MFP Anomaly Detected - WLC-4402-25-K9 - 5.0.148.0

Unanswered Question
Mar 17th, 2008

From time to time I see messages like the one below in the Trap logs of a WLC-4402-25-K9 running 5.0.148.0:

MFP Anomaly Detected - 1 Invalid MIC event(s) found as violated by the radio <offending-MAC> and detected by the dot11 interface at slot 0 of AP <reporting-MAC> in 300 seconds when observing Deauthentication frames. Client's last source mac <client-MAC>

Is my WLC misconfigured or is this a (known) bug in 5.0.148.0?

Trond.

ivillegas Fri, 03/21/2008 - 11:34

This message might occur when the access joins another controller because the initially joined controller goes out of service. This is documented in the Bug id: CSCse80121. As a workaround, disable MFP and reboot the controller.

sabhasin Fri, 03/21/2008 - 11:39

There are some known issues in this area (mainly cosmetic) but it might also be an indication of an attack. You'd have to track this down with a packet capture to see if this is a false positive or not. From the MIB, the description of the event that triggers this message is:

"bcastDeauthenticationFrameRcvd - The Access Point detected a broadcast deauthentication frame. Broadcast deauthentication frames are rejected by CCXv5 compliant devices."

More info in: CISCO-LWAPP-TC-MIB.my
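
A triage helper for the trap quoted in the question, added here as an example and not part of any poster's reply or of Cisco's tooling: it parses the message and totals events per offending radio and reporting AP, which shows where a packet capture would be most useful. The regex is derived only from the single message quoted in this thread (other releases or event types may word it differently), and the sample lines and MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Pattern derived from the one trap message quoted in this thread (assumption:
# other events follow the same wording).
TRAP_RE = re.compile(
    r"MFP Anomaly Detected - (?P<count>\d+) (?P<event>.+?) event\(s\) found as "
    r"violated by the radio (?P<radio>\S+) and detected by the dot11 interface "
    r"at slot (?P<slot>\d+) of AP (?P<ap>\S+) in (?P<window>\d+) seconds when "
    r"observing (?P<frames>.+?) frames\.(?: Client's last source mac (?P<client>\S+))?"
)

def parse_trap(line):
    """Return the fields of one MFP anomaly trap, or None if the line differs."""
    m = TRAP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("count", "slot", "window"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Total events per (offending radio, reporting AP, slot, frame type)."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_trap(line)
        if rec:
            key = (rec["radio"], rec["ap"], rec["slot"], rec["frames"])
            totals[key] += rec["count"]
    # Highest totals first: these AP/radio pairs are the ones to capture on.
    return sorted(totals.items(), key=lambda kv: -kv[1])

_FMT = ("MFP Anomaly Detected - {n} Invalid MIC event(s) found as violated by "
        "the radio {radio} and detected by the dot11 interface at slot {slot} "
        "of AP {ap} in 300 seconds when observing Deauthentication frames. "
        "Client's last source mac {client}")

# Constructed sample trap lines; every MAC address below is made up.
SAMPLE = [
    _FMT.format(n=1, radio="00:11:22:33:44:50", slot=0, ap="00:11:22:aa:bb:c0", client="00:11:22:de:ad:01"),
    _FMT.format(n=4, radio="00:11:22:33:44:50", slot=0, ap="00:11:22:aa:bb:c0", client="00:11:22:de:ad:02"),
    _FMT.format(n=2, radio="00:11:22:33:55:60", slot=1, ap="00:11:22:aa:cc:d0", client="00:11:22:de:ad:03"),
    "unrelated trap line (constructed)",
]

if __name__ == "__main__":
    for (radio, ap, slot, frames), total in summarize(SAMPLE):
        print(f"{total:3d} {frames} event(s): radio {radio} seen by AP {ap} slot {slot}")
```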
