AP spoofing

preilly78
Level 1

WLC 4404 (6.0.182.0)

Recently I have been getting event logs in my WCS about an AP being spoofed and contained. I check the logs and it gives me no information about the rogue AP/client that could be causing this. It happens at random and not very often. Is there a way to get more information than simply the trap log?

(WLC)

Warning: Our AP with Base Radio MAC <mac address> is under attack (contained) by another AP on radio type 802.11a

(WCS)

AP '<AP NAME>' is being contained. This is due to rogue device spoofing AP '<AP NAME>' BSSID or targetting AP '<AP NAME>' BSSID

Vinay Saini
Cisco Employee

This means that some other AP is using the BSSID of your AP and sending deauth.

If you have multiple controllers, make sure all are configured with the same RF group.

Lucien Avramov
Level 10

What version of WCS are you running and what controller version?

These AP impersonation alarms indicate that an unknown 802.11 entity seems to be sending 802.11 frames that are normally expected from one of the controller's APs.

There is a cosmetic bug:

CSCsj50060 WCS displays wrong radio in AP Impersonation alarms, fix integrated in version 4.2.108.

There could be other defects depending on the controller and WCS version you are running.

Most of the time, those messages come from misbehaving NIC cards.

Basically messages like this should be seen under 2 conditions:

1) srcMac[Deauth originator] is our AP's BSSID

2) srcMac[Deauth originator] is *not* our AP's BSSID

What we've seen in the past is NIC cards with poor drivers can get confused and send deauths to the AP itself, sourcing the AP's MAC. So if the NIC is 00:11:22:33:44:55 and the AP is 00:55:44:33:22:11, the NIC sends deauths from 00:55:44:33:22:11 to 00:55:44:33:22:11 and the AP sees them. Hard to detect without a wireless sniffer though. The fix for the bug is not to do away with the messages but to reword them more clearly. I'm not sure how many APs you have in all, but I would guess in your case it affects a particular NIC card, or a few.
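An offline check for the pattern described in the reply above, for frames pulled from a sniffer trace. This is an added example, not part of the original posts and not Cisco code: the function names are hypothetical, the sample frames are constructed from the two MACs used in the reply, and each frame is assumed to be a bare 802.11 header with radiotap and FCS already stripped.

```python
import struct
from collections import Counter

DEAUTH_FC0 = 0xC0  # frame-control byte 0: version 0, type 0 (mgmt), subtype 12

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """Return (dst, src, bssid, reason) for a deauth frame, else None."""
    if len(frame) < 26 or frame[0] != DEAUTH_FC0:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)  # first field of the body
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def classify(frame, ap_bssids):
    """Bucket one deauth frame relative to the set of our own AP BSSIDs."""
    parsed = parse_deauth(frame)
    if parsed is None:
        return None
    dst, src, bssid, _reason = parsed
    ours = {m.lower() for m in ap_bssids}
    if src in ours and dst == src:
        return "self-addressed"   # AP's MAC as both source and destination
    if src in ours:
        return "ap-sourced"       # compare with what the AP itself logged
    if dst in ours or bssid in ours:
        return "client-sourced"
    return "unrelated"

def summarize(frames, ap_bssids):
    """Count deauth frames per bucket, ignoring non-deauth frames."""
    return Counter(c for c in (classify(f, ap_bssids) for f in frames) if c)

def build_deauth(dst, src, bssid, reason=7):
    """Constructed sample frame for the demo (not a capture)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    return (bytes([DEAUTH_FC0, 0]) + bytes(2) + raw(dst) + raw(src)
            + raw(bssid) + bytes(2) + struct.pack("<H", reason))

AP, NIC = "00:55:44:33:22:11", "00:11:22:33:44:55"   # MACs from the reply
SAMPLE = [
    build_deauth(AP, AP, AP),      # the confused-NIC case
    build_deauth(NIC, AP, AP),
    build_deauth(AP, NIC, AP),
    build_deauth("02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:02"),
    bytes([0x80, 0]) + bytes(24),  # beacon-type frame, skipped
]

if __name__ == "__main__":
    print(summarize(SAMPLE, {AP}))
```

A "self-addressed" hit matches the misbehaving-NIC case; an "ap-sourced" frame cannot be judged from addresses alone and needs comparing against the deauths the AP actually sent.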

Thanks for the info, that will help. I will see if in the future I can use a wireless sniffer to locate this. It happens at random and only for a minute in duration. I am running both the WLC and WCS on the newest version.

Again thanks for the info.

Please run a sniffer trace and advise back if anything else is needed.
