Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Wireless LAN Controller (WLC) error message "AP Impersonation with MAC '00:00:00:00:00:00' is detected by authenticated AP '00:00:00:00:00:00' on '802.11b/g' radio and Slot ID '0'"

Core Issue

You might be hitting Cisco bug ID CSCsb90622.


Access point (AP) impersonation alarms are seen on the Wireless Control System (WCS) with output similar to this example:

Thu Jun  2 13:21:48 2005--Impersonation of AP MAC Address
00:0b:85:06:28:ef has been detected by the AP with MAC Address:
00:0b:85:06:28:e0 on its 802.11a radio whose slot ID is 0

What this means is that an unknown 802.11 entity appears to be sending 802.11 frames that are normally expected from one of the controller's APs.

Resolution

AP impersonation is reported by the Intrusion Detection System (IDS) when it notices an AP advertising a Cisco MAC address that is not communicating properly either through the Lightweight AP Protocol (LWAPP) or WLC Configuration Protocol (WLCCP). What happens is that in the LWAPP model, the WCS can map an approximate location of a rogue AP from the controller's interpretation of all AP readings. In Cisco IOS , you must determine which AP has the highest Signal-to-Noise Ratio (SNR) for this MAC, indicating it is nearest the offender.

The AP Impersonation feature improves the detection of rogue APs that attempt to impersonate valid Cisco 1000 Series Lightweight APs (LAPs). This feature creates an RF Network Group, and the Cisco 1000 Series LAPs in the same group distribute radio resource management (RRM) neighbor packets to each other. If a Cisco 1000 Series LAP hears packets from another Cisco 1000 Series LAP from which it has not received any RRM neighbor packets, then the Cisco 1000 Series LAP can assume that the new AP is impersonating a Cisco 1000 Series LAP and therefore report it as a rogue AP.

Cisco bug IDs CSCsb90622 and CSCse04554 are associated with this problem.

Cisco bug ID CSCsb90622 is only cosmetic and does not affect the network.

You can follow these workarounds:

  • On the controller CLI, issue the show advanced 802.11a monitor command.

    This is example output:

    Default 802.11a AP monitoring
      802.11a Monitor Mode........................... enable
      802.11a Monitor Channels....................... Country channels
      802.11a AP Coverage Interval................... 180 seconds
      802.11a AP Load Interval....................... 60 seconds
      802.11a AP Noise Interval...................... 180 seconds
      802.11a AP Signal Strength Interval............ 60 seconds

  • If 802.11a monitor channels is set to All Channels, then set it to Country Channels with the config advanced 802.11a monitor channel-list country command.

    You can confirm the change using the show cmd command, and then check if the AP impersonation alarms are still raised when monitoring is set to only Country Channels.

If the workaround dose not work then the following debugs should be run for the APs thats reporting the issue:

- config ap remote-debug enable
- config ap remote-debug exc-command "debug lwapp rm rogue detector"

when the logs are no longer needed:

- config ap remote-debug exc-command "no debug lwapp rm rogue detector"
- config ap remote-debug disable

Also if one have console access to any of the problem ap's then one can run :

-"debug lwapp rm rogue detector" from the command line and

-"no debug lwapp rm rogue detector" to turn it off.

This type of behaviour is covered in bug id : CSCse87315.

Problem Type

Error message

Products

Access point

Wireless LAN Controllers

Wireless Control System

Radio Type / Standards

802.11a

802.11b

Security Options

MAC address authentication (Media Access Control)

Authentication

Topology

LWAPP network

Product OS

IOS

Wireless Devices Errors, Warnings, Statistics and Log Messages

Impersonation of AP MAC Address [mac] has been detected by the AP with MAC Address: [mac] on its 802.11(a/b) radio whose slot ID is [int]

21330
Views
0
Helpful
0
Comments