Unable to Contain Wireless Rogue APs and Clients

Issue: Rogue containment is not working even though broadcast and unicast deauths are enabled and are being sent to the rogue devices, and those devices are within range of the detecting APs that are trying to contain them.

Generally, rogue containment should be avoided because:
"Automatic and indiscriminate rogue AP containment can cause outages for legitimate neighbor Wi-Fi networks which, if implemented willfully, constitutes an FCC offense."

How to verify whether rogue containment is working
On the AP, run the command below and verify that deauths are being sent, or take a wireless packet capture and look for the deauth frames.

Effect of containment (AP debug showing the AP sending broadcast deauth packets):
The containment packets sent by the AP are visible in the debug output.
DOC-HQ-AP18.1#sh deb
CAPWAP:
CAPWAP IDS Rogue Containment debugging is on
CAPWAP IDS Active Rogue Containment debugging is on
CAPWAP console CLI allow/disallow debugging is on

 

*May 1 22:07:08.651: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON

*May 1 22:07:09.135: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON

But even after we have contained the AP manually, wireless clients are still able to connect to it and obtain an IP address.

Rogue containment can send unicast deauths (spoofing the MAC of the client that is trying to connect to the rogue AP), broadcast deauths to the rogue AP, or both. Check which is actually happening. Some clients do not honour broadcast deauths and can only be contained with unicast deauths; however, if client MFP is enabled (and honoured between the rogue AP and the rogue client), containment does not work. So when the rogue AP itself uses MFP to protect its management frames, it cannot be contained. The same is true for 802.11w.

When does the AP send broadcast deauths, unicast deauths, or both? When only a rogue AP is detected, only broadcast deauth frames are seen. A client trying to connect to the rogue AP is considered a rogue client, and if that client is detected by a detecting AP, both broadcast and unicast deauth frames are sent.
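As an added example (not part of the original post and not Cisco tooling), the Python below performs the capture-based check described above: it classifies 802.11 deauthentication frames by rogue BSSID into broadcast and unicast and reports whether only the rogue AP or also a rogue client is being targeted. The frame builder, the client MAC 00:11:22:33:44:55 and the second BSSID 00:11:22:33:44:aa are constructed sample data; the protected frame illustrates what a genuine MFP/802.11w deauth looks like, which a containing AP cannot produce.

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
FC_DEAUTH = 0x00C0      # frame control: type 0 (management), subtype 12 (deauth), no flags
FC_PROTECTED = 0x4000   # "Protected Frame" flag, set on MFP / 802.11w protected frames

def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def build_deauth(dst, src, bssid, reason=7, protected=False):
    """Constructed sample frame: minimal 802.11 deauthentication (no FCS)."""
    fc = FC_DEAUTH | (FC_PROTECTED if protected else 0)
    hdr = struct.pack("<HH6s6s6sH", fc, 0, mac_bytes(dst), mac_bytes(src), mac_bytes(bssid), 0)
    return hdr + struct.pack("<H", reason)

def count_deauths(frames):
    """Per BSSID (addr3): how many deauths were broadcast, unicast, and protected."""
    counts = defaultdict(lambda: {"bcast": 0, "unicast": 0, "protected": 0})
    for f in frames:
        if len(f) < 24:
            continue
        fc, _, a1, _, a3, _ = struct.unpack_from("<HH6s6s6sH", f, 0)
        if (fc & 0x00FC) != FC_DEAUTH:   # type/subtype bits live in the low byte
            continue
        c = counts[mac_str(a3)]
        c["bcast" if mac_str(a1) == BROADCAST else "unicast"] += 1
        if fc & FC_PROTECTED:            # spoofed containment frames are never protected
            c["protected"] += 1
    return dict(counts)

def containment_verdict(c):
    # Map the counts for one rogue BSSID onto the behaviour described above.
    if c["bcast"] == 0 and c["unicast"] == 0:
        return "no containment frames seen"
    if c["unicast"] == 0:
        return "broadcast only: rogue AP detected, no rogue client detected"
    return "broadcast and unicast: rogue client detected and targeted"

ROGUE_BSSID = "00:1c:10:aa:15:4e"   # rogue AP MAC from the debug output above
CLIENT = "00:11:22:33:44:55"        # constructed rogue client MAC
SAMPLE = [                          # constructed capture, not a real trace
    build_deauth(BROADCAST, ROGUE_BSSID, ROGUE_BSSID),   # broadcast deauth from rogue BSSID
    build_deauth(BROADCAST, ROGUE_BSSID, ROGUE_BSSID),
    build_deauth(ROGUE_BSSID, CLIENT, ROGUE_BSSID),      # unicast, spoofing the client
    build_deauth(CLIENT, "00:11:22:33:44:aa", "00:11:22:33:44:aa", protected=True),  # genuine PMF deauth
]
```

Feed count_deauths() the raw 802.11 frames from a monitor-mode capture and pass each BSSID's counts to containment_verdict(); a BSSID whose deauths are all protected is using MFP/802.11w and cannot be contained.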

 

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml...


Client MFP Functionality

Protection of Management Frames

Unicast class 3 management frames are protected with the application of either AES-CCMP or TKIP in a similar manner to that already used for data frames.
These frame types are protected:

Disassociation

Deauthentication

QoS (WMM) action frames

Version history
Revision #: 1 of 1
Last update: 03-08-2014 01:47 PM