UNEXPECTED_CHANNEL_BEACON with Ubiquiti access points

[andrewbeard]

I have 3 dual-band UniFi access points set up in my environment all on one SSID, with each locked to specific channels to avoid overlaps. I set up my config to monitor all channels 2.4 Ghz along with the 3 5 Ghz channels in use, but with my network restricted to the 6 in use. Unfortunately this has resulted in a ton of UNEXPECTED_CHANNEL_BEACON alerts, on literally every 2.4 Ghz channel from 1-11. On some channels (like 2 and 10) the alerts are relatively far between, with only a frame picked up every hour or so. In each case I can see the vast majority of frames on the expected channel, and the number of frames decreasing rapidly the further it gets away from expected (for example, 6 is in use and see a lot of traffic. 7 sees less than 1/10th of that, and 8 sees less than 1/100th).

For the moment I've disabled the unexpected_channel alert types, but I'm trying to figure out what's going on. Is it normal for some AP manufacturers to beacon on alternate channels despite being configured to use a specific channel? I was thinking maybe because of the adjacent behavior it could have something to do with using a wide channel width, but after reviewing my config all my 2.4 Ghz channels are 20 Mhz wide.

[lennartkoopmann]

Interesting! Can you share the alert details with me? I'm interested in the "Meta Information" fields on the right hand side on the alert page.

[andrewbeard]

Sure. Sorry the formatting on these are probably going to be a bit poor. The channels in use are 1, 6, and 11. Here are some sample alerts:

ALERT 52F25985-DBD4-496A-BE08-891D515F0D59 INACTIVE
SSID [Beard] was advertised on an unexpected channel.
TIME
First seen:
2021-03-25T12:45:07-04:00 (2 hours ago)
Last seen:
2021-03-25T12:45:07-04:00 (2 hours ago)
META INFORMATION
ssid
Beard 
bssid
b4:fb:e4:84:d5:b5 
channel
2
frequency
2417
antenna_signal
-31

Frames
1
Subsystem
DOT_11
Alert Type ID
UNEXPECTED_CHANNEL_BEACON

SSID [Beard] was advertised on an unexpected channel.
TIME
First seen:
2021-03-25T11:51:27-04:00 (3 hours ago)
Last seen:
2021-03-25T11:51:27-04:00 (3 hours ago)
META INFORMATION
ssid
Beard 
bssid
e0:63:da:52:45:51 
channel
5
frequency
2432
antenna_signal
-59

Frames
1
Subsystem
DOT_11
Alert Type ID
UNEXPECTED_CHANNEL_BEACON

ALERT 92576504-02F4-4C2F-9B9B-F4FEEA753A76 INACTIVE
SSID [Beard] was advertised on an unexpected channel.
TIME
First seen:
2021-03-25T12:49:58-04:00 (2 hours ago)
Last seen:
2021-03-25T12:49:58-04:00 (2 hours ago)
META INFORMATION
ssid
Beard 
bssid
e0:63:da:52:45:51 
channel
10
frequency
2457
antenna_signal
-39

Frames
1
Subsystem
DOT_11
Alert Type ID
UNEXPECTED_CHANNEL_BEACON

[MarpleA]

I am experience the same situation with Sophos Access Points.
I use channel 1,6,44,52 and I'm getting heaps to UNEXPECTED_CHANNEL_BEACON alerts for basically all channels. I haven't found a pattern yet.

[MarpleA]

I did some more observations. Basically it boils down to additional channels 5 and 7 only. And yes, these are shown in the network list in nzyme.
Double checked with bettercap. None of my SSID's is advertised on channel 5 or 7.

Edit: over the last couple of hours, more channels appeared. so far it's channel 2,3 and 11.
So far no additional 5GHz channel_beacons were detected

Edit2: now, all channels for 2.4GHz are announce via channel_beacons. Could it be that compatibility to old wifi modes like 802.11b is part of this issue? I am unfortunately not able to test this, since Sophos AP's always operate in mixed_bgn mode.

[lennartkoopmann]

Yes, if nzyme sees and reports beacons on those channels, then your access point is sending them on those channels. I see the same thing with my Ubiquity APs and I simply added all channels to the expected networks.

Maybe in the future nzyme can have an option to ignore sporadic advertisements and have some sort of minimum threshold.

[MarpleA]

Does it make any difference if I add all channels to this expected channels instead of deactivating unexpected_channel?

[iammrbt]

I would add those expected channels instead. Remember the point is really to see unexpected events. If you exclude the check entirely, you'll do just that. I think your better off knowing if a bad actor slips then not at all :).

[MarpleA]

if you add all channels to expected channel list, the alarm will never go off and therefore I believe it's the same as deactivating it. However, if you have a mixed access point setup where some send "wrong" channel beacons and some don't, then it could make sense to leave unexpected_channel option enabled globally and add all channels in channel list only to those access points which have the discussed behavior.

[andrewbeard]

If you add all the channels to expected when would the alert ever fire, bad actor or not?

On Thu, May 13, 2021 at 8:08 PM Brandon Taylor ***@***.***> wrote: I would add those expected channels instead. Remember the point is really to see unexpected events. If you exclude the check entirely, you'll do just that. I think your better off knowing if a bad actor slips then not at all :). — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#346 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADYYHYZVJ2IEU37CNGPVC6DTNRSYNANCNFSM4ZZYMKXA> .

-- Andrew Beard ***@***.***

[iammrbt]

You are both correct, I didn’t connect “all” with literally all I thought he meant like adjacent channels overlap.

[MarpleA]

I see your point. That's basically a third option. In my case, unfortunately, the access points are sending channel beacons on all channels, not only adjacent channels.