Cisco Support Community

New Member

AP spoofing

WLC 4404 (6.0.182.0)

Recently I have been getting event logs in my WCS about an AP being spoofed and contained. I checked the logs and they give me no information about the rogue AP/client that could be causing this. It happens at random and not very often. Is there a way to get more information than simply the trap log?

(WLC)

Warning: Our AP with Base Radio MAC <mac address> is under attack (contained) by another AP on radio type 802.11a

(WCS)

AP '<AP NAME>' is being contained. This is due to rogue device spoofing AP '<AP NAME>' BSSID or targetting AP '<AP NAME>' BSSID

4 REPLIES
Cisco Employee

Re: AP spoofing

This means that some other AP is using the BSSID of your AP and sending deauth.

If you have multiple controllers, make sure all are configured with the same RF group.

Re: AP spoofing

What version of WCS are you running and what controller version?

These AP impersonation alarms indicate that an unknown 802.11 entity seems to be sending 802.11 frames that are normally expected from one of the controller's APs.

There is a cosmetic bug:

CSCsj50060 WCS displays wrong radio in AP Impersonation alarms, fix integrated in version 4.2.108.

There could be other defects depending on the controller and WCS version you are running.

Most of the time, those messages come from misbehaving NIC cards.

Basically messages like this should be seen under 2 conditions:

1) srcMac[Deauth originator] is our AP's BSSID

2) srcMac[Deauth originator] is *not* our AP's BSSID

What we've seen in the past is that NIC cards with poor drivers can get confused and send deauths to the AP itself, sourcing the AP's MAC. So if the NIC is 00:11:22:33:44:55 and the AP is 00:55:44:33:22:11, the NIC sends deauths from 00:55:44:33:22:11 to 00:55:44:33:22:11 and the AP sees them. Hard to detect without a wireless sniffer though. The fix for the bug is not to do away with the messages but to reword them more clearly. I'm not sure how many APs you have in all, but I would guess in your case it affects a particular NIC card, or a few.
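The two conditions listed in the reply above can be checked offline against frames from a sniffer capture. The following is an added example, not part of the original posts and not Cisco code; it assumes raw 802.11 frames with the radiotap header already stripped, and the function names and sample frames are constructed for illustration (the MACs are the ones used in the reply).

```python
import struct
from collections import Counter

DEAUTH = (0, 12)  # (type, subtype): management frame, deauthentication

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_deauth(frame):
    """(dst, src, bssid, reason) for a raw 802.11 deauth frame (no radiotap), else None."""
    if len(frame) < 26 or ((frame[0] >> 2) & 0x3, frame[0] >> 4) != DEAUTH:
        return None
    reason, = struct.unpack_from("<H", frame, 24)  # reason code follows the 24-byte header
    return mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def classify(frame, our_bssids):
    """Sort a deauth into the cases discussed in the thread; None if not a deauth."""
    parsed = parse_deauth(frame)
    if parsed is None:
        return None
    dst, src, bssid, _ = parsed
    if src in our_bssids and dst == src:
        return "self-addressed"        # AP's MAC as both source and destination
    if src in our_bssids:
        return "sourced-as-our-bssid"  # condition 1; compare with the AP's own deauth events
    if dst in our_bssids or bssid in our_bssids:
        return "aimed-at-our-bssid"    # condition 2; includes ordinary client deauths
    return "unrelated"

def build(dst, src, bssid, subtype=12, reason=7):
    """Constructed sample frame: frame control, duration, 3 addresses, seq ctl, reason."""
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return bytes([subtype << 4, 0, 0, 0]) + addrs + b"\x00\x00" + struct.pack("<H", reason)

AP, NIC = "00:55:44:33:22:11", "00:11:22:33:44:55"  # MACs from the example in the reply
SAMPLE = [  # constructed frames, not captured traffic
    build(AP, AP, AP),             # the confused-NIC pattern: AP MAC to AP MAC
    build(NIC, AP, AP),            # deauth that claims to come from the AP
    build(AP, NIC, AP, reason=3),  # deauth from a client toward the AP
    build(AP, NIC, AP, subtype=8), # subtype 8, not a deauth, so it is skipped
]

def summarize(frames, our_bssids):
    return Counter(c for c in (classify(f, our_bssids) for f in frames) if c)

if __name__ == "__main__":
    print(summarize(SAMPLE, {AP}))
```

A sniffer also sees the AP's legitimate deauths, so frames in the "sourced-as-our-bssid" bucket only indicate impersonation when they do not line up with deauths the controller itself issued.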

New Member

Re: AP spoofing

Thanks for the info, that will help. I will see if in the future I can use a wireless sniffer to locate this. It happens at random and only for a minute in duration. I am running both the WLC and WCS on the newest version.

Again thanks for the info.

Re: AP spoofing

Please run a sniffer trace and advise back if anything else is needed.
