Can someone explain the random MAC Addresses in Syslog? Should I be concerned?


FanaticLight7

Occasional Visitor
I have an AC3100 a couple of months old. Today I was checking the system log and I found multiple entries such as these

Oct 19 12:05:36 syslog: WLCEVENTD wlceventd_proc_event(500): eth1: Auth EA:06:02:EB:04:5C, status: Successful (0)
Oct 19 12:05:36 syslog: WLCEVENTD wlceventd_proc_event(529): eth1: Assoc EA:06:02:EB:04:5C, status: Successful (0)
Oct 19 12:05:46 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind EA:06:02:EB:04:5C, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Oct 19 12:05:55 syslog: WLCEVENTD wlceventd_proc_event(500): eth1: Auth EA:06:02:EB:04:5C, status: Successful (0)
Oct 19 12:05:55 syslog: WLCEVENTD wlceventd_proc_event(529): eth1: Assoc EA:06:02:EB:04:5C, status: Successful (0)

These are MAC addresses that are definitely not any of our devices. I see similar logs for ones that are from my devices. None of these unknown MACs are in the client list or DHCP leases list. I'm just confused about what the Auth means. It sounds like they were able to connect to my network? Or is that just passing devices that get in range of my network, like people walking by?
 

FanaticLight7

Occasional Visitor
There have been numerous similar posts to yours recently. Most often they are caused by the recent updates to Android, iOS and Windows whereby they are now using randomised MAC addresses to connect instead of their real addresses.

For example: https://www.techrepublic.com/article/how-to-enable-a-randomized-mac-address-in-android-10/
But I have MAC randomization turned off for all my Android/Windows devices. Does it do that despite the fact it's turned off? On top of that I don't see these MAC addresses in the DHCP list or client list. I want to make sure no one has connected to my network without it showing on the client list.
 

ColinTaylor

Part of the Furniture
If you've explicitly turned randomisation off then that should be OK. One way to diagnose the problem would be to change your WiFi passwords and then see what device complains about it. It usually ends up being some sort of IoT device in sleep mode, e.g. a Smart TV.
 

FanaticLight7

Occasional Visitor
Thing is, none of these clients show up in the DHCP lease list. Or in the active clients. Or in the offline clients. Is this a bug or something? Like if it was actually connected to the network wouldn't it be showing there?
 

techcafe

Regular Contributor
I see one 'rogue' MAC address (EA:06:02:EB:04:5C) in your log excerpt. If it was a stranger walking by, their device would not be able to authenticate without your wifi password, but your log shows that authentication & association were successful for that unknown MAC.

An OUI lookup on that MAC address (EA:06:02) produces no results (vendor ID not found), which could possibly mean the offending device, as Colin suggested, is using a spoofed/fake MAC address, aka Private Address in iOS; and Randomized MAC in Android OS. The locally-assigned MAC address is unique to each network SSID, so as to prevent tracking of your device across different networks & hotspots as you travel around. It's a smart idea to use random MACs with public wifi, but not so good on your private network, like at home with statically-assigned IPs, when you need to know whose devices are connecting to your wifi.

You could, as I have done, enable the Wireless MAC filter on the 2GHz band (in Accept Mode) and populate the filter list with the MACs of all of your known devices. This will prevent all unknown devices from connecting on the 2.4GHz band. Since the 5GHz signal doesn't penetrate through walls or propagate nearly as far as 2GHz, I leave MAC filtering disabled on the 5GHz band, which will allow nearby devices to connect, whether known or unknown. Using this method, guest devices can connect to our 5GHz wifi if they are within physical proximity of the access points, like inside of our building, but not from the outside.
 

FanaticLight7

Occasional Visitor
Thanks. That was only a part of the log. There's a bunch of other devices I've seen that exhibit similar behaviour in the log; some of these do have vendors (Samsung, Apple, OnePlus). Thing is, they show as associated but immediately get a deauth. I was just thinking it's people walking by because it looks like it's mostly mobile devices. The pattern in the logs for these unknown MACs is always the same. It associates, then deauths a few seconds later. This doesn't happen with my devices. Some more examples:

Oct 14 14:37:33 syslog: WLCEVENTD wlceventd_proc_event(500): eth1: Auth 64:9A:BE:3D:75:08, status: Successful (0)
Oct 14 14:37:33 syslog: WLCEVENTD wlceventd_proc_event(529): eth1: Assoc 64:9A:BE:3D:75:08, status: Successful (0)
Oct 14 14:37:47 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 64:9A:BE:3D:75:08, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Oct 14 14:49:36 syslog: WLCEVENTD wlceventd_proc_event(500): eth1: Auth 8E:56:E3:A9:A0:73, status: Successful (0)
Oct 14 14:49:36 syslog: WLCEVENTD wlceventd_proc_event(529): eth1: Assoc 8E:56:E3:A9:A0:73, status: Successful (0)
Oct 14 14:49:50 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 8E:56:E3:A9:A0:73, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Oct 14 08:01:31 syslog: WLCEVENTD wlceventd_proc_event(500): eth1: Auth 10:8E:E0:37:67:2C, status: Successful (0)
Oct 14 08:01:31 syslog: WLCEVENTD wlceventd_proc_event(529): eth1: Assoc 10:8E:E0:37:67:2C, status: Successful (0)
Oct 14 08:01:40 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Oct 14 08:01:41 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Class 3 frame received from nonassociated station (7)
Oct 14 08:01:41 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Class 3 frame received from nonassociated station (7)
Oct 14 08:01:41 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Class 3 frame received from nonassociated station (7)
Oct 14 08:01:41 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Class 3 frame received from nonassociated station (7)
Oct 14 08:01:41 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Class 3 frame received from nonassociated station (7)
Oct 14 08:01:41 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Class 3 frame received from nonassociated station (7)
Oct 14 08:01:41 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Class 3 frame received from nonassociated station (7)
Oct 14 08:01:41 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Class 3 frame received from nonassociated station (7)
Oct 14 08:01:41 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Class 3 frame received from nonassociated station (7)
Oct 14 08:01:41 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Class 2 frame received from nonauthenticated station (6)
Oct 14 08:01:41 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 10:8E:E0:37:67:2C, status: 0, reason: Class 2 frame received from nonauthenticated station (6)

I'm thinking this has to do with an unauthorized range extender that was connected to my router a few months ago. No idea how it got connected in the first place. Maybe through WPS which I had turned on back then? I blocked the range extender from the router back then, but maybe these are devices trying to connect through that range extender? Does it make sense? Also would you know if they were actually connected, would it show in the connected clients or offline client list at all? The only device I saw in the offline client list from several months ago was that unknown range extender.


Either way I changed the SSID, passwords, and turned off the 2.4GHz radio, and turned on MAC filter for only my devices.
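Added example (not from this thread or the router firmware): a small Python script that parses WLCEVENTD lines like the ones posted above, flags addresses whose locally-administered bit is set (what techcafe's empty OUI lookup on EA:06:02 points to: an OS-randomised MAC), and reports per MAC whether it is on your known-device list, is still associated (so it should be in the client/DHCP list), or only showed the brief associate-then-deauth pattern. The sample log, the KNOWN_MACS set and the 60-second "brief" threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the router's WLCEVENTD format: two MACs from the thread's excerpt plus a made-up known device.
SAMPLE_LOG = """\
Oct 14 14:37:33 syslog: WLCEVENTD wlceventd_proc_event(500): eth1: Auth 64:9A:BE:3D:75:08, status: Successful (0)
Oct 14 14:37:33 syslog: WLCEVENTD wlceventd_proc_event(529): eth1: Assoc 64:9A:BE:3D:75:08, status: Successful (0)
Oct 14 14:37:47 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 64:9A:BE:3D:75:08, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Oct 14 14:49:36 syslog: WLCEVENTD wlceventd_proc_event(500): eth1: Auth 8E:56:E3:A9:A0:73, status: Successful (0)
Oct 14 14:49:36 syslog: WLCEVENTD wlceventd_proc_event(529): eth1: Assoc 8E:56:E3:A9:A0:73, status: Successful (0)
Oct 14 14:49:50 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 8E:56:E3:A9:A0:73, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Oct 14 14:49:51 syslog: WLCEVENTD wlceventd_proc_event(466): eth1: Deauth_ind 8E:56:E3:A9:A0:73, status: 0, reason: Class 3 frame received from nonassociated station (7)
Oct 14 15:02:10 syslog: WLCEVENTD wlceventd_proc_event(529): eth1: Assoc 00:11:22:33:44:55, status: Successful (0)
"""
KNOWN_MACS = {"00:11:22:33:44:55"}  # constructed stand-in for the owner's MAC-filter list

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) syslog: WLCEVENTD \S+: (?P<iface>\S+): "
    r"(?P<event>Auth|Assoc|Reassoc|Deauth_ind|Disassoc_ind) "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

def is_locally_administered(mac):
    # U/L bit (0x02) of the first octet set = software-assigned address (iOS Private
    # Address, Android randomised MAC, ...); an OUI lookup on it finds no vendor.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_events(log_text):
    # Returns (timestamp, interface, event, MAC) for every WLCEVENTD line that matches.
    out = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                        m["iface"], m["event"], m["mac"].upper()))
    return out

def triage(log_text, known_macs, short_seconds=60):
    # Per MAC: U/L bit, membership in the owner's list, shortest Assoc->Deauth gap,
    # and whether it is still associated (then it belongs in the client/DHCP list).
    known = {m.upper() for m in known_macs}
    st = defaultdict(lambda: {"assoc_at": None, "shortest": None, "up": False})
    for ts, _iface, event, mac in parse_events(log_text):
        s = st[mac]
        if event in ("Assoc", "Reassoc"):
            s["assoc_at"], s["up"] = ts, True
        elif event in ("Deauth_ind", "Disassoc_ind") and s["up"]:
            gap = (ts - s["assoc_at"]).total_seconds()
            s["shortest"] = gap if s["shortest"] is None else min(s["shortest"], gap)
            s["up"] = False  # repeated Deauth_ind (class 2/3 frame reasons) are ignored
    report = {}
    for mac, s in st.items():
        if mac in known:
            verdict = "known device"
        elif s["up"]:
            verdict = "unknown and still associated: it should appear in the client/DHCP list"
        elif s["shortest"] is not None and s["shortest"] <= short_seconds:
            verdict = "unknown, associated briefly then left (assoc/deauth churn)"
        else:
            verdict = "unknown, left after a longer session"
        report[mac] = {"locally_administered": is_locally_administered(mac),
                       "known": mac in known, "shortest_assoc_s": s["shortest"],
                       "verdict": verdict}
    return report
```

Feed it the router's saved syslog instead of SAMPLE_LOG and your own MAC-filter list in place of KNOWN_MACS; any MAC reported as "still associated" but absent from the client list is the one worth investigating.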
 

techcafe

Regular Contributor
ahh ok, if the wireless log shows Associated but not Authenticated, followed by a DeAuth, then it could just be random passersby, but their device(s) don't successfully Authenticate on your network, so no worries there.

i'm thinking, if there are many different random MACs attempting to connect, then a nearby device must be generating those random addresses OR simply random smartphones on people who happen to be walking nearby at the time. is there a pattern to these unknown MAC events, such as particular days or times, or are the events also random? are the unknown MAC addresses repeating or always changing?

as for the unauthorized range extender, if you didn't set it up, then somebody, somewhere else, obviously did. that being the case, the logs appear to indicate (to me) that the rogue extender does successfully authenticate, then immediately de-authenticates, or am i reading the logs wrong? in any event :) as i mentioned, you can easily remedy this by turning on the Wireless MAC filters, thus preventing unknown MACs from connecting.
 

FanaticLight7

Occasional Visitor
The MAC address of the rogue extender isn't in the logs anywhere actually. I don't think I've seen it since I blocked it several months ago. It's a bizarre situation all around because I bought this router in June and in the first week of owning it I saw the range extender somehow on the offline client list in my network, meaning someone somehow connected to this router through the extender in the first week? It made no sense. I blocked the device either way. I'm just wondering maybe it was a neighbour that connected through WPS on my router when I pressed the WPS button at the same time - coincidentally, and probably by accident. And these unknown MACs are their devices trying to "connect" to my network through that extender, even though internet access is blocked on it. I'm also just assuming it's a range extender or some sort of AP because the device just shows as "D-Link" on my offline client list, but some googling of the MAC indicates it's likely some sort of router/extender.

That's the only thing I can think of really. I can't imagine someone hacked my WPA2 password in the first week of owning this router. Especially because I changed the passwords from the old router.
 

techcafe

Regular Contributor
in order to successfully connect via WPS, your neighbours would need the correct wifi PIN, right? the unique WPS AP PIN Code is located under Advanced, Wireless, WPS settings. I disable WPS on my routers, so I'm not exactly sure how it all works. I'm fresh out of ideas about the rogue range extender, but I highly suggest changing your wifi password(s), which you did already, I think you said.
 

FanaticLight7

Occasional Visitor
I'm not sure. I thought just pushing the button on both devices around the same time would make it work. I'm guessing if that's the case someone pushed their range extender WPS button at the same time I did on my router. A very rare occurrence, but maybe it's possible.
 

Ronald Schwerer

Very Senior Member
With the 3-4 range extenders I've used (AKA repeaters), the clients log in to the extender's SSID (not necessarily the same as the base router). It is only the extender that authenticates its clients. The wifi connection it extends is basically a backhaul to the router. Once the extender is connected and authenticated, I don't think there is any more additional security than a wired connection.

That said, if you've blocked that MAC, I don't see how it could be used for attempted client connections. Unless there's another (or spoofed MAC) extender.

Another thing that bothers me is, to my understanding, a passing phone would only attempt to connect to an "open" SSID. Otherwise it should only attempt to connect to known and previously authenticated protected networks.
 

FanaticLight7

Occasional Visitor
Thanks. So would any clients connected to the extender show up in the client list on the router? Because I haven't seen any new unknown devices except for that extender.

I "blocked" the extender but I don't think it was a MAC block. I just used the router app to block it which I believe just blocks the internet connection, but it might still be able to connect to the router? I see the block under parental controls for that device.
 

Ronald Schwerer

Very Senior Member
For some reason, I don't see all the clients in the router's client list. So I'm not sure if you can rely on it. More importantly, I don't think you've actually blocked that rogue extender. I recommend using the router's GUI, not the app. In an attempt to be "friendly", I don't know if it shows the true state of connected clients. If it were me, I'd change the SSID(s) and passwords.
 

FanaticLight7

Occasional Visitor
Yeah I did all that already and set up a MAC whitelist now. But I presume that even blocking the internet should prevent it from passing on a proper internet connection to the devices connected to it, right? I tested the same block on one of my devices and I can connect to the network but I don't get any internet access. Another thing to add is that I've also never seen it connected; it has always been in my offline device list with no IP, even after blocking it. I've monitored my client list regularly and have never seen it actually connected or on the online list.

Also is there any way devices that were connected to that extender could bypass that and directly connect to my router then?
 

Ronald Schwerer

Very Senior Member
I just checked one of my extenders (an AC68U in repeater mode). Logging in to it, I see all its clients. On my main router (AX3000) I don't see any of the clients that connect to the repeater. However, those clients on the repeater were assigned their reserved IPs from the main DHCP server. If I didn't log in to the repeater, I'd never have known they were connected. But I do see the repeater's MAC & IP in the router's client list. In your case, there's no way those clients could connect without the repeater connecting to your wifi.
 

FanaticLight7

Occasional Visitor
Makes sense. Thanks. So the clients on your repeater - do you see them in the DHCP list on the AX3000 main router? And also if the AX3000 has traffic history/usage, would the usage log show the extender traffic? I remember when I saw this extender I don't think there was any traffic to it since I didn't even see it on the dropdown list of clients in the traffic monitor/history.

So the only thing that somewhat adds up is if the extender is set up through WPS, you can use the WPA2 key from my main network to connect to the extender SSID (normally it's named SSID_EXT). But technically they can just use WPS on the extender to connect their devices to the SSID_EXT, which would then get a connection through my network - but without internet since it's blocked. Anyway I've also scanned for nearby networks and there are a few D-Link APs, but none that match the MAC address of the extender that had been connected to my network. Not sure if the MAC of the SSID is the same as the MAC that would show on the connected clients list.

Such a weird situation all around.
 
