07-02-2012 07:10 AM - edited 07-03-2021 10:22 PM
Any idea on how to solve the below error on Cisco WCS:
"AP Impersonation of MAC '18:ef:63:9b:bb:96' using source MAC '64:27:37:9b:ed:97' is detected by authenticated AP 'APc84c.75f3.e51a' on '802.11b/g' radio and Slot ID '0'. "
07-02-2012 08:30 AM
Here is a link to a support forum doc. You can search the forum also as there are other post with he same thing your seeing.
https://supportforums.cisco.com/docs/DOC-3666
https://learningnetwork.cisco.com/thread/28472
07-02-2012 01:05 PM
issue: wireless client 64:27:37:9b:ed:97 spoofed the MAC of AP 18:ef:63:9b:bb:96 and trying to send data. Sure this wireless client is connected to the AP 18:ef:63:9b:bb:96 when the issue occured.
64:27:37:9b:ed:97, it is a culprit that causing this issue. 64:27:37 belong to hon hai(may be wireless client vendor for dell or something). Update the latest good known driver on those clients and you will be fine.
Wireless packet capture between the client and ap should prove the issue.
07-03-2012 01:20 AM
Salam Houssam,
The reason of the erros is that there are other access points that use your AP's mac address.
Reason:
Your AP's MAC address is being used by some other party and your WLC detects that the MAC address is being used by somebody else while it actually belongs to one of the APs joined to it.
This happens usually if there is another wireless system can your hear the signal from your wireless system. Some wireless systems use some security features by impersonating another (rogue) wireless system in neighbor.
What you can do:
- If you are using more than one WLC, mac sure they are all on same mobility and RF groups.
- If all WLCs under same mobility/RF groups, then try to look in neighbor of AP "APc84c.75f3.e51a" that detected the attack and find any other wireless systems around. If any exist then try to either remove them. If they it is a legitimate WLAN then ask the WLAN administrator to configure his systme not to harm your WLAN. This is configurable in the security features in that system.
HTH
Amjad
07-03-2012 01:36 AM
BTW, you can avoid any other system to impersonate your AP mac address by using MFP:
Be careful if you want to configure MFP because some clients (especially old ones) may have problems to connect if it is configured.
HTH
Amjad
05-28-2015 01:29 AM
Hi,
please check the below post for the same query.
https://supportforums.cisco.com/discussion/10145656/ap-impersonation-alarms-wcs-4183
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide