AP spoofing

Unanswered Question
Sep 17th, 2009

WLC 4404 (6.0.182.0)

Recently I have been getting event logs in my WCS about an AP being spoofed and contained. I check the logs and they give me no information about the rogue AP/client that could be causing this. It happens at random and not very often. Is there a way to get more information than simply the trap log?

(WLC)

Warning: Our AP with Base Radio MAC <mac address> is under attack (contained) by another AP on radio type 802.11a

(WCS)

AP '<AP NAME>' is being contained. This is due to rogue device spoofing AP '<AP NAME>' BSSID or targetting AP '<AP NAME>' BSSID

Vinay Saini Sat, 09/19/2009 - 22:04

This means that some other AP is using the BSSID of your AP and sending deauth.

If you have multiple controllers, make sure all are configured with the same RF group.

Lucien Avramov Sun, 09/20/2009 - 00:42

What version of WCS are you running and what controller version?

These AP impersonation alarms indicate that an unknown 802.11 entity seems to be sending 802.11 frames that are normally expected from one of the controller's APs.

There is a cosmetic bug:

CSCsj50060 WCS displays wrong radio in AP Impersonation alarms, fix Integrated in version 4.2.108.

There could be other defects depending on the controller and WCS version you are running.

Most of the time, those messages come from misbehaving NIC cards.

Basically messages like this should be seen under 2 conditions:

1) srcMac[Deauth originator] is our AP's BSSID

2) srcMac[Deauth originator] is *not* our AP's BSSID

What we've seen in the past is that NIC cards with poor drivers can get confused and send deauths to the AP itself, sourcing the AP's MAC. So if the NIC is 00:11:22:33:44:55 and the AP is 00:55:44:33:22:11, the NIC sends deauths from 00:55:44:33:22:11 to 00:55:44:33:22:11 and the AP sees them. Hard to detect without a wireless sniffer though. The fix for the bug is not to do away with the messages but to reword them more clearly. I'm not sure how many APs you have in all, but I would guess in your case it affects a particular NIC card, or a few.
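
Added example (not part of the original posts, and not Cisco code): a Python sketch of how frames from a wireless sniffer could be triaged for the pattern described above, deauthentication frames whose source address is one of your own BSSIDs. It assumes raw 802.11 frames with the radiotap header and FCS already stripped; the function names and the sample frames are constructed for illustration, using the example MAC addresses from the post.

```python
import struct
from collections import Counter

DEAUTH_FC0 = 0xC0  # first frame-control byte: version 0, type 0 (mgmt), subtype 12

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def parse_deauth(frame):
    """Parse a raw 802.11 frame (radiotap header and FCS already removed).
    Returns (dst, src, bssid, reason) for a deauthentication frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    # With 802.11w the body is encrypted (Protected bit set), so no readable reason.
    reason = None if frame[1] & 0x40 else struct.unpack_from("<H", frame, 24)[0]
    return mac(dst), mac(src), mac(bssid), reason

def classify(frame, managed_bssids):
    """Label deauths whose source address is one of our APs' BSSIDs."""
    parsed = parse_deauth(frame)
    if parsed is None or parsed[1] not in {m.lower() for m in managed_bssids}:
        return None
    dst, src, _, _ = parsed
    if dst == src:
        # An AP never deauthenticates itself: the confused-client pattern from the thread.
        return "self-addressed"
    # Could be the real AP or an impersonator; correlate with controller logs.
    return "sourced-from-our-bssid"

def summarize(frames, managed_bssids):
    return Counter(k for k in (classify(f, managed_bssids) for f in frames) if k)

def build_deauth(dst, src, bssid, reason=7):
    """Constructed test frame: FC, duration, addr1-3, sequence control, reason code."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (struct.pack("<HH", 0x00C0, 0) + raw(dst) + raw(src) + raw(bssid)
            + struct.pack("<HH", 0, reason))

AP, NIC = "00:55:44:33:22:11", "00:11:22:33:44:55"  # example MACs from the thread
SAMPLE = [  # constructed capture, not real traffic
    build_deauth(AP, AP, AP),     # self-addressed deauth sourced from the AP's MAC
    build_deauth(NIC, AP, AP),    # AP-sourced deauth to a client
    build_deauth(AP, NIC, AP),    # ordinary client-originated deauth
    b"\x80\x00" + bytes(24),      # beacon-like frame, ignored
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE, [AP])))
```

A "self-addressed" hit matches the confused-NIC case; a "sourced-from-our-bssid" hit still has to be compared against what the AP itself reports sending at that time.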

preilly78 Tue, 09/22/2009 - 07:09

Thanks for the info, that will help. I will see if in the future I can use a wireless sniffer to locate this. It happens at random and only for a minute in duration. I am running both the WLC and WCS on the newest version.

Again thanks for the info.
