Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

MFP Anomaly Detected - WLC-4402-25-K9 - 5.0.148.0

From time to time I see messages like the one below in the Trap logs of a WLC-4402-25-K9 running 5.0.148.0:

MFP Anomaly Detected - 1 Invalid MIC event(s) found as violated by the radio <offending-MAC> and detected by the dot11 interface at slot 0 of AP <reporting-MAC> in 300 seconds when observing Deauthentication frames. Client's last source mac <client-MAC>

Is my WLC misconfigured or is this a (known) bug in 5.0.148.0?

Trond.

2 REPLIES
Silver

Re: MFP Anomaly Detected - WLC-4402-25-K9 - 5.0.148.0

This message might occur when the access joins another contoller because initially joined controller goes out of service. This is documented in the Bug id: CSCse80121 . As a wordaround disable MFP and reboot the controller.

Community Member

Re: MFP Anomaly Detected - WLC-4402-25-K9 - 5.0.148.0

There are some known issues in this area (mainly cosmetic) but it might also be an indication of an attack. You'd have to track this down with a packet capture to see if this is a false positive or not. From the MIB, the description of the event that triggers this message is:

"bcastDeauthenticationFrameRcvd - The Access Point detected a broadcast deauthentication frame. Broadcast

deauthentication frames are rejected by CCXv5 compliant

devices."

More info in: CISCO-LWAPP-TC-MIB.my

257
Views
0
Helpful
2
Replies
CreatePlease to create content