Cisco Support Community
Community Member

Rogue AP Countermeasure in WLC

The WLC detects rogue APs in its environment. The WLC also has some actions it can take against those rogue APs, by changing Update Status in Rogue AP Detail to Contain. This makes the AP that detected the rogue AP send management frames (deauthentication frames) to that rogue AP. So whatever and whoever client tries to connect to the rogue AP, they will be kicked out or deauthenticated.

 

So that's in theory.

 

In reality, I set up an AP using the Nokia tethering feature. Obviously the WLC detects it as a rogue AP, and I initiate a deauth attack, using the WLC, against the AP that I have just set up. In theory, all devices that try to associate to this AP will be deauthenticated or will not be connected. But in my lab, I tried to connect my other device to my Nokia AP. And voila, my other device is connected.

 

So my question:

Why is my other device not deauthenticated?

 

Thanks

1 ACCEPTED SOLUTION

Hall of Fame Super Silver

You need more than one to make this really work, but in a non-lab environment, you really don't ever want to use it. You can run into legal issues, and it also uses resources on the access points that are performing the containment.

-Scott
*** Please rate helpful posts ***
5 REPLIES

Are you sure that your APs are in range of the client? If so, what happens if you contain the specific client instead of the SSID?

Community Member

So instead of containing the AP, I also have to contain the rogue client too?
I understand about the legal issues, I just want to test the theory and the features in the Cisco WLC.

Thanks

Community Member

I've thought about this a lot recently as the MSE is more readily bundled into a Wi-Fi offering. You can do rogue detection, but any form of mitigation such as containment throws up a lot of possible legal ramifications.

Community Member

Did you use a Monitor mode AP?

Also, if the client and AP are using 802.11w, then containment will not work, as in that case the management frames are protected.

To dig further, you can try a setup where you have one monitor mode AP to launch the deauth attack, one sniffer mode AP to see what's going on in the air, and the hotspot which you already have as the containment target.
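The 802.11w point in the reply above can be checked from a sniffer capture: the RSN element in the hotspot's beacon advertises whether management frame protection is capable or required. The following is an added example, not part of the original thread or any Cisco tooling; the function names and the sample beacon bytes are constructed for illustration.

```python
import struct

RSN_IE_ID = 48   # element ID of the RSN information element
MFPR = 0x0040    # RSN capabilities bit 6: management frame protection required
MFPC = 0x0080    # RSN capabilities bit 7: management frame protection capable

def iter_ies(tagged):
    """Yield (element_id, payload) pairs from a beacon's tagged parameters."""
    off = 0
    while off + 2 <= len(tagged):
        eid, length = tagged[off], tagged[off + 1]
        payload = tagged[off + 2: off + 2 + length]
        if len(payload) < length:       # truncated element: stop parsing
            return
        yield eid, payload
        off += 2 + length

def rsn_capabilities(rsn):
    """Return the 16-bit RSN capabilities field, or None if it is absent."""
    off = 2 + 4                         # skip version and group cipher suite
    for _ in range(2):                  # skip pairwise list, then AKM list
        if off + 2 > len(rsn):
            return None
        (count,) = struct.unpack_from("<H", rsn, off)
        off += 2 + 4 * count
    if off + 2 > len(rsn):
        return None
    return struct.unpack_from("<H", rsn, off)[0]

def pmf_status(tagged):
    """Classify a BSS as 'required', 'capable', 'disabled' or 'no-rsn'."""
    for eid, payload in iter_ies(tagged):
        if eid == RSN_IE_ID:
            caps = rsn_capabilities(payload)
            if caps is None or not caps & MFPC:
                return "disabled"
            return "required" if caps & MFPR else "capable"
    return "no-rsn"

def sample_beacon(caps):
    """Constructed tagged parameters: SSID 'test' plus a WPA2-PSK/CCMP RSN element."""
    rsn = bytes.fromhex("0100000fac040100000fac040100000fac02")
    return bytes([0, 4]) + b"test" + bytes([RSN_IE_ID, 20]) + rsn + struct.pack("<H", caps)

if __name__ == "__main__":
    for caps in (0x0000, 0x0080, 0x00C0):
        print(hex(caps), pmf_status(sample_beacon(caps)))
```

A result of "capable" means protection is only used with clients that also negotiate it, so per-client association frames still need to be checked in the capture.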
