AP Impersonation setting causing APs to show up as a rogue threat l

john-w-sullivan (Level 1)

The AP Impersonation setting is causing APs to show up as a rogue threat level. Is it necessary to have it enabled on an AP? We do not use lightweight APs. If it is disabled to get rid of the rogue threat levels in DNAC, what effect will it have? I can't find enough information to make a determination.

Accepted Solution

Mark Elsen (Hall of Fame)

 

@john-w-sullivan Actually there is no other option than to disable these checks in DNAC, because if you are only using standalone access points, then DNAC has no reference about which access points are legitimate.

M.



-- Let everything happen to you
Beauty and terror
Just keep going
No feeling is final
Rainer Maria Rilke (1899)


When you say stand alone APs, are you talking about the lightweight APs? We are an enterprise network (no lightweights) - will DNAC have a reference with our APs? I want to make sure I understand what you stated.

 

@john-w-sullivan Standalone APs are the reverse of lightweight APs, which are steered by a controller. Using lightweight APs together with a controller is a preferred solution for enterprise wireless networking. Besides centralized management of access points, the controller steers channel allocation (DCA) and power control (TPC) on the access points for optimal coverage (e.g.). (DNAC cannot be used for managing standalone access points either; it is developed for controller-based wireless deployments.)

M.




I have a background with Aruba and am still trying to wrap my head around the Cisco terminology. Very simply, if I disable AP Impersonation, I know it will get rid of the rogue warnings in DNAC reports, but what other effects will it have on the enterprise network? I don't like the idea that an authorized AP in my network is being detected as a rogue.

 

@john-w-sullivan Because DNAC does not support standalone APs, it will flag any standalone AP as a rogue, that being harmless.

M.




john-w-sullivan (Level 1)

Thanks, I had to research some terms. We do not have any stand-alone APs; all are managed by a controller, so we must have lightweight APs. But yet we have APs showing up as rogues with AP Impersonation, and AP Impersonation is enabled.

 

@john-w-sullivan In any company environment you will usually have lots of unofficial access points being seen by the official wireless environment, due to smartphones, personal Wi-Fi routers or hotspots and other similar devices at the user's end. Usually they will be harmless. I think, for instance, that when examining a rogue AP being reported, you can classify it as Friendly in DNAC (if being judged as not harmless).

M.




Rich R (VIP)

@john-w-sullivan what version of software is your WLC running?
There have been a number of bugs with APs incorrectly detecting their own and neighbour radios as rogues so you need to make sure you're running up to date software with fixes for those (see TAC Recommended link below).  Example:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx80829
Also take note of https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj81093 which says that impersonation detection only works correctly with Aironet-IE enabled (disabled by default on 9800) - covered in the Best Practices guide (link below).
That bug is actually an enhancement request to make impersonation detection work properly without Aironet-IE.
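Rich R's advice boils down to two checks an operator can script before trusting (or disabling) impersonation alerts: whether Aironet IE is enabled on each WLAN, and whether the controller software is at or above the TAC recommended release. The following Python audit is an added example written for this thread, not code from Cisco or from any poster. The "show wlan" dump is a constructed sample; its block layout and the field label "CCX Aironet Support" are assumptions, so compare the regexes with your own controller's output. The version comparison uses only the 17.9.5 value quoted in the thread; the minimum release is a placeholder to be taken from the TAC recommended-release page.

```python
"""Added audit example (not from the thread): flag WLANs without Aironet IE
and compare the running WLC release against a minimum version string."""
import re
from typing import Dict, List, Tuple

# Constructed sample, loosely modelled on Catalyst 9800 "show wlan id <n>"
# output. Layout and the "CCX Aironet Support" label are ASSUMPTIONS for
# this example; adjust the regexes to match your controller's real output.
SAMPLE_SHOW_WLAN = """\
WLAN Profile Name     : corp-wifi
================================================
Identifier                                     : 1
Description                                    :
Network Name (SSID)                            : CorpWiFi
Status                                         : Enabled
CCX Aironet Support                            : Disabled

WLAN Profile Name     : guest-wifi
================================================
Identifier                                     : 2
Network Name (SSID)                            : Guest
Status                                         : Enabled
CCX Aironet Support                            : Enabled
"""

# "key : value" lines; separator lines made of '=' contain no colon and are skipped.
_KV_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_show_wlan(text: str) -> List[Dict[str, str]]:
    """Split the dump into one dict of fields per WLAN profile block."""
    wlans: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("WLAN Profile Name"):
            # A new profile header starts a new record.
            if current:
                wlans.append(current)
            current = {}
        m = _KV_RE.match(line)
        if m:
            current[m.group("key")] = m.group("val")
    if current:
        wlans.append(current)
    return wlans


def wlans_without_aironet_ie(wlans: List[Dict[str, str]]) -> List[str]:
    """Names of WLANs whose Aironet IE support is not enabled. Per the
    thread, impersonation detection is only reliable with Aironet IE on."""
    return [
        w.get("WLAN Profile Name", "?")
        for w in wlans
        if w.get("CCX Aironet Support", "").lower() != "enabled"
    ]


# One version component: leading digits plus an optional rebuild letter (e.g. "4a").
_PART_RE = re.compile(r"(\d+)([a-z]*)")


def parse_version(v: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '17.9.4a' into ((17, ''), (9, ''), (4, 'a')) so tuples compare naturally."""
    parts = []
    for piece in v.strip().split("."):
        m = _PART_RE.fullmatch(piece)
        if not m:
            raise ValueError(f"unrecognised version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_at_least(running: str, minimum: str) -> bool:
    """True when the running release is the minimum or newer."""
    return parse_version(running) >= parse_version(minimum)


def audit(show_wlan: str, running: str, minimum: str) -> Dict[str, object]:
    """Combine both checks into one result for reporting or alerting."""
    wlans = parse_show_wlan(show_wlan)
    return {
        "wlans_missing_aironet_ie": wlans_without_aironet_ie(wlans),
        "software_current": is_at_least(running, minimum),
    }


if __name__ == "__main__":
    # 17.9.5 is the release quoted in the thread; the minimum is a PLACEHOLDER,
    # take the real value from the TAC recommended-release page.
    result = audit(SAMPLE_SHOW_WLAN, running="17.9.5", minimum="17.9.5")
    for name in result["wlans_missing_aironet_ie"]:
        print(f"WARN: WLAN {name}: Aironet IE disabled, impersonation alerts unreliable")
    print("software at or above minimum:", result["software_current"])
```

On the constructed sample the script warns about corp-wifi only; a WLAN flagged here is one where an impersonation alert (or its absence) should not be taken at face value until Aironet IE is enabled and the controller is on supported code.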

The APs are on a Cisco Catalyst 9800-40 Wireless Controller with version 17.9.5

version 17.9.5
Which is now rather out of date and approaching end of life.
Therefore pay close attention to the TAC recommended code versions (link below) and aim to upgrade your WLCs regularly to keep them on fully supported versions of code.

Did you check the Aironet-IE settings?
