What's new

AC3100 Syslog Auth and Assoc Successful with incorrect WPA2 key

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

FanaticLight7

Occasional Visitor
Hello,

I'm having a similar issue as someone else posted about their A86 here https://www.snbforums.com/threads/problems-with-my-rt-ac86u.66722/page-2#post-628471

Basically I'm seeing several log entries of Assoc and Auth, followed by a Deauth a few seconds later of random MAC addresses that aren't mine. After some testing, I'm pretty sure this is related to unknown devices trying to connect to the network and failing. The logs however, show the authentication process as successful? Here is what I did:

I turned off MAC filtering, changed my SSID/Passwords and then tried authenticating with my phone on the network with an incorrect password. Even though my phone wouldn't sign on to the network, the syslogs show Authentication and Association as successful. Ignore the May 5 date, I think it's because I have my internet unplugged while I was testing this so it probably didn't update to the correct date/time.

May 5 01:09:24 syslog: WLCEVENTD wlceventd_proc_event(500): eth2: Auth AE:23:E3:A2:A5:58, status: Successful (0) <-- using a random MAC on phone with incorrect WPA2 key
May 5 01:09:24 syslog: WLCEVENTD wlceventd_proc_event(529): eth2: Assoc AE:23:E3:A2:A5:58, status: Successful (0)
May 5 01:09:32 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind AE:23:E3:A2:A5:58, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
May 5 01:09:33 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind AE:23:E3:A2:A5:58, status: 0, reason: Class 2 frame received from nonauthenticated station (6)
May 5 01:09:50 syslog: WLCEVENTD wlceventd_proc_event(500): eth2: Auth 44:91:60:8D:37:D3, status: Successful (0) <-- Using phone MAC with incorrect WPA2 key
May 5 01:09:50 syslog: WLCEVENTD wlceventd_proc_event(529): eth2: Assoc 44:91:60:8D:37:D3, status: Successful (0)
May 5 01:09:58 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind 44:91:60:8D:37:D3, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
May 5 01:10:00 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind 44:91:60:8D:37:D3, status: 0, reason: Class 3 frame received from nonassociated station (7)

So I'm not sure why it's showing as successful for Auth and Assoc? This is clearly a bug right?
 
Last edited:
My issue was with a Samsung phone. You have to go into the advance settings of the wi-fi you are connected and have it use the phone MAC. I've never had a Samung phone in my network until just recently that I introduce one and started to get these syslogs like crazy. Another solution provided in a previous thread is to do the following:

wouterv said:

This is introduced due a firmware change some time ago and is related to the setting for the kind of messages to show in the System Log.
The kind of messages shown is defined with the severity level, the higher the number the more message types are shown.
In current firmware the default severity level is 6, this causes the WLCEVENTD messages.
A severity level of 5 will hide those messages.

The severity level can be shown and set with SSH commands:

  1. nvram get log_level
  2. nvram set log_level=5
  3. nvram commit
  4. reboot
 
My issue was with a Samsung phone. You have to go into the advance settings of the wi-fi you are connected and have it use the phone MAC. I've never had a Samung phone in my network until just recently that I introduce one and started to get these syslogs like crazy. Another solution provided in a previous thread is to do the following:



Check my post above. I think it's more than that and this is actually a bug. It shows devices that cannot Authenticate with the network as succesfully authenticated in the log, but deauths them right away.
 
Check my post above. I think it's more than that and this is actually a bug. It shows devices that cannot Authenticate with the network as succesfully authenticated in the log, but deauths them right away.

Know issue.

https://www.snbforums.com/threads/r...13-is-now-available.57860/page-35#post-515660
 
Have you introduced any new devices into your network? Some devices, such as Samsung, will "attempt" to hide the MAC and will through random MAC and connect successfully to the your wi-fi. It may even be a new tablet or new phone that just got an update which is doing the above, and that's why you're seeing successful connections.
 
Have you introduced any new devices into your network? Some devices, such as Samsung, will "attempt" to hide the MAC and will through random MAC and connect successfully to the your wi-fi. It may even be a new tablet or new phone that just got an update which is doing the above, and that's why you're seeing successful connections.


So I'm not sure if it was clear in the post. But basically I cleared all the devices from the router and started with a fresh SSID and password. None of my existing devices could attempt to automatically connect to a new SSID that is not saved on them. There is only one device on the network and that's my laptop to look at the logs. I don't have MAC randomization on for anything.

I then tried to connect to the network using a phone with an incorrect password and when I do that, I get the logs as in the first post with the phone MAC clearly showing. For some reason, the syslog still shows Authentication and Association as successful. But the phone says it wasn't successful.
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top