Access point (AP) impersonation alarms are seen on the Wireless Control System (WCS) with output similar to this example:
Thu Jun 2 13:21:48 2005--Impersonation of AP MAC Address 00:0b:85:06:28:ef has been detected by the AP with MAC Address: 00:0b:85:06:28:e0 on its 802.11a radio whose slot ID is 0
This means that an unknown 802.11 entity appears to be sending 802.11 frames that are normally expected from one of the controller's APs.
AP impersonation is reported by the Intrusion Detection System (IDS) when it notices an AP advertising a Cisco MAC address that is not communicating properly through either the Lightweight AP Protocol (LWAPP) or WLC Configuration Protocol (WLCCP). In the LWAPP model, the WCS can map an approximate location of a rogue AP from the controller's interpretation of all AP readings. In Cisco IOS, you must determine which AP has the highest Signal-to-Noise Ratio (SNR) for this MAC, which indicates that it is nearest the offender.
The AP Impersonation feature improves the detection of rogue APs that attempt to impersonate valid Cisco 1000 Series Lightweight APs (LAPs). This feature creates an RF Network Group, and the Cisco 1000 Series LAPs in the same group distribute radio resource management (RRM) neighbor packets to each other. If a Cisco 1000 Series LAP hears packets from another Cisco 1000 Series LAP from which it has not received any RRM neighbor packets, then the Cisco 1000 Series LAP can assume that the new AP is impersonating a Cisco 1000 Series LAP and therefore report it as a rogue AP.
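When several APs raise this alarm, grouping the alarm lines by impersonated MAC shows which detecting APs to compare when looking for the one nearest the offender. The following Python is an added example, not Cisco code: the pattern is inferred from the single alarm line shown on this page, the function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Pattern derived from the single alarm line shown on this page (assumed stable).
ALARM_RE = re.compile(
    r"(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*--\s*"
    rf"Impersonation of AP MAC Address (?P<spoofed>{MAC}) has been detected "
    rf"by the AP with MAC Address: (?P<detector>{MAC}) on its "
    r"(?P<radio>802\.11\S+) radio whose slot ID is (?P<slot>\d+)",
    re.IGNORECASE,
)

def parse_alarm(line):
    """Return the alarm fields as a dict, or None if the line is not this alarm."""
    m = ALARM_RE.search(line)
    if m is None:
        return None
    ts = " ".join(m["ts"].split())  # collapse padding before single-digit days
    return {
        "time": datetime.strptime(ts, "%a %b %d %H:%M:%S %Y"),
        "spoofed": m["spoofed"].lower(),
        "detector": m["detector"].lower(),
        "radio": m["radio"],
        "slot": int(m["slot"]),
    }

def detectors_by_spoofed_mac(lines):
    """Map each impersonated MAC to {detecting AP: (first seen, last seen, count)}."""
    out = defaultdict(dict)
    for line in lines:
        a = parse_alarm(line)
        if a is None:
            continue  # unrelated log line
        first, last, n = out[a["spoofed"]].get(a["detector"], (a["time"], a["time"], 0))
        out[a["spoofed"]][a["detector"]] = (min(first, a["time"]), max(last, a["time"]), n + 1)
    return dict(out)

# First line is the alarm from this page; the rest are constructed samples.
SAMPLE = [
    "Thu Jun 2 13:21:48 2005--Impersonation of AP MAC Address 00:0b:85:06:28:ef has been detected by the AP with MAC Address: 00:0b:85:06:28:e0 on its 802.11a radio whose slot ID is 0",
    "Thu Jun 2 13:22:10 2005--Impersonation of AP MAC Address 00:0B:85:06:28:EF has been detected by the AP with MAC Address: 00:0b:85:00:00:10 on its 802.11a radio whose slot ID is 0",
    "Thu Jun 2 13:25:02 2005--Impersonation of AP MAC Address 00:0b:85:06:28:ef has been detected by the AP with MAC Address: 00:0b:85:06:28:e0 on its 802.11a radio whose slot ID is 0",
    "Thu Jun 2 13:26:00 2005--AP 00:0b:85:00:00:10 associated",  # constructed non-alarm line
]

if __name__ == "__main__":
    for mac, aps in detectors_by_spoofed_mac(SAMPLE).items():
        print(mac, {ap: n for ap, (_, _, n) in aps.items()})
```

The detecting APs listed for a MAC are the ones whose SNR readings for that MAC are worth comparing.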