Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Unable to Contain Wireless Rogue APs and Clients

     

     

    Introduction

    Rogue Containment not working though Broadcast and Unicast deauths are enabled, sent to the Rogue devices, and those devices are on the vicinity of the detecting/ trying to contain APs.

    Rogue containment should be avoided

     

    "Automatic and indiscriminate rogue AP containment can cause outages for legitimate neighbor Wi-Fi networks which, if implemented willfully, constitutes an FCC offense."

    How to verify Rogue containment working or not?
    On AP run the below command and verify, if deauths are sent Or take wireless packet capture showing deauths.

    Effect of containment (AP debug showing AP sending bcast deauth packets)

    we can see the containment packets sent by AP.
    DOC-HQ-AP18.1#sh deb
    CAPWAP:
    CAPWAP IDS Rogue Containment debugging is on
    CAPWAP IDS Active Rogue Containment debugging is on
    CAPWAP console CLI allow/disallow debugging is on*May 1 22:07:08.651: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
    *May 1 22:07:09.135: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON

     

    But even if We have contained the AP manually still wireless clients are being able to connect to it and obtain IP.
    Rogue Containment can either send Unicast(spoofing client MAC that's trying to connect to Rogue AP) or Broadcast containment to the Rogue AP or Both. Check what is happening. Some clients doesn't honour Broadcast deauth and can be contained only using Unicast deauths, however if client MFP is enabled(and honoured between Rogue AP and Rogue client) then containment doesn't work. So, when the Rogue AP itself uses an MFP to protect their management frames then it can't be contained. Same is true for 802.11w.
     
    When does AP sends Broadcast deauth or Unicast deauth or both. When only Rogue AP is detected then only broadcast deauth frames are seen, client trying to connect to the Rogue AP is considered as Rogue client and if that client is detected by an detecting AP then both broadcast and unicast deauth frames are sent.

    Infrastructure Management Frame Protection (MFP) with WLC and LAP Configuration Example

     

    • Client MFP Functionality
    • Protection of Management Frames
    • Unicast class 3 management frames are protected with the application of either AES-CCMP or TKIP in a similar manner to that already used for data frames.

    These frame types are protected:

    • Disassociation
    • Deauthentication
    • QoS (WMM) action frames
    Version history
    Revision #:
    2 of 2
    Last update:
    ‎08-29-2017 04:18 AM
    Updated by:
     
    Labels (1)
    Contributors