We have several WLCs in school sites all connected back to a central WCS (ver6) which is working fine, so I am just trying to clear up a few small issues.
At a couple of sites I am getting alarms on WCS as per example below which has me at a loss.
WCS has detected one or more alarms of category AP and severity Critical in Virtual Domain root
for the following items:
AP 'grafs-S03' is being contained. This is due to rogue device spoofing AP 'grafs-S03' BSSID or targetting AP 'grafs-S03' BSSID. - Controller Name: grafs-wlc-01
E-mail will be suppressed up to 30 minutes for these alarms.
Then a minute later I get the following to say it's no longer being contained.
WCS has detected a change in one or more alarms of category AP and severity Critical in Virtual Domain root.
The new severity of the following items is Clear:
AP 'grafs-S03' with protocol '802.11b/g' on Controller '10.96.192.5' is no longer being contained. Service is restored. - Controller Name: grafs-wlc-01
E-mail will be suppressed up to 30 minutes for these changes.
Any suggestions on this error would be appreciated.
If there is a device spoofing one of your APs, you'll really need to get a wireless sniffer capture while the event is occurring to determine the source. You would review the capture and identify the packets causing the event; typically these would be deauth frames. Look at the sequence number in the dot11 header, then trace back through the capture to determine who the actual sender of the packet was. The sequence number will increment by one for every packet a radio sends.
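The sequence-number trace described in the reply above, as an added example that is not part of the original thread. The addresses, frame records and the `max_gap` tolerance are constructed assumptions, and the code assumes one sequence counter per radio, as the reply states.

```python
SEQ_MOD = 4096  # the 802.11 sequence number is 12 bits and wraps at 4096

AP = "00:11:22:33:44:55"      # constructed address standing in for the AP's BSSID
STA = "aa:bb:cc:00:00:01"     # constructed address of a nearby station

# Constructed capture: (time_s, transmitter address, frame subtype, sequence number)
CAPTURE = [
    (0.000, AP, "beacon", 100),
    (0.050, STA, "data", 4094),
    (0.102, AP, "beacon", 101),
    (0.150, STA, "data", 4095),
    (0.160, AP, "deauth", 0),    # claims the AP's address, continues STA's counter
    (0.204, AP, "beacon", 102),
    (0.210, STA, "data", 1),
    (0.300, AP, "deauth", 103),  # continues the AP's own counter
]


def continues(prev, cur, max_gap):
    """True if cur follows prev within max_gap steps, allowing for wrap-around."""
    return 1 <= (cur - prev) % SEQ_MOD <= max_gap


def find_spoofed(capture, victim, max_gap=3):
    """Return (time, subtype, seq, likely_senders) for frames that carry the
    victim's address but do not continue the victim's sequence counter."""
    last_seq = {}   # last sequence number attributed to each radio
    findings = []
    for t, addr, subtype, seq in capture:
        if addr == victim and victim in last_seq \
                and not continues(last_seq[victim], seq, max_gap):
            # Trace back: which other radio's counter does this frame continue?
            senders = [a for a, s in last_seq.items()
                       if a != victim and continues(s, seq, max_gap)]
            for a in senders:
                last_seq[a] = seq   # the frame used up that radio's number
            findings.append((t, subtype, seq, senders))
            continue
        last_seq[addr] = seq
    return findings


if __name__ == "__main__":
    for t, subtype, seq, senders in find_spoofed(CAPTURE, AP):
        print(f"{t:.3f}s {subtype} seq={seq} likely sent by {senders or 'unknown'}")
```

Retransmitted frames repeat their sequence number, so filter out frames with the retry bit set before running a real capture through a check like this.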
Thanks for that,
This site is a school in a rural area so I would doubt there is actually an AP spoofing. I feel it is a false positive as I have been onsite when this occurs and it happens for less than a minute, maybe 30 seconds, and there are no rogue APs detected at all within range.
I am running the same versions and am getting the same errors. I also think they are bogus, but why are they being generated?
I've seen in the 4.X and 5.X of this bogus "honeypots" but I would've thought the issue was fixed. Has anyone tried using 7.X?
I'm on the same code and have the same issue. Don't feel bad.
I'm upgrading here in the next week. I will let you know what I see...
There are several versions of Apple code on iPhones and iBooks (and other iProducts) that will cause this error. Turning off "Remember any network this computer has joined" will usually get rid of it.
Thanks everyone for your suggestions. Rob, is this a setting (Turning off "Remember any network this computer has joined") that needs to be changed on the "i" device?
The "remember all wireless networks" is a setting on the "i" devices. One thing we have found useful is to look for devices with Apple prefixes near the affected AP. If manually disabling them on the controller or WCS stops the containment messages, there is a good chance you have found the cause.
I'm slow this morning... Coffee hasn't kicked in...
So why would the controller flag this as a rogue containment?
Can you explain?
I can only explain the effects. The "AP being contained as a rogue" message doesn't actually mean that the WLC is containing its own AP, only that it sees its AP contained. We found the Apple software issue more or less by trial and error - by disabling clients in proximity to the affected AP. Once we saw the containment message drop we got our hands on the affecting device and looked at its settings (It turns out that disabling access will often get a machine brought to the help desk by its owner!). Hope this helps.
I would have loved to have seen a packet capture... Because the Cisco Wireless would only flag this if a device was spoofing the AP. That's my guess...
I'm running 7.0.98 and see the same issues. I treat it as a false positive as I get the contain and no longer being contained messages back to back. My environment has many many iPads, iPhones, MacBooks, iMacs, etc. Running around and trying to turn off the "remember networks" setting isn't an option, but the issue happens frequently enough that I will try to grab a capture and share it with you guys.
I am seeing this on our campus as well. It is not realistic (with the volume of devices we have) to change settings on every iDevice that is causing this problem. Is there any way to find and mark these devices as "safe" or some other solution to make these alerts go away? I probably see 10-20 of these alerts every day....
Has there been a reasonable solution found for this issue? Telling people with Apple devices to adjust their settings is not an acceptable answer.
Apple's iOS code updates seem to have reduced the problem a lot. Upgrade controller code to 7.2 series or later and it should disappear altogether.