08-24-2008 09:43 AM - edited 07-03-2021 04:22 PM
My WLC has detected (via 15 detecting radios) a rogue AP with a client connected to it. The infrastructure has not determined that the AP is plugged into the local network. I'm trying to contain the AP - I classify it as "Malicious", update its status to "Contain" & assign 2 APs (though the number of APs don't matter here) to contain the rogue.
Everything looks right, as the WLC shows that the rogue AP is in a "Contained" status. However, after about a minute the WLC shows the rogue having been reverted to an "Alert" status. I've contain other rogues before but have yet to see one not have the "Contained" status stick.
Anyone seen this? Or know why it's happening? Thanks!
08-24-2008 12:23 PM
Check and verify that the "rogue" is not one of your APs associated to a controller with a different mobility group name but on the same network as your primary mobility group. This is the only way I could think that this is happeneing. Also, try a 4 AP containment. At 2 APs a client could still associate to the rogue thus generating a new alert.
08-24-2008 12:31 PM
I've tried all containing AP options - 1 thru 4. Doesn't make a difference. The AP goes into a "Contained" status for less than a minute then reverts to "Alert".
The AP is definitely not ours. I did an OUI look up and its MAC address pops up as an Apple device.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide