We've previously had problems with AP impersonation alarms, but they seem to have stopped a couple of months ago. However, yesterday it started up again on another AP. This one is in our building instead of 30 min away by car, so this time it's easier to experiment.
The message is as follows:
AP Impersonation of MAC '64:d8:14:37:ed:b1' using source MAC '00:23:6c:75:8f:e7' is detected by authenticated AP 'Ekonomi_4' on '802.11b/g' radio and Slot ID '0'.
How do I find out who/what is the source of the impersonation?
The people seated in the same area as the AP are working with salaries etc and the average technical knowledge is rather basic. Not the first ones I would suspect of attacking our network but they do have laptops and smartphones.
We're running 220.127.116.11 and the bugs mentioned in that document are supposed to have been fixed in 4.x. It doesn't seem likely that we're experiencing those bugs. The answer we got the last time was that the likely culprit was a laptop in the vicinity whose networking card disagreed with the AP (I'm not sure if I believe that, since we tried exchanging the original AP for a new one but the problem stayed).
If there is a real attack, how do I find out who is responsible?
You have the MAC address in the log, so you would need to try to track down that MAC address. If it's a client device acting bad, then search for that MAC on the client list and see what APs are hearing that device and then go out there and try to find it with a wireless tool. It's probably a device acting up.
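An added example, not part of the original posts and not Cisco code: Python that parses alarm lines in the format quoted in the question and groups them by source MAC, so you can see which APs report the same source before going out to look for it. Only the first sample line comes from the thread; the other two lines, the AP name 'Ekonomi_3' and the MAC '02:11:22:33:44:55' are constructed.

```python
import re
from collections import defaultdict

# Matches the alarm text quoted in the question.
ALARM_RE = re.compile(
    r"AP Impersonation of MAC '(?P<impersonated>[0-9a-fA-F:]{17})' "
    r"using source MAC '(?P<source>[0-9a-fA-F:]{17})' "
    r"is detected by authenticated AP '(?P<ap>[^']+)' "
    r"on '(?P<radio>[^']+)' radio and Slot ID '(?P<slot>\d+)'")

# First line is from the thread; the other two are constructed for illustration.
SAMPLE = [
    "AP Impersonation of MAC '64:d8:14:37:ed:b1' using source MAC '00:23:6c:75:8f:e7' "
    "is detected by authenticated AP 'Ekonomi_4' on '802.11b/g' radio and Slot ID '0'.",
    "AP Impersonation of MAC '64:d8:14:37:ed:b1' using source MAC '00:23:6c:75:8f:e7' "
    "is detected by authenticated AP 'Ekonomi_3' on '802.11b/g' radio and Slot ID '0'.",
    "AP Impersonation of MAC '64:d8:14:37:ed:b1' using source MAC '02:11:22:33:44:55' "
    "is detected by authenticated AP 'Ekonomi_4' on '802.11b/g' radio and Slot ID '0'.",
]

def parse_alarm(line):
    """Return the alarm fields as a dict, or None if the line is not this alarm."""
    m = ALARM_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["impersonated"] = fields["impersonated"].lower()
    fields["source"] = fields["source"].lower()
    fields["slot"] = int(fields["slot"])
    return fields

def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set (randomized or software-set MAC)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def summarize(lines):
    """Group alarms by source MAC: alarm count, reporting APs, impersonated MACs."""
    out = defaultdict(lambda: {"count": 0, "aps": set(), "impersonated": set()})
    for alarm in filter(None, map(parse_alarm, lines)):
        entry = out[alarm["source"]]
        entry["count"] += 1
        entry["aps"].add(alarm["ap"])
        entry["impersonated"].add(alarm["impersonated"])
        entry["oui"] = alarm["source"][:8]  # vendor prefix to look up by hand
        entry["locally_administered"] = is_locally_administered(alarm["source"])
    return dict(out)

if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        print(mac, info)
```

A source MAC reported by several neighbouring APs with a globally administered OUI points to a physical device you can look up by vendor and then search for in the client list, as the answer suggests.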