Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Rogue Access Point Location and Containment




    Rogue Access Point Location and Containment

    Core Issue

    User has a WLAN Controller (2504) and it sees rogue access points. How to check if no one is on that access point that can join our network. What will happen if we tell the controller that it's malicious and then contain? When tried to select the option got a warning message from the controller about some legal things.


    Containment option does a denial of service attack. As long as the rogue access point isn't in your building, no issues. If there is an access point that is using your SSID, then go for it and contain the AP.


    So if someone contained my AP, AP will show the below mentioned logs that it has been contained.


    Thu Feb 21 18:49:05 2013

    Warning: Our AP with Base Radio MAC f4:ea:67:0e:6f:80 is under attack

    (contained) by another AP on radio type 802.11b/g

    Syslog Message

    *spamApTask1: Feb 21 18:49:05.141: #LWAPP-1-AP_CONTAINED: spam_lrad.c:33698 AP AIR-CAP3602E-A-K9-MAP

    is being contained on slot 0

    Rogue Access Point Challenges

    Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using plain text or other denial-of-service or man-in-the-middle attacks. That is, a hacker can use a rogue access point to capture sensitive information, such as passwords and usernames. The hacker can then transmit a series of clear-to-send (CTS) frames, which mimics an access point informing a particular wireless LAN client adapter to transmit and instructing all others to wait. This scenario results in legitimate clients being unable to access the wireless LAN resources. Thus, wireless LAN service providers have a strong interest in banning rogue access points from the air space.

    The operating system security solution uses the radio resource management (RRM) function to continuously monitor all nearby access points, automatically discover rogue access points, and locate them

    Rogue Access Point Location, Tagging, and Containment

    When the Cisco Unified Wireless Network Solution is monitored using WCS, WCS generates the flags as rogue access point traps and displays the known rogue access points by MAC address. The operator can then display a map showing the location of the access points closest to each rogue access point. The next step is to mark them as Known or Acknowledged rogue access points (no further action), Alert rogue access points (watch for and notify when active), or Contained rogue access points (have between one and four access points discourage rogue access point clients by sending the clients deauthenticate and disassociate messages whenever they associate with the rogue access point).

    This built-in detection, tagging, monitoring, and containment capability enables system administrators to take appropriate action:

    • Find rogue access points.
    • Receive new rogue access point notification, eliminating hallway scans.
    • Monitor unknown rogue access points until they are eliminated or acknowledged.
    • Find the closest authorized access point, making directed scans faster and more effective.
    • Contain rogue access points by sending their clients deauthenticate and disassociate messages from one to four access points. This containment is done for individual rogue access points by MAC address or is mandated for all rogue access points connected to the enterprise subnet.

    Tag rogue access points:

    1. Acknowledge rogue access points when they are outside of the LAN and do not compromise the LAN or wireless LAN security.
    2. Accept rogue access points when they do not compromise the LAN or wireless LAN security.
    3. Tag rogue access points as unknown until they are eliminated or acknowledged.
    4. Tag rogue access points as contained and discourage clients from disassociating with the rogue access points by having between one and four access points transmit deauthenticate and disassociate messages to all rogue access point clients. This function applies to all active channels on the same rogue access point.

    Rogue AP Containment

    Rogue AP-connected clients, or rogue ad hoc connected clients, may be contained by sending 802.11 de-authentication packets from local APs. This should be done only after steps have been taken to ensure that the AP is truly a rogue AP, because it is illegal to do this to a legitimate AP in a neighboring WLAN. This is the reason why Cisco removed the automatic rogue AP containment feature from this solution.

    To determine whether rogue AP clients are also clients on the enterprise WLAN, the client MAC address can be compared with MAC addresses collected by the AAA during 802.1X authentication. This allows the identification of possible WLAN clients that may have been compromised or users that are not following security policies.



    This document was generated from the following discussion: Rogue Access Points

    Version history
    Revision #:
    2 of 2
    Last update:
    ‎08-29-2017 06:38 AM
    Updated by: