We are seeing some issues on our APs where we have a lot of deauths. Performance on these is really bad and we see pings up to 5000ms. It seems like every time we have deauths in the log, the APs’ performance degrades dramatically. Is there any way around this?
If you’ve got customers with poor connections, the AP has to spend more time trying to exchange packets with those customers, to the exclusion of better connections. That drops the throughput pretty rapidly.
We know our customers’ MAC addresses because we provide the equipment, and this is not any of ours. Also the behavior: we have tried to change MAC address, hide SSID, change channels... They just keep hammering. Is there any way to make the radio ignore the deauth packets?
My guess would be that you’ve got non-customers who haven’t configured their computers to attach to a specific SSID, so they’re trying to attach to the strongest signal they hear, which is you. There aren’t many ways to fix that, if the owners of those computers won’t fix their config.
You could always add their MAC to your connection table, but firewall/drop the traffic from it. I ended up doing something like that once to deal with a business near our NOC that didn’t want to configure their laptops to only connect to their own local APs. It stopped the thrashing on our AP and they eventually started configuring their laptops correctly just to get them working again.
I tried that with no effect. Put them in ACL with no encryption etc. with no result. Also the rate (several per second) isn’t normal for any kind of client trying to connect.
When you allow them to connect, what kind of signal strengths do you get from them? I don’t see that many unique MACs in your posting so this appears to be just a small number of stations running unconfigured. If they connect, what’s the reason given for their disconnection?
That’s the funny part and what leads me to believe it’s a DoS attack: they do not connect at all, just keep hammering. I think it’s maybe a WEP brute force. This is an 80-meter-high location with 4 sectors and I see the same on another sector. All sectors run multiple SSIDs and the attacks are on specific SSIDs.