Of course, it is technologically possible for the WLCs / RF Group of WLCs to keep a table of all the MAC addresses that they are containing. If they detect a broadcast deauthentication (aka "Bcast deauth"), they should filter out these false positives so that you don't get flooded with these wireless IDS alarms (which are flagged as "Critical" in the system).
Apparently, the Cisco engineers point out that it is impossible to tell over the air where the attack is coming from and this is true (without MFP).
However, since I am actively launching containment against a rogue wireless device, do I really care if another hacker is helping me keep that device off the network?
Therefore, the wireless IDS system needs to be intelligent enough to filter out Bcast deauth alarms that it is creating.
Sadly, Cisco has labelled this bug as "cosmetic" at this time (4.1.171).
Re: AP Containment results in false Bcast Deauth alarms on the W
Further efforts appear to indicate that the Wireless IDS will alarm on ANY disassociation storm of traffic - whether it is intended for a trusted client or AP, or the disassociation attack is launched against external ("rogue") clients/APs that are not even attached to your own system.
We have run this issue all the way to 3-tier TAC, who gives us the response from the Wireless Business Development Unit (WNBU): "that's not a bug, it's a feature request" - which is quickly becoming the WNBU mantra when they encounter a bug they don't want to fix (we are hearing the same nonsense regarding synchronization issues between the WLC and WCS).
This has resulted in our having to make a formal request through the Cisco sales team for Cisco to add the "feature" that the wireless IDS not alarm on its own Wireless IDS containment messages.
Is anyone else experiencing these false alarms?
Why would I care if a hacker is attacking an adjacent system, or whether a system admin using an RF control system outside of my own RF system is containing a rogue AP or not?
Should the control system be expected to alarm on its own containment message by design?
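One way to model the filter the thread asks for, as an added example that is not from the posts or from Cisco: the RF group's containment table is kept beside the list of managed BSSIDs, and an incoming Bcast deauth alarm is suppressed only when its target BSSID is a rogue under active containment (the alarm line format, MAC addresses and table names are constructed for the example).

```python
import re

# Constructed sample wIDS alarm lines in a syslog-like layout (not real WLC output).
SAMPLE_ALARMS = [
    "wIDS: Bcast deauth flood detected, target BSSID 00:11:22:33:44:55, 240 frames/10s",
    "wIDS: Bcast deauth flood detected, target BSSID aa:bb:cc:dd:ee:ff, 180 frames/10s",
    "wIDS: Bcast deauth flood detected, target BSSID 00:11:22:33:44:66, 300 frames/10s",
]

# Constructed tables: rogues the RF group is actively containing, and our own managed BSSIDs.
CONTAINED_ROGUES = {"00:11:22:33:44:55"}
MANAGED_BSSIDS = {"00:11:22:33:44:66"}

ALARM_RE = re.compile(r"target BSSID ([0-9a-fA-F:]{17})")


def normalize_mac(mac):
    """Canonical lower-case form so table lookups do not miss on letter case."""
    return mac.lower()


def classify_alarm(line, contained, managed):
    """Return (bssid, verdict). 'suppress' only when the target is a rogue we are
    containing ourselves and is not one of our managed APs; otherwise 'alert'."""
    m = ALARM_RE.search(line)
    if not m:
        return None, "unparsed"
    bssid = normalize_mac(m.group(1))
    if bssid in managed:
        return bssid, "alert"        # a storm against our own AP is never suppressed
    if bssid in contained:
        return bssid, "suppress"     # our own containment traffic, not an external attack
    return bssid, "alert"            # unknown target: may be an attack on a neighbour


def triage(lines, contained=CONTAINED_ROGUES, managed=MANAGED_BSSIDS):
    """Run every alarm line through the containment-table filter."""
    contained = {normalize_mac(m) for m in contained}
    managed = {normalize_mac(m) for m in managed}
    return [classify_alarm(line, contained, managed) for line in lines]
```

A storm whose target is not in the containment table still alerts, which keeps the point made above that the source of a deauth cannot be verified over the air without MFP.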