About 50 Pending macs for one host? Beware of Windows 10 random MAC feature for WLAN!

x23piracy

1.4.0

Hi, today i mentioned the following, the list is much longer its only a part:

What happened here?
This host it4314 never has such much macs.

Regards X23

Tom Elliott

@x23piracy Windows 10 has this feature to “randomize” mac’s to help prevent hijacking of your ip’s. Maybe this is enabled on this machine?

Tom Elliott

If one of the already additional MAC’s on it4314 does match a mac on the other systems (think tunnel adapters, vpn adapters, virtual machine adapters) that is common with all systems, and it4314 has that mac associated to it, this can happen.

x23piracy

@Tom-Elliott howto deal with it? I would not approve those macs.

Tom Elliott

@x23piracy well pending mac’s can be deleted. But I would recommend finding the common MAC and putting that mac into the mac filter list.

x23piracy

@Tom-Elliott what do you mean with common MAC? lan, wlan, bt, vpn adapter? What about the mac filter list idk it.
Could you please give me more advises?

I deleted all the pendings for 4314 but they are coming back… what a wonder

Regards X23

Tom Elliott

@x23piracy I don’t know what mac is the one it’s finding in common with all of your systems.

The Filter list is located under FOG Configuration Page->FOG Settings->FOG Client - Host Register->FOG_QUICKREG_PENDING_MAC_FILTER

x23piracy

@Tom-Elliott when i look at the macs in my screenshot they look all totally different? What could cause this? Afaik the mac filter list is for example for vm ware nic macs but this looks like that this macs are from different devices.

I cannot explain my self what happens on this computers to cause this lot of pending macs.

x23piracy

Here is a complete list of the local network devices of it 4314:

Windows-IP-Konfiguration

   Hostname  . . . . . . . . . . . . : it4314
   Primäres DNS-Suffix . . . . . . . : haan.local
   Knotentyp . . . . . . . . . . . . : Hybrid
   IP-Routing aktiviert  . . . . . . : Nein
   WINS-Proxy aktiviert  . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : haan.local
                                       carbolite.local

Ethernet-Adapter Ethernet:

   Verbindungsspezifisches DNS-Suffix: haan.local
   Beschreibung. . . . . . . . . . . : Intel(R) Ethernet Connection I219-LM
   Physische Adresse . . . . . . . . : 40-B0-34-11-A6-D2
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse  . : fe80::6844:9327:ec81:4731%11(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 172.19.101.150(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.252.0
   Lease erhalten. . . . . . . . . . : Donnerstag, 1. Juni 2017 11:01:07
   Lease läuft ab. . . . . . . . . . : Samstag, 3. Juni 2017 07:52:26
   Standardgateway . . . . . . . . . : 172.19.100.1
   DHCP-Server . . . . . . . . . . . : 172.19.100.9
   DHCPv6-IAID . . . . . . . . . . . : 54571060
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-20-3C-5E-9A-40-B0-34-11-A6-D2
   DNS-Server  . . . . . . . . . . . : 172.19.100.9
                                       172.19.100.10
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Drahtlos-LAN-Adapter LAN-Verbindung* 2:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physische Adresse . . . . . . . . : F4-8C-50-49-D1-AE
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Ethernet-Adapter Bluetooth-Netzwerkverbindung:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physische Adresse . . . . . . . . : F4-8C-50-49-D1-B1
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Drahtlos-LAN-Adapter WLAN:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix: haan.local
   Beschreibung. . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260
   Physische Adresse . . . . . . . . : F2-6F-77-13-41-73
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

I really don’t understand why i get so much pending macs for this host

Tom Elliott

You need to find out what “other” mac’s are registering to compare those system’s macs to the mac on this particular system. I can’t tell you that. I don’t know what macs are in common, only you can do that.

Tom Elliott

@x23piracy said in About 50 Pending macs for one host?:

F4-8C-50-49-D1-AE

If I had to guess, the information above is likely the culprit?

george1421

@Tom-Elliott I’m kind of scratching my head on this one.

Is this a database anomaly or does this device have an adapter with a dynamic mac address (I have seen them)?

From a FOG perspective where do these pending macs come from, only from FOS inventory or will the FOG client do this too?

If its only FOS inventory and this is not a database anomaly (table joins creating multiple entries) then we need to focus on this hardware.

@x23piracy Can you tell us, are the systems that are duplicating these pending macs, are they the same type of hardware?

x23piracy

@george1421 i only have this one system throwing such mass of macs, no other system is doing this.
I could not talk to the user yet, but i cannot identify anything on that system whats causing that mac flood.

Tom Elliott

@x23piracy It’s not on THAT host. It’s from a common mac from other systems that are sending a MAC that IS on that host.

x23piracy

@Tom-Elliott but how could this be possible? let me check which macs fog has registered for it 4313

omg it seems that i already approved some of the wrong macs, the list continues…

This are the macs from a local ipconfig /all from the machine:
LAN: 40-B0-34-11-A6-D2
BT: F4-8C-50-49-D1-B1
WLAN: F2-6F-77-13-41-73
WLAN2: F4-8C-50-49-D1-AE

Tom Elliott

@x23piracy IT HAS NOTHING TO DO WITH it4313

It has to do when a mac address that IS registered to it4313, but being presented from the other systems.

Tom Elliott

@Tom-Elliott said in About 50 Pending macs for one host?:

F4-8C-50-49-D1-AE

I suspect F4-8C-50-49-D1-AE is the culprit because it appears to be a “Virtual” adapter.

x23piracy

@Tom-Elliott ok so you would recommend to filter this mac out?

Tom Elliott

@x23piracy I’m giving what I know. I don’t know if that IS the mac that’s causing the problems. You need to compare one of the systems that the associated macs as well as the it4313 device.

Wayne Workman

@x23piracy This query will identify which MAC it is:
SELECT hmMAC, count(*) FROM hostMAC GROUP BY hmMAC HAVING COUNT(*) > 1;

x23piracy

@Wayne-Workman

mysql> use fog
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT hmMAC, count() FROM hostMAC GROUP BY hmMAC HAVING COUNT() > 1;
Empty set (0.00 sec)

Hmm? May i did something wrong?