A short while ago I redesigned my home network and in this process, I decided to configure it to only accept preconfigured ethernet mac addresses.
After I setup logging and everything, I noticed that every day two DHCP requests with the ethernet MAC addresses E1:6C:D6:AE:52:90 and E9:EB:B3:A6:DB:3C showed up in the deny logs.
My logs looked like this:
Dec 14 06:23:13 10.10.2.1 dhcp,error dhcp home: radius authentication failed for E1:6C:D6:AE:52:90: user <E1:6C:D6:AE:52:90> not found Dec 14 06:23:14 10.10.2.1 dhcp,error dhcp home: radius authentication failed for E9:EB:B3:A6:DB:3C: user <E9:EB:B3:A6:DB:3C> not found
I had absolutely no clue which of my clients that might be and I began to dig into this issue. Of course I checked ethernet MAC address databases, but they did not give me any useful hint.
I stumbled accross a lot of pretty useless information about these two MAC addresses; sometimes people were talking about worms, trojans and viruses and so on but there were no educated guesses.
SolutionAfter a while I noticed, that the log entries corresponded with my system boot times of my Windows 7 PC and after that I quickly got on the right track.
I learned that the Service “MSiSCSI” of the Windows operating system uses those two MAC addresses to get a DHCP lease for it’s iSCSI handling.
I deacitvated this service and the DHCP broadcasts with those weird ethernet MAC addresses vanished from my logs.