Identifying device from its MAC address
Posted by Recent_Carpenter8644@reddit | sysadmin | View on Reddit | 55 comments
We have a situation where a user is regularly getting account lockouts, and have finally tracked it down to a device in another one of our offices trying to connect to the wifi there, which has Radius authentication. I suspect the user has a long time ago helped someone else connect their phone to the wifi with their own credentials. After a password change, or possibly several password changes because of the password history, they're getting locked out.
Event 4625s in the security event log don't show the workstation name, so we think it's probably a phone. All we can get from the Radius logs is the MAC address.
Is the only way forward to ask everyone in that office to check their phone's MAC address?
dirtyredog@reddit
first id do
tcpdump -i eth0 host 00:00:00:01:02:03
if it's talking you'll get it's ip address
then I'd look for the switch ports that's seen the address until I locate its drop.
I find it useful to document the ports and addresses while investigating these sort of things. well, it's only a few hundred ports...
Recent_Carpenter8644@reddit (OP)
If there's no ip lease showing in DHCP, this isn't going to work, is it?
dirtyredog@reddit
could be just broadcasting or assigned statically
JamieTenacity@reddit
https://it-tools.tech/mac-address-lookup
Recent_Carpenter8644@reddit (OP)
"Not found". Could be randomised.
JamieTenacity@reddit
Oh, that’s disappointing.
I had an issue like this a while back, so I was hoping this would help.
My random device turned out to be an EPOS card reader. Wasn’t expecting that!
Recent_Carpenter8644@reddit (OP)
TIL randomised MAC addresses have 2, 6, A or E as the second digit. This one must be randomised. I assume then that getting people to check their MAC address won't work.
MajorVarlak@reddit
The randomized mac addresses do make this much harder, but they tend to be randomized per SSID. With that in mind, can you look at the dhcp/dns servers and look for that mac address? The device might have registered itself with its name like "Steve's iPhone".
Recent_Carpenter8644@reddit (OP)
Yes, it's not there. I assume it's not being issued an address. Or is it? I looked at the leases, not listed.
I can also see all our company phones' MAC addresses in Intune, and it's not there, so it's likely a personal phone, or somehow not enrolled.
MajorVarlak@reddit
If its been long enough that it hasn't been able to login, then the lease probably expired and was deleted. Unless you keep a log of your dhcp/dns servers that might not help any.
Depending on your wireless platform, and how many APs you have, can you narrow it down to a specific part of the building?
You could also take the "lazy" way out and send an email to everybody at that location with instructions for "upgraded wireless security" that "requires all users to tell their mobile devices to forget the wifi network" and have them re-add it. "This improved security setting only applies to personal devices, as well management security on corporate phones"
Recent_Carpenter8644@reddit (OP)
There's 8. I just had a look a the logs, and I can see they spent a lot of time in a training room on Monday. But that's too long ago. I might work out a way to get times and access point numbers quickly, so I can get our IT guy over there to narrow it down.
birduino@reddit
It's probably a printer
Recent_Carpenter8644@reddit (OP)
I never thought of that. But the fact that the attempts come in bursts suggests it's a mobile device. There's been none for 36 hours now.
I wonder if someone's got a mobile printer. I know of one team that used to have one.
DifferentComedian332@reddit
I assume you filtered your logs for event ID 4740 first and got no results? 4740 gives affected machine name. If that doesn't work, like others explained, send a mass email having everyone clear the company networks from their phone and if they need the wifi they can reconnect it. This is a great security measure. Also, most phones just need internet it doesnt need AD access, so request that they only connect to guest Wi-Fi after the clearing. Make the clearing manditory as well so those that look at the email and go i dont use it so oh well.
Recent_Carpenter8644@reddit (OP)
The 4740s are showing a blank machine name too.
ThatBrozillianGuy@reddit
Don't know if you know it, but the first 3 octets of a MAC (the OUI) are vendor specific. This might help narrowing down your search. It will even help you find out if it's a mobile phone or not. There are nuances to all of it, but in general, it might help.
If possible, revert to the old password, let it log in and sniff traffic coming from the device. Although everything is HTTPS nowadays, DNS queries can be useful to pinpoint the device/owner.
Recent_Carpenter8644@reddit (OP)
I thought of that, but the old password is way to old for the user to have a record.
caveboat@reddit
I love this method.
demonseed-elite@reddit
Blacklist the device by MAC address via a rule in your 802.1X system. See who drops a ticket in two week about "my phone won't connect to wifi!!"
Solved.
Recent_Carpenter8644@reddit (OP)
That's what we were thinking of doing if we can't locate it, but the device owner won't complain if we do - it's not connecting anyway because they have the old password.
jnievele@reddit
Still, the actual issue will be solved.
jeffrey_smith@reddit
Match attempt times vs building entry times?
Recent_Carpenter8644@reddit (OP)
I wish I had access to those. I'm running a ping log on the laptop of one suspect, to see how that matches, but I don't think it's worth doing them all.
coming2grips@reddit
Scream test. For sure. This is the way
HappyDadOfFourJesus@reddit
ScreamTest :)
MajorVarlak@reddit
The fact the wifi keeps locking somebody else's account suggests its not connecting anyway, and haven't complained, or I'd expect this post wouldn't exist. Or I'm not reading the OPs problem properly.
Recent_Carpenter8644@reddit (OP)
Yep.
Pale-Muscle-7118@reddit
Why not just blacklist the MAC address?
catherder9000@reddit
If it's not a random generated MAC, you can look up the vendor.
https://maclookup.app/
TheLastPioneer@reddit
If your DHCP or wifi logs go back far enough look for the device name from when it actually connected and worked. You may find its got a unique name (like Glen's iPhone) that you can use to figure out who it might be.
Oh and slap the user for putting their username into someone else's phone. it's very very easy to extract those details and then use them.
Recent_Carpenter8644@reddit (OP)
Only a week, unfortunately. Good chance it's just called iPhone anyway.
I think back when this happened, we were in the turmoil of a combination of a company merger, domain migrations, and pandemic lockdowns, and only some users had wifi access, so they improvised.
It astounds me that you can just look in the wifi settings and see the username and password, at least on an iPhone. Whose idea was that?
CriticalMine7886@reddit
Android as well
IsaJustaGuy@reddit
If you've a MAC address, you might be able to narrow it down to the manufacturer of the phone to eliminate a bunch of ones it won't be.
So you might be able to say "OK, iPhone" and all the Android phones are off the suspect list. (Well, sure....spoofing...but it sounds like the person with the device isn't that clued in.)
Though I think as others have said...block it/lock it and see who complains. If it is a phone, they may not, since they probably will end up using cellular data instead of wifi and not know it.
Hoosier_Farmer_@reddit
not gonna work if the phone has 'randomized mac addresses' setting enabled - but if it's static, you should be able to add a wireless filter to block it from connecting before it even tries to authenticate.
that or ask the office to update their phones wifi settings
demonseed-elite@reddit
Yeah, phones are the worst. Recently had the same scenerio with iPhones hammering away bad credentials every 3 seconds and just would not stop until the account got locked.
I hate how dumbed down phones are to not even prompt when a stored credential no longer works.
BoltActionRifleman@reddit
We’ve had this happen with the iOS mail app and mobile Outlook. Why it doesn’t pop up asking to update credentials on some devices is beyond me.
CommutedSentence@reddit
iOS Mail won't even let you re-enter credentials anymore, if you change your password you need to remove your account in the phone's Settings and re-add it. It's about as far from user-friendly as can be.
BoltActionRifleman@reddit
That’s horrible, I quit using iOS mail years ago because it was so sluggish.
Recent_Carpenter8644@reddit (OP)
Yes, and it appears they'll keep trying for years.
scizzat@reddit
If you’re using Splunk, you should be able to search the network logs for the lockout and possibly see where the lockouts are coming from (if you have that being fed to Splunk). Had this happen years ago and was able to pinpoint down to the particular access point the attempts were coming from which made it easier to find out what device was locking the account. If you don’t have Splunk, network logs should be able to help just as well.
AlmosNotquite@reddit
Yes if you block it they will scream and problem is solved. They don't complian now be cause they are just putting in their information and getting in thinking they typed it wrong the first time.
narcissisadmin@reddit
I have my phone set to use a different MAC every time it connects to wifi, I'm not the only one.
Check if the MAC matches the user's device, it's probably something on their phone.
Lynch_67816653@reddit
The device is already not able to connect to the WiFi. Just block the Mac address so that it stops trying to login with an expired account.
Probably no one will notice and you will never know which device it was, but I think you can live with that.
nailzy@reddit
Most phones have rotating macs for wifi, it’s on by default in iOS and Android now.
Lynch_67816653@reddit
This is a common misconception: they will use the same random Mac adress on each Network.
PurpleFlerpy@reddit
Check the OUI in the MAC to find manufacturer, that will help determine what it is. Sometimes.
Surprised nobody else has mentioned it yet.
BigBobFro@reddit
Check the connection logs of the wifi access points,.. that will give you some idea of where, especially if in a satellite office.
The first 6 chrs of a MAC are mfg specific. That may narrow it down, however many phones now a days rotate their MACs to be different every time (nightmare for admins)
Jazzlike_Pride3099@reddit
Got a security department? Bounce it to them as an attempt to get access to another users account...
Otherwise keep track of when the first attempt is for a few days and then check entry logs who got to work at that times
nico282@reddit
Can't you locate the user's access point from the wifi management system? You can also look for the start/end of the device tentative logins and check with the time people entered the building.
Cormacolinde@reddit
More complex than just “find the device”, but I strongly suggest you disable PEAP/MS-CHAPv2 on your WiFi and switch all clients to EAP-TLS.
Outside-After@reddit
This is why I use Clearpass for RADIUS.
YourMotherIsNaughty@reddit
This might be same person, credentials stored on his private or company phone.
nailzy@reddit
OP has said it’s coming from a different office from where the user is based.
Skexie@reddit
Are you certain it's a phone? You could try to check your CMDB/"asset inventory" Excel spreadsheet to see if the device is known. Maybe there's a loaner laptop or shared workspace that the user sat in 8 months ago and never logged out?
Also, are you sure it's trying to connect to WiFi? If so, do you have multiple APs? If you could isolate to a single AP, that would at least get you in a specific area and maybe floor of the office instead of the whole building.
Also, regarding DNS. Make sure you're looking at the reverse as well.
If you have the MAC, there are online lookup tools that can team you device manufacturer which could narrow your search a bit as well. The first 6 characters of all MAC addresses are assigned to a manufacturer and can't be reused by anyone else... Unless it IS a mobile with randomized MAC enabled. :/
Lots of potential options here. I wish you luck on your quest, Detective!
Puffypenwon@reddit
Had this issue before. Do you have multiple aps set up. You can try to locate it down to a room based on which ap the Mac connects to