cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5972
Views
0
Helpful
18
Replies

WLC containing one of its own AP's as a rogue?

Tony Dann
Level 1
Level 1

Hi,

We have several WLC's in school sites all connected back to a central WCS (ver6) which is working fine so I am just trying to clear up a few small issues.

At a couple of sites I am getting alarms on WCS as per example below which has me at a loss.

WCS has detected one or more alarms of category AP and severity Critical in Virtual Domain root
for the following items:

AP 'grafs-S03' is being contained. This is due to rogue device spoofing AP 'grafs-S03' BSSID or targetting AP 'grafs-S03' BSSID. - Controller Name: grafs-wlc-01

E-mail will be suppressed up to 30 minutes for these alarms.


Then a minute later I get the following to say its no longer being contained.

WCS has detected a change in one or more alarms of category AP and severity Critical in Virtual Domain root.
The new severity of the following items is Clear:

AP 'grafs-S03' with protocol '802.11b/g' on Controller '10.96.192.5' is no longer being contained. Service is restored. - Controller Name: grafs-wlc-01

E-mail will be suppressed up to 30 minutes for these changes.


Any suggestions on this error would be appreciated.

TIA Tony

18 Replies 18

dancampb
Level 7
Level 7

If there is a device spoofing one of your AP's you'll really need to get a wireless sniffer capture while the event is occurring to determine the source.  You would review the capture and identify the packets causing the event, typically would be deauth frames.  Look at the sequence number in the dot11 header, then trace back through the capture to determine the who the actual sender was of the packet.  The sequence number will increment by one for every packet a radio sends.

Thanks for that,

This site is a school in a rural area so I would doubt there is actually an AP spoofing. I feel it is a false positive as I have been onsite when this occurs and it happens for less then a minute.. maybe 30 seconds and there are no rogue AP's detected at all within range.

cheers

Tony

What is your WLC firmware?

Firmware Version 6.0.196.0 on the WLC

Firmware Version                                           6.0.181.0on the WCS

I am running the same versions and am getting the same errors.  I also think they are bogus, but why are they being generated?

Laura

I've seen in the 4.X and 5.X of this bogus "honeypots" but I would've thought the issue was fixed.  Has anyone tried using 7.X?

Im on the same code and have the same issue. Dont feel bad ..

Im upgrading here in the next week. I will let you know what i see...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

There are several versions af Apple code on iPhones and iBooks (and other iProducts) that will cause this error.  Turning off "Remember any network this computer has joined" will usually get rid of it.

Thanks everyone for your suggestions, Rob is this a setting (Turning off "Remember any network this computer has joined") that needs to be changed on the "i"device?

Tony

The "remember all wireless networks" is a setting on the "i" devices.  One thing we have found useful is to look for devices with Apple prefixes near the affected AP.  If manually disabling them on the controller or WCS stops the containment messages, there is a good chance you have found the cause.

Im slow this morning ... Coffee hasnt kicked in ...

So why would the controller flag this as a rogue conatinment ?

Can you explain?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

I can only explain the effects. The "AP being contained as a rogue" message doesn't actually mean that the WLC is containing its own AP, only that it sees its AP contained. We found the Apple software issue more or less by trial and error - by disabling clients in proximity to the affected AP. Once we saw the containment message drop we got our hands on the affecting device and looked at its settings (It turns out that disabling access will often get a machine brought to the help desk by its owner!). Hope this helps.

I would have loved to seen a packet capture ... Because the Cisco Wireless would only flag this if a device was spoofing the AP. Thats my guess ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

William Maguire
Level 1
Level 1

I'm running 7.0.98 and see the same issues, I treat it as a false positive as I get the contain and no longer being contained messages back to back.  My environment has many many ipad's, iphones, MacBooks, iMacs, etc.  Running around and trying to turn off the "remember networks" setting isn't an option; but the issue happens frequently enough I will try and grab a capture and share it with you guys.

Thanks,

Bill

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: