03-01-2013 02:54 PM - edited 07-03-2021 11:39 PM
Hi,
The latest WLC releases, and APs from other vendors, are introducing support for the 802.11w standard as defined by the Management Frame Protection (MFP) service. This implies that Disassociation, Deauthentication, and Robust Action frames are protected from being spoofed, which increases Wi-Fi network security.
Does this mean that containment using over-the-air de-authentication frames to temporarily interrupt service on a rogue device is not possible if the device and clients associated to it use 802.11w?
Thanks in advance
03-01-2013 06:44 PM
That's what they say. There are many reference materials out there. Here is one.
http://www.cisco.com/en/US/partner/docs/wireless/mse/3350/release/notes/mse7_3_101_0.html
Sent from Cisco Technical Support iPhone App
03-02-2013 02:47 AM
I don't see any reference to 802.11w in the link you posted.
I know this can be done, I've done it many times myself, with Cisco and other vendors, BUT my question is:
is it possible when the rogue AP we try to mitigate is using IEEE 802.11w-2009 with its clients?
03-02-2013 06:22 AM
The one thing is that you should never use containment. If a rogue device is inside your building and affecting your wireless, you should find it and remove it. Now if your APs are being contained, this should help as it will not work, but both AP and client must support it.
Sent from Cisco Technical Support iPhone App
03-02-2013 06:20 AM
Sorry wrong link
http://books.google.com/books?id=D4u6ctj9KcYC&pg=PA416&lpg=PA416&dq=802.11w+protect+against+containment&source=bl&ots=nFc7kW5O9p&sig=rbXSP3ltOIY08Ir7WkwRDDBsPuw&hl=en&sa=X&ei=gwoyUdC1L9OHqwGdsoGIBQ&ved=0CDYQ6AEwAQ
http://www.cwnp.com/cwnp_wifi_blog/wireless-lan-security-and-ieee-802-11w/
Sent from Cisco Technical Support iPhone App
03-02-2013 06:42 AM
Thanks Scott,
That is what I thought, but I don't understand why we shouldn't use this mitigation if a rogue AP is inside our building. WIPS have traditionally used deauthentication frames as rogue containment measures.
Now that MFP-protected stations discard frames that fail the MIC, WIPS may have to come up with some new ways of booting rogue devices.
Does anybody know of new methods?
03-02-2013 07:09 AM
Well, what I have seen is that you can be doing a deauth to a neighboring tenant. That's a bad thing, especially if they catch you. Now why not just contain rogue APs that are using your SSID? The best way to eliminate rogue APs from your internal network is to find it and get rid of it. Now you can use Cisco ISE and protect the ports so that no one can connect rogue devices to your switch; I think that would be a better way. When doing containment, you really need to use something like 3 APs, and that would also affect the process of the AP if it's also supporting clients. To be honest, I wish they got rid of this because it caused more issues than good. That's my opinion. You accidentally contain a neighbor and have to apologize because they will know it's you, or vice versa. So if you're worried about rogue APs in your internal network, then make sure your containment policy is only for rogue APs using your SSID. If you're out in nowhere land and you don't have any tenants around you, go ahead and contain whatever you want, because you are not doing anything illegal then.
Sent from Cisco Technical Support iPhone App
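As an added example (not code from any of the posts above or from Cisco): decoding the RSN Capabilities field of a beacon's RSN information element shows whether a BSS advertises 802.11w MFP, and therefore whether its associated clients will discard unprotected deauthentication and disassociation frames, including the ones a WIPS sends for containment. The RSN IE bytes below are constructed samples; the field layout follows the 802.11 RSN IE (element ID 48), where MFPR is bit 6 and MFPC is bit 7 of RSN Capabilities.

```python
import struct

# Added example, not from the thread: decode an 802.11 RSN IE and report
# whether the BSS advertises Management Frame Protection (802.11w).
RSN_ELEMENT_ID = 48
MFPR_BIT = 1 << 6   # Management Frame Protection Required
MFPC_BIT = 1 << 7   # Management Frame Protection Capable


def parse_rsn_ie(ie: bytes) -> dict:
    """Parse an RSN IE (element ID 48) and return version, suite counts and PMF bits."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN information element")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1] or len(body) < 2:
        raise ValueError("truncated RSN IE")
    off = 0
    version = struct.unpack_from("<H", body, off)[0]; off += 2
    off += 4                                                  # group cipher suite
    pairwise_count = struct.unpack_from("<H", body, off)[0]; off += 2
    off += 4 * pairwise_count                                 # pairwise cipher suites
    akm_count = struct.unpack_from("<H", body, off)[0]; off += 2
    off += 4 * akm_count                                      # AKM suites
    # RSN Capabilities is optional; when absent, no PMF is advertised.
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    return {
        "version": version,
        "pairwise_count": pairwise_count,
        "akm_count": akm_count,
        "mfp_capable": bool(caps & MFPC_BIT),
        "mfp_required": bool(caps & MFPR_BIT),
    }


def pmf_status(ie: bytes) -> str:
    """Summarise how clients of this BSS treat unprotected deauth/disassoc frames."""
    info = parse_rsn_ie(ie)
    if info["mfp_required"]:
        return "required"   # every client negotiates PMF; spoofed deauths are dropped
    if info["mfp_capable"]:
        return "optional"   # protection depends on what each client negotiated
    return "disabled"       # unprotected deauth/disassoc frames are honoured


if __name__ == "__main__":
    # Constructed sample: WPA2-PSK/CCMP beacon with MFPC and MFPR set (caps 0x00C0).
    sample = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 c000")
    print(pmf_status(sample))   # required
```

Run over the RSN IE of your own APs' beacons (from a packet capture) to confirm that the PMF setting you configured is what is actually being advertised.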