03-17-2008 07:34 AM - edited 07-03-2021 03:33 PM
From time to time I see messages like the one below in the Trap logs of a WLC-4402-25-K9 running 5.0.148.0:
MFP Anomaly Detected - 1 Invalid MIC event(s) found as violated by the radio <offending-MAC> and detected by the dot11 interface at slot 0 of AP <reporting-MAC> in 300 seconds when observing Deauthentication frames. Client's last source mac <client-MAC>
Is my WLC misconfigured or is this a (known) bug in 5.0.148.0?
Trond.
03-21-2008 11:34 AM
This message might occur when the access joins another contoller because initially joined controller goes out of service. This is documented in the Bug id: CSCse80121 . As a wordaround disable MFP and reboot the controller.
03-21-2008 11:39 AM
There are some known issues in this area (mainly cosmetic) but it might also be an indication of an attack. You'd have to track this down with a packet capture to see if this is a false positive or not. From the MIB, the description of the event that triggers this message is:
"bcastDeauthenticationFrameRcvd - The Access Point detected a broadcast deauthentication frame. Broadcast
deauthentication frames are rejected by CCXv5 compliant
devices."
More info in: CISCO-LWAPP-TC-MIB.my
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: