CLEANACCESS Archives

February 2009

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Alok Agrawal (alagrawa)" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Fri, 13 Feb 2009 18:42:11 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (112 lines)

Hey Chris,
We're taking a look at this. Please can you unicast me the TAC case
number and we'll track it.

Thanks
-Alok

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Chris Healey
Sent: Friday, February 13, 2009 11:51 AM
To: [log in to unmask]
Subject: HELP! - MAC Agent causes Denial of Service-like attack on my DHCP server

Hello all; I wish I could be brief but I need to be detailed . . . sorry!

Summary bullets:
- DHCP renew requests about 4 times a minute from MACs
- New/Clean MacBook Pro w/ Mac CCA agent 4.1.3.1 moved from AP to AP
- iPhone to the Wi-Fi makes the MacBook switch to another AP
- Also would happen as the MacBook would sit on my desk
- Conclusion: MAC CCA Agent performs a DHCP renew when changing APs
- DHCP lease time changed from 8 Hrs to 3 Days - no effect
- MAC CCA 4.5.0.0 and it has helped but will still perform renews just sitting on my desk.


Detailed explanation / request:
I need help: we noticed a couple of weeks ago that we are getting
SLAMMED with DHCP renew requests. After a couple of days thinking it was
a D.O.S. attack/virus we noticed that it was centered mostly on our
Macintosh users. I took one of my server's logs and ran it through MS
Access and did a count based on MAC addresses and the top ones had
hostnames that said Macintosh something or another in them. My logs
reach a 10Mb stop limit around about 1:00pm - so in that 13 hr time one
student was performing a DHCP renew request about 4 times a minute.

Using a new, clean MacBook Pro with the Mac CCA agent 4.1.3.1 we noticed
that as we walked around the building and moved from AP to AP (Cisco
LWAPs w/ WiSM controllers) the DHCP server would log a renew entry. We
also noticed this when a co-worker connected their iPhone to the Wi-Fi
that the MacBook would switch to another AP - we assume for load
balancing etc. Turning on the MacBook's console we would see the refresh
DHCP lease request logged locally too.

Up to this point we were not sure if it was the APs or the NAC until we
noticed the Sender PID listed in the MAC console said CCAAgent - I shut
down the agent, had the co-worker turn on the WI-FI of their iPhone - No
DHCP renew request on the server. We walked from AP to AP and can see
the radios the MacBook is connected to change in the WiSM controller but
no DHCP renew request is logged in the server.

Therefore: our only conclusion is that the MAC CCA Agent performs a DHCP
renew request when changing radios; even when on the same sub-net. BTW
there is no logout / login with the Clean Access Manager event log
listed nor is there any change in the Online users section of the CCA
Manager details.

My lease time was kind of short for this subnet (8 hours - student
wireless in the library) I have since increased that time to 3 days. In
fact all locations have been boosted to at least 3 days - no effect. I
still firmly believe it is the MAC agent.

I have made available the MAC CCA 4.5.0.0 and it has helped but still
not enough. The MacBook Pro will still perform DHCP renews just sitting
on my desk. Times seem to range now from every few minutes to maybe a
few times an hour.

The problem is as students move from class to class they cause a ripple
in the APs as they balance the clients and all the MAC based agents
renew their IPs. Why would the MAC agent renew its IP Address when it is
the same network???? Why does it not behave like the PC client????

I do not see the PCs renewing at this rate - they renew much less often
such as at renew time or power up. I can walk around the building with a
PC and it will change APs but not generate a renew request based on the
DHCP server's log or on its lease time info.

I opened a case at TAC and also called my local Cisco folks and have 
gotten very little in response as if they are shying away from the 
problem. Reading the emails from the list I do not see anyone talking 
about this so either I am the only one . . . or no one else has seen it 
yet. 

If anyone knows what I can do then please respond as my server is not
getting behind in supplying IPs but it is getting battered nonetheless.
In addition I ask for everyone to please check to see if you are
experiencing this and if so let's get Cisco TAC to take responsibility
of this and give us a good MAC client.

Thanks for your time and any thoughts you can offer.
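
The per-MAC renew count described in the original message, as an added example that is not part of the thread. It assumes a CSV DHCP log in the style of the Windows DHCP Server audit log (event ID 11 = lease renewed); the column layout, sample lines, function names and thresholds are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

RENEW_ID = "11"  # assumption: Windows-style audit log, event 11 = lease renewed

# Constructed sample log (not data from the original post).
# Assumed columns: ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
10,02/13/09,08:59:50,Assign,10.1.1.20,Macintosh-7,001B63000001
11,02/13/09,09:00:05,Renew,10.1.1.20,Macintosh-7,001B63000001
11,02/13/09,09:00:20,Renew,10.1.1.20,Macintosh-7,001B63000001
11,02/13/09,09:00:35,Renew,10.1.1.20,Macintosh-7,001B63000001
11,02/13/09,09:00:50,Renew,10.1.1.20,Macintosh-7,001B63000001
11,02/13/09,09:01:05,Renew,10.1.1.20,Macintosh-7,001B63000001
11,02/13/09,09:00:00,Renew,10.1.1.31,Macintosh-9,001b63000002
11,02/13/09,09:05:00,Renew,10.1.1.31,Macintosh-9,001B63000002
11,02/13/09,09:10:00,Renew,10.1.1.31,Macintosh-9,001B63000002
11,02/13/09,09:00:00,Renew,10.1.1.40,LIB-PC-12,0013720000AA
11,02/13/09,13:00:00,Renew,10.1.1.40,LIB-PC-12,0013720000AA
"""

def renew_rates(log_text, min_events=3):
    """Return {mac: (hostname, renew_count, renews_per_minute)}."""
    stamps, names = defaultdict(list), {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0].strip() != RENEW_ID:
            continue  # header lines, other event types, malformed rows
        mac = row[6].strip().upper()
        when = datetime.strptime(f"{row[1]} {row[2]}", "%m/%d/%y %H:%M:%S")
        stamps[mac].append(when)
        names[mac] = row[5].strip()
    rates = {}
    for mac, seen in stamps.items():
        if len(seen) < min_events:
            continue  # too few renews to estimate a rate
        minutes = (max(seen) - min(seen)).total_seconds() / 60
        # N renews span N-1 intervals; identical timestamps count as a burst.
        rate = (len(seen) - 1) / minutes if minutes else float("inf")
        rates[mac] = (names[mac], len(seen), rate)
    return rates

def noisy_clients(log_text, per_minute=1.0):
    """Clients renewing at or above the threshold, busiest first."""
    hits = [(mac, *info) for mac, info in renew_rates(log_text).items()
            if info[2] >= per_minute]
    return sorted(hits, key=lambda hit: hit[3], reverse=True)
```

Ranking by rate rather than raw count keeps a client that renews normally over a long log window from outranking one that renews several times a minute for a short period.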
