MFP Anomaly Detected - WLC-4402-25-K9 - 5.0.148.0

trond1endr
Level 1

From time to time I see messages like the one below in the Trap logs of a WLC-4402-25-K9 running 5.0.148.0:

MFP Anomaly Detected - 1 Invalid MIC event(s) found as violated by the radio <offending-MAC> and detected by the dot11 interface at slot 0 of AP <reporting-MAC> in 300 seconds when observing Deauthentication frames. Client's last source mac <client-MAC>

Is my WLC misconfigured or is this a (known) bug in 5.0.148.0?

Trond.

2 Replies

ivillegas
Level 6

This message might occur when the access point joins another controller because the initially joined controller goes out of service. This is documented in Bug ID CSCse80121. As a workaround, disable MFP and reboot the controller.

There are some known issues in this area (mainly cosmetic) but it might also be an indication of an attack. You'd have to track this down with a packet capture to see if this is a false positive or not. From the MIB, the description of the event that triggers this message is:

"bcastDeauthenticationFrameRcvd - The Access Point detected a broadcast deauthentication frame. Broadcast deauthentication frames are rejected by CCXv5 compliant devices."

More info in: CISCO-LWAPP-TC-MIB.my
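
Before setting up the packet capture suggested above, it helps to know which radio and which reporting AP the traps point at. The following is an added example, not part of the original thread and not Cisco code: a Python sketch that parses trap lines in the format quoted in the question and groups them by violating radio. The sample lines and all MAC addresses are constructed.

```python
import re
from collections import defaultdict

# Pattern follows the trap text quoted in this thread; other releases may word it differently.
TRAP_RE = re.compile(
    r"MFP Anomaly Detected - (?P<count>\d+) (?P<anomaly>.+?) event\(s\) found as "
    r"violated by the radio (?P<radio>\S+) and detected by the dot11 interface at "
    r"slot (?P<slot>\d+) of AP (?P<ap>\S+) in (?P<window>\d+) seconds when observing "
    r"(?P<frames>.+?) frames\.(?: Client's last source mac (?P<client>\S+))?"
)

def parse_trap(line):
    """Return the fields of one MFP anomaly trap line, or None for any other line."""
    m = TRAP_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("count", "slot", "window"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Group traps by (violating radio, frame type) to show where to aim a capture."""
    groups = defaultdict(lambda: {"events": 0, "traps": 0, "aps": set(), "clients": set()})
    for line in lines:
        rec = parse_trap(line)
        if rec is None:
            continue
        g = groups[(rec["radio"].lower(), rec["frames"])]
        g["events"] += rec["count"]
        g["traps"] += 1
        g["aps"].add((rec["ap"].lower(), rec["slot"]))  # reporting AP and radio slot
        if rec["client"]:
            g["clients"].add(rec["client"].lower())
    return dict(groups)

# Constructed sample input: MAC addresses are made up (locally administered range).
_T = ("MFP Anomaly Detected - {n} Invalid MIC event(s) found as violated by the radio "
      "02:00:00:AA:00:01 and detected by the dot11 interface at slot 0 of AP {ap} in 300 "
      "seconds when observing Deauthentication frames. Client's last source mac {cl}")
SAMPLE = [
    _T.format(n=1, ap="02:00:00:bb:00:10", cl="02:00:00:cc:00:05"),
    "AP 02:00:00:bb:00:10 associated to controller",  # unrelated line, ignored
    _T.format(n=3, ap="02:00:00:bb:00:20", cl="02:00:00:cc:00:06"),
]

if __name__ == "__main__":
    for (radio, frames), g in summarize(SAMPLE).items():
        print(f"{radio} {frames}: {g['events']} events in {g['traps']} traps, "
              f"seen by {sorted(g['aps'])}, clients {sorted(g['clients'])}")
```

The reporting APs and slots in the summary indicate where a capture would need to listen to see the frames that triggered the traps.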
