WiFi deauthentication issue


I would like to find the root of the WiFi issue we've got in our working environment.

A few words about the WiFi infrastructure

We are now using an Apple solution: three brand-new access points from Apple connected into one roaming wireless network with one common ESSID. Two access points are within the range of the main access point, and there are around 30+ users. The reason for using three access points is low signal strength in different corners of our big office.

Issue

A few times per day we get an issue. The issue is:

  1. Loss of internet and connection to internal servers
  2. Huge round-trip time for ping and losses
  3. Perfect WiFi strength and no losses of WiFi connectivity

Find-outs

During the issue I tried to log the WiFi traffic using airodump-ng. Now I have some data to draw conclusions from; unfortunately, I do not have a lot of experience with such conclusions, so I would like to ask for some help.

During the period of 25 minutes we got:

  1. 264 deauthentications
  2. A lot of retransmissions (125) out of 264 deauthentications (in total 257 000 frames were captured, 18 000 are retransmissions)
  3. Usually deauthentication happens with the reason "Reason code: Class 3 frame received from nonassociated STA (0x0007)"
  4. The reason code looks strange because I see in the log that the user was communicating with the STA and had no problems; the deauthentication frame appears right after, spontaneously. Then it gets retransmitted up to 25 times
  5. Approx. frame rate is 167fps
  6. During normal activity even if people still have internet, I see lots of retransmissions

P.S.

Maybe it is necessary to do something else? Is it enough to say that it is a deauthentication attack? Would it make sense to switch to a managed Cisco WiFi network with WPA2-Corporate (now WPA2-PSK)? Can 802.11n help?

Additional Info

  1. The infrastructure: two AirPort Expresses 2013 and one Airport Extreme 2013 in between as main roaming AP
  2. DHCP is from the Windows Server, no NAT and DHCP on the AirPorts (simple Bridge mode)
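
The figures listed in the question (deauthentication count, reason codes, retry-flagged copies of one frame) can be tallied from a capture with a short parser. This is an added example, not part of the original post; it assumes raw 802.11 MAC frames with any radiotap header already stripped, and the function names and sample frames are constructed for illustration.

```python
import struct
from collections import Counter

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Parse an 802.11 MAC frame; return None unless it is a deauthentication."""
    if len(frame) < 26:          # 24-byte management header + 2-byte reason code
        return None
    fc0, flags = frame[0], frame[1]
    # protocol version 0, type 0 (management), subtype 12 (deauthentication)
    if fc0 & 0x03 or (fc0 >> 2) & 0x03 or (fc0 >> 4) != 12:
        return None
    seq_ctrl, reason = struct.unpack_from("<HH", frame, 22)
    sa, bssid = frame[10:16], frame[16:22]
    # from_ap only means the frame *claims* the AP as sender: without
    # 802.11w management frame protection this address is unauthenticated.
    return {"da": mac(frame[4:10]), "sa": mac(sa), "bssid": mac(bssid),
            "from_ap": sa == bssid, "retry": bool(flags & 0x08),
            "seq": seq_ctrl >> 4, "reason": reason}

def summarize(frames):
    """Tally deauths by reason code, retry bit, sender role and repeat count."""
    deauths = [d for d in map(parse_deauth, frames) if d]
    copies = Counter((d["sa"], d["da"], d["seq"]) for d in deauths)
    return {"deauths": len(deauths),
            "retries": sum(d["retry"] for d in deauths),
            "by_reason": dict(Counter(d["reason"] for d in deauths)),
            "from_ap": sum(d["from_ap"] for d in deauths),
            "max_copies": max(copies.values(), default=0)}

def build(da, sa, bssid, seq, reason, retry=False, subtype=12):
    """Construct a sample management frame (test data only)."""
    fc = bytes([subtype << 4, 0x08 if retry else 0x00])
    return fc + b"\x00\x00" + da + sa + bssid + struct.pack("<HH", seq << 4, reason)

# Constructed sample: addresses and sequence numbers are made up.
AP = bytes.fromhex("020000000001")
STA1 = bytes.fromhex("020000000011")
STA2 = bytes.fromhex("020000000012")
SAMPLE = (
    [build(STA1, AP, AP, 100, 7)]                                  # reason 0x0007
    + [build(STA1, AP, AP, 100, 7, retry=True) for _ in range(3)]  # same frame, retried
    + [build(AP, STA2, AP, 55, 3)]                                 # client says it is leaving
    + [build(STA1, AP, AP, 101, 0, subtype=8)]                     # beacon subtype, ignored
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A high `max_copies` with the retry bit set points at one frame being retransmitted because it was never acknowledged, which is a different pattern from many distinct deauthentication frames with new sequence numbers.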

Best Answer

I'd suggest you investigate your wireless misbehaviour at 2 levels:

1. Access points

Activate the syslog function on all your APs, directed toward a dedicated syslog server within your network. Beware: access to this function was removed in version 6 of AirPort Utility (see "AirPort Utility 6.0 missing a number of features").

2. Environment

Install iStumbler or any equivalent tool on a portable and secured Mac to make a serious environment survey at 2 levels.

  • A first one when you don't see any misbehaviour, which you'll keep as a reference of your basic environment. This survey will have to cover all your office and most notably all your wireless coverage. Keep in mind that this wireless coverage is a huge 3-dimensional potato. Don't hesitate to investigate the border, where interference may be a nightmare and not detected from the central point of view of the AP.
  • A second one when you encounter a misbehaviour of your network.

Once you are equipped with these 2 tools, familiarize yourself with them.

Within a few hours you will be able to unravel radio interference problems, 802.11n misbehaviour, AP misbehaviour, DHCP problem, ARP problem, IP problem, 802.11n attack, ARP attack, IP attack…
