Recently I have been getting event logs in my WCS about an AP being spoofed and contained. I check the logs and it gives me no information about the rogue AP/client that could be causing this. It happens at random and not very often. Is there a way to get more information than simply the trap log?
Warning: Our AP with Base Radio MAC <mac address> is under attack (contained) by another AP on radio type 802.11a
AP '<AP NAME>' is being contained. This is due to rogue device spoofing AP '<AP NAME>' BSSID or targetting AP '<AP NAME>' BSSID
What version of WCS are you running and what controller version?
These AP impersonation alarms indicate that an unknown 802.11 entity seems to be sending 802.11 frames that are normally expected from one of the controller's APs.
There is a cosmetic bug:
CSCsj50060 WCS displays wrong radio in AP Impersonation alarms, fix Integrated in version 4.2.108.
There could be other defects depending on the controller and WCS version you are running.
Most of the time, those messages come from misbehaving NIC cards.
Basically messages like this should be seen under 2 conditions:
1) srcMac[Deauth originator] is our AP's BSSID
2) srcMac[Deauth originator] is *not* our AP's BSSID
What we've seen in the past is NIC cards with poor drivers can get confused and send deauths to the AP itself, sourcing the AP's MAC. So if the NIC is 00:11:22:33:44:55 and the AP is 00:55:44:33:22:11, the NIC sends deauths from 00:55:44:33:22:11 to 00:55:44:33:22:11 and the AP sees them. Hard to detect without a wireless sniffer though. The fix for the bug is not to do away with the messages but to reword them more clearly. I'm not sure how many APs you have in all, but I would guess in your case it affects a particular NIC card, or a few.
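The two conditions above (deauth source address equal to our AP's BSSID, or not) are easy to sort mechanically once you have a sniffer capture. The following is an added example, not code from this thread or from Cisco: it parses the 802.11 management frame header of deauthentication/disassociation frames, tags each one by whether the source address is one of our BSSIDs and whether it is addressed back to the AP itself (the confused-NIC pattern described above), and counts the results per source/destination pair so the repeating MAC stands out. The frames, the AP and NIC addresses (taken from the post) and the reason code are constructed sample data; a real deployment would feed it frames read from a pcap.

```python
"""Triage 802.11 deauth/disassoc frames against the two AP-impersonation
conditions from the thread. Added example; all frames below are constructed."""
import struct
from collections import Counter
from dataclasses import dataclass

MGMT_TYPE = 0            # frame control type bits: 0 = management
DEAUTH_SUBTYPE = 0x0C    # deauthentication
DISASSOC_SUBTYPE = 0x0A  # disassociation
HDR_LEN = 24             # FC(2) Dur(2) A1(6) A2(6) A3(6) SeqCtl(2)


@dataclass
class Deauth:
    src: str    # Address 2: transmitter
    dst: str    # Address 1: receiver
    bssid: str  # Address 3
    reason: int


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_deauth(frame: bytes):
    """Return a Deauth for a deauth/disassoc management frame, else None."""
    if len(frame) < HDR_LEN + 2:          # header plus 2-byte reason code
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE):
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack("<H", frame[HDR_LEN:HDR_LEN + 2])[0]
    return Deauth(src=_mac(addr2), dst=_mac(addr1), bssid=_mac(addr3), reason=reason)


def classify(d: Deauth, our_bssids: set) -> str:
    """Map a frame onto the thread's two conditions, splitting out the
    confused-NIC pattern (our BSSID as source AND destination)."""
    if d.src in our_bssids and d.src == d.dst:
        return "self-addressed spoof"        # NIC sourcing the AP's own MAC at the AP
    if d.src in our_bssids:
        return "sourced as our BSSID"        # condition 1: AP-originated or spoofed
    return "external source"                 # condition 2


def triage(frames, our_bssids: set) -> Counter:
    """Count (category, src, dst) for every deauth/disassoc frame in the capture."""
    counts = Counter()
    for f in frames:
        d = parse_deauth(f)
        if d is not None:
            counts[(classify(d, our_bssids), d.src, d.dst)] += 1
    return counts


def build_deauth(src: str, dst: str, bssid: str, reason: int = 7) -> bytes:
    """Build a minimal deauthentication frame (constructed test input)."""
    fc = bytes([0xC0, 0x00])                 # type 0, subtype 0xC
    duration = bytes([0x3A, 0x01])
    seq_ctl = b"\x00\x00"
    return fc + duration + _mac_bytes(dst) + _mac_bytes(src) + _mac_bytes(bssid) \
        + seq_ctl + struct.pack("<H", reason)


# Constructed sample capture using the addresses quoted in the post.
AP = "00:55:44:33:22:11"
NIC = "00:11:22:33:44:55"
OTHER = "02:de:ad:be:ef:01"
BEACON = bytes([0x80, 0x00]) + bytes(22) + bytes(12)   # beacon, must be ignored
SAMPLE_FRAMES = [
    build_deauth(AP, AP, AP),        # confused NIC pattern, three times
    build_deauth(AP, AP, AP),
    build_deauth(AP, AP, AP),
    build_deauth(AP, NIC, AP),       # source is our BSSID, addressed to a client
    build_deauth(OTHER, AP, AP),     # third-party source
    BEACON,
]

if __name__ == "__main__":
    for (cat, src, dst), n in triage(SAMPLE_FRAMES, {AP}).most_common():
        print(f"{n:3d}  {cat:22s} {src} -> {dst}")
```

Run it against frames exported from a wireless sniffer: a large count in the "self-addressed spoof" row for one AP points at the driver problem described above rather than at a genuine rogue, and a steady "external source" row gives you the MAC to chase in the client database.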
Thanks for the info that will help. I will see if in the future I can use a wireless sniffer to locate this. It happens at random and only for a minute in duration. I am running both the WLC and WCS on the newest version.