ROGUE: DHCP service drops network.
-
You should be able to find this rogue device if you have a managed switch (or just a slightly smart one with an interface). Look for which port has the MAC of the Linksys on it.
-
If you want a paid option, look at OpUtils for rogue device detection and inventory of your network from your managed switches.
http://www.manageengine.com/products/oputils/features.html
-
You could fix this with network-level authentication - but I'm sure it's not worth the expense or issues.
-
I had one of these pop up at a client a month or so ago. Whoever configured the switches didn't leave their login info, so I wasn't able to use the management. Ended up super-sleuthing and found it by using a "sniffer" that basically just polled the strength of the AP. Old school.
-
@Dashrender said:
You could fix this with network-level authentication - but I'm sure it's not worth the expense or issues.
I was thinking that RADIUS was an option. Or do I have that wrong?
-
DHCP doesn't use RADIUS, or vice versa. I know there is the possibility of some type of tie-together... but not normally for general networks.
-
@ajstringham said:
@Hubtech said:
@g.jacobse said:
This morning's fun escapade was that half the network was down for some reason. Won't recount most of it, but it boils down to a Linksys WRX54 device was sending out DHCP in the 192.168 arena. Our network is configured to 10.0, so the change in IP was throwing people into oblivion when trying to get to servers or the internet. Others were 'ok' for most things.
Searched around the office for the offending device (person) but wasn't able to locate it. I had a PC that was pulling DHCP from it, which is how I knew what type of device it was. Using a browser I attempted to log in... but failed.
It took about 20 minutes of cycling USERIDs and passwords to come upon the default USERID (blank) and password. I was in and could take it down.
I don't know where it is... but I've turned off DHCP, the wireless and changed the Admin Password. There were no listed DHCP leases.
It's been a fun morning.
Question: Is there some way to prevent this from occurring?
Don't use DHCP.
DHCP is standard in an environment. No real good way to avoid using it unless you want to manage static IPs for every device and workstation. That's way more hassle than it's worth.
**It's likely someone plugged in the device** thinking it was a switch, or to bypass the company wifi, or to just get a wifi signal for their phone where they can't normally get one.
Oops - I may have left that out. That is what I suspect - I have an EdgeMAX Lite running DHCP currently. This just popped up out of nowhere.
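The failure described in the post above, a second DHCP server answering on the segment with addresses from the wrong range, is exactly what a detector on the wire looks for. The Python below is an added example, not code from this thread or from any product mentioned in it: it decodes a raw Ethernet/IPv4/UDP/BOOTP frame, pulls the DHCP message type, server identifier (option 54) and offered address out of the options, and flags any OFFER whose server is not on an allowlist or whose offered address falls outside the expected range. The trusted server 10.0.0.1, the 10.0.0.0/8 range, the MAC addresses and the frames themselves are constructed for the example; a real deployment would feed it frames from a raw socket or a pcap taken on the affected segment.

```python
"""Flag rogue DHCP OFFERs in raw Ethernet frames. Stdlib only; added example."""
import ipaddress
import struct

# Assumed values for this example: the one legitimate DHCP server and the
# address space it is expected to hand out.
TRUSTED_SERVERS = {"10.0.0.1"}
EXPECTED_SUBNET = ipaddress.ip_network("10.0.0.0/8")

DHCP_OFFER = 2
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 cookie that starts the option field


def parse_dhcp_frame(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP/BOOTP and return the fields a rogue check needs."""
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = 14
    ihl = (frame[ip] & 0x0F) * 4
    if frame[ip + 9] != 17:
        raise ValueError("not UDP")
    src_ip = str(ipaddress.IPv4Address(frame[ip + 12:ip + 16]))
    udp = ip + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if (sport, dport) != (67, 68):
        raise ValueError("not server-to-client DHCP")
    bootp = frame[udp + 8:]
    yiaddr = str(ipaddress.IPv4Address(bootp[16:20]))  # address offered to the client
    if bootp[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = 240
    while i < len(bootp) and bootp[i] != OPT_END:  # TLV walk, pads are one byte
        if bootp[i] == OPT_PAD:
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        options[code] = bootp[i + 2:i + 2 + length]
        i += 2 + length
    server_id = src_ip  # fall back to the IP source if option 54 is absent
    if OPT_SERVER_ID in options:
        server_id = str(ipaddress.IPv4Address(options[OPT_SERVER_ID]))
    msg_type = options[OPT_MSG_TYPE][0] if OPT_MSG_TYPE in options else 0
    return {"src_mac": src_mac, "src_ip": src_ip, "yiaddr": yiaddr,
            "server_id": server_id, "msg_type": msg_type}


def classify_offer(frame: bytes) -> list:
    """Return the reasons an OFFER looks rogue; an empty list means it passed."""
    info = parse_dhcp_frame(frame)
    reasons = []
    if info["msg_type"] != DHCP_OFFER:
        return reasons
    if info["server_id"] not in TRUSTED_SERVERS:
        reasons.append(f"untrusted server {info['server_id']} at MAC {info['src_mac']}")
    if ipaddress.ip_address(info["yiaddr"]) not in EXPECTED_SUBNET:
        reasons.append(f"offered {info['yiaddr']} outside {EXPECTED_SUBNET}")
    return reasons


def build_offer(server_mac: bytes, server_ip: str, offered_ip: str) -> bytes:
    """Construct a minimal OFFER frame as sample input (not a capture; checksums left zero)."""
    options = (bytes([OPT_MSG_TYPE, 1, DHCP_OFFER, OPT_SERVER_ID, 4])
               + ipaddress.IPv4Address(server_ip).packed + bytes([OPT_END]))
    bootp = (bytes([2, 1, 6, 0]) + b"\x00" * 12          # op, htype, hlen, hops, xid, secs, flags, ciaddr
             + ipaddress.IPv4Address(offered_ip).packed  # yiaddr
             + b"\x00" * 216 + MAGIC_COOKIE + options)   # siaddr, giaddr, chaddr, sname, file
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(server_ip).packed, b"\xff\xff\xff\xff")
    return b"\xff" * 6 + server_mac + b"\x08\x00" + ip_hdr + udp


if __name__ == "__main__":
    # Constructed frames: a rogue 192.168.x server and the expected 10.0.0.1 server.
    rogue = build_offer(bytes.fromhex("001a2b3c4d5e"), "192.168.1.1", "192.168.1.100")
    legit = build_offer(bytes.fromhex("000c29aabbcc"), "10.0.0.1", "10.0.5.20")
    for name, frame in (("legit", legit), ("rogue", rogue)):
        print(name, classify_offer(frame) or "ok")
```

One caveat for anyone running this passively: a server sends the OFFER unicast to the client's MAC unless the client set the broadcast flag, so a sniffer on an ordinary access port mostly sees offers addressed to itself. The reliable way to find a rogue is to send a DISCOVER from the monitoring host and inspect every OFFER that comes back, which is also how the original poster noticed it (a PC that took a 192.168 lease).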
-
@g.jacobse said:
@ajstringham said:
**It's likely someone plugged in the device** thinking it was a switch, or to bypass the company wifi, or to just get a wifi signal for their phone where they can't normally get one.
Oops - I may have left that out. That is what I suspect - I have an EdgeMAX Lite running DHCP currently. This just popped up out of nowhere.
Yeah, most of us have had this happen to us at one point or another.
-
@Hubtech said:
I had one of these pop up at a client a month or so ago. Whoever configured the switches didn't leave their login info, so I wasn't able to use the management. Ended up super-sleuthing and found it by using a "sniffer" that basically just polled the strength of the AP. Old school.
I would do this. Turn the wifi back on and sniff the signal.
-
@JaredBusch said:
@Hubtech said:
I had one of these pop up at a client a month or so ago. Whoever configured the switches didn't leave their login info, so I wasn't able to use the management. Ended up super-sleuthing and found it by using a "sniffer" that basically just polled the strength of the AP. Old school.
I would do this. Turn the wifi back on and sniff the signal.
Smells like rogue wifi to me!
-
@JaredBusch said:
@Hubtech said:
I had one of these pop up at a client a month or so ago. Whoever configured the switches didn't leave their login info, so I wasn't able to use the management. Ended up super-sleuthing and found it by using a "sniffer" that basically just polled the strength of the AP. Old school.
I would do this. Turn the wifi back on and sniff the signal.
Since it looks like I'll be here half the weekend, I may do this. Of course, that is if I can reach it... I'm about to dig out an unused box to see if I can still reach it and go from there. My hope is that someone will figure out they aren't getting what they used to and call someone and ask - or call me about it. That would be nice and 'fast'.
Otherwise it'll have to be sniffed. Which I don't really have gear for... If I can find my Kindle, it may help as a poor man's triangulation...
-
@Dashrender said:
DHCP doesn't use RADIUS, or vice versa. I know there is the possibility of some type of tie-together... but not normally for general networks.
Are you referring to 802.1x authentication?
-
@thecreativeone91 said:
@Dashrender said:
DHCP doesn't use RADIUS, or vice versa. I know there is the possibility of some type of tie-together... but not normally for general networks.
Are you referring to 802.1x authentication?
Uh... maybe. I never dug into the protocol.
-
@g.jacobse said:
@JaredBusch said:
@Hubtech said:
I had one of these pop up at a client a month or so ago. Whoever configured the switches didn't leave their login info, so I wasn't able to use the management. Ended up super-sleuthing and found it by using a "sniffer" that basically just polled the strength of the AP. Old school.
I would do this. Turn the wifi back on and sniff the signal.
Since it looks like I'll be here half the weekend, I may do this. Of course, that is if I can reach it... I'm about to dig out an unused box to see if I can still reach it and go from there. My hope is that someone will figure out they aren't getting what they used to and call someone and ask - or call me about it. That would be nice and 'fast'.
Otherwise it'll have to be sniffed. Which I don't really have gear for... If I can find my Kindle, it may help as a poor man's triangulation...
Ping the IP of the Linksys, then type `arp -a | findstr IPADDRESS`
This will tell you the MAC of the device. Then go to your switch(es) and look through their MAC tables to find what port that MAC is on. Then look at your building map for that port location. Done.
-
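The procedure in the post above (ping the rogue's IP, read its MAC out of `arp -a`, then find that MAC in the switches' MAC tables) is mechanical enough to script, and the one snag in practice is that the MAC shows up on more than one switch: every switch between you and the device learns it on its uplink port, and only the last hop shows it on an access port. The Python below is an added example, not code from the thread: it normalizes the three MAC spellings you meet along the way (Windows `00-1a-...`, Cisco `001a.2b3c.4d5e`, colon form), finds the MAC for an IP in `arp -a` output, lists every switch/port that has learned it, and picks the one hit that is not a known uplink. The `arp -a` text, the two `show mac address-table` dumps, the switch names and the uplink map are constructed sample data, not real captures.

```python
"""Trace a MAC from an arp table to a switch access port. Stdlib only; added example."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data, not real captures. Windows `arp -a` output from a PC that
# took a lease from the rogue, and `show mac address-table` text from two switches.
# "core" reaches "sw2" over Gi1/0/24; sw2's Gi1/0/48 is the link back to core.
ARP_OUTPUT = """\
Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""
MAC_TABLES: Dict[str, str] = {
    "core": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/24
""",
    "sw2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001a.2b3c.4d5e    DYNAMIC     Gi1/0/7
  10    0011.2233.4455    DYNAMIC     Gi1/0/48
""",
}
# Inter-switch links, so a hit on one of these is "keep going", not "found it".
UPLINKS: Dict[str, Set[str]] = {"core": {"Gi1/0/24"}, "sw2": {"Gi1/0/48"}}

HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Accept aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aa:bb:cc:dd:ee:ff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[.:\-]", "", raw).lower()
    if not HEX12.match(digits):
        return None  # header words, separators and anything else that is not a MAC
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_from_arp(arp_text: str, ip: str) -> Optional[str]:
    """MAC for an IP in `arp -a` output (ping the IP first so the entry exists)."""
    for line in arp_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == ip:
            return normalize_mac(parts[1])
    return None


def mac_hits(mac_tables: Dict[str, str], mac: str) -> List[Tuple[str, str]]:
    """Every (switch, port) on which the MAC has been learned; the port is the last column."""
    hits = []
    for switch, text in mac_tables.items():
        for line in text.splitlines():
            parts = line.split()
            if len(parts) >= 4 and normalize_mac(parts[1]) == mac:
                hits.append((switch, parts[-1]))
    return hits


def locate_edge_port(mac_tables: Dict[str, str], uplinks: Dict[str, Set[str]],
                     mac: str) -> Optional[Tuple[str, str]]:
    """The access port the device hangs off: the single hit that is not on an uplink."""
    edge = [(sw, port) for sw, port in mac_hits(mac_tables, mac)
            if port not in uplinks.get(sw, set())]
    return edge[0] if len(edge) == 1 else None  # None: not seen, or ambiguous


if __name__ == "__main__":
    mac = mac_from_arp(ARP_OUTPUT, "192.168.1.1")
    print("MAC:", mac, "learned on:", mac_hits(MAC_TABLES, mac))
    print("edge port:", locate_edge_port(MAC_TABLES, UPLINKS, mac))
```

Two things to keep in mind when doing this by hand: MAC-table entries age out (a few minutes on most switches), so keep pinging the rogue while you read the tables; and if the device is wired in through its WAN port you will be chasing its WAN MAC, which is still learned on the same physical port, so the lookup works the same way.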
@Dashrender said:
@g.jacobse said:
@JaredBusch said:
@Hubtech said:
I had one of these pop up at a client a month or so ago. Whoever configured the switches didn't leave their login info, so I wasn't able to use the management. Ended up super-sleuthing and found it by using a "sniffer" that basically just polled the strength of the AP. Old school.
I would do this. Turn the wifi back on and sniff the signal.
Since it looks like I'll be here half the weekend, I may do this. Of course, that is if I can reach it... I'm about to dig out an unused box to see if I can still reach it and go from there. My hope is that someone will figure out they aren't getting what they used to and call someone and ask - or call me about it. That would be nice and 'fast'.
Otherwise it'll have to be sniffed. Which I don't really have gear for... If I can find my Kindle, it may help as a poor man's triangulation...
Ping the IP of the Linksys, then type `arp -a | findstr IPADDRESS`
This will tell you the MAC of the device. Then go to your switch(es) and look through their MAC tables to find what port that MAC is on. Then look at your building map for that port location. Done.
If I wasn't still somewhat miffed, and other choice words I won't use, I'd laugh...
Uhm... I don't have one. It would really be nice to have one... but with all the spot fires and 'crash' calls... I don't get time to address things like that... Some day maybe... if I survive that long.
-
@g.jacobse said:
@JaredBusch said:
@Hubtech said:
I had one of these pop up at a client a month or so ago. Whoever configured the switches didn't leave their login info, so I wasn't able to use the management. Ended up super-sleuthing and found it by using a "sniffer" that basically just polled the strength of the AP. Old school.
I would do this. Turn the wifi back on and sniff the signal.
Since it looks like I'll be here half the weekend, I may do this. Of course, that is if I can reach it... I'm about to dig out an unused box to see if I can still reach it and go from there. My hope is that someone will figure out they aren't getting what they used to and call someone and ask - or call me about it. That would be nice and 'fast'.
Otherwise it'll have to be sniffed. Which I don't really have gear for... If I can find my Kindle, it may help as a poor man's triangulation...
Naw man. You can get close by using a laptop and a Yagi, or just your laptop.
-
Found it. It was an AP that was in the conference room. Oddly enough, it had been reset and was working for about two or three months before it started being a problem.
It's been locked down and updated, and a "Do Not Reset" placed over the button.
-
Cool, glad that you found it.
-
How'd you find it?
-
@Hubtech said:
How'd you find it?
It was a cross of things really.
About two or so months ago the intern (I heard that groan) had some issues with wireless and was compelled to reset the unit. Only instead of just unplugging it, he hit the reset button. No big deal even in the default mode... Until last week (OP date) when for whatever reason I started having DHCP issues. It was offering DHCP in the 192.168 schema when our network is in the 10.0 schema.
While it took some time to find just that, I started with a PC that was in the 192.168 range and went to the IP, and found that it was the Linksys system.
I didn't have any means of tracing the AP signal until I brought in my Kindle, isolated it, and got more into the back info and found that the device was the unit. I had walked around that day, but even with the AP model, it didn't completely register that it was this.
With the WiFi analyzer on the Kindle I confirmed it after powering it off.
If I had taken the time to slow down that day and noted the model number I might have caught it sooner. Having so many different device types for wireless and such makes it a challenge.
Boils down to: I found it using sneakernet...