12-30-2008 01:40 PM - edited 07-03-2021 04:56 PM
I recently received an AP impersonation alarm. The culprit seems to be a Netgear AP outside of the walls of our office space. I am in our corporate office several states away and we have no IT staff that is local to the location that this is occurring.
What are you all doing when you receive such an alarm? Is it something that I should be seriously concerned with?
01-06-2009 11:56 AM
The AP Impersonation feature improves the detection of rogue APs that attempt to impersonate valid Cisco APs. This feature creates a radio frequency (RF) network group, and the Cisco APs in the same group distribute radio resource management (RRM) neighbor packets to each other. If a Cisco AP hears packets from another Cisco AP from which it has not received any RRM neighbor packets, then the Cisco AP can assume that the new AP is impersonating a Cisco AP and therefore reports it as a rogue AP.
When the WCS finds an AP that attempts to impersonate another AP on the WLAN, you see this alert on the WCS server. WCS talks to the controllers to get the information through SNMP.
Impact:
This is only cosmetic and does not affect the network.
As of 5.0 you could also look at the containment feature which should help lock them down:
01-06-2009 01:58 PM
Depends if that AP has the same SSID as your network.
Windows wireless clients connect to the last SSID they were on before being shut down/hibernated. Most wireless clients do as well, so someone could call any AP the same SSID as your network and try to get your users to connect to their AP to pull whatever information they are after. I would treat this one a little more seriously, even if they don't get any information off your clients.
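The two checks discussed in this thread (no RRM neighbor packets received from the AP, and whether it advertises your SSID) can be combined into a triage rule. The following is an added example, not part of any post and not Cisco's implementation; the verdict names, the `looks_cisco` flag, the MAC addresses and the SSIDs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Heard:
    bssid: str         # transmitter address seen over the air
    ssid: str          # SSID advertised in the frame
    looks_cisco: bool  # assumption: frame was recognised as coming from a Cisco AP

def classify(heard, rrm_neighbors, corporate_ssids):
    """Return (verdict, priority) for one observation.

    rrm_neighbors: BSSIDs from which RRM neighbor packets were received.
    corporate_ssids: SSIDs the organisation itself broadcasts.
    """
    if heard.bssid.lower() in {b.lower() for b in rrm_neighbors}:
        return ("rf-group-member", "none")
    # No neighbor packets: an apparent Cisco AP is reported as impersonation,
    # anything else is just an AP the RF group does not manage.
    verdict = "ap-impersonation" if heard.looks_cisco else "unmanaged-ap"
    # An AP advertising a corporate SSID can attract clients that reconnect
    # to the last SSID they used, so it is investigated first.
    priority = "high" if heard.ssid in corporate_ssids else "low"
    return (verdict, priority)

def triage(observations, rrm_neighbors, corporate_ssids):
    """Map each heard BSSID to its (verdict, priority)."""
    return {h.bssid.lower(): classify(h, rrm_neighbors, corporate_ssids)
            for h in observations}

# Constructed sample data (locally administered MACs, made-up SSIDs).
RRM_NEIGHBORS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
CORPORATE_SSIDS = {"corp-wlan"}
OBSERVED = [
    Heard("02:00:00:00:00:01", "corp-wlan", True),   # managed AP
    Heard("02:00:00:00:AA:10", "corp-wlan", True),   # no neighbor packets
    Heard("02:00:00:00:BB:20", "corp-wlan", False),  # other vendor, same SSID
    Heard("02:00:00:00:CC:30", "NETGEAR", False),    # neighbouring office AP
]

if __name__ == "__main__":
    for bssid, (verdict, priority) in triage(OBSERVED, RRM_NEIGHBORS, CORPORATE_SSIDS).items():
        print(f"{bssid}  {verdict:<17} priority={priority}")
```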