WLC containing one of its own AP's as a rogue?

Unanswered Question
Aug 15th, 2010

Hi,

We have several WLC's in school sites all connected back to a central WCS (ver6) which is working fine so I am just trying to clear up a few small issues.

At a couple of sites I am getting alarms on WCS as per example below which has me at a loss.

WCS has detected one or more alarms of category AP and severity Critical in Virtual Domain root
for the following items:

AP 'grafs-S03' is being contained. This is due to rogue device spoofing AP 'grafs-S03' BSSID or targetting AP 'grafs-S03' BSSID. - Controller Name: grafs-wlc-01

E-mail will be suppressed up to 30 minutes for these alarms.


Then a minute later I get the following to say it's no longer being contained.

WCS has detected a change in one or more alarms of category AP and severity Critical in Virtual Domain root.
The new severity of the following items is Clear:

AP 'grafs-S03' with protocol '802.11b/g' on Controller '10.96.192.5' is no longer being contained. Service is restored. - Controller Name: grafs-wlc-01

E-mail will be suppressed up to 30 minutes for these changes.


Any suggestions on this error would be appreciated.

TIA Tony

dancampb Mon, 08/16/2010 - 06:09

If there is a device spoofing one of your APs, you'll really need to get a wireless sniffer capture while the event is occurring to determine the source. You would review the capture and identify the packets causing the event, which would typically be deauth frames. Look at the sequence number in the dot11 header, then trace back through the capture to determine who the actual sender of the packet was. The sequence number will increment by one for every packet a radio sends.
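The sequence-number trace described in the reply above, sketched over a constructed capture summary (an added example, not part of the original thread or any Cisco tool). It assumes one counter per radio that steps by one per frame, as the reply states; the addresses, frame list and the `WINDOW` tolerance are made up for illustration, and real radios may keep separate counters for some frame classes.

```python
SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits and wrap at 4096
WINDOW = 8      # assumed tolerance for frames the sniffer missed

AP = "02:00:00:00:00:01"  # constructed addresses, not taken from the thread
C1 = "02:00:00:00:00:11"
C2 = "02:00:00:00:00:12"
# Constructed capture summary: (time_s, transmitter, subtype, Sequence Control)
FRAMES = [
    (0.000, AP, "beacon", 1200 << 4),
    (0.010, C1, "data", (310 << 4) | 1),   # fragment bits are masked off
    (0.050, C2, "data", 4094 << 4),
    (0.102, AP, "beacon", 1201 << 4),
    (0.120, C2, "data", 4095 << 4),
    (0.130, AP, "deauth", 0 << 4),         # claims the AP, counter says otherwise
    (0.131, AP, "deauth", 1 << 4),
    (0.140, C1, "data", 311 << 4),
    (0.204, AP, "beacon", 1202 << 4),
]

def seq_num(seq_ctrl):
    """Sequence number is the upper 12 bits of the 16-bit Sequence Control field."""
    return (seq_ctrl >> 4) & 0xFFF

def follows(prev, cur):
    """True if cur equals prev (a retry) or is a small step ahead, modulo 4096."""
    return (cur - prev) % SEQ_MOD <= WINDOW

def trace_spoofed(frames, ap_bssid):
    """Return (time, subtype, seq, likely_sender) for frames that claim ap_bssid
    but do not fit the AP's own counter. Assumes the first AP frame is genuine
    and that fewer than WINDOW consecutive AP frames are missing from the capture."""
    last = {}  # transmitter address -> last sequence number accepted for it
    findings = []
    for t, ta, subtype, seq_ctrl in sorted(frames):
        seq = seq_num(seq_ctrl)
        if ta == ap_bssid and ta in last and not follows(last[ta], seq):
            # Out of step with the AP: whose counter does this frame continue?
            sender = next((a for a, s in last.items() if a != ap_bssid
                           and s != seq and follows(s, seq)), None)
            findings.append((t, subtype, seq, sender))
            if sender:
                last[sender] = seq  # the frame advanced that radio's counter
            continue                # keep the AP's baseline untouched
        last[ta] = seq
    return findings

if __name__ == "__main__":
    for finding in trace_spoofed(FRAMES, AP):
        print(finding)
```

In the constructed data the two deauth frames carry the AP's address but continue the counter of the second client across the 4095 to 0 wrap, so both are attributed to that radio.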

Tony Dann Mon, 08/16/2010 - 18:48

Thanks for that,

This site is a school in a rural area so I would doubt there is actually an AP spoofing. I feel it is a false positive as I have been onsite when this occurs and it happens for less than a minute... maybe 30 seconds and there are no rogue AP's detected at all within range.

cheers

Tony

Tony Dann Mon, 08/16/2010 - 21:10

Firmware Version 6.0.196.0 on the WLC

Firmware Version 6.0.181.0 on the WCS

shrauger1 Thu, 08/26/2010 - 08:47

I am running the same versions and am getting the same errors.  I also think they are bogus, but why are they being generated?

Laura

Leo Laohoo Thu, 08/26/2010 - 15:48

I've seen in the 4.X and 5.X of this bogus "honeypots" but I would've thought the issue was fixed.  Has anyone tried using 7.X?

George Stefanick Sun, 08/29/2010 - 16:16

I'm on the same code and have the same issue. Don't feel bad ..

I'm upgrading here in the next week. I will let you know what I see...

Tony Dann Mon, 08/30/2010 - 16:22

Thanks everyone for your suggestions, Rob is this a setting (Turning off "Remember any network this computer has joined") that needs to be changed on the "i"device?

Tony

George Stefanick Thu, 09/02/2010 - 08:24

I'm slow this morning ... Coffee hasn't kicked in ...

So why would the controller flag this as a rogue containment?

Can you explain?

I can only explain the effects. The "AP being contained as a rogue" message doesn't actually mean that the WLC is containing its own AP, only that it sees its AP contained. We found the Apple software issue more or less by trial and error - by disabling clients in proximity to the affected AP. Once we saw the containment message drop we got our hands on the affecting device and looked at its settings (It turns out that disabling access will often get a machine brought to the help desk by its owner!). Hope this helps.

George Stefanick Fri, 09/03/2010 - 16:50

I would have loved to have seen a packet capture ... Because the Cisco Wireless would only flag this if a device was spoofing the AP. That's my guess ...

William Maguire Thu, 09/09/2010 - 10:31

I'm running 7.0.98 and see the same issues, I treat it as a false positive as I get the contain and no longer being contained messages back to back. My environment has many many iPads, iPhones, MacBooks, iMacs, etc. Running around and trying to turn off the "remember networks" setting isn't an option; but the issue happens frequently enough I will try and grab a capture and share it with you guys.

Thanks,

Bill

ThomasPemberton Thu, 03/01/2012 - 08:04

I am seeing this on our campus as well.  It is not realistic (with the volume of devices we have) to change settings on every iDevice that is causing this problem.  Is there any way to find and mark these devices as "safe" or some other solution to make these alerts go away?  I probably see 10-20 of these alerts every day....

Vinay Sharma Sun, 09/25/2011 - 11:01

Hello Tony,

Please mark the Question as Answered, if the provided information is correct and it helped. By doing that others can take benefit as well.

Thanks,

Vinay Sharma

Community Manager – Wireless

grccadmin Tue, 02/18/2014 - 07:54

Has there been a reasonable solution found for this issue? Telling people with Apple devices to adjust their settings is not an acceptable answer.
