Looking for Advice to Solve a Persistent Wi-Fi Login Mystery

triathlon
Here to help

Hello, all. We've got a new wireless network using Meraki MR42s (and one MR33 freebie) and I've got a mystery that doesn't actually matter. But, I'd like to solve the mystery as an opportunity to learn about the tech. Here's the deal:

We're a small business on one floor of a building we share with other businesses. Someone (almost certainly not one of us) is frequently trying to log into our Wi-Fi as "Eiffel 65," which is a user that does not exist. They're also an Italian electronic band with that one song from the late '90s and is to their credit and my surprise still making music. This happens every weekday from about 8:30am to 5:15pm.

My objective is to get "Eiffel 65" to stop (the user, not the band, but if I get both, so be it). Again, it doesn't really matter except as an opportunity to learn.

Our Wi-Fi is using WPA2-Enterprise (EAP+MSCHAPv2) backended with a local AD and RADIUS via NPS on Windows Server 2016. It's working great for legitimate users and I don't want to interrupt them.

My idea was to somehow let the Eiffel 65 client authenticate on to our wi-fi, where I'd block them with the Meraki, showing a page asking them to "please stop trying." I could get RADIUS to approve based on MAC alone, but the wi-fi connection failed, I assume because the Meraki is expecting EAP and MSCHAPv2. I created a local Eiffel 65 user, but I couldn't successfully guess the password the user is submitting to let them in.

Anyway, I'm blue that I haven't been able to sort this out. What might I try? TIA
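As an added example (not from the original post), here is a way to confirm the 8:30-to-5:15 weekday pattern from the NPS side rather than the Meraki dashboard: it parses Event ID 6273 ("Network Policy Server denied access to a user") records exported from the Security log as XML and groups the denials by client MAC, weekday and hour, then lists the MACs that keep presenting an account NPS says does not exist. The EventData field names (SubjectUserName, CallingStationID, ReasonCode) and reason code 8 for a nonexistent account are taken from the NPS 6273 event schema as I understand it and should be treated as assumptions; the sample events are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
ACCESS_DENIED = "6273"   # NPS event "Network Policy Server denied access to a user"
NO_SUCH_ACCOUNT = 8      # NPS reason code: the specified user account does not exist (assumed)


def _event(time, user, mac, code, reason):
    # Builds one constructed 6273 record in the shape of a `wevtutil qe Security /f:xml` export.
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{ACCESS_DENIED}</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System><EventData>'
            f'<Data Name="SubjectUserName">{user}</Data>'
            f'<Data Name="CallingStationID">{mac}</Data>'
            f'<Data Name="ReasonCode">{code}</Data><Data Name="Reason">{reason}</Data>'
            "</EventData></Event>")


# Constructed sample: three Eiffel 65 denials across a Monday plus one unrelated bad password.
SAMPLE_XML = "<Events>" + "".join([
    _event("2019-05-06T08:31:02.000Z", "Eiffel 65", "AA-BB-CC-DD-EE-01", 8, "Account does not exist"),
    _event("2019-05-06T12:05:44.000Z", "Eiffel 65", "AA-BB-CC-DD-EE-01", 8, "Account does not exist"),
    _event("2019-05-06T17:10:09.000Z", "Eiffel 65", "AA-BB-CC-DD-EE-01", 8, "Account does not exist"),
    _event("2019-05-06T09:15:30.000Z", "jdoe", "AA-BB-CC-DD-EE-02", 16, "Credentials mismatch"),
]) + "</Events>"


def parse_denials(xml_text):
    """Return one dict per 6273 event: when (UTC), user, mac, reason_code."""
    out = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != ACCESS_DENIED:
            continue
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        out.append({"when": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
                    "user": data.get("SubjectUserName"),
                    "mac": data.get("CallingStationID"),
                    "reason_code": int(data.get("ReasonCode", "0"))})
    return out


def summarise(events, user):
    """Count denials for `user` by (client MAC, weekday, UTC hour); shift hours to local time as needed."""
    return Counter((e["mac"], e["when"].strftime("%a"), e["when"].hour)
                   for e in events if e["user"] == user)


def macs_for_nonexistent_accounts(events):
    """Client MACs that keep presenting a user NPS says does not exist: candidates for a MAC-based block."""
    return {e["mac"] for e in events if e["reason_code"] == NO_SUCH_ACCOUNT}
```

Run it against a real export with `parse_denials(open("security.xml").read())` and the summary shows whether one MAC or several are behind the attempts, which is the first thing to know before blocking anything.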

DonAnnett
Getting noticed

I suspect they only intentionally tried it once and I suspect the subsequent tries are just the phone itself because the user has not gone in to 'forget this ssid'.

I wouldn't do anything about it.

Oh, I totally agree. And I get that I needn't do anything about it. But solely for the sake of edification, what might I do?

I feel like in order to do something like sending them a message, you'd have to let them in to your network somehow, which is bypassing the protections you've established with 802.1x. Even if you could isolate them, you're still actually letting them in, which to me is far more invasive to your network than their annoying failed attempts. Apologies for not offering a solution.

All true. I'm not extremely concerned, however, since they're trying to get on a BYOD SSID that's going to land them on a guest VLAN that can only access the internet. On top of that, I'm blocking their client access to the internet using their MAC address and delivering my would-be message via Meraki splash screen.


I was halfway giving the community the chance to say, "why don't you just use [obvious feature X]?" It doesn't seem like that's going to happen. I was other-halfway wondering if a much better hacker than I would pipe in with, "hey, you're holding the private key to the EAP session in which they're sending you their encrypted credentials. Why not just packet capture the session and decrypt the credentials and set your Eiffel 65 password to what they send?" Then I could ask them what tools would help me with that.

This is more a shot at a blue team learning exercise than any practical application of systems administration. In the end I'm pleased that the approach I'm using puts user credentials far enough out of reach that the administrator of the wifi can't even get 'em easily.

Thanks, all.

Understood. Don't lose hope... the super-nerds around here might still chime in! 😎

Nash
Kind of a big deal


@triathlon wrote:

This is more a shot at a blue team learning exercise than any practical application of systems administration. In the end I'm pleased that the approach I'm using puts user credentials far enough out of reach that the administrator of the wifi can't even get 'em easily.

Thanks, all.


I just had to choke down a cackle here. I know what blue team is (heck, I'm going to BlueTeamCon in June) but... you're blue. 😂🎼

Stuck in my head all week.
