Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
844
Views
5
Helpful
0
Comments

Unable to Contain Wireless Rogue APs and Clients

Saravanan Lakshmanan
Cisco Employee
Cisco Employee

‎03-08-2014 01:50 PM - edited ‎11-18-2020 03:06 AM

     

     

    Introduction

    Rogue Containment not working though Broadcast and Unicast deauths are enabled, sent to the Rogue devices, and those devices are on the vicinity of the detecting/ trying to contain APs.

    Rogue containment should be avoided

     

    "Automatic and indiscriminate rogue AP containment can cause outages for legitimate neighbor Wi-Fi networks which, if implemented willfully, constitutes an FCC offense."

    How to verify Rogue containment working or not?
    On AP run the below command and verify, if deauths are sent Or take wireless packet capture showing deauths.

    Effect of containment (AP debug showing AP sending bcast deauth packets)

    we can see the containment packets sent by AP.
DOC-HQ-AP18.1#sh deb
CAPWAP:
CAPWAP IDS Rogue Containment debugging is on
CAPWAP IDS Active Rogue Containment debugging is on
CAPWAP console CLI allow/disallow debugging is on*May 1 22:07:08.651: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON
*May 1 22:07:09.135: IDS ROGUE CONTAIN: 00:1C:10:AA:15:4E: Normal AP, Sending Deauth Bcast on channel = 6, Seq = 0, MIC ON

     

    But even if We have contained the AP manually still wireless clients are being able to connect to it and obtain IP.
    Rogue Containment can either send Unicast(spoofing client MAC that's trying to connect to Rogue AP) or Broadcast containment to the Rogue AP or Both. Check what is happening. Some clients doesn't honour Broadcast deauth and can be contained only using Unicast deauths, however if client MFP is enabled(and honoured between Rogue AP and Rogue client) then containment doesn't work. So, when the Rogue AP itself uses an MFP to protect their management frames then it can't be contained. Same is true for 802.11w.
     
    When does AP sends Broadcast deauth or Unicast deauth or both. When only Rogue AP is detected then only broadcast deauth frames are seen, client trying to connect to the Rogue AP is considered as Rogue client and if that client is detected by an detecting AP then both broadcast and unicast deauth frames are sent.

    Infrastructure Management Frame Protection (MFP) with WLC and LAP Configuration Example

     

    • Client MFP Functionality
    • Protection of Management Frames
    • Unicast class 3 management frames are protected with the application of either AES-CCMP or TKIP in a similar manner to that already used for data frames.

    These frame types are protected:

    • Disassociation
    • Deauthentication
    • QoS (WMM) action frames
    Getting Started

    Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

    Customers Also Viewed These Support Documents