About 50 Pending macs for one host? Beware of Windows 10 random MAC feature for WLAN!

x23piracy

@Tom-Elliott when i look at the macs in my screenshot they look all totally different? What could cause this? Afaik the mac filter list is for example for vm ware nic macs but this looks like that this macs are from different devices.

I cannot explain my self what happens on this computers to cause this lot of pending macs.

x23piracy

Here is a complete list of the local network devices of it 4314:

Windows-IP-Konfiguration

   Hostname  . . . . . . . . . . . . : it4314
   Primäres DNS-Suffix . . . . . . . : haan.local
   Knotentyp . . . . . . . . . . . . : Hybrid
   IP-Routing aktiviert  . . . . . . : Nein
   WINS-Proxy aktiviert  . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : haan.local
                                       carbolite.local

Ethernet-Adapter Ethernet:

   Verbindungsspezifisches DNS-Suffix: haan.local
   Beschreibung. . . . . . . . . . . : Intel(R) Ethernet Connection I219-LM
   Physische Adresse . . . . . . . . : 40-B0-34-11-A6-D2
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse  . : fe80::6844:9327:ec81:4731%11(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 172.19.101.150(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.252.0
   Lease erhalten. . . . . . . . . . : Donnerstag, 1. Juni 2017 11:01:07
   Lease läuft ab. . . . . . . . . . : Samstag, 3. Juni 2017 07:52:26
   Standardgateway . . . . . . . . . : 172.19.100.1
   DHCP-Server . . . . . . . . . . . : 172.19.100.9
   DHCPv6-IAID . . . . . . . . . . . : 54571060
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-20-3C-5E-9A-40-B0-34-11-A6-D2
   DNS-Server  . . . . . . . . . . . : 172.19.100.9
                                       172.19.100.10
   NetBIOS über TCP/IP . . . . . . . : Aktiviert

Drahtlos-LAN-Adapter LAN-Verbindung* 2:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
   Physische Adresse . . . . . . . . : F4-8C-50-49-D1-AE
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Ethernet-Adapter Bluetooth-Netzwerkverbindung:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Bluetooth Device (Personal Area Network)
   Physische Adresse . . . . . . . . : F4-8C-50-49-D1-B1
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

Drahtlos-LAN-Adapter WLAN:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix: haan.local
   Beschreibung. . . . . . . . . . . : Intel(R) Dual Band Wireless-AC 8260
   Physische Adresse . . . . . . . . : F2-6F-77-13-41-73
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja

I really don’t understand why i get so much pending macs for this host

Tom Elliott

You need to find out what “other” mac’s are registering to compare those system’s macs to the mac on this particular system. I can’t tell you that. I don’t know what macs are in common, only you can do that.

Tom Elliott

@x23piracy said in About 50 Pending macs for one host?:

F4-8C-50-49-D1-AE

If I had to guess, the information above is likely the culprit?

george1421

@Tom-Elliott I’m kind of scratching my head on this one.

Is this a database anomaly or does this device have an adapter with a dynamic mac address (I have seen them)?

From a FOG perspective where do these pending macs come from, only from FOS inventory or will the FOG client do this too?

If its only FOS inventory and this is not a database anomaly (table joins creating multiple entries) then we need to focus on this hardware.

@x23piracy Can you tell us, are the systems that are duplicating these pending macs, are they the same type of hardware?

x23piracy

@george1421 i only have this one system throwing such mass of macs, no other system is doing this.
I could not talk to the user yet, but i cannot identify anything on that system whats causing that mac flood.

Tom Elliott

@x23piracy It’s not on THAT host. It’s from a common mac from other systems that are sending a MAC that IS on that host.

x23piracy

@Tom-Elliott but how could this be possible? let me check which macs fog has registered for it 4313

omg it seems that i already approved some of the wrong macs, the list continues…

This are the macs from a local ipconfig /all from the machine:
LAN: 40-B0-34-11-A6-D2
BT: F4-8C-50-49-D1-B1
WLAN: F2-6F-77-13-41-73
WLAN2: F4-8C-50-49-D1-AE

Tom Elliott

@x23piracy IT HAS NOTHING TO DO WITH it4313

It has to do when a mac address that IS registered to it4313, but being presented from the other systems.

Tom Elliott

@Tom-Elliott said in About 50 Pending macs for one host?:

F4-8C-50-49-D1-AE

I suspect F4-8C-50-49-D1-AE is the culprit because it appears to be a “Virtual” adapter.

x23piracy

@Tom-Elliott ok so you would recommend to filter this mac out?

Tom Elliott

@x23piracy I’m giving what I know. I don’t know if that IS the mac that’s causing the problems. You need to compare one of the systems that the associated macs as well as the it4313 device.

Wayne Workman

@x23piracy This query will identify which MAC it is:
SELECT hmMAC, count(*) FROM hostMAC GROUP BY hmMAC HAVING COUNT(*) > 1;

x23piracy

@Wayne-Workman

mysql> use fog
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> SELECT hmMAC, count() FROM hostMAC GROUP BY hmMAC HAVING COUNT() > 1;
Empty set (0.00 sec)

Hmm? May i did something wrong?

Tom Elliott

That SQL Statement will only find mac’s that are registered to multiple hosts. (Meaning there’s duplicate mac’s in the table.) This is not the case. As I’ve stated multiple times now, the problem is One of the MAC’s that is registered to the it4314 MAC already (not in pending) is in common with the other devices, causing those other devices to try to register their own pending macs AS it4313.

This is why we need two systems (at least). We need it4313 and its ipconfig /all, and the other system (based on MAC) and its ipconfig /all.

This is the only way we’re going to find what’s going on.

x23piracy

@Tom-Elliott from it4314 (it’s not it4313) my mistake and all adapted it i already posted it’s ifconfig, the other system, could this be potentionally every system in our network or only the ones having fog client running? afaik the client must be registered to send pending macs to fog right? If yes i have always approved pending macs so this system must be known by fog allready? If all this gets a yes why will wayne’s query not work?

I have PDQ Inventory running so i can get a list of all macs easily.

Regards X23

Tom Elliott

@x23piracy Wayne’s query is looking for a Single mac be reported multiple times. This isn’t the problem you’re facing. The problem is a single mac, that’s associated to It4314 (sorry) is registered ONLY to 4314, and being used to check in. FOG is seeing it AS it4314 and registering the pending mac’s under that host.

In essence, Wayne’s query is looking for something like:

hmMAC                                    hmHostID
--------------                           --------------
00:01:02:03:04:05                        1
00:01:02:03:04:05                        3

x23piracy

@Tom-Elliott @Wayne-Workman @george1421 here come my dublettes, i ran a report from pdq inventory for all macs from all systems and broke it down to dublettes and sorted em, here is the list (argh):

IT3394	00:11:6B:66:3C:89
IT3755	00:11:6B:66:3C:89
IT2658	00:50:56:C0:00:01
IT3256	00:50:56:C0:00:01
IT3905	00:50:56:C0:00:01
IT4004	00:50:56:C0:00:01
IT4027	00:50:56:C0:00:01
IT4092	00:50:56:C0:00:01
IT2658	00:50:56:C0:00:08
IT3256	00:50:56:C0:00:08
IT3905	00:50:56:C0:00:08
IT4004	00:50:56:C0:00:08
IT4027	00:50:56:C0:00:08
IT4092	00:50:56:C0:00:08
IT2980	02:80:37:EC:02:00
IT3210	02:80:37:EC:02:00
IT3271	02:80:37:EC:02:00
IT3286	02:80:37:EC:02:00
IT3394	02:80:37:EC:02:00
IT3445	02:80:37:EC:02:00
IT3456	02:80:37:EC:02:00
IT3460	02:80:37:EC:02:00
IT3503	02:80:37:EC:02:00
IT3514	02:80:37:EC:02:00
IT3540	02:80:37:EC:02:00
IT3776	02:80:37:EC:02:00
IT3832	02:80:37:EC:02:00
IT3299	0A:00:27:00:00:00
IT3909	0A:00:27:00:00:00
IT2740	18:A9:05:C4:D4:30
IT3254	18:A9:05:C4:D4:30
IT3811	34:64:A9:15:C9:E6
IT3944	34:64:A9:15:C9:E6
IT3524	AA:F3:20:52:41:53
it4244	AA:F3:20:52:41:53

What should or what can i do now? Damn there is no it4314 in the list.

Regards X23

Wayne Workman

@x23piracy The good news is I only see 7 unique MACs in that list. Add those to the mac filter in the web interface.

Also, how did you even get into this situation? Did you get some new devices recently? Image some new stuff? Create a new image in a VM? What caused this?

george1421

@x23piracy Tom and I were chatting last week, and it was his impression that your issue may be related to a mac address for a virtual adapter like a microsoft virtual adapter.

I think that your pdq inventory query only returns mac addresses for physical adapters (??). In that case these virtual ones would not be found. According to Tom the pending mac addresses come from the FOG client sending all discovered mac addresses to the FOG server.

(this following is my personal opinion/) I feel its a flaw in the FOG client, in that it should ONLY send physical mac addresses and leave the virtual ones alone. Because its possible for usb/bluetooth/vpn/etc adapters to have soft mac addresses that could be generated each time a device is plugged in. (/my personal option)

Its also possible if you don’t sysprep the golden image that these duplicate mac address are coming from and the same as the mac addressed defined in the golden image.

Now that you might have a list of 7 or 8 from your initial query. Go to a number of them and dump the output of ipconfig /all > %hostname%_mac.txt (warning I did not test that command so user beware). compare these 7 or so systems to see if any mac address is consistent. If that is the case then that mac address is your filter address for FOG (at least from what I understand chatting with Tom).