AP Impersonation Alarm

Unanswered Question
Dec 30th, 2008
User Badges:

I recently recevied an AP impersonation alarm. The culprit seems to be a Netgear AP outside of the walls of our office space. I am in our corporate office several states away and we have no IT staff that is local to the location that this is occuring.

What are you all doing when you receive such an alarm? Is it something that I should be seriously concerned with?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
sschmidt Tue, 01/06/2009 - 11:56
User Badges:
  • Cisco Employee,

The AP Impersonation feature improves the detection of rogue APs that

attempt to impersonate valid Cisco APs. This feature creates a radio

frequency (RF) network group, and the Cisco APs in the same group distribute

radio resource management (RRM) neighbor packets to each other. If a Cisco

AP hears packets from another Cisco AP from which it has not received any

RRM neighbor packets, then the Cisco AP can assume that the new AP is

impersonating a Cisco AP and therefore reports it as a rogue AP.

When the WCS finds an AP that attempts to impersonate another AP on the

WLAN, you see this alert on the WCS server, WCS talks to the controllers to

get the information through SNMP.


This is only cosmetic and does not affect the network.

As of 5.0 you could also look at the containment feature which should help lock them down:


kylerossd Tue, 01/06/2009 - 13:58
User Badges:

Depends if that AP has the same SSID as your network.

Windows wireless clients connect to the last SSID they were on before being shutdown/hibernated. Most Wireless clients do as well, so someone could call any AP the same SSID as your network and try to get your users to connect to their AP to pull whatever information they are after. I would treat this one a little more seriously, even if they don't get any information off your clients.


This Discussion



Trending Topics - Security & Network