
"Rogue APs" w/our SSID and radio MAC addrs one or two off from trusted APs

johnruffing
Level 4

We are using WCS/WLC version 4.x and are in an environment with approx. 175 access points in a multi-floor building.

We have recently seen rogue AP security events that show a "rogue" AP whose radio MAC address value is one or two more MAC addresses higher than those of our trusted APs.

Since this appears throughout the building (and appears to be detected from adjacent APs - same floor, above, or below), I am fairly certain that these "rogue" APs are false alarms.

The SSID is the same one we are using (and I understand that, theoretically, there could be the possibility that someone with a true rogue AP is out there attempting a man-in-the-middle attack). However, this seems unlikely since this "attack" appears at different areas intermittently at various locations in the building - often many simultaneously.

Has anyone else seen or experienced this?

3 Replies

johnruffing
Level 4

Update: Apparently, this is a known issue (Bug CSCse87066 - "Access Points associated to controllers in the same mobility group no longer appear as rogue access points.")

And the fix is to upgrade to 4.0.179.11

We had exactly the same symptoms as the first poster. Upgraded to ver .11 but no luck. Anyone with similar problems / solutions?

According to the release notes, 4.0.206.x is supposed to fix this. Apparently, in high-density deployments (such as multi-floor, high quantities of LWAPs), if the access points hear too many adjacent on-network, trusted LWAPs, the table that keeps track of these adjacent LWAPs overflows and these then become "rogue".

Hopefully, the latest/greatest firmware will resolve this. Our customer is in the process of performing the upgrade and we should see the results soon.
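
A triage sketch for the alarm pattern described in this thread, added here as an example and not taken from any poster or from Cisco: it sorts rogue alarms into those whose BSSID sits one or two above a trusted radio MAC while advertising your own SSID, and those that advertise your SSID from an unrelated MAC. The function names, the `corp-wlan` SSID, the sample MACs and the default window of 2 are assumptions made for the illustration.

```python
# Added example (not from the thread). MACs use the RFC 7042 documentation
# range; the SSID and the offset window are constructed assumptions.

def mac_to_int(mac):
    """Parse aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)

def int_to_mac(value):
    raw = f"{value:012x}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))

def triage(alarms, trusted_radio_macs, our_ssids, max_offset=2):
    """Return (bssid, label, trusted_base_or_None) for each alarm.

    near-trusted-radio: our SSID, BSSID 1..max_offset above a trusted radio MAC
    our-ssid-unmatched: our SSID, BSSID not adjacent to any trusted radio MAC
    other:              SSID is not one of ours
    """
    trusted = sorted(mac_to_int(m) for m in trusted_radio_macs)
    out = []
    for alarm in alarms:
        bssid = mac_to_int(alarm["bssid"])
        if alarm["ssid"] not in our_ssids:
            out.append((int_to_mac(bssid), "other", None))
            continue
        # Lowest trusted radio MAC that this BSSID sits just above, if any.
        base = next((t for t in trusted if 0 < bssid - t <= max_offset), None)
        if base is None:
            out.append((int_to_mac(bssid), "our-ssid-unmatched", None))
        else:
            out.append((int_to_mac(bssid), "near-trusted-radio", int_to_mac(base)))
    return out

TRUSTED = ["00:00:5e:00:53:10", "00:00:5e:00:53:20"]   # constructed inventory
ALARMS = [                                              # constructed alarms
    {"bssid": "00:00:5e:00:53:11", "ssid": "corp-wlan"},
    {"bssid": "0000.5e00.5322", "ssid": "corp-wlan"},
    {"bssid": "00:00:5e:00:53:80", "ssid": "corp-wlan"},
    {"bssid": "00:00:5e:00:53:12", "ssid": "cafe-guest"},
]

if __name__ == "__main__":
    for row in triage(ALARMS, TRUSTED, {"corp-wlan"}):
        print(*row)
```

A `near-trusted-radio` label only marks the alarm as a candidate for the false-positive behaviour discussed above; since a BSSID can be set to any value, confirm against the controller's own AP list before dismissing it. Alarms labelled `our-ssid-unmatched` are the ones to investigate first.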
