Tuesday, August 21, 2018

Access Points Being Contained?

I am running a Cisco 5508 wireless controller with a handful of Cisco 3702I access points. The logs are constantly giving me the following:

"IDS 'Bcast deauth' Signature attack detected on AP 'WAP-10' protocol '802.11b/g' on Controller 'x.x.x.x'. The Signature description is 'Broadcast Deauthentication Frame', with precedence '1'. The attacker's mac address is '00:a6:ca:68:48:a2', channel number is '1', and the number of detections is '300'. - Device Name: WLC-01 - Reporting Address: x.x.x.x"

AND...

"AP 'WAP-10' is being contained. This is due to rogue device spoofing or targeting AP 'WAP-10' BSSID on '802.11a' radio. - Device Name: WLC-01 - Reporting Address: x.x.x.x"

Since these log messages started coming in, my clients are unable to connect. What is happening here? Based on my research so far, it appears a neighboring WLAN environment is "containing" or sending deauthorizations to our APs. This seems pretty unlikely, but I have no other explanation.
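
One way to triage the two controller messages quoted above, as an added example that is not part of the original post: the Python below parses both messages, groups them per AP, and reports whether the deauth signature and the containment event were logged on the same radio. The function names are hypothetical, and the regexes assume the message wording shown in the post.

```python
import re
from collections import defaultdict

# The two messages quoted in the post, copied as they appear there.
SAMPLE_LOGS = [
    "IDS 'Bcast deauth' Signature attack detected on AP 'WAP-10' protocol '802.11b/g' on Controller 'x.x.x.x'. The Signature description is 'Broadcast Deauthentication Frame', with precedence '1'. The attacker's mac address is '00:a6:ca:68:48:a2', channel number is '1', and the number of detections is '300'. - Device Name: WLC-01 - Reporting Address: x.x.x.x",
    "AP 'WAP-10' is being contained. This is due to rogue device spoofing or targeting AP 'WAP-10' BSSID on '802.11a' radio. - Device Name: WLC-01 - Reporting Address: x.x.x.x",
]

IDS_RE = re.compile(
    r"IDS '(?P<sig>[^']+)' Signature attack detected on AP '(?P<ap>[^']+)' "
    r"protocol '(?P<radio>[^']+)'.*?attacker's mac address is '(?P<mac>[0-9A-Fa-f:]{17})', "
    r"channel number is '(?P<channel>\d+)', and the number of detections is '(?P<count>\d+)'"
)
CONTAIN_RE = re.compile(r"AP '(?P<ap>[^']+)' is being contained\..*?BSSID on '(?P<radio>[^']+)' radio")

def summarize(lines):
    """Group IDS-signature and containment events per AP name."""
    per_ap = defaultdict(lambda: {"signatures": [], "contained_radios": set()})
    for line in lines:
        ids = IDS_RE.search(line)
        if ids:
            per_ap[ids["ap"]]["signatures"].append({
                "signature": ids["sig"], "radio": ids["radio"], "source_mac": ids["mac"].lower(),
                "channel": int(ids["channel"]), "detections": int(ids["count"]),
            })
            continue
        cont = CONTAIN_RE.search(line)
        if cont:
            per_ap[cont["ap"]]["contained_radios"].add(cont["radio"])
    return dict(per_ap)

def triage(summary):
    """List APs that logged both a signature hit and a containment event."""
    findings = []
    for ap, ev in summary.items():
        if ev["signatures"] and ev["contained_radios"]:
            sig_radios = {s["radio"] for s in ev["signatures"]}
            findings.append({
                "ap": ap,
                "source_macs": sorted({s["source_mac"] for s in ev["signatures"]}),
                "signature_radios": sorted(sig_radios),
                "contained_radios": sorted(ev["contained_radios"]),
                "same_radio": bool(sig_radios & ev["contained_radios"]),
            })
    return findings

if __name__ == "__main__":
    for finding in triage(summarize(SAMPLE_LOGS)):
        print(finding)
```

For the two quoted messages, this reports WAP-10 with the signature on the 802.11b/g radio and the containment on the 802.11a radio, so `same_radio` is false.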


