10-22-2025 02:53 AM
We have a Cisco 9800-40 running 17.12.5.
We want to enable containment of rogue Access Points (not registered with the WLC or WLCs within the mobility group) broadcasting managed SSIDs or part of the SSID. We enabled rogue detection in the AP Join Profile but at the moment Access Points detected each other (registered to the same WLC) as "Malicious" Access Points.
Why is that?
If we enable containment will the Access Points contain each other?
How can I set a rule to automatically classify all registered APs as "Friendly" to avoid containment.
Will monitor mode start containing APs automatically or can I force containment by rule only.
10-22-2025 04:31 AM
- Why is that:
In a single controller environment this should never happen; if, however, APs also connect to an N+1 high availability controller, or another controller in a mobility group, then it can happen.
- If we enable containment will the Access Points contain each other?
So that depends on the definition of 'each other'. For the case outlined above, they will.
For APs connected to the same controller they won't.
- How can I set a rule to automatically classify all registered APs as "Friendly" to avoid containment.
You can't for the APs connected to another controller. That would then have to be done manually.
- Will monitor mode start containing APs automatically or can I force containment by rule only.
Monitor mode only will not start containing APs.
M.
-
10-22-2025 05:00 AM
Thanks for the response. The Access Points are all registered to the same controller and 21 of the registered APs are classified as "Malicious" rogues. I have attached the list of APs registered with the WLC, the "Malicious" Rogue List, and the details for the actual rogue AP.
10-22-2025 05:26 AM
- @Toy Thompson Here are a number of related bugs:
https://bst.cloudapps.cisco.com/bugsearch?pf=prdNm&kw=AP%20detects%20its%20own%20BSSID%20as%20Rogue&bt=custV&sb=anfr
But at first glance your current controller version should be good enough, or they are no longer applicable for 17.12.5.
Validate your controller configuration with the CLI command:
show tech wireless and feed the output from that into Wireless Config Analyzer
(use the full command as outlined in green; it does not work with show tech-support!)
You could have a try with 17.15.3, which is also an advisory release, although I don't have a direct motivation for that.
N.