
WLC "rogue containment" - What does it actually do?

kfarrington
Level 3

Hi All,

I have read the part of the WLC config guide about rogue containment, but what does it actually do?

It says it sends deauth and deassoc frames to clients of rogue access points. This to me actually seems like we are performing a DOS on another neighbor's WLAN?

Can anyone confirm what it actually does in detail?

Does it send deauth messages to a "neighbor's AP's clients", deauthenticating them from the "neighbor's AP" and thus causing the client to lose his own connection to his legitimate AP, or does it send de-auths that say, just don't come near my AP (on my network)?

What is the frequency of packets that get sent to the neighboring APs clients?

Does it send these frames to a broadcast or unicast MAC?

Does it send these frames to other neighbor rogue APs or just clients?

Are there any legal ramifications of doing this, i.e., can you be prosecuted?

Is this the only containment method that Cisco supports?

And, any other info/documentation that anyone may have on this?

Many thx indeed, for all the kind help so far :))

Ken

18 Replies

Just an observation....

We see a lot of Linksys wifi routers that exhibitors bring in for their booths during events at the convention center.

We will get a call on the radio that they are having trouble with their connection and sure enough, they have their wireless enabled on their router.

The Linksys router will bog down to a crawl and even become completely unresponsive from either the wireless or wired side.

We have them turn off their wireless and the router is fine for the rest of the time. The more recent Linksys routers seem to be affected more. We will occasionally see other retail brands, but for the most part, the majority of wifi routers are Linksys.

We do not make use of containment as it takes away from radio performance, but the default effect of our high density wireless upon Linksys routers does help "contain" rogues!

Hi Eric,

Sorry to wake this thread after 7 years. I'm wondering "how do I stop a wireless containment war".

Imagine this scenario: company A has its client a and company B has client b, both companies sharing the same building. So coy A sends de-authenticate packets to B because it doesn't want its users to connect to B or it just does not tolerate other SSIDs in its environs. Coy B does the same thing. So both companies end up with non-working wireless.

Another situation is that a crazy staff member brings in a smart device that can send de-auth packets to my company's AP.

Question is, does Cisco WLC have a feature to ensure that legitimate clients stay connected irrespective of de-auth packets from another AP?

Hi Elemzy,

Few comments to clarify the behavior:

- when you choose to contain a "rogue SSID", a message warns you that this could have legal consequences. What this means is that you do not have the right to contain a legitimate network. In the scenario you describe, both companies would be at fault, because each is trying to block a legitimate other network. Recent examples with various brands show that when the FCC is called for help for such illegal behavior, the fine can be expensive for the offender. Containment is solely for situations where the rogue is in your facility (and if you are not sure... well you should make sure before you contain :-)). Containment is not automatic, but a conscious admin choice.

- There are mechanisms (RLDP, rogue on wire) to help you decide if the rogue is on your network or not.

- There is no mechanism to resist a deauth (it is part of the protocol). However, there is a protocol called 802.11w (also known as PMF, for which Cisco has a more elaborate and older solution called MFP) that allows the AP and the clients to agree on a hash, and therefore ignore any external deauth message. This would effectively achieve the protection you describe.

 

hth

Jerome

#802.11w/mfp doesn't work with open/tkip/wep enabled wlan. It works only with WPA2-PSK or WPA2-802.1x. 802.11w is supported from WLC code 7.4.
#Some clients don't honor Broadcast deauth and can be contained only using Unicast deauths :)
#Alternatively, attacker can spoof wireless client MAC and send de-auth attack to its connected AP :)

FCC fine on Rogue containment:-
http://www.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fine/

It requires the WLAN environment, i.e., WLC code and wireless clients that support 802.11w.
#client mfp support requires ccxv5 certified clients.
#802.11w is supported by win 8 or higher only.
#Device Classification Guide - Look for 802.11w support
http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-0/device_classification_guide.html

#Restrictions for 802.11w:-
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_01010000.html#d62114e888a1635
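Added example, not part of the thread and not Cisco code: a way to audit whether a WLAN actually advertises 802.11w, by reading the MFPC/MFPR bits from the RSN element of a captured beacon. The two sample elements are constructed, the function name is hypothetical, and suite selectors are assumed to use the standard 00-0F-AC OUI.

```python
import struct

# Suite types under OUI 00-0F-AC (IEEE 802.11 RSN element); OUI assumed, not checked.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
MFPR, MFPC = 0x0040, 0x0080  # RSN Capabilities bit 6 (required) and bit 7 (capable)

# Constructed samples: WPA2-PSK-SHA256/CCMP with PMF required, and TKIP with no capabilities field.
SAMPLE_REQUIRED = bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac06 cc00")
SAMPLE_TKIP = bytes.fromhex("3012 0100 000fac02 0100 000fac02 0100 000fac02")


def _suites(buf, off):
    """Read a 2-byte little-endian count, then that many 4-byte suite selectors."""
    if off + 2 > len(buf):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if off + 4 * count > len(buf):
        raise ValueError("truncated suite list")
    return [buf[off + 4 * i + 3] for i in range(count)], off + 4 * count


def pmf_status(ie: bytes) -> dict:
    """Classify management frame protection from one RSN element (ID 48)."""
    if len(ie) < 2 or ie[0] != 48 or ie[1] != len(ie) - 2:
        raise ValueError("not a well-formed RSN element")
    body = ie[2:]
    if len(body) < 6:
        raise ValueError("RSN element too short")
    pairwise, off = _suites(body, 6)  # skip version (2) + group cipher (4)
    _akms, off = _suites(body, off)
    # RSN Capabilities is optional; if absent, no PMF is advertised.
    caps = struct.unpack_from("<H", body, off)[0] if off + 2 <= len(body) else 0
    if caps & MFPR:
        pmf = "required"
    elif caps & MFPC:
        pmf = "optional"  # only PMF-capable clients discard unprotected deauths
    else:
        pmf = "disabled"
    names = [CIPHERS.get(t, f"type-{t}") for t in pairwise]
    return {"pmf": pmf, "pairwise": names, "all_clients_protected": pmf == "required"}


if __name__ == "__main__":
    for name, ie in (("required", SAMPLE_REQUIRED), ("tkip", SAMPLE_TKIP)):
        print(name, pmf_status(ie))
```

A result of "optional" means clients that did not negotiate 802.11w can still be knocked off by unprotected deauth frames, which matches the client-support caveats listed above.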
