issue containing a rogue AP

ccernivani · ‎08-24-2008

My WLC has detected (via 15 detecting radios) a rogue AP with a client connected to it. The infrastructure has not determined that the AP is plugged into the local network. I'm trying to contain the AP - I classify it as "Malicious", update its status to "Contain" & assign 2 APs (though the number of APs don't matter here) to contain the rogue.

Everything looks right, as the WLC shows that the rogue AP is in a "Contained" status. However, after about a minute the WLC shows the rogue having been reverted to an "Alert" status. I've contain other rogues before but have yet to see one not have the "Contained" status stick.

Anyone seen this? Or know why it's happening? Thanks!

dennischolmes · ‎08-24-2008

Check and verify that the "rogue" is not one of your APs associated to a controller with a different mobility group name but on the same network as your primary mobility group. This is the only way I could think that this is happeneing. Also, try a 4 AP containment. At 2 APs a client could still associate to the rogue thus generating a new alert.

ccernivani · ‎08-24-2008

I've tried all containing AP options - 1 thru 4. Doesn't make a difference. The AP goes into a "Contained" status for less than a minute then reverts to "Alert".

The AP is definitely not ours. I did an OUI look up and its MAC address pops up as an Apple device.