I'm facing a frustrating issue where a user keeps getting their account locked out, and after some digging, we've traced it back to a device in another office trying to connect to our Wi-Fi with RADIUS authentication. I suspect that a long time ago, they might have shared their credentials with someone for their phone. Now, after several password changes, the original user's account gets locked due to failed login attempts.
The security logs (Event 4625s) don't show us the workstation name, leading us to think it's a mobile device. All we have from the RADIUS logs is a MAC address. Is our only option to ask everyone in that office to look up their phone's MAC address?
4 Answers
I had a similar scenario before. If you have multiple access points (APs) set up, try to trace back to which AP the MAC address connected to. This could help narrow it down to a specific area or room.
Keep in mind if the phone has 'randomized MAC addresses' enabled, it won’t work to block it that way. If it has a static MAC, you could add a filter to prevent it from connecting before any authentication even happens. Alternatively, you could ask everyone to check their phone's settings to disable that feature.
Randomized MAC addresses complicate things, but they usually get randomized for each SSID. You could check your DHCP or DNS servers for that MAC address; sometimes, the device might register with a name, like "John's iPhone" if it’s actually connected.
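Added example, not from any poster in this thread: a short Python script that takes RADIUS Access-Reject lines for the locked-out user, groups them by calling MAC and by the access point (NAS-Identifier) that reported them, and flags MACs with the locally administered bit set, which is how randomized per-SSID addresses present. The log lines and their key="value" layout are constructed; the parser would need adapting to a real RADIUS server's output format.

```python
import re
from collections import defaultdict

# Constructed sample log (not from a real NAS). Attribute names are standard RADIUS
# ones; the surrounding line layout is made up for this example.
SAMPLE_LOG = """\
2024-05-02 08:00:01 Access-Reject User-Name="jdoe" Calling-Station-Id="a2-11-22-33-44-55" Called-Station-Id="00-1a-2b-3c-4d-01:CORP" NAS-Identifier="ap-2f-east"
2024-05-02 08:00:31 Access-Reject User-Name="jdoe" Calling-Station-Id="a2-11-22-33-44-55" Called-Station-Id="00-1a-2b-3c-4d-01:CORP" NAS-Identifier="ap-2f-east"
2024-05-02 08:01:02 Access-Reject User-Name="jdoe" Calling-Station-Id="a2-11-22-33-44-55" Called-Station-Id="00-1a-2b-3c-4d-02:CORP" NAS-Identifier="ap-2f-west"
2024-05-02 08:01:15 Access-Accept User-Name="asmith" Calling-Station-Id="3c-22-fb-aa-bb-cc" Called-Station-Id="00-1a-2b-3c-4d-01:CORP" NAS-Identifier="ap-2f-east"
2024-05-02 08:02:40 Access-Reject User-Name="jdoe" Calling-Station-Id="3c-22-fb-dd-ee-ff" Called-Station-Id="00-1a-2b-3c-4d-09:CORP" NAS-Identifier="ap-1f-lobby"
"""

ATTR_RE = re.compile(r'(\S+)="([^"]*)"')

def parse_line(line):
    """Split 'date time result attr="v" ...' into a dict; None if the line is too short."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    return {"time": f"{parts[0]} {parts[1]}", "result": parts[2], **dict(ATTR_RE.findall(parts[3]))}

def normalize_mac(mac):
    """Accept aa-bb-cc-dd-ee-ff, aa:bb:..., aabb.ccdd.eeff etc.; return aa:bb:cc:dd:ee:ff or None."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)) if len(digits) == 12 else None

def is_locally_administered(mac):
    """Randomized (private) MACs set bit 1 of the first octet (second hex digit 2, 6, a or e)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def summarize_rejects(log_text, user):
    """Per rejecting MAC for `user`: reject count, per-AP counts, first/last time, randomized flag."""
    summary = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["result"] != "Access-Reject" or rec.get("User-Name") != user:
            continue
        mac = normalize_mac(rec.get("Calling-Station-Id", ""))
        if mac is None:
            continue
        entry = summary.setdefault(mac, {"count": 0, "aps": defaultdict(int), "first": rec["time"],
                                         "last": rec["time"], "randomized": is_locally_administered(mac)})
        entry["count"] += 1
        entry["aps"][rec.get("NAS-Identifier", "unknown")] += 1
        entry["last"] = rec["time"]
    return summary

if __name__ == "__main__":
    for mac, e in summarize_rejects(SAMPLE_LOG, "jdoe").items():
        print(mac, "randomized" if e["randomized"] else "burned-in", e["count"], dict(e["aps"]), e["first"], e["last"])
```

A MAC that is flagged as randomized and seen on only one AP still narrows the search to that AP's coverage area, which is the approach the answer above suggests.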
I checked there, but it’s not showing up. I don't think it’s getting an IP address at all, so that might rule it out. I can see all our company devices in Intune, and it’s not in the list, which probably means it’s a personal device.
One solution could be to blacklist the MAC address in your 802.1X system. Usually, if the device gets blocked, you'll eventually get someone contacting you in a couple of weeks about their phone not connecting to the Wi-Fi anymore. That'll help you identify the user and solve the issue.
That’s our plan as well if we can’t track it down. But honestly, if the device isn’t connecting due to using an old password, the owner probably won't even notice it’s blocked for a while.
Exactly! If it was causing real issues, I think the original poster would have mentioned a ton of complaints already.
Totally agree! Phones can be really tricky. I dealt with iPhones doing the same thing, constantly sending incorrect credentials every few seconds until the account got locked out. It’s frustrating how they don’t alert users when stored credentials fail.