Rogue containment: only Cisco 7920 seems to be contained.

Answered Question
Mar 27th, 2009

I am running a WLC on a 2800 series NM with version 5.0 and a 1131 LWAPP AP.


I have a Netgear AP within range of my Cisco 1131 AP.


When I turn rogue containment on for this Netgear AP, it seems to work but contains ONLY a Cisco 7921 phone associated with the Netgear AP.



The WLC does not detect any other clients that are associated with the rogue AP (my Netgear).



Also, under rogue clients, it only seems to detect certain models of Intel and Apple clients (from neighbouring networks).


Is this a limitation of how the WLC does rogue containment?


Can it detect / contain only CCX compliant devices that have MFP turned off ?


Are many of the older laptops that use Intel cards immune to this kind of containment?


Thanks

jeff.kish Fri, 03/27/2009 - 14:47

It helps in this kind of situation to fully understand what a Cisco AP is doing when it contains a rogue. The Cisco AP actually masks itself as the rogue AP and broadcasts disassociation packets to all clients. As such, any client that HEARS the requests will disassociate from the rogue AP.


The key thing to note there is obviously that if a client doesn't hear the packet, it won't be affected. Since your AP is likely not directly on top of the rogue, it's possible that your rogue clients are too far from the containing AP to hear anything.


Try running 3-AP containment and see if that helps. There are no clients that are "immune" to containment - the Cisco AP broadcasts actual 802.11 disassociation packets, and if the client is 802.11 compliant then it will disassociate.


Hopefully that helps give you an understanding of what's going on. Let me know if you have any more questions.
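
The containment mechanism jeff.kish describes above (the containing AP transmits 802.11 management frames carrying the rogue's BSSID as source, so any client that can hear them drops its association) as an added example that is not part of the original thread and is not Cisco's code: it serialises the frames the way a containing AP would (deauthentication, which is the frame type the original poster later saw in the Wireshark trace; disassociation differs only in subtype), parses them back, and runs a small detector over a constructed capture that flags a BSSID emitting a burst of AP-sourced deauths. The MAC addresses, timestamps and the threshold are made up for the demonstration, and the per-client unicast frames and the cadence are assumptions about what a WLC sends, not something the thread states.

```python
"""Build, parse and detect 802.11 deauth/disassoc containment frames.

Added illustration for the thread above; not Cisco code.  Standard library
only, so it runs offline on the constructed capture at the bottom.
"""
import struct

# Management-frame subtypes (IEEE 802.11 frame-control field)
MGMT_DISASSOC = 0x0A
MGMT_DEAUTH = 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_mgmt_frame(subtype: int, dst: str, src: str, bssid: str,
                     seq: int, reason: int = 7) -> bytes:
    """Serialise a deauth/disassoc frame: 24-byte MAC header + 2-byte reason code.

    Containment spoofs the rogue: src and bssid are both the rogue's BSSID and
    dst is the broadcast address or one associated client.  Reason 7 is
    "class 3 frame received from nonassociated station".
    """
    frame_control = bytes([(subtype << 4) | 0x00, 0x00])  # type 0 = mgmt, version 0, no flags
    duration = b"\x00\x00"
    seq_ctrl = struct.pack("<H", (seq & 0x0FFF) << 4)      # fragment number 0
    body = struct.pack("<H", reason)
    return (frame_control + duration + mac_to_bytes(dst) + mac_to_bytes(src)
            + mac_to_bytes(bssid) + seq_ctrl + body)


def parse_mgmt_frame(raw: bytes):
    """Return the header fields of a management frame, or None for any other type."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    if (fc0 >> 2) & 0x3 != 0:            # type != 0: control or data frame
        return None
    subtype = fc0 >> 4
    fields = {
        "subtype": subtype,
        "dst": bytes_to_mac(raw[4:10]),
        "src": bytes_to_mac(raw[10:16]),
        "bssid": bytes_to_mac(raw[16:22]),
        "seq": struct.unpack("<H", raw[22:24])[0] >> 4,
        "reason": None,
    }
    if subtype in (MGMT_DEAUTH, MGMT_DISASSOC) and len(raw) >= 26:
        fields["reason"] = struct.unpack("<H", raw[24:26])[0]
    return fields


def containment_burst(rogue_bssid: str, clients, start_seq: int = 0):
    """One containment round: a broadcast deauth plus one unicast deauth per known client.

    The unicast frames are an assumption about what a containing AP sends.
    """
    frames = []
    for offset, dst in enumerate([BROADCAST, *clients]):
        frames.append(build_mgmt_frame(MGMT_DEAUTH, dst, rogue_bssid, rogue_bssid,
                                       start_seq + offset))
    return frames


def detect_containment(capture, threshold: int = 5, window_s: float = 1.0):
    """Flag BSSIDs that source >= threshold deauth/disassoc frames inside window_s.

    capture: list of (timestamp_seconds, raw_frame) in time order.  Only frames
    whose source equals the BSSID count, i.e. frames claiming to come from the
    AP itself; a legitimate AP rarely sends those in bursts.
    """
    times_by_bssid = {}
    for ts, raw in capture:
        frame = parse_mgmt_frame(raw)
        if frame is None or frame["subtype"] not in (MGMT_DEAUTH, MGMT_DISASSOC):
            continue
        if frame["src"] != frame["bssid"]:
            continue
        times_by_bssid.setdefault(frame["bssid"], []).append(ts)

    flagged = {}
    for bssid, times in times_by_bssid.items():
        best, start = 0, 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[bssid] = best
    return flagged


# --- constructed sample capture (locally administered MACs, made up) ---
ROGUE_BSSID = "02:00:00:00:00:01"     # stands in for the Netgear AP
LEGIT_BSSID = "02:00:00:00:00:02"     # an ordinary neighbouring AP
CLIENTS = ["02:00:00:00:00:10", "02:00:00:00:00:11"]  # e.g. the 7921 and the Blackberry

SAMPLE_CAPTURE = []
_t = 0.0
for _round in range(3):               # three containment rounds, frames 50 ms apart
    for _raw in containment_burst(ROGUE_BSSID, CLIENTS, start_seq=_round * 10):
        SAMPLE_CAPTURE.append((_t, _raw))
        _t += 0.05
# One genuine deauth from the neighbouring AP (reason 3: station is leaving).
SAMPLE_CAPTURE.append((2.0, build_mgmt_frame(MGMT_DEAUTH, CLIENTS[0], LEGIT_BSSID, LEGIT_BSSID, 1, reason=3)))
# A client-sourced deauth to the rogue; ignored by the detector because src != bssid.
SAMPLE_CAPTURE.append((2.5, build_mgmt_frame(MGMT_DEAUTH, ROGUE_BSSID, CLIENTS[1], ROGUE_BSSID, 2, reason=3)))

if __name__ == "__main__":
    for bssid, count in detect_containment(SAMPLE_CAPTURE).items():
        print(f"containment-style deauth burst from {bssid}: {count} frames within 1 s")
```

The detector has the same blind spot as the containing AP: it only sees frames it can demodulate, so a sensor radio with 802.11b rates disabled records nothing from clients transmitting at b rates, which is the effect the rest of this thread ends up tracing.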

shahedvoicerite Fri, 03/27/2009 - 14:58

Thanks Jeff,


However, both my rogue AP and my Cisco AP are within a few feet of each other.


The clients are also within a few feet of both APs.


In fact, the rogue clients can associate with both APs, so it's not a range issue.


I only have 1 Cisco AP, so I can't try the 3-AP solution :-(


Also, on the 7921, I don't see the disassociation counter being incremented on the stats screen. (Perhaps I am mistaken.) Other counters like Tx packets, Beacons etc. show up...



Is it possible that the clients have some sort of MFP-like protection with the Netgear AP?


Also, the rogue AP WLAN is WPA+PSK, but I don't think that should have any bearing on disassociation packets.



Among Intel-based cards, the only ones I see detected as rogues are:

00-12-F0 (hex) Intel Corporate
0012F0 (base 16) Intel Corporate
Lot 8, Jalan Hi-tech 2/3
Kulim Hi-Tech Park
Kulim Kedah 09000
MALAYSIA

Thanks


Leo Laohoo Fri, 03/27/2009 - 17:10

If your clients/hosts are associated to the Netgear AP and you contain the Netgear AP, the WLC will not contain the clients/hosts because it will think that the Netgear AP is acting as a "honeypot" and, I believe, it takes precedence.

This could be one reason why you won't be able to detect other clients/hosts, because these same clients/hosts are associated to a "rogue" AP, i.e. the Netgear.


You could see what clients are/were associated if you click on the unclassified AP and scroll down.

shahedvoicerite Fri, 03/27/2009 - 17:43

Thanks Leo, but I don't think that may be the case.


I dont see the clients anywhere !


But when I have a Blackberry or a Cisco 7921 associated with the Netgear, and I contain the Netgear, both the Blackberry and the 7921 almost immediately lose connectivity.


However, that does not happen with the other clients (laptops) .


Thanks


Leo Laohoo Fri, 03/27/2009 - 18:46

Ok. So let me understand the situation here. A Blackberry, 7921 and a number of clients connect to a Netgear AP and the WLC classifies it as a Rogue AP. You contain the Netgear AP.


When this happens, the Blackberry and 7921 lose their wireless connection to the Netgear AP immediately. Your clients, on the other hand, don't lose WLAN to the Netgear AP.


Is this your scenario?

shahedvoicerite Fri, 03/27/2009 - 19:01

Yes. Exactly.


With the Blackberry, I can see it flapping between auth / deauth and associate / disassociate very rapidly in the Netgear logs.

Leo Laohoo Fri, 03/27/2009 - 19:10

The Blackberry is "behaving" as expected.


Now for the clients. When the WLC contains the Netgear AP, can the client(s) ping the Netgear AP?

shahedvoicerite Fri, 03/27/2009 - 19:15

I did not test pinging the Netgear, but the clients could ping other servers in the same subnet..


shahedvoicerite Sat, 03/28/2009 - 02:38

Only 1 VLAN. It's an old WG-302, which supports only 1 WLAN/VLAN.


I'll attempt to take a Wireshark trace on Monday and see if I can figure out what's happening.



Thanks.

shahedvoicerite Mon, 03/30/2009 - 05:59

I did a wireshark trace, and the WLC seems to send Deauth to the Cisco 7921 phone.


However, it just does not see the other Laptops, and thus it does not send Deauths to them.


It makes sense, as these other clients do not even show up in the WLC web pages as being associated to the rogue AP.


I wonder if it's something to do with the length of the preamble, or some other setting that seems to make these clients "invisible" to the AP/Controller.


Thanks

Correct Answer
jeff.kish Mon, 03/30/2009 - 06:10

That's really interesting. If you make a side-by-side comparison chart of the clients with the 7921 & Blackberry, what differences do you notice? Are they by any chance running at speeds that are unsupported by the AP? If you have B data rates turned off, for example, that might prevent the AP from seeing B clients.


Maybe you could bring a couple more clients over and see if any of them get dropped.

shahedvoicerite Mon, 03/30/2009 - 06:48

I had 802.11n turned on, although my radio does not support it.


I also had "g" support turned on.


After turning off *BOTH*, I now see deauth packets going to my laptop.


It slows the laptop down, but does not entirely kill the connection (every alternate ping works), but that's beside the point.


It would be a shame if I have to disable 802.11g support in order to contain 802.11b clients.


I then tried to keep "n" disabled, and bring back support for 802.11g.


On doing that, once again, the 802.11b clients are not seen.



Thanks !!!

jeff.kish Mon, 03/30/2009 - 11:20

No problem, and thanks to Leo for his work in this thread while I was away :)
