What's new
  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

AC-68U: DHCP Lease for Unautheticated Wireless Clients?

Bosus

New Around Here
Hi all- first post.

I have two AC-68U routers running ASUS-Merlin 384.9 firmware. One router is in router mode, the other is in repeater mode.

WPA2 authentication is on, webgui disabled on the WAN side, upnp and wps are disabled according to the webgui. No other holes poked in the firewall for VPN, ssh, etc.

I'm seeing DHCP leases for several devices I don't recognize, and corresponding WLCEVENTD assoc events for their MAC addresses. I can't tell if the devices are authenticating and they don't show up on the network map.

Questions:
1. Does DHCP lease IP addresses on wireless assoc, prior to wireless authentication? IOW, is this just neighborhood devices trying to see if my network is open?
2. What's the best way to log wireless authentication history and network activity for a particular mac address?

Thank you all!
 
Note: Disregard if JFFS not enabled

Not aware of an easy way to hook a script into logging wireless or authentication events, but there is an easy way to log DHCP events.

/jffs/scripts/dnsmasq.postconf
Code:
#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_delete "dhcp-option=dnsf5" $CONFIG
pc_delete "dhcp-option=dnsf6" $CONFIG
pc_append "dhcp-script=/jffs/scripts/log-dhcp.sh" $CONFIG
pc_append "neg-ttl=3600" $CONFIG
pc_delete "no-negcache" $CONFIG
pc_delete "servers-file=/tmp/resolv.dnsmasq" $CONFIG
#
/jffs/scripts/log-dhcp.sh
Code:
#!/bin/sh
myscriptname=$(/usr/bin/basename $0)
/usr/bin/logger -t ${myscriptname} -p local6.info "Action $1, MAC $2, IP_address $3, Hostname $4"
 
Last edited:
I'm seeing DHCP leases for several devices I don't recognize, and corresponding WLCEVENTD assoc events for their MAC addresses. I can't tell if the devices are authenticating and they don't show up on the network map.
Try logging to the the router and repeater and looking at System Log > Wireless Log.
 
Try logging to the the router and repeater and looking at System Log > Wireless Log.

I'm looking at the Wireless log in the webgui and it appears to only show current connections, not prior ones. I can see WLCEVENTD assoc events in the System Log, but am not sure how to see who has actually authenticated.

What I see from the unknown clients is WLCEVENTD assoc events, followed by DHCP lease request/renewal, followed by WLCEVENTD disassoc . Here's an example:

Mar 12 17:28:39 WLCEVENTD: eth1: Assoc B8:C1:11:21:6B:CB
Mar 12 17:28:40 dnsmasq-dhcp[214]: DHCPREQUEST(br0) 192.168.1.155 b8:c1:11:21:6b:cb
Mar 12 17:28:40 dnsmasq-dhcp[214]: DHCPACK(br0) 192.168.1.155 b8:c1:11:21:6b:cb Williams-iPhone
Mar 12 17:31:16 WLCEVENTD: eth1: Disassoc B8:C1:11:21:6B:CB

Is the router leasing an IP address to any device that connects, prior to WPA authentication?
 
I'm looking at the Wireless log in the webgui and it appears to only show current connections, not prior ones. I can see WLCEVENTD assoc events in the System Log, but am not sure how to see who has actually authenticated.

What I see from the unknown clients is WLCEVENTD assoc events, followed by DHCP lease request/renewal, followed by WLCEVENTD disassoc . Here's an example:

Mar 12 17:28:39 WLCEVENTD: eth1: Assoc B8:C1:11:21:6B:CB
Mar 12 17:28:40 dnsmasq-dhcp[214]: DHCPREQUEST(br0) 192.168.1.155 b8:c1:11:21:6b:cb
Mar 12 17:28:40 dnsmasq-dhcp[214]: DHCPACK(br0) 192.168.1.155 b8:c1:11:21:6b:cb Williams-iPhone
Mar 12 17:31:16 WLCEVENTD: eth1: Disassoc B8:C1:11:21:6B:CB

Is the router leasing an IP address to any device that connects, prior to WPA authentication?
I'm not sure what you're trying to demonstrate here. Presumably this isn't an example of an "unknown client" as it is clearly "Williams-iPhone".:confused:
 
I'm not sure what you're trying to demonstrate here. Presumably this isn't an example of an "unknown client" as it is clearly "Williams-iPhone".:confused:

... But I don't know who Williams-iPhone is. :-) I see a device associating, getting/renewing a dhcp lease, and disconnecting.

I'm trying to determine if devices like this are authenticating with the router, or connecting to the network through some other wireless device. Also trying to see if they're doing anything on the network.
 
... But I don't know who Williams-iPhone is. :) I see a device associating, getting/renewing a dhcp lease, and disconnecting.

I'm trying to determine if devices like this are authenticating with the router, or connecting to the network through some other wireless device. Also trying to see if they're doing anything on the network.
The fact that it's getting a DHCP address means that it has successfully connected to your network. Where was that log from, the router or the repeater? The device in question was connecting to its primary 2.4GHz SSID.
 
The fact that it's getting a DHCP address means that it has successfully connected to your network. Where was that log from, the router or the repeater? The device in question was connecting to its primary 2.4GHz SSID.
Yeah, that's what I was afraid of. That log was from the router. I've changed my SSID and WPA2 password and will see what happens next. Thanks, all.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Back
Top