Weird MAC Addresses in DHCP Requests


A short while ago I redesigned my home network and, in the process, decided to configure it to accept only preconfigured Ethernet MAC addresses.

After I set up logging and everything, I noticed that every day two DHCP requests with the Ethernet MAC addresses E1:6C:D6:AE:52:90 and E9:EB:B3:A6:DB:3C showed up in the deny logs.

My logs looked like this:

Dec 14 06:23:13 10.10.2.1 dhcp,error dhcp home: radius authentication failed for E1:6C:D6:AE:52:90: user <E1:6C:D6:AE:52:90> not found
Dec 14 06:23:14 10.10.2.1 dhcp,error dhcp home: radius authentication failed for E9:EB:B3:A6:DB:3C: user <E9:EB:B3:A6:DB:3C> not found

I had absolutely no clue which of my clients that might be, and I began to dig into this issue. Of course I checked Ethernet MAC address databases, but they did not give me any useful hint.

I stumbled across a lot of pretty useless information about these two MAC addresses; sometimes people were talking about worms, trojans, viruses and so on, but there were no educated guesses.

Solution

This is the Windows service, which is responsible for the weird MAC addresses.

After a while I noticed that the log entries corresponded with the boot times of my Windows 7 PC, and after that I quickly got on the right track.

I learned that the service “MSiSCSI” of the Windows operating system uses those two MAC addresses to get a DHCP lease for its iSCSI handling.

I deactivated this service and the DHCP broadcasts with those weird Ethernet MAC addresses vanished from my logs.
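The following is an added example, not code from the original post: it parses deny-log lines in the format shown above, collects the timestamps per MAC address so they can be compared with client boot times, and classifies each address by the two flag bits of its first octet. Both addresses from the post have the group (multicast) bit set, so a vendor lookup cannot identify them. The third log line and all function names are constructed for illustration.

```python
import re

# Deny-log lines in the format shown in the post.
# The first two are from the post; the third is constructed.
SAMPLE_LOG = """\
Dec 14 06:23:13 10.10.2.1 dhcp,error dhcp home: radius authentication failed for E1:6C:D6:AE:52:90: user <E1:6C:D6:AE:52:90> not found
Dec 14 06:23:14 10.10.2.1 dhcp,error dhcp home: radius authentication failed for E9:EB:B3:A6:DB:3C: user <E9:EB:B3:A6:DB:3C> not found
Dec 15 06:41:02 10.10.2.1 dhcp,error dhcp home: radius authentication failed for 02:11:22:33:44:55: user <02:11:22:33:44:55> not found
"""

DENY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\sdhcp,error\s.*?"
    r"authentication failed for (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}):"
)


def classify_mac(mac):
    """Classify a MAC address by the I/G and U/L bits of its first octet."""
    first = int(mac.split(":")[0], 16)
    if first & 0x01:
        # I/G bit set: group (multicast) address, not an individual
        # station address, so vendor (OUI) lookups do not apply.
        return "group"
    if first & 0x02:
        # U/L bit set: locally administered (virtual or randomized).
        return "local"
    return "vendor"  # globally unique; the OUI can be looked up


def summarize_denies(log_text):
    """Return {mac: {"kind": ..., "seen": [timestamps]}} for denied requests."""
    result = {}
    for line in log_text.splitlines():
        m = DENY_RE.match(line)
        if not m:
            continue  # not a DHCP deny line in the expected format
        mac = m.group("mac").upper()
        entry = result.setdefault(mac, {"kind": classify_mac(mac), "seen": []})
        entry["seen"].append(m.group("ts"))
    return result


if __name__ == "__main__":
    for mac, info in summarize_denies(SAMPLE_LOG).items():
        print(mac, info["kind"], ", ".join(info["seen"]))
```
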



8 thoughts on “Weird MAC Addresses in DHCP Requests”

  • Henny Vijn

    The right answer to something I cracked my brains! Even my internet-provider-helpdesk could not help me. Thank you!

  • Daniel McCoy

    Thanks for this post! I thought I was going nuts when I’d see these MAC addresses showing up in the DHCP lease list on my pfSense box. 2 minute leases. Now I can put my mind at ease a bit.

  • Devin Baysinger

    Harry,
    I hope you still are reading this problem.
    I have the same problem that you and the others have but my problem is a slight bit different. The Windows service that you said to disable is already disabled on my Win 7 computer.

    I ran a scan of my router with my anti-virus set up and that was when the two MAC addresses showed up but they said it belonged to something that had attached itself to my network. The only other info I can find out about this is that it is a problem with Win Vista systems but not much help on how to fix it.
    My other computer attached to the router is a Win Vista.

    If you can think of any other possible ways to get rid of it I would greatly appreciate the help.

    Thank you,
    Devin

    • Harry B. Post author

      Devin,
      It's hard to guess without details about the setup. Do you see those MAC addresses regularly showing up on your DHCP server? If so, you might be able to identify the responsible device since it is something which should happen on system boot time. Then you can track down services on that device – maybe the service name is different on Windows Vista?
      Harry.

      • Devin Baysinger

        Hi Harry,
        Thank you for the prompt reply. I will have to dive deeper into the setup on the Vista machine and see if I can find out any more info.

        Thank you for the suggestion. I will get back to you and see if it tells me anything more.

        Devin