Cisco Support Community

New Member

WLC containing one of its own AP's as a rogue?

Hi,

We have several WLC's in school sites all connected back to a central WCS (ver6) which is working fine so I am just trying to clear up a few small issues.

At a couple of sites I am getting alarms on WCS as per example below which has me at a loss.

WCS has detected one or more alarms of category AP and severity Critical in Virtual Domain root
for the following items:

AP 'grafs-S03' is being contained. This is due to rogue device spoofing AP 'grafs-S03' BSSID or targetting AP 'grafs-S03' BSSID. - Controller Name: grafs-wlc-01

E-mail will be suppressed up to 30 minutes for these alarms.


Then a minute later I get the following to say it's no longer being contained.

WCS has detected a change in one or more alarms of category AP and severity Critical in Virtual Domain root.
The new severity of the following items is Clear:

AP 'grafs-S03' with protocol '802.11b/g' on Controller '10.96.192.5' is no longer being contained. Service is restored. - Controller Name: grafs-wlc-01

E-mail will be suppressed up to 30 minutes for these changes.


Any suggestions on this error would be appreciated.

TIA Tony

18 REPLIES
Gold

Re: WLC containing one of its own AP's as a rogue?

If there is a device spoofing one of your AP's you'll really need to get a wireless sniffer capture while the event is occurring to determine the source. You would review the capture and identify the packets causing the event, which typically would be deauth frames. Look at the sequence number in the dot11 header, then trace back through the capture to determine who the actual sender of the packet was. The sequence number will increment by one for every packet a radio sends.
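
The sequence-number tracing described in the reply above, as an added example that is not part of the original thread. It runs over a constructed capture (the addresses, the frame list and the `slack` tolerance are all assumptions) and assumes one sequence counter per radio, as the reply states.

```python
# Constructed sample capture, not real data: (time_s, transmitter, subtype, seq)
AP = "00:11:22:aa:bb:01"  # hypothetical BSSID of the AP named in the alarm
CAPTURE = [
    (0.00, AP, "beacon", 2001),
    (0.02, "02:00:00:00:00:c7", "probe-req", 512),
    (0.10, AP, "beacon", 2002),
    (0.11, "02:00:00:00:00:d9", "data", 3300),
    (0.12, "02:00:00:00:00:c7", "data", 513),
    (0.13, AP, "deauth", 514),   # claims the AP's address, seq does not fit the AP
    (0.20, AP, "beacon", 2003),
    (0.21, AP, "deauth", 2004),  # continues the AP's own counter
    (0.22, "02:00:00:00:00:c7", "data", 515),
]

SEQ_MOD = 4096  # the 802.11 sequence number is 12 bits and wraps to 0


def follows(prev, seq, slack=3):
    """True if seq continues a counter last seen at prev.

    slack tolerates a few frames the sniffer missed (assumed value).
    """
    return 1 <= (seq - prev) % SEQ_MOD <= slack


def attribute_deauths(capture, bssid):
    """Return (time, seq, likely_sender) for each deauth that carries the
    AP's address but does not continue the AP's sequence counter.
    likely_sender is None when zero or several radios match."""
    last = {}       # radio we believe sent the frame -> its last sequence number
    findings = []
    for t, src, subtype, seq in capture:
        sender = src
        # Only judge once the AP has a baseline sequence number in the capture.
        if (src == bssid and subtype == "deauth" and bssid in last
                and not follows(last[bssid], seq)):
            candidates = [mac for mac, prev in last.items()
                          if mac != bssid and follows(prev, seq)]
            sender = candidates[0] if len(candidates) == 1 else None
            findings.append((t, seq, sender))
        if sender is not None:
            last[sender] = seq  # advance the counter of the radio that really sent it
    return findings


if __name__ == "__main__":
    for t, seq, sender in attribute_deauths(CAPTURE, AP):
        print(f"t={t:.2f}s deauth seq={seq} out of sequence for AP; likely sender: {sender}")
```

A finding whose sender is `None` means no single radio's counter matches, so the capture alone does not identify the source.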

New Member

Re: WLC containing one of its own AP's as a rogue?

Thanks for that,

This site is a school in a rural area so I would doubt there is actually an AP spoofing. I feel it is a false positive as I have been onsite when this occurs and it happens for less than a minute.. maybe 30 seconds and there are no rogue AP's detected at all within range.

cheers

Tony

Hall of Fame Super Gold

Re: WLC containing one of its own AP's as a rogue?

What is your WLC firmware?

New Member

Re: WLC containing one of its own AP's as a rogue?

Firmware Version 6.0.196.0 on the WLC

Firmware Version 6.0.181.0 on the WCS

New Member

Re: WLC containing one of its own AP's as a rogue?

I am running the same versions and am getting the same errors.  I also think they are bogus, but why are they being generated?

Laura

Hall of Fame Super Gold

Re: WLC containing one of its own AP's as a rogue?

I've seen this bogus "honeypot" in 4.X and 5.X, but I would've thought the issue was fixed. Has anyone tried using 7.X?

Re: WLC containing one of its own AP's as a rogue?

I'm on the same code and have the same issue. Don't feel bad ..

I'm upgrading here in the next week. I will let you know what I see...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member

Re: WLC containing one of its own AP's as a rogue?

There are several versions of Apple code on iPhones and iBooks (and other iProducts) that will cause this error. Turning off "Remember any network this computer has joined" will usually get rid of it.

New Member

Re: WLC containing one of its own AP's as a rogue?

Thanks everyone for your suggestions, Rob is this a setting (Turning off "Remember any network this computer has joined") that needs to be changed on the "i"device?

Tony

New Member

Re: WLC containing one of its own AP's as a rogue?

The "remember all wireless networks" is a setting on the "i" devices.  One thing we have found useful is to look for devices with Apple prefixes near the affected AP.  If manually disabling them on the controller or WCS stops the containment messages, there is a good chance you have found the cause.

Re: WLC containing one of its own AP's as a rogue?

I'm slow this morning ... Coffee hasn't kicked in ...

So why would the controller flag this as a rogue containment?

Can you explain?

New Member

Re: WLC containing one of its own AP's as a rogue?

I can only explain the effects. The "AP being contained as a rogue" message doesn't actually mean that the WLC is containing its own AP, only that it sees its AP contained. We found the Apple software issue more or less by trial and error - by disabling clients in proximity to the affected AP. Once we saw the containment message drop we got our hands on the affecting device and looked at its settings (It turns out that disabling access will often get a machine brought to the help desk by its owner!). Hope this helps.

Re: WLC containing one of its own AP's as a rogue?

I would have loved to have seen a packet capture ... Because the Cisco Wireless would only flag this if a device was spoofing the AP. That's my guess ...

New Member

Re: WLC containing one of its own AP's as a rogue?

I'm running 7.0.98 and see the same issues. I treat it as a false positive as I get the contain and no longer being contained messages back to back. My environment has many, many iPads, iPhones, MacBooks, iMacs, etc. Running around and trying to turn off the "remember networks" setting isn't an option, but the issue happens frequently enough that I will try to grab a capture and share it with you guys.

Thanks,

Bill

New Member

WLC containing one of its own AP's as a rogue?

I am seeing this on our campus as well.  It is not realistic (with the volume of devices we have) to change settings on every iDevice that is causing this problem.  Is there any way to find and mark these devices as "safe" or some other solution to make these alerts go away?  I probably see 10-20 of these alerts every day....

WLC containing one of its own AP's as a rogue?

Hello Tony,

Please mark the Question as Answered, if the provided information is correct and it helped. By doing that others can take benefit as well.

Thanks,

Vinay Sharma

Community Manager – Wireless

Thanks & Regards
New Member

WLC containing one of its own AP's as a rogue?

Has there been a reasonable solution found for this issue? Telling people with Apple devices to adjust their settings is not an acceptable answer.

New Member

WLC containing one of its own AP's as a rogue?

Apple's iOS code updates seem to have reduced the problem a lot.  Upgrade controller code to 7.2 series or later and it should disappear altogether.
