
Common Wireless Event Log Messages

When monitoring your wireless environment, the event log (in the Dashboard at Monitor > Event log) can be an invaluable tool in gaining additional visibility into current activity. A list of the common wireless event log messages along with their origin and their potential causes can help to bring a better understanding of the wireless environment.

802.11 event log messages

The 802.11 event log messages are derived from codes specified in the 802.11 wireless standard from the Institute of Electrical and Electronics Engineers (IEEE). The full list of specified 802.11 reason codes can be found in section 8.4.1.7 here.

  • 802.11 association - Denotes the joining of a client to an AP on a specified channel with the current received signal strength indication (RSSI).

Example:

May 26 14:45:21 00:18:0a:00:00:01 101 IPAD2 802.11 association channel: 36, rssi: 45

Below is an example of the association process as specified by the 802.11 standard:

[Figure: 802.11 association process]

  • 802.11 disassociation: previous authentication expired - A client that is attempting to join the service set identifier (SSID) is incorrectly entering the pre-shared key (PSK), or a client left the BSSID without sending a deauthentication frame (this could be from a client shutting down or leaving the AP).
  • 802.11 disassociation: client has left AP - A client informed the AP that it should no longer keep the client in its association table. You may see this if the client has potentially gone into a hibernate state, a powered down state, or the client may have chosen to roam to another AP.

Example:

May 26 14:51:35 00:18:0a:00:00:01 101 IPAD2 802.11 disassociation client has left AP

  • 802.11 disassociation: unknown reason - A client is no longer communicating with the AP, yet failed to notify the AP that it should be dropped from the association table. This problem is typically associated with wireless interference, but can be caused by any issue that would cause a client to suddenly stop being heard by an AP.

WPA event log messages

  • WPA authentication - Denotes that the client has successfully entered the pre-shared key (PSK) for the associated SSID.

Example:

May 26 14:54:16 00:18:0a:00:00:01 101 IPAD2 WPA authentication

 

  • WPA deauthentication - Signifies that the secure session between the client (known by association ID, or AID) and the virtual access point (VAP, aka SSID) on the listed radio number has ended.

Example:

May 26 14:51:35 00:18:0a:00:00:01 101 IPAD2 WPA deauthentication vap: 0, radio: 1, aid: 1844047018

802.1X/RADIUS event log messages

  • SSIDs that use WPA2-Enterprise for authenticating splash pages will have related 802.1X and RADIUS messages in the event log.
  • You may occasionally see 802.1X re-authentication messages at periodic intervals, which are explained here.

 

Example of a successful 802.1X sequence in the event logs (using Meraki-hosted RADIUS):

May 26 15:30:30 00:18:0a:00:00:01 101 IPAD2 802.1X authentication identity: caleb@meraki.com, vap: 0, radio: 1
May 26 15:30:30 00:18:0a:00:00:01 101 IPAD2 802.1X EAP success identity: caleb@meraki.com, vap: 0, radio: 1
May 26 15:30:30 00:18:0a:00:00:01 101 IPAD2 RADIUS response group: , vlan: 0, vap: 0
May 26 15:30:27 00:18:0a:00:00:01 101 IPAD2 802.11 association channel: 36, rssi: 53

 

Example of a failed (due to incorrect password) 802.1X sequence in the event logs (using Meraki-hosted RADIUS):

May 26 15:29:34 00:18:0a:00:00:01 101 IPAD2 802.11 disassociation client has left AP
May 26 15:29:34 00:18:0a:00:00:01 101 IPAD2 802.1X deauthentication identity: caleb@meraki.com, vap: 0, radio: 1
May 26 15:29:34 00:18:0a:00:00:01 101 IPAD2 802.1X EAP failure identity: caleb@meraki.com, vap: 0, radio: 1
May 26 15:29:30 00:18:0a:00:00:01 101 IPAD2 802.1X deauthentication identity: caleb@meraki.com, vap: 0, radio: 1
May 26 15:29:30 00:18:0a:00:00:01 101 IPAD2 802.11 association channel: 36, rssi: 46
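
An added example (not Meraki's code) that parses the two 802.1X sequences above and summarizes EAP outcomes per client and identity, so repeated failures stand out. The column names `ssid` and `client` and the `year` parameter are assumptions: the page does not label the columns, and the log lines carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed column layout (not stated on the page): time, AP MAC, SSID, client, event.
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<ap>[0-9a-f:]{17}) "
                  r"(?P<ssid>\S+) (?P<client>\S+) (?P<rest>.+)$")
# The event name runs up to the first "key:" token; what follows is "key: value" pairs.
REST = re.compile(r"^(?P<event>.*?)(?:\s+(?P<details>\w+:.*))?$")

def parse(line, year=2017):
    """Return one client event as a dict, or None if the line has another layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    r = REST.match(m["rest"])
    return {
        "ap": m["ap"], "ssid": m["ssid"], "client": m["client"],
        # The log omits the year; `year` is an arbitrary value from the caller.
        "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "event": r["event"],
        "details": dict(re.findall(r"(\w+): ?([^,]*)", r["details"] or "")),
    }

def eap_outcomes(lines):
    """Per (client, identity): EAP success/failure counts and the latest outcome."""
    out = defaultdict(lambda: {"success": 0, "failure": 0, "last": None})
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["time"])
    for ev in events:  # oldest first, whatever order the export used
        if ev["event"] in ("802.1X EAP success", "802.1X EAP failure"):
            outcome = ev["event"].rsplit(" ", 1)[1]
            key = (ev["client"], ev["details"].get("identity", "?"))
            out[key][outcome] += 1
            out[key]["last"] = outcome
    return dict(out)

# The two 802.1X sequences from the page, newest entry first as shown there.
SAMPLE = """\
May 26 15:30:30 00:18:0a:00:00:01 101 IPAD2 802.1X authentication identity: caleb@meraki.com, vap: 0, radio: 1
May 26 15:30:30 00:18:0a:00:00:01 101 IPAD2 802.1X EAP success identity: caleb@meraki.com, vap: 0, radio: 1
May 26 15:30:30 00:18:0a:00:00:01 101 IPAD2 RADIUS response group: , vlan: 0, vap: 0
May 26 15:30:27 00:18:0a:00:00:01 101 IPAD2 802.11 association channel: 36, rssi: 53
May 26 15:29:34 00:18:0a:00:00:01 101 IPAD2 802.11 disassociation client has left AP
May 26 15:29:34 00:18:0a:00:00:01 101 IPAD2 802.1X deauthentication identity: caleb@meraki.com, vap: 0, radio: 1
May 26 15:29:34 00:18:0a:00:00:01 101 IPAD2 802.1X EAP failure identity: caleb@meraki.com, vap: 0, radio: 1
May 26 15:29:30 00:18:0a:00:00:01 101 IPAD2 802.1X deauthentication identity: caleb@meraki.com, vap: 0, radio: 1
May 26 15:29:30 00:18:0a:00:00:01 101 IPAD2 802.11 association channel: 36, rssi: 46
""".splitlines()
print(eap_outcomes(SAMPLE))
```

An identity whose `last` outcome stays at `failure`, or whose failure count keeps climbing, is the one to look at first.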

 

Below is an example of the 802.1X authentication process as specified by the 802.11 standard (Supplicant = client, Authenticator = AP, AS = RADIUS server):

[Figure: 802.1X authentication process]

Air Marshal event log messages

  • The Air Marshal capabilities of Meraki APs can provide detection and classification of potential attacks in the wireless environment.
  • The frequency of the messages and the associated MAC address(es) can help with diagnosis. More information on the Air Marshal product can be found here.
  • Single or multiple device packet flood - Denotes that an AP has detected that single or multiple client(s) have attempted to flood the wireless environment with a type of packet. These messages can indicate a malicious attack or temporary, client-based misbehavior.

Examples:

May 26 16:21:54 00:18:0a:00:00:01 Single device packet flood alarm_id: 3402, radio: 1, reason: left_channel
May 26 16:16:09 00:18:0a:00:00:01 Single device packet flood alarm_id: 1514, radio: 1, reason: timer_expired
May 26 16:16:09 00:18:0a:00:00:01 Single device packet flood alarm_id: 1515, radio: 1, reason: timer_expired
May 26 16:15:13 00:18:0a:00:00:01 Single device packet flood inter_arrival: 10000, device: 84:3A:4B:00:00:01, alarm_id: 1515
May 26 16:13:40 00:18:0a:00:00:01 Single device packet flood inter_arrival: 10000, device: 84:3A:4B:00:00:01, alarm_id: 1514
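
An added example (not Meraki's code) that pairs the packet flood lines above by `alarm_id` to recover each alarm's device, duration and end reason, and counts alarms per MAC address. Treating a line with `device` as the start of an alarm and a line with `reason` as its end is an assumption drawn from the sample, as is the `year` parameter.

```python
import re
from collections import Counter
from datetime import datetime

# Air Marshal lines have no SSID/client columns: time, AP MAC, event, details.
# The page shows only "Single ..."; other first words are assumed to fit the pattern.
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<ap>[0-9a-f:]{17}) "
                  r"\w+ device packet flood (?P<details>.+)$")

def correlate_floods(lines, year=2017):
    """Merge flood lines that share an alarm_id into one record per alarm."""
    alarms = {}
    for line in lines:
        m = LINE.match(line.strip())
        d = dict(re.findall(r"(\w+): ?([^,]*)", m["details"])) if m else {}
        if "alarm_id" not in d:
            continue
        # The log omits the year; `year` is an arbitrary value from the caller.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        a = alarms.setdefault(d["alarm_id"], dict.fromkeys(
            ("device", "start", "end", "seconds", "reason")))
        if "device" in d:    # assumption: a line naming a device opens the alarm
            a["device"], a["start"] = d["device"], when
        elif "reason" in d:  # assumption: a line giving a reason closes it
            a["end"], a["reason"] = when, d["reason"]
        if a["start"] and a["end"]:
            a["seconds"] = int((a["end"] - a["start"]).total_seconds())
    return alarms

def alarms_per_device(alarms):
    """Count alarms per offending MAC; alarms with no opening line are skipped."""
    return dict(Counter(a["device"] for a in alarms.values() if a["device"]))

# The five example lines from the page, newest entry first as shown there.
SAMPLE = """\
May 26 16:21:54 00:18:0a:00:00:01 Single device packet flood alarm_id: 3402, radio: 1, reason: left_channel
May 26 16:16:09 00:18:0a:00:00:01 Single device packet flood alarm_id: 1514, radio: 1, reason: timer_expired
May 26 16:16:09 00:18:0a:00:00:01 Single device packet flood alarm_id: 1515, radio: 1, reason: timer_expired
May 26 16:15:13 00:18:0a:00:00:01 Single device packet flood inter_arrival: 10000, device: 84:3A:4B:00:00:01, alarm_id: 1515
May 26 16:13:40 00:18:0a:00:00:01 Single device packet flood inter_arrival: 10000, device: 84:3A:4B:00:00:01, alarm_id: 1514
""".splitlines()

ALARMS = correlate_floods(SAMPLE)
print(alarms_per_device(ALARMS))
print({k: (v["seconds"], v["reason"]) for k, v in ALARMS.items()})
```

An alarm such as 3402, which has an end line but no start line in the window, keeps `device` and `seconds` as `None` rather than being dropped.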

 

  • Channel scan - When APs are not serving clients, they can scan channels on which they were previously serving clients to identify attacks.

Example:

May 26 13:52:03 00:18:0a:00:00:01 Channel scan channel: 36, clients: 0, active: 0

Last modified 17:25, 12 Sep 2017
