keep in mind that in airwave, the clients are uniquely identified by their mac address, so you'll need to check if multiple usernames show up associated to this single mac address, if this is the case, most likely it is multiple clients with either a manually configured mac address (due to WEP sniffing guides on the internet) or with possibly defective wireless NICs.
Airwave (and other monitoring systems) won't be able to show you the "real" manufacturer because they're only performing a standard oui lookup on the first 3 octet. what James (YorkU) did is the next logical step in trying to identify these clients by other metrics (hostname, useragent, etc) depending on how much time and interest you have in this. We've seen at least 4 users all claiming to be 00:11:22:33:44:55 in the past week and we're internally discussing options on how to deal with this issue. ----- Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin [email protected]<mailto:[email protected]> ----- On Sep 27, 2010, at 9:10 AM, Holland, Ryan C. wrote: I will second that. I, too, am seeing one client with this mac address, reported the same way via Airwave as CIMSYS Inc. ========== Ryan Holland Network Engineer, Wireless Office of the Chief Information Officer The Ohio State University 614-292-9906 [email protected]<mailto:[email protected]> On Sep 27, 2010, at 9:39 AM, Michael Dickson wrote: Fascinating. We have one user on campus so far with this address: 00:11:22:33:44:55 Vendor (reported by Airwave): CIMSYS Inc For Macbooks, the vendor is typically reported as Apple or Apple,Inc. Mike ******************************************************** Michael Dickson 413.545.9639 Network Analyst Univ. of Massachusetts Amherst ******************************************************** On 9/26/2010 11:34 PM, Watters, John wrote: I have 7 or 8 machines with this MAC address on our campus. Is it possible that Apple did something not nice with the MAC addresses in the MacBooks? We will try to track some of them down, but it won't be easy even using the block-it-nd-they-will-come method. -jcw ________________________________________ From: The EDUCAUSE Wireless Issues Constituent Group Listserv [[email protected]] On Behalf Of Cortes, Diana [[email protected]] Sent: Friday, September 24, 2010 4:17 PM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Thought I'd share some interesting news... The student was able to recover the box where her Macbook Pro came in and indeed the Airport ID printed on the box is 00:11:22:33:44:55 Diana Cortes, CISSP, CWNA University of Miami IT - Telecommunications -----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Greg Williams Sent: Monday, September 20, 2010 7:19 PM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses Not sure if there is software out there for the mac to change this automatically, if you just do an "ifconfig en1 ether xx:xx:xx:xx:xx:xx", the mac address will change, but ONLY stay until you reboot the machine, then it changes back. You have to put that command into a script under /system/library/starupitems/ and then run sudo chmod 700 script.sh sudo defaults write com.apple.loginwindow LoginHook /System/Library/StartupItems/script.sh to get it to stick permanently. So it seems to me like people are probably doing this intentionally. Greg Williams IT Security Principal University of Colorado at Colorado Springs [email protected]<mailto:[email protected]> -----Original Message----- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Hao, Justin C Sent: Monday, September 20, 2010 4:34 PM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Macbooks with odd Airport MAC addresses it does show up occasionally, and as far as i can tell, this is because users are following on-line tutorials for cracking WEP passwords (several of them reference changing your mac interface to "00:11:22:33:44:55" manually in the instructions to setup traffic sniffing. If your users are using these on a production network you may want to follow up as they may have inadvertently changed their mac address and have no realized they need to change it back. or you could be mischievous and block that mac address completely and let them come forwards to have their machine fixed. I don't believe this is a bug, but more user-inflicted. ----- Justin Hao CCNA Network Engineer, ITS Networking The University of Texas at Austin [email protected]<mailto:[email protected]> ----- On Sep 20, 2010, at 5:21 PM, Cortes, Diana wrote: Has anyone encountered any Macbooks with the following MAC addresses: 00:11:22:33:44:55? We believe this may be an Apple bug as we have found 2 on our campus already with the exact same MAC address. Thank you, Diana Cortes, CISSP, CWNA University of MIami IT-Telecommunications ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. -- BEGIN-ANTISPAM-VOTING-LINKS ------------------------------------------------------ Teach CanIt if this mail (ID 1091703996) is spam: Spam: https://antispam.osu.edu/b.php?i=1091703996&m=7217e7d87b6f&c=s Not spam: https://antispam.osu.edu/b.php?i=1091703996&m=7217e7d87b6f&c=n Forget vote: https://antispam.osu.edu/b.php?i=1091703996&m=7217e7d87b6f&c=f ------------------------------------------------------ END-ANTISPAM-VOTING-LINKS ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
