cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1813
Views
5
Helpful
4
Replies

AP Impersonation Alarms - WCS 4.1.83

zhenningx
Level 4
Level 4

We see many AP Impersonation alarms from WCS 4.1.83:

AP Impersonation of MAC '00:17:0f:xx:xx:xx' using source MAC '00:e0:98:xx:xx:xx' is detected by authenticated AP '00:17:0f:xx:xx:xx' on '802.11a' radio and Slot ID '0'.

Any ideas about this alarm? I have checked the source MACs in the alarm message are some client MACs.

Thanks,

Zhenning

1 Accepted Solution

Accepted Solutions

Rob Huffman
Hall of Fame
Hall of Fame

Hi Zhenning,

These seem to be strictly bug related. Have a look;

CSCsb90622 AP impersonation alarms flooding the WCS

CSCsg01470 Add source address to AP-IMPERSONATION Trap. AP impersonation traps don't include the source MAC address. Format of the alarm message needs to be changed.

CSCsj50060 WCS use display wrong radio in AP Impersonation alarms. (shows 802.11a radio, even if 802.11a radio is off)

CSCsg44344 Add source address to AP-IMPERSONATION Trap. AP impersonation traps don't include the source MAC address. WCS currently only shows: AP Impersonation with MAC '00:14:1b:62:4e:42' is detected by authenticated AP '00:14:1b:62:4e:40' on '802.11b/g' radio and Slot ID '0'.

These bugs have been nicely documented by John in threads that date back a fair bit;

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddc3127/7#selected_message

Hope this helps!

Rob

View solution in original post

4 Replies 4

Rob Huffman
Hall of Fame
Hall of Fame

Hi Zhenning,

These seem to be strictly bug related. Have a look;

CSCsb90622 AP impersonation alarms flooding the WCS

CSCsg01470 Add source address to AP-IMPERSONATION Trap. AP impersonation traps don't include the source MAC address. Format of the alarm message needs to be changed.

CSCsj50060 WCS use display wrong radio in AP Impersonation alarms. (shows 802.11a radio, even if 802.11a radio is off)

CSCsg44344 Add source address to AP-IMPERSONATION Trap. AP impersonation traps don't include the source MAC address. WCS currently only shows: AP Impersonation with MAC '00:14:1b:62:4e:42' is detected by authenticated AP '00:14:1b:62:4e:40' on '802.11b/g' radio and Slot ID '0'.

These bugs have been nicely documented by John in threads that date back a fair bit;

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Wireless%20-%20Mobility&topic=Security%20and%20Network%20Management&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddc3127/7#selected_message

Hope this helps!

Rob

I think we are hitting the bug CSCsj50060. Thanks Rob!

Zhenning

Hi Zhenning,

You are always welcome :) As I noted, John has done some really nice legwork and written up some excellent posts on this subject. It is great to see so many great people participating here!

Take care,

Rob

abwahid
Level 4
Level 4

Hi,

Check the similar query on the below link.

https://supportforums.cisco.com/discussion/12486461/ap-impersonation-alarm#comment-10532971

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: