Problema con AP Hogareños

supercanal · ‎03-26-2025

Buenos dias Gente, Le hago una pregunta tengo un WLC de Cisco con 10 AP air-ap2802i-a-k9 en la oficna, pero tengo problema con varios AP Hogareños que colocan en la oficina de manera clandestina y se solapan las señales y el WIFI empieza andar mal, apararte de la Seguridad, queria ver si desde los equipos Cisco ap2802i o del WLC hay alguna forma de hacer un ataque a eso WIFI Hogareños (DoS) para que no se puedan loguear y asi que lo saquen. Saludos

marce1000 · ‎03-26-2025

- Si busca problemas al hacer esto, el controlador inalámbrico asigna canales y potencia a los puntos de acceso para optimizar la cobertura inalámbrica en la oficina. Interferirá con la red al instalar puntos de acceso autónomos. Abandone este plan y convierta también esos puntos de acceso al modo cliente (CAWAP).

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎03-27-2025

What you are referring to is called containment - using spoofed de-authorisation frames to interrupt communications between rogue APs and clients. You should be very careful about enabling containment because it can be illegal in many situations in most countries and there are well known cases of authorities prosecuting for illegal use of containment. Remember the unlicensed WiFi frequencies are a shared public resource.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-10/config-guide/b_cg810/wireless_intrusion_detection_system.html#rogue-management

What you should be doing is using equipment to physically locate the offending APs (if they are on your property) and advise their owners to remove or adjust them according to company policy and get HR involved if necessary. If the APs are not on your property then your only option is a friendly chat with your neighbours.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

supercanal · ‎03-28-2025

Thank you very much for the response. This is for the company only; they've been warned to remove all Wi-Fi equipment, but they continue to do so.

Scott Fella · ‎03-29-2025

Well that is something that needs to be enforced or else folks will continue to do whatever they want to do. I would think that you can track these down since the environment seems pretty small and give warnings, take away the gear you find, etc. Trying to block ports will not stop people from doing what they want to do, they will figure it out. Its a security issue more than anything.

-Scott
*** Please rate helpful posts ***