Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Detecting MAC spoofing using WLSE IDS feature


We are trying to detect and control MAC address spoofing by using the IDS feature in WLSE.

WLSE user guide says following:

The WDS, however, is in a position to detect when a valid client has had its MACaddress spoofed. The WDS maintains a mapping of UserId to MAC address based

on WLCCP registrations. Whenever the WDS detects an authentication taking

place for a known MAC address, it verifies that the same UserId is being used. If the UserId does not properly match, the authentication is rejected.

We made a small test setup to verify wheather WLSE is able to detect MAC spoofing.

One of the client connects to the AP using CISCO 350 series WLAN adapter. He is able to logon to the network. In the association table of the AP it shows 350 series radio under Device type and also shows the EAP user id under the name category.

Second client, having inbuilt intel 2200BG WLAN NIC, runs a MAC address spoofing software and changes it's own MAC address to the 350 Series WLAN card.

Almost immidietly the first client looses it's connectivity and the second client is connected to the network.

AP association table now shows the details of the second client. It shows the 4800 radio under device type and AP hostname under the Name category.

Please suggest if it is possible to control this type of MAC Spoofing from WLSE??

The original set up is having 80 CISCO 1200 series APs (IOS ver 12.3(4)JA) with appx 500 WLAN clients(Various types of laptops). CISCO 1112 ACS, ver 3.3 acts as authentication server. Clients are authenticated using PEAP.

CISCO 1130 WLSE appliance ver 2.11 is for the WLAN management.

WLSE and APs are configured for radio and SNMP management. One of the AP is also configured as WDS.

Will Appreciate any help on this.


Re: Detecting MAC spoofing using WLSE IDS feature

Does the WLSE inidcate a MAC Spoofing event? I have seen these and they appear to be triggered when the MAC association occurs on another AP in the WDS and the original registration has not cleared. Don't know what the SpoofUserId is yet.

Fault Details

IP Name Family Product Type SpoofClient SpoofIndex SpoofStaMacAddress SpoofUserId mblk7s1ap1 Aironet AP 1210 MAC_spoof 21 00027846b92d 21

CreatePlease login to create content