AP Impersonation Alarms - WCS 4.1.83

Answered Question
Aug 10th, 2007

We see many AP Impersonation alarms from WCS 4.1.83:

AP Impersonation of MAC '00:17:0f:xx:xx:xx' using source MAC '00:e0:98:xx:xx:xx' is detected by authenticated AP '00:17:0f:xx:xx:xx' on '802.11a' radio and Slot ID '0'.


Any ideas about this alarm? I have checked the source MACs in the alarm message are some client MACs.


Thanks,

Zhenning

Correct Answer by Rob Huffman about 9 years 6 months ago

Hi Zhenning,


These seem to be strictly bug related. Have a look;


CSCsb90622 AP impersonation alarms flooding the WCS


CSCsg01470 Add source address to AP-IMPERSONATION Trap. AP impersonation traps don't include the source MAC address. Format of the alarm message needs to be changed.


CSCsj50060 WCS use display wrong radio in AP Impersonation alarms. (shows 802.11a radio, even if 802.11a radio is off)


CSCsg44344 Add source address to AP-IMPERSONATION Trap. AP impersonation traps don't include the source MAC address. WCS currently only shows: AP Impersonation with MAC '00:14:1b:62:4e:42' is detected by authenticated AP '00:14:1b:62:4e:40' on '802.11b/g' radio and Slot ID '0'.



These bugs have been nicely documented by John in threads that date back a fair bit;


http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddc3127/7#selected_message


Hope this helps!

Rob

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Correct Answer
Rob Huffman Sat, 08/11/2007 - 09:21

Hi Zhenning,


These seem to be strictly bug related. Have a look;


CSCsb90622 AP impersonation alarms flooding the WCS


CSCsg01470 Add source address to AP-IMPERSONATION Trap. AP impersonation traps don't include the source MAC address. Format of the alarm message needs to be changed.


CSCsj50060 WCS use display wrong radio in AP Impersonation alarms. (shows 802.11a radio, even if 802.11a radio is off)


CSCsg44344 Add source address to AP-IMPERSONATION Trap. AP impersonation traps don't include the source MAC address. WCS currently only shows: AP Impersonation with MAC '00:14:1b:62:4e:42' is detected by authenticated AP '00:14:1b:62:4e:40' on '802.11b/g' radio and Slot ID '0'.



These bugs have been nicely documented by John in threads that date back a fair bit;


http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddc3127/7#selected_message


Hope this helps!

Rob

Rob Huffman Mon, 08/13/2007 - 04:35

Hi Zhenning,


You are always welcome :) As I noted, John has done some really nice legwork and written up some excellent posts on this subject. It is great to see so many great people participating here!


Take care,

Rob

Actions

This Discussion

 

 

Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode