Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
441
Views
0
Helpful
2
Replies

AP Impersonation Alarm 5.1.64.0

jordanperks
Level 1
Level 1

‎12-30-2008 01:40 PM - edited ‎07-03-2021 04:56 PM

I recently recevied an AP impersonation alarm. The culprit seems to be a Netgear AP outside of the walls of our office space. I am in our corporate office several states away and we have no IT staff that is local to the location that this is occuring.

What are you all doing when you receive such an alarm? Is it something that I should be seriously concerned with?

Labels:
0 Helpful
2 Replies 2

sschmidt
Cisco Employee
Cisco Employee

‎01-06-2009 11:56 AM

The AP Impersonation feature improves the detection of rogue APs that

attempt to impersonate valid Cisco APs. This feature creates a radio

frequency (RF) network group, and the Cisco APs in the same group distribute

radio resource management (RRM) neighbor packets to each other. If a Cisco

AP hears packets from another Cisco AP from which it has not received any

RRM neighbor packets, then the Cisco AP can assume that the new AP is

impersonating a Cisco AP and therefore reports it as a rogue AP.

When the WCS finds an AP that attempts to impersonate another AP on the

WLAN, you see this alert on the WCS server, WCS talks to the controllers to

get the information through SNMP.

Impact:

This is only cosmetic and does not affect the network.

As of 5.0 you could also look at the containment feature which should help lock them down:

http://www.cisco.com/en/US/customer/docs/wireless/wcs/5.2/configuration/guide/5_2mon.html#wpmkr1144959

0 Helpful

kylerossd
Level 4
Level 4

‎01-06-2009 01:58 PM

Depends if that AP has the same SSID as your network.

Windows wireless clients connect to the last SSID they were on before being shutdown/hibernated. Most Wireless clients do as well, so someone could call any AP the same SSID as your network and try to get your users to connect to their AP to pull whatever information they are after. I would treat this one a little more seriously, even if they don't get any information off your clients.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card