Unable to Contain Wireless Rogue APs and Clients
Issue: Rogue containment is not working even though broadcast and unicast deauths are enabled and sent to the rogue devices, and those devices are in the vicinity of the APs detecting and trying to contain them.
Generally, Rogue containment should be avoided due to: "Automatic and indiscriminant rogue AP containment can cause outages for legitimate neighbor Wi-Fi networks which, if implemented willfully, constitutes an FCC offense."
How to verify whether rogue containment is working: on the AP, run the command below and check whether deauths are being sent, or take a wireless packet capture showing the deauths.
Effect of containment (AP debug showing the AP sending broadcast deauth packets): we can see the containment packets sent by the AP.
DOC-HQ-AP18.1#sh deb
CAPWAP:
  CAPWAP IDS Rogue Containment debugging is on
  CAPWAP IDS Active Rogue Containment debugging is on
  CAPWAP console CLI allow/disallow debugging is on
*May 1 22:07:08.651: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:09.135: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
But even after we have contained the AP manually, wireless clients are still able to connect to it and obtain an IP address.
Rogue containment can send unicast deauths (spoofing the MAC of the client that is trying to connect to the rogue AP), broadcast deauths to the rogue AP, or both. Check which is happening. Some clients don't honour broadcast deauths and can be contained only with unicast deauths; however, if client MFP is enabled (and honoured between the rogue AP and the rogue client), containment doesn't work. So when the rogue AP itself uses MFP to protect its management frames, it can't be contained. The same is true for 802.11w.
When does the AP send broadcast deauths, unicast deauths, or both? When only a rogue AP is detected, only broadcast deauth frames are seen. A client trying to connect to the rogue AP is considered a rogue client, and if that client is detected by a detecting AP, both broadcast and unicast deauth frames are sent.
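For the packet-capture check, the Python sketch below (an added example, not part of the original article or any Cisco tooling) counts broadcast and unicast deauth frames per BSSID and reads the 802.11w bits (MFPC/MFPR) from the RSN element of the rogue AP's beacon, which shows whether containment can be expected to work at all. It assumes raw 802.11 frames with the radiotap header and FCS already removed; the function names, the client MAC and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

BCAST = b"\xff" * 6

def rsn_mfp(ies):
    """Return (MFPC, MFPR) from the RSN element (ID 48), or None if there is no RSN element."""
    i = 0
    while i + 2 <= len(ies):
        eid, body = ies[i], ies[i + 2:i + 2 + ies[i + 1]]
        i += 2 + ies[i + 1]
        if eid != 48:
            continue
        off = 6                       # skip version (2) + group cipher suite (4)
        for _ in range(2):            # pairwise suite list, then AKM suite list
            if off + 2 > len(body):
                return (False, False)
            off += 2 + 4 * struct.unpack_from("<H", body, off)[0]
        if off + 2 > len(body):
            return (False, False)     # capabilities field omitted: no MFP advertised
        caps = struct.unpack_from("<H", body, off)[0]
        return (bool(caps & 0x80), bool(caps & 0x40))   # bit 7 = MFPC, bit 6 = MFPR
    return None

def summarize(frames):
    """Per BSSID: broadcast/unicast deauth counts and the advertised 802.11w bits."""
    out = defaultdict(lambda: {"bcast": 0, "ucast": 0, "mfp": None})
    for f in frames:
        if len(f) < 24 or (f[0] >> 2) & 3 != 0:    # keep management frames only
            continue
        entry, subtype = out[f[16:22].hex(":")], f[0] >> 4   # addr3 = BSSID
        if subtype == 12:                           # deauthentication
            entry["bcast" if f[4:10] == BCAST else "ucast"] += 1
        elif subtype == 8:                          # beacon: 12 fixed bytes, then IEs
            entry["mfp"] = rsn_mfp(f[36:])
    return dict(out)

# Constructed sample frames; the BSSID is the rogue AP from the debug output above.
ROGUE = bytes.fromhex("001C10AA154E")
CLIENT = bytes.fromhex("020000000001")              # made-up client MAC
def mgmt(subtype, da, sa, body):
    return bytes([subtype << 4, 0]) + b"\0\0" + da + sa + ROGUE + b"\0\0" + body
RSN = bytes.fromhex("0100000fac040100000fac040100000fac02c000")  # caps 0x00C0: MFPC+MFPR
SAMPLE = [
    mgmt(8, BCAST, ROGUE, b"\0" * 12 + b"\x00\x03lab" + bytes([48, len(RSN)]) + RSN),
    mgmt(12, BCAST, ROGUE, b"\x01\x00"), mgmt(12, BCAST, ROGUE, b"\x01\x00"),
    mgmt(12, ROGUE, CLIENT, b"\x01\x00"),           # unicast deauth, client MAC as source
]
print(summarize(SAMPLE))
```

A BSSID that shows deauths being sent while its beacon advertises MFPR (or MFPC with clients that negotiate it) matches the case described above where containment frames are transmitted but clients stay connected.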