09-17-2009 04:28 AM - edited 07-03-2021 06:03 PM
WLC 4404 (6.0.182.0)
Recently I have been getting event logs in my WCS about an AP being spoofed and contained. I check the logs and it gives me no information about the rogue AP/client that could be causing this. It happens at random and not very often. Is there a way to get more information then simply the trap log.
(WLC)
Warning: Our AP with Base Radio MAC <mac address> is under attack (contained) by another AP on radio type 802.11a
(WCS)
AP '<AP NAME>' is being contained. This is due to rogue device spoofing AP '<AP NAME>' BSSID or targetting AP '<AP NAME>' BSSID
09-19-2009 10:04 PM
This means that Some other AP is using the BSSID of your AP and sending deauth.
If you have multiple Controllers , Make sure all are configured with the same RF group.
09-20-2009 12:42 AM
What version of WCS are you running and what controller version?
These AP impersonation alarms indicate that an unknown
802.11 entity seems to be sending 802.11 frames that are normally expected from one of the controller's APs.
There is a cosmetic bug:
CSCsj50060 WCS displays wrong radio in AP Impersonation alarms, fix Integrated in version 4.2.108.
There could be other defects depending on the controller and WCS version you are running.
In most of the times, those messages come from misbehaving NIC cards.
Basically messages like this should be seen under 2 conditions:
1) srcMac[Deauth originator] is our AP's BSSID
2) srcMac[Deauth originator] is *not* our AP's BSSID
What we've seen in the past is NIC cards with poor drivers can get confused and send deauths to the AP itself, sourcing the AP's mac. So if the NIC is 00:11:22:33:44:55 and the AP is 00:55:44:33:22:11, the NIC sends deauths from 00:55:44:33:22:11 to 00:55:44:33:22:11 and the AP sees them. Hard to detect without a wireless sniffer though. The fix for the bug is not to do away with the messages but reword them more clearly. I'm not sure how many APs you have in all, but I would guess in your case it's affects a particular NIC card, or few.
09-22-2009 07:09 AM
Thanks for the info that will help. I will see if in the future I can use a wireless sniffer to locate this. It happens at random and only for a minute in duration. I am running both the WLC and WCS on the newest version.
Again thanks for the info.
09-22-2009 05:41 PM
Please run a sniffer trace and advise back if anything else is needed.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide