Here is something that I was surprised to learn:
If you turn on containment, the WLC will detect its own containment messages as "Bcast Deauth" wireless IDS errors.
See bug CSCsj06015 "Prevent 'Bcast deauth' alerts for rogue containment by other WLC in MG" for details.
Of course, it is technologically possible for the WLCs / RF Group of WLCs to keep a table of all the MAC addresses that they are containing. If they detect a broadcast deauthentication (aka "Bcast deauth"), they should filter out these false positives so that you don't get flooded with these wireless IDS alarms (which are flagged as "Critical" in the system).
Apparently, the Cisco engineers point out that it is impossible to tell over the air where the attack is coming from and this is true (without MFP).
However, since I am actively launching containment against a rogue wireless device, do I really care if another hacker is helping me keep that device off the network?
Therefore, the wireless IDS system needs to be intelligent enough to filter out Bcast deauth alarms that it is creating.
Sadly, Cisco has labelled this bug as "cosmetic" at this time (4.1.171).
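A sketch of the containment-table filtering described above, as an added example that is not Cisco's code or part of the original post. It assumes each alarm carries the spoofed source MAC of the contained rogue; the alarm fields, the `ContainmentTable` class and the 30-second grace period are hypothetical, and the sample data is constructed.

```python
import re

def norm_mac(mac: str) -> str:
    """Reduce aa:bb:cc:dd:ee:ff, AA-BB-..., or aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

class ContainmentTable:
    """Rogue BSSIDs the RF group is containing, with the time window of each."""
    def __init__(self):
        self._windows = {}  # normalized BSSID -> list of [start, end or None]

    def start(self, bssid: str, ts: float) -> None:
        self._windows.setdefault(norm_mac(bssid), []).append([ts, None])

    def stop(self, bssid: str, ts: float) -> None:
        for window in self._windows.get(norm_mac(bssid), []):
            if window[1] is None:
                window[1] = ts

    def active(self, bssid: str, ts: float, grace: float = 30.0) -> bool:
        # grace covers alarms reported shortly after containment stops
        return any(s <= ts and (e is None or ts <= e + grace)
                   for s, e in self._windows.get(norm_mac(bssid), []))

def triage(alarm: dict, table: ContainmentTable) -> dict:
    """Return a copy of the alarm, downgraded if it matches our own containment."""
    out = dict(alarm)
    if alarm["signature"] == "Bcast deauth" and table.active(alarm["src_mac"], alarm["ts"]):
        # Downgrade instead of dropping: without MFP a third party spoofing
        # the same BSSID looks identical, so the record is kept for review.
        out["severity"] = "Informational"
        out["note"] = "matches active containment"
    return out

# Constructed sample data (not real WLC output)
TABLE = ContainmentTable()
TABLE.start("00:11:22:33:44:55", ts=1000.0)
TABLE.stop("00:11:22:33:44:55", ts=2000.0)
ALARMS = [
    {"ts": 1500.0, "signature": "Bcast deauth", "src_mac": "0011.2233.4455", "severity": "Critical"},
    {"ts": 1500.0, "signature": "Bcast deauth", "src_mac": "66:77:88:99:AA:BB", "severity": "Critical"},
    {"ts": 5000.0, "signature": "Bcast deauth", "src_mac": "00-11-22-33-44-55", "severity": "Critical"},
]
RESULTS = [triage(a, TABLE) for a in ALARMS]
```

Only the first alarm is downgraded: the second comes from a MAC that is not being contained, and the third arrives long after containment of that rogue ended.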