One event that is likely to appear fairly often in an environment is the DEAUTHENTICATION FRAME identifier. This event is generated by an AirShield when any 802.11 deauthentication message is sent from the Access Point. There are many reasons why such a frame would be sent, and most of them are benign from a security standpoint.
Deauthentication frames may be sent from the Access Point to a single Station (client) or broadcast to all nearby devices. BROADCAST DEAUTHENTICATION frames are reported separately, as they present a different risk profile.
802.11 defines specific reason codes that describe why a deauthentication is being requested. This information is reported in the body of the message.
Critical Deauthentication Frames
When observed, the following critical reason codes raise the severity level of the event to 8 out of 10.
| Reason Code | Description |
|---|---|
| 18 | Invalid Group Cipher sent from the Station |
| 19 | Invalid Pairwise Cipher sent from the Station |
| 20 | Invalid Authentication and Key Management Protocol |
| 21 | Unsupported Robust Security Network Element version |
| 22 | Invalid Robust Security Network Element capability |
| 23 | 802.1x Authentication Failed |
| 24 | Cipher Suite Rejected Based on Security Policy |
Each of these events may occur if a device is failing to meet security practices or a malicious actor is probing for weaknesses.
Any DEAUTHENTICATION FRAME with a severity of 8 should be investigated.
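As an added example (not AirShield's own code), here is a small Python parser that applies the triage rule above to a raw 802.11 deauthentication frame: it reads the transmitter and receiver addresses and the reason code from the frame body, labels the event as DEAUTHENTICATION FRAME or BROADCAST DEAUTHENTICATION, and assigns severity 8 for the critical codes listed in the table. The sample frames and MAC addresses are constructed, and the baseline severity of 3 for non-critical codes is an assumption, not a value from this article.

```python
import struct
from dataclasses import dataclass

# Reason codes the article classifies as critical (severity raised to 8 out of 10).
CRITICAL_REASON_CODES = {
    18: "Invalid Group Cipher sent from the Station",
    19: "Invalid Pairwise Cipher sent from the Station",
    20: "Invalid Authentication and Key Management Protocol",
    21: "Unsupported Robust Security Network Element version",
    22: "Invalid Robust Security Network Element capability",
    23: "802.1x Authentication Failed",
    24: "Cipher Suite Rejected Based on Security Policy",
}
CRITICAL_SEVERITY = 8   # from the article
DEFAULT_SEVERITY = 3    # assumed baseline for all other codes (not from the article)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

@dataclass
class DeauthEvent:
    event: str            # "DEAUTHENTICATION FRAME" or "BROADCAST DEAUTHENTICATION"
    source: str           # addr2: transmitter (the Access Point)
    destination: str      # addr1: receiver (a Station, or the broadcast address)
    reason_code: int
    description: str
    severity: int
    investigate: bool     # True when the reason code is in the critical set

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth_frame(frame: bytes) -> DeauthEvent:
    """Parse a raw 802.11 deauthentication frame (no radiotap header, no FCS) and triage it."""
    if len(frame) < 26:                      # 24-byte management header + 2-byte reason code
        raise ValueError("frame too short for a deauthentication frame")
    fc = frame[0]
    frame_type, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if frame_type != 0 or subtype != 0xC:    # type 0 = management, subtype 12 = deauthentication
        raise ValueError("not a deauthentication frame")
    addr1, addr2 = _mac(frame[4:10]), _mac(frame[10:16])
    (reason,) = struct.unpack_from("<H", frame, 24)   # reason code is little-endian
    critical = reason in CRITICAL_REASON_CODES
    return DeauthEvent(
        event="BROADCAST DEAUTHENTICATION" if addr1 == BROADCAST_MAC else "DEAUTHENTICATION FRAME",
        source=addr2, destination=addr1, reason_code=reason,
        description=CRITICAL_REASON_CODES.get(reason, "non-critical reason code"),
        severity=CRITICAL_SEVERITY if critical else DEFAULT_SEVERITY,
        investigate=critical,
    )

# Constructed sample frames: FC, duration, addr1, addr2, addr3 (BSSID), seq ctrl, reason code.
SAMPLE_UNICAST_REASON_23 = bytes.fromhex("c000" "0000" "021122334455" "02aabbccddee" "02aabbccddee" "1000" "1700")
SAMPLE_BROADCAST_REASON_3 = bytes.fromhex("c000" "0000" "ffffffffffff" "02aabbccddee" "02aabbccddee" "2000" "0300")
```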