B8:C1:11:21:6B:CB
Mar 12 17:28:40 dnsmasq-dhcp[214]: DHCPREQUEST(br0) 192.168.1.155 b8:c1:11:21:6b:cb
Mar 12 17:28:40 dnsmasq-dhcp[214]: DHCPACK(br0) 192.168.1.155 b8:c1:11:21:6b:cb Williams-iPhone
Mar 12 17:31:16 WLCEVENTD: eth1: Disassoc B8:C1:11:21:6B:CB

Is the router leasing an IP address to any device that connects, prior to WPA authentication?

I'm not sure what you're trying to demonstrate here. Presumably this isn't an example of an "unknown client" as it is clearly "Williams-iPhone".

 

[Bosus]

I'm not sure what you're trying to demonstrate here. Presumably this isn't an example of an "unknown client" as it is clearly "Williams-iPhone".

... But I don't know who Williams-iPhone is. I see a device associating, getting/renewing a dhcp lease, and disconnecting.

I'm trying to determine if devices like this are authenticating with the router, or connecting to the network through some other wireless device. Also trying to see if they're doing anything on the network.

 

[ColinTaylor]

... But I don't know who Williams-iPhone is. I see a device associating, getting/renewing a dhcp lease, and disconnecting.

I'm trying to determine if devices like this are authenticating with the router, or connecting to the network through some other wireless device. Also trying to see if they're doing anything on the network.

The fact that it's getting a DHCP address means that it has successfully connected to your network. Where was that log from, the router or the repeater? The device in question was connecting to its primary 2.4GHz SSID.

 

[Bosus]

The fact that it's getting a DHCP address means that it has successfully connected to your network. Where was that log from, the router or the repeater? The device in question was connecting to its primary 2.4GHz SSID.

Yeah, that's what I was afraid of. That log was from the router. I've changed my SSID and WPA2 password and will see what happens next. Thanks, all.

 

[ColinTaylor]

I've changed my SSID and WPA2 password and will see what happens next.

That was my next suggestion . Who knew the old password? Do you have any children with a friend called William?

 

[Bosus]

That was my next suggestion . Who knew the old password? Do you have any children with a friend called William?

We provide our kids' babysitters with wifi access, so that's definitely a possibility.

 

[ColinTaylor]

We provide our kids' babysitters with wifi access, so that's definitely a possibility.

Yeah, and just because it says "Williams-iPhone" doesn't necessarily mean its current user is called William.