
How do I check if my AP is being contained?

paddy.d
Level 1

Hello,

I have worked out how containment works from my WLC, but how can I check if my AP(s) are being contained by someone else?

Thanks in advance!

Kind regards!

Paddy


Freerk Terpstra
Level 7

Hi Paddy,

First of all, be cautious with containment; doing it wrong might have legal consequences.

With containment the client will receive a deauth message from an access-point which spoofs the MAC address of the access-point on which the client was connected. By default this message cannot be verified by the client and the client will act on it. However, since 2009 there is a protocol called 802.11w (PMF) that allows the access-point and client to agree on a certain hash while performing the 4-way handshake. This hash is being used to sign and validate the management messages, so with help of this hash the client can validate the incoming deauth message and ignore it when needed :-)

Back in 2005 Cisco developed MFP (Management Frame Protection) to battle this same problem. Cisco's implementation consists of two parts: infrastructure and client MFP. The client MFP part is somewhat the same as 802.11w but requires the client to be CCXv5 compatible. However, the infrastructure side is not covered in 802.11w. With infrastructure MFP access-points add a MIC to their management frames, based on this your own access-points can report about received spoofed management frames as well. This does not stop it from happening or your clients to ignore it from trusting, but will generate a message on the WLC which you can use for further investigation.

It is possible to activate Cisco MFP and 802.11w PMF at the same time. I do not recommend to configure it to be "required" due to the lack of support on clients (unless you really know that your clients support it). The 802.11w PMF configuration can be found under the layer 2 security tab of the SSID. MFP configuration can be done under security -> wireless protection policy -> AP authentication & MFP.

Please rate useful posts... :-)

Hello Freerk,

Thanks for your detailed answer. However I do not want to contain a network but want to check if a third party is containing us. One of my clients has a lot of problems with his wireless connectivity and I want to rule out that he is being contained.

How could I do that? Are there debug commands to check this? Do I need to set up a syslog server and check the entries there?

I am reasonably new at this so any suggestions are welcome.

Thanks!

Paddy

Hi Paddy,

The syslog server is a good starting point for all kinds of troubleshooting. Is the end user using a client which is being used more in your infrastructure? If so, is the same driver software being installed? A lot of weird client issues turn out to be related to (faulty) drivers in my experience.

If the behavior is predictable I recommend to run a "debug client MAC" on the CLI of the WLC and further investigate that output. If you really want to rule out any RF issues you need to go on-site and "sniff" the wireless packets.

Please rate useful posts... :-)
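
The on-site sniffing suggested in the last reply can be turned into a simple check, shown here as an added example that is not part of the thread and is not Cisco code: parse captured 802.11 management frames and flag bursts of deauth/disassoc frames that carry your own BSSID as transmitter, which is what containment looks like on the air. Assumptions: frames are raw 802.11 with the radiotap header and FCS already stripped, the MAC addresses and sample capture are constructed, and the window and threshold are illustrative starting values. Your own AP also sends legitimate deauths, so a flagged burst should be compared against the WLC logs for the same time.

```python
import struct
from collections import defaultdict

DEAUTH, DISASSOC = 12, 10  # 802.11 management frame subtypes

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt(frame):
    """Return (subtype, dst, src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:  # 24-byte MAC header + 2-byte reason code
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, mac(frame[4:10]), mac(frame[10:16]), mac(frame[16:22]), reason

def containment_suspects(capture, own_bssids, window=1.0, threshold=5):
    """Map (bssid, dst) -> peak count of deauth/disassoc frames seen within `window` seconds."""
    times = defaultdict(list)
    for ts, frame in capture:
        parsed = parse_mgmt(frame)
        if parsed and parsed[2] in own_bssids:  # transmitter claims to be our AP
            times[(parsed[2], parsed[1])].append(ts)
    suspects = {}
    for key, stamps in times.items():
        stamps.sort()
        lo = best = 0
        for hi, t in enumerate(stamps):  # sliding window over timestamps
            while t - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            suspects[key] = best
    return suspects

def build(subtype, dst, src, reason=7):
    """Build a constructed management frame for the sample below (no radiotap, no FCS)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    hdr = bytes([subtype << 4, 0, 0, 0]) + raw(dst) + raw(src) + raw(src) + b"\x00\x00"
    return hdr + struct.pack("<H", reason)

# Constructed sample capture; all MAC addresses are made up.
AP, CLIENT_A, CLIENT_B = "02:00:00:aa:bb:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
SAMPLE = [(10.0 + i * 0.1, build(DEAUTH, CLIENT_A, AP)) for i in range(8)]  # burst
SAMPLE += [(3.0, build(DISASSOC, CLIENT_B, AP, 8)), (40.0, build(DEAUTH, CLIENT_B, AP, 3))]
SAMPLE += [(11.0, build(8, "ff:ff:ff:ff:ff:ff", AP))]  # beacon, must be ignored

if __name__ == "__main__":
    print(containment_suspects(SAMPLE, {AP}))
```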
