
Rogue AP attack on WLC Cisco

it.soporte
Level 1

Dear all:

My WLC 5508 log shows me this message:

IDS Signature attack detected. Signature Type: Standard, Name: NULL probe resp 1, Description: NULL Probe Response - Zero length SSID element, Track: per-Mac, Detecting AP Name:

 

-Client Deauthenticated: MACAddress:64:c2:de:24:aa:3a Base Radio MAC:70:e4:22:aa:c0:80 Slot: 1 User Name: unknown Ip Address: unknown Reason:Authentication rejected because of challenge failure ReasonCode: 15

 

Is it possible to block the attack on the affected AP? This is causing users to leave the network, with deauthentication attacks.

- Rogue AP : 90:06:28:6a:71:c1 removed from Base Radio MAC : e4:aa:5d:2c:d2:00 Interface no:0(802.11n(2.4 GHz))

 

Please share some advice or config for my WLC 5508.

Regards


patoberli
VIP Alumni
There are some ways (check out MFP), but the only real way is to go onsite and talk to the user causing the disruptions.

Hi @patoberli

Thanks for your advice. I need to ask: if I just set it up as contained, who performs this action on the rogue AP?

Regards

The other APs that can see the rogue AP will do this.
See here for some more information:
https://community.cisco.com/t5/wireless-security-and-network/wlc-quot-rogue-containment-quot-what-does-it-actually-do/td-p/1012588