Issue containing a rogue AP

My WLC has detected (via 15 detecting radios) a rogue AP with a client connected to it. The infrastructure has not determined that the AP is plugged into the local network. I'm trying to contain the AP - I classify it as "Malicious", update its status to "Contain" & assign 2 APs (though the number of APs doesn't matter here) to contain the rogue.
Everything looks right, as the WLC shows that the rogue AP is in a "Contained" status. However, after about a minute the WLC shows the rogue having been reverted to an "Alert" status. I've contained other rogues before but have yet to see one not have the "Contained" status stick.
Anyone seen this? Or know why it's happening? Thanks!

Check and verify that the "rogue" is not one of your APs associated to a controller with a different mobility group name but on the same network as your primary mobility group. This is the only way I could think that this is happening. Also, try a 4 AP containment. At 2 APs a client could still associate to the rogue thus generating a new alert.

Similar Messages

  • APs being contained as rogues by an external system

    A rogue containment policy is being initiated against my organization's APs and I do not have the tools/knowledge necessary to track down its point of origin. What tools or steps are required to identify who is containing an AP?
    Thanks

    I currently have this weird issue too
    I have no idea why. It started yesterday and continued today. I know that some people are in that area playing around with some Zigbee RFID tags, but I don't think that should make a problem?
    Here from the controller logfile:
    wism-1250-2: *Apr 09 14:40:03.582: %LWAPP-1-AP_CONTAINED: spam_lrad.c:25558 AP 1200b-6106-1 is being contained on slot 0
    Containment is over after around 1 minute (WCS sends two mails, one with containment and one with CLEAR). I don't know if the users have some issues because of this, so far only one complained, but that could also be because he's using an Apple and not a standard client.
    The controller logfile doesn't show a "resolve" of the containment.
    Auto containment of rogues is disabled on the controller.
    Any ideas? Or did you ever receive an answer from your tac case?
    Thanks,
    Patrick

  • Drawbacks of using 4 APs to contain a rogue AP

    What are the benefits/drawbacks of using 4 controller-based APs to contain a rogue AP vs using just one. If I understand it correctly a single AP can never be set to contain more than 3 rogues, and will never use more than 30% of its resources to do so. Also, you can set a maximum of 4 APs on "containment duty" against one rogue. I also believe that containment involves sending spoofed messages to the wireless clients which requires your APs to be within range of all the rogue clients.
    So.. what do you guys think? Let me know if my conclusions regarding the process are incorrect!
    Thanks!

    If you actually try this in the lab with a client set to do a continuous ping, you will see that containing with only one AP will still allow clients to connect. The plan here, as it was designed by Airespace, was to only contain radios that you KNOW are a threat. APs on your own wired network were detected by RF and then verified to be on the wired network with a protocol called RLDP. Once an AP was discovered via RLDP, the rogue was automatically contained by a 4 AP containment if 4 APs heard the rogue. An alert was then sent to the administrator and the rogue was mapped for location so that it could be collected. Containing APs that were neighboring was dissuaded because of the FCC "Good Neighbor" policy. You needed to make sure the AP was an actual threat to the security of your network before taking action. This became Cisco's policy on all rogue devices and they disabled RLDP from the system. Now if you do a contain you see the Legal Disclaimer that Cisco has put into place. A 4 AP containment will use some resources of your APs but it should not be a long term fix. You should go and deal with the rogue device personally once it is contained and mapped. After dealing with it, set the appropriate rogue state and remove containment.

  • DS 6: SSL certificate mapping with subject/issuer containing (")

    Hello,
    I got my personal test certificate from VeriSign, with an issuer: CN=VeriSign Class 1 Individual Subscriber CA - G2, OU=Persona Not Validated, OU=Terms of use at https://www.verisign.com/rpa (c)05, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    The subject of the certificate ends with: ...OU=Digital ID Class 1 - Netscape, OU=Persona Not Validated, OU="www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98", OU=VeriSign Trust Network, O="VeriSign, Inc."
    My certmap.conf looks like:
    certmap VeriSign [issuerDN]
    VeriSign:FilterComps cn
    VeriSign:verifycert on
    VeriSign:CmapLdapAttr certSubjectDN
    The question is what's the valid form of these strings containing (") in certmap.conf ([issuerDN]) to match the issuer and in certSubjectDN attribute - assuming it follows DirectoryString syntax. Note that they surround strings containing comma (,).
    I see in logs:
    conn=1 op=-1 msgId=-1 - SSL 128-bit RC4; client *OU=Digital ID Class 1 - Netscape,OU=Persona Not Validated,OU=\22www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)98\22,OU=VeriSign Trust Network,O=\22VeriSign, Inc.\22; issuer CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=\22VeriSign, Inc.\22,C=US
    I tested configuration against cert strings from logs, but they don't work. Strings containing (") also don't work.
    Did anyone face the same issue?
    Thanks for help in advance.

    The DN normalized version of O="Verisign, Inc." is O=Verisign\, Inc.
    You may want to try this. But I must admit that I've never tried to do certificate mapping with quotes.
    The certificate mapping functionality hasn't changed since the Netscape DS 4 code when Sun and Netscape started to work together.
    Ludovic.
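
The escaping rule from the reply above, worked through on the issuer and subject strings quoted in this thread (an added example, not code from the thread or from Directory Server). It converts both the quoted form and the `\22` log rendering to backslash-escaped values; treating `\22` as a quote delimiter is an assumption about how the access log prints the DN, and only single-valued RDNs with ASCII values are handled.

```python
import re

# Characters that must be backslash-escaped inside an RFC 4514 value.
SPECIALS = ',+"\\<>;'

# Issuer strings copied from the thread: certificate form and access-log form.
ISSUER_CERT = ('CN=VeriSign Class 1 Individual Subscriber CA - G2, '
               'OU=Persona Not Validated, '
               'OU=Terms of use at https://www.verisign.com/rpa (c)05, '
               'OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US')
ISSUER_LOG = (r'CN=VeriSign Class 1 Individual Subscriber CA - G2,'
              r'OU=Persona Not Validated,'
              r'OU=Terms of use at https://www.verisign.com/rpa (c)05,'
              r'OU=VeriSign Trust Network,O=\22VeriSign, Inc.\22,C=US')


def split_rdns(dn):
    """Split on commas that are neither inside "..." nor backslash-escaped."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair together
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value in DN")
    parts.append("".join(buf))
    return parts


def decode_value(raw):
    """Return the literal value behind a quoted or backslash-escaped string."""
    s = raw.strip(" ")
    if (len(s) - len(s.rstrip("\\"))) % 2 == 1:
        s += " "                          # the stripped space was escaped
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]                       # legacy quoted form: drop delimiters
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            pair = s[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(chr(int(pair, 16)))   # \XX hex escape (ASCII only)
                i += 3
            else:
                out.append(s[i + 1])             # \, \" \\ and similar
                i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def encode_value(val):
    """Escape a literal value with backslashes, never with quotes."""
    body = "".join("\\" + c if c in SPECIALS else c for c in val)
    if val[:1] in ("#", " "):
        body = "\\" + body
    if len(val) > 1 and val.endswith(" "):
        body = body[:-1] + "\\ "
    return body


def normalize_dn(dn, log_style=False):
    """Rewrite a DN so every value uses backslash escaping only."""
    if log_style:
        # Assumption: the log shows each quote delimiter as the hex escape \22.
        dn = dn.replace("\\22", '"')
    rdns = []
    for part in split_rdns(dn):
        attr, sep, raw = part.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {part!r}")
        rdns.append(f"{attr.strip()}={encode_value(decode_value(raw))}")
    return ",".join(rdns)


if __name__ == "__main__":
    print(normalize_dn(ISSUER_CERT))
    print(normalize_dn(ISSUER_LOG, log_style=True))
```

Both inputs print the same DN, ending in `O=VeriSign\, Inc.,C=US`, which gives one canonical string to compare against whatever is placed in `certmap.conf` or `certSubjectDN`.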

  • How to jam rogue APs

    Dear
    I have detected several rogue APs in my company, one is with no security key. We are using 4402 WLC, I tried to contain those rogue APs, after this it shows these APs as contained, but no effect on SSID, still anyone can use it. Can someone tell me is it possible to disable rogue APs so that they are not used by employees. Thanks

    Your theory seems to be correct, as I was able to Contain one SSID of my own D-LINK AP.
    What was the RSSI value when you did this?  How many APs were assigned to contain?
    after that when I contain the client associated with that Contained AP then I was able to dis-associate.
    Not a good idea because you'll need to contain a lot of clients.  What if the clients want to join YOUR valid SSID?
    Could you tell me what are possible RSSI values or distance between which we should be able to contain APs without issues.  Is it related with APs or WLC model etc.
    Y'know what?  I'm not so sure because "containing" an AP isn't really a "sport" you want to brag about and Cisco frowns upon it.  I just theorized because your RSSI values are just too low.  If you have a value of, say, -75 dBm then there's a chance of being successful.
    I plan to implement switch port security with mac-filtering on access switches.
    Here's the deal.  This is OK if the rogue AP happens to be connected to YOUR network.  What if, and this is very common occurrence here in Australia, if the rogue AP IS/WAS NOT connected to your network?  What if the AP is actually acting as a honeytrap or siphoning your enterprise WLAN traffic and sending it the other side?  As Scott recommended, the best way is to go to the owner of the offending rogue AP with two other big and burly colleagues and tell the offender to take the rogue AP out or you'll send your "enforcers" back.
    This AP is just two floors away.
    What are the inter-floors made of?  Are they made of concrete or wood?  Sounds like it's made out of concrete which makes propagation of wireless signal more difficult.  A recent study in Australia regarding the propagation of rogue APs are caused by staff bringing in their own chop-suey wireless access point.  The reason why they are doing it is because they are sick and tired of management telling them "No, you can't do it."  The same study stated that if management is un-willing to improve work-related technology then staff will do their best to do it themselves and without any authorization or approval.  When it comes to wireless technology in the workplace, you'll be surprised to know how many managers are still ignorant about the security implications and consider wireless as a "punishment from G0d".
    My opinion is this:  Roll out wireless to your floors and buildings.

  • 6085 video issue -- Video not in sync with sound

    I have a Nokia 6085.  Not the best phone, I know, but it's cheap.  Anyway, I can convert video files to compatible MP4 or 3GP just fine.  My phone will play them just fine, up to a point.  After about a minute, the video starts lagging behind the sound more and more.  I've done some research on this forum, but not come up with a single straight answer.  I cannot use SmartMovie or other players, as the Nokia 6085 runs in the J2ME environment.  I've tried to update my phone, but Nokia's software says there are no updates for my phone.  I've used files I've converted myself using various bitrates, codecs, etc. I've found in various places on this forum.  I've used videos converted by others that apparently work on their devices.  No difference.  Any idea on how I can fix this?  Thanks in advance.

    All right.  After much experimentation with SUPER and some researching through Google, I managed to fix my issue.  Everyone else who had this issue merely said, "Issue fixed."  I'll post my results in case anyone else has this issue:
    Container: 3gp (Nokia/NEC/Siemens)
    Output Video Codec: H.263
    Output Audio Codec: AAC LC
    Video Size: 176x144
    Frame/Sec: 12
    Video Bitrate: 144 kbps
    Hi Quality checked
    Top quality checked
    Audio sample: 44100
    2 Channels
    Audio Bitrate: 64 kbps
    Hope this helps someone. 

  • How to avoid interferences caused by rogues APs

    Hi Everybody,
    I have a WLC running well with 10 LAPs.
    The problem is that I have approximately 60 rogue APs and I have a lot of perturbations in signals (noise, interference, ...) caused by these APs.
    How to avoid these interferences ?? Is it the classification Malicious APs ??

    wow! belay that...DO NOT CONTAIN THE ROGUES!
    Unless you can prove they are in your network and shouldn't be, there can be legal ramifications for doing so.
    What you need to do first, is adjust the sensitivity for rogues.  By default it's -128, change that to -75.  Once you've done this, then you can evaluate which rogues are in your network, or belong to neighboring businesses.  For neighboring, go talk to their IT staff and see if you can get them to lower power so you aren't interfering with each other, cause if you see them, they probably see you as well.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Shutting down Rogue APs

    Besides simply classifying devices as rogues, is there a way to shut them down or overwhelm them with deauthentication or disassociation floods, something of the sort?

    You can contain the rogue, but then you can get in trouble for that since it is a DoS attack. 
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • How to refresh canvas on every page load?

    Hi,
    I have a <canvas> added for electronic signature. Electronic Signature using SAPUI5?
    As there is no UI5 control I am adding the canvas from controller to xml view having  <core:HTML id="signature" width="100%" />
    When the page is loaded for the first time it works  fine but on successive load of the page, canvas is not being refreshed with different signature. I am getting data from backend as OData but I cant bind the property so that on model change canvas would refresh.
    How to fix the issue of canvas refresh on every page load?

    Hi Dennis,
    There is a slight error in your code: the last Undo button is missing a closing } for the press function, and the 'enabled' property contains a rogue comma, but other than that, kudos for your work here!
    Rashmi, it seems like Dennis Seah has created the perfect case on why you should consider writing your own custom control instead of using the standard <canvas> element

  • How do I get passwords out of keychain-2.db backup file?

    I need to be able to get the passwords out of this file. I no longer have Access to this device or any other iPhone. It looks as if they are encrypted. I have opened the file in text edit. I have also opened it in an SQL program but they are showing as symbols.
    Please help!!!!!
    Thanks

    I have found a solution and I am already using this and it works like awesome for me in Mavericks. I googled and found this solution. Here you go...
    Instructions:
    0) Save keychain.rb and click_allow.scpt in your home directory.
    1) Enable full GUI scripting by going to the Universal Access System Preference Pane
       and checking "Enable access for assistive devices"
    2) Open the Terminal application and run the following command:
       security dump-keychain -d login.keychain > keychain.txt
    (If you have multiple keychains you should repeat this whole process once from step 2 onwards for
    each one. You will have to change 'login.keychain' to 'foo.keychain' or somesuch.)
    3) When you run the above command, the system will ask for permission to use your keychain. If you
       have a separate keychain password/have paranoid settings on your keychain, you may need to enter
       a password now. Otherwise, you will be presented with a dialog box asking you whether you want to
       allow permission to access the first item in your keychain. You will be asked this once for every
       item in your keychain (zzz). This is where the other file comes in:
    4) Find the click_allow.scpt in your home directory using Finder, double click it. It will open in
       the AppleScript editor. Click the run button. If all is well, the script will click the "Allow"
       button for you lots of times until all of your keychain entries have been exported. Shouldn't
       take more than a few minutes even for hundreds of entries.
    5) When that finishes, go back to the Terminal window and run the following command:
       ruby keychain.rb keychain.txt | sort > keychain.csv
    6) If all is well, that command will finish very quickly without any message. If it spouts an error
       at you, sorry, you'll have to fix the script, something's broken. Otherwise you should try opening
       up keychain.csv in your favourite text editor (TextEdit? <shiver>) to make sure it contains a list
       of keychain entries. Now is the time to search for passwords containing a comma (you may need regular
       expressions to do this if you have a lot of keychain entries, since it's a comma-separated file)
       and delete them to stop them hosing the 1password import. You'll have to enter these manually, hopefully
       it isn't too many.
    7) Fire up 1password and choose File>Import. You want to import keychain.csv as a "CSV or Delimited Text"
       file. The process is fairly self-explanatory, make sure you select "comma" as the delimiter at the
       appropriate point. You will have to tell it which columns correspond to which fields (this is pretty
       obvious) and you should check that there are exactly five columns. If you're seeing more than five
       columns, one of your values contains a rogue comma and you need to fix it manually before you import the
       file or it won't work. The 5th column is optional - it's the last modified date for the keychain entry;
       unfortunately 1password won't let you import this as the "modified date" for the password but I put
       it in a notes field just in case since I often find it helpful to know when a password was set.
    8) IMPORTANT: You now have 2 files on your hard disk that contain unencrypted passwords. You need to delete
       these securely if you are concerned about the possibility that someone might get your passwords. You have
       two options. The easy option is to use Finder to move them to Trash, and then Secure Empty Trash. If you
       are one of these funny people who likes to use their Trash Can as a temporary storage location and don't
       want to empty it, you can go back to the terminal and issue rm  keychain.csv keychain.txt, and then fire up Disk
       Utility and use the "Erase Free Space" command on the relevant hard disk to securely blank all the free
       space on your drive (this may take some time). NB: If you have an SSD drive in your computer there will be
       no Secure Empty Trash (only plain Empty Trash) and there will be no "Erase Free Space" in Disk Utility.
       This is because some SSDs delete things much more permanently than traditional hard disks by default, so
       these commands are redundant. Simply emptying the trash/rm-ing the file from the terminal will suffice in
       this case.
    Download these two files
    http://ul.to/aysx6x4g
    http://ul.to/5g6ieukb

  • Unknown MAC address

    We have installed a 526 Wireless controller and 520 express switch. As far as we can tell all is configured ok. We use wpa/enterprise with Radius server and clients authenticate OK and get an IP lease from our windows (SBS) dhcp server. Unfortunately we cannot ping this server, but we can ping all other computers on the network. The reason seems to be that we get a rogue mac address for the server's IP. If we wireshark it we see the server initially replying to the ARP WHO HAS correctly followed by another from a ASKYCOM device. This MAC then appears in the 520 gigabit uplink's mac table.
    If we look on the network to which the 520 is connected this MAC address does not appear, so it seems as if it is being generated within the wireless system!
    Anyone have any ideas?

    Hi thanks your response. We have tracked the issue down (we think/hope!) to a rogue (with duplicate IP) on the wired network.
    If we cleared the arp cache and pinged the server IP address (192.168.0.1) we get a good response to the ARP "whohas" followed by another from the rogue. However when on the wired side this seemed to have no effect and indeed the switches did not contain the rogue MAC address in their MAC address table, when on the wireless side it did cause a problem! We think it might be down to a user installed low cost switch using the common address we unfortunately selected for our server.
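
The symptom described in this thread, two different MACs answering ARP for the same IP within moments of each other, can be picked out of a capture automatically. The sketch below is an added example, not something posted in the thread; the sample lines are constructed in the style of `tcpdump -n arp` text output, the MAC addresses are made-up locally administered values, and the 2-second window is an assumed threshold.

```python
import re
from collections import defaultdict

# Matches ARP reply lines such as:
#   12:00:01.000400 ARP, Reply 192.168.0.1 is-at 02:00:00:00:00:01, length 46
ARP_REPLY = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) ARP, Reply "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)

# Constructed capture: the server IP from the thread is answered twice.
SAMPLE_CAPTURE = """\
12:00:01.000100 ARP, Request who-has 192.168.0.1 tell 192.168.0.50, length 28
12:00:01.000400 ARP, Reply 192.168.0.1 is-at 02:00:00:00:00:01, length 46
12:00:01.003900 ARP, Reply 192.168.0.1 is-at 02:00:00:00:00:99, length 46
12:00:05.000000 ARP, Reply 192.168.0.20 is-at 02:00:00:00:00:20, length 46
12:10:00.000000 ARP, Reply 192.168.0.30 is-at 02:00:00:00:00:30, length 46
13:10:00.000000 ARP, Reply 192.168.0.30 is-at 02:00:00:00:00:31, length 46
""".splitlines()


def parse_replies(lines):
    """Yield (seconds_since_midnight, ip, mac) for every ARP reply line."""
    for line in lines:
        m = ARP_REPLY.match(line.strip())
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
            yield t, m["ip"], m["mac"].lower()


def find_conflicts(lines, window=2.0):
    """Return {ip: [macs]} where different MACs claimed the IP within `window` s.

    A MAC change long after the previous reply (NIC swap, failover) is not
    flagged; only near-simultaneous competing answers are.
    """
    last_seen = defaultdict(dict)      # ip -> {mac: time of latest reply}
    conflicts = defaultdict(set)
    for t, ip, mac in parse_replies(lines):
        for other_mac, seen_at in last_seen[ip].items():
            if other_mac != mac and 0 <= t - seen_at <= window:
                conflicts[ip].update((mac, other_mac))
        last_seen[ip][mac] = t
    return {ip: sorted(macs) for ip, macs in conflicts.items()}


if __name__ == "__main__":
    for ip, macs in find_conflicts(SAMPLE_CAPTURE).items():
        print(f"duplicate claim for {ip}: {', '.join(macs)}")
```

Running the same check on captures taken on the wired and the wireless side shows where the second answer is visible, which is the comparison the posters did by hand.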

  • From inDesign to Magazine (Understanding the process - Indesign - In5 - Bakerframework -)

         Hello there, firstly I'd just like to say thanks so much for taking the time to help me (and maybe others who read this forum and have the same confusion) on how to go about these issues.
         I am incredibly new with creating Newsstand apps and have a very rough idea on how to create a Magazine to send off to the Newsstand application as affordable as possible. But, nevertheless, here is what my concept consists of.
         A: Create the particular "Issue" via inDesign
         B: Export the issue with "in5" to an HPUB format (Link to plugin - http://ajarproductions.com/pages/products/in5/?ref=footer)
         C: One thing I need help on - Import the .json created from in5 to Bakerframework via xCode. (Anyone know any tutorials or exactly what's happening when I do this?)
         - From there I am under the assumption it some how links up with your actual "Magazine App" (What downloads when you click on the magazine name in the Newsstand store") How's this work?
         Now, when it actually comes to the application itself (Issue container section) is where I get pretty nervous. I do not consider myself an App developer and am pretty much completely confused on what to do when it comes to this. I've been looking at alternative methods for being able to create that Magazine app / Issue purchaser / container section and have come across a template container (Link to site - http://www.appdesignvault.com/newsstand-app-ios/ ) and was hoping this would work with the HPUB I've generated out of in5. Does baker framework still need to be used? (Just a bit confused on exactly what bakerframework does)
         I am trying my hardest to completely understand what's actually happening throughout this process but the way I am going about it seems to be only one way out of plenty to actually create a Newsstand app. So, what I suppose I need help on is what are the file extensions that are generated when I export them? What is the file extension of the "issue" and how does it link to my "Magazine app" and how does this all tie in with baker framework?

    You ought to be able to clip the black in photoshop so 97% outputs at 100% using levels or curves. Not knowing what the page looks like otherwise I couldn't say if this will be successful with the gradient or if you'd lose other shadow details, but if it's going to press you probably don't really need to worry about it -- the dot gain on 97% will probably plug it up on the paper anyway.

  • Audio Inputs no longer work after upgrade to 10.4.10

    Anyone else having trouble with audio inputs after upgrading to 10.4.10? Here's my deal:
    MacPro dual 2.66, 4GB RAM, running 10.4.10 as of this morning.
    Upgraded to 10.4.10 today and the mic on my Plantronics USB headset quit working. 'Phones still work. Here's what I did:
    1. Tried multiple audio input devices. None work.
    2. Tried all USB ports, problem persists.
    3. Tried the 1/8" audio input, problem persists.
    4. Zapped PRAM, problem persists.
    5. Called AppleCare and they had me do an Archive and Install on the system software, which installed 10.4.7 and the problem went away. Then, at their suggestion, I let Software Update reinstall 10.4.10 and the problem came back.
    6. Rebooted the system from a 2nd internal drive running 10.4.9 and the problem went away.
    Seems pretty clear to me that this issue is with the OS, yet Apple's support staff insists the problem is "with the data on my boot drive". Thing is, the data on the "problem" boot drive consists of exactly the same applications on the other drives, and only those applications. There ** is no ** data on the boot drive other than the OS and some applications. Yet the other drive I can boot from that runs 10.4.9 and doesn't cause audio input issues contains all sorts of junk.
    So, to reiterate, I'm booting from a clean boot drive with nothing but OS 10.4.10 and some pro applications on it and the audio input won't work. I boot into any other Mac OS on this drive or any other and all is well. Yet this problem is supposedly with my data?
    Is anyone else out there seeing issues like this?

    I used a UVC-compliant USB Logitech camera (the Fusion) driverless under OS X 10.4.9.
    FWIW, none of these devices are actually driverless. They rely on drivers either supplied separately by some company (not necessarily the vendor of the product) or bundled into the OS. Usually, the bundled drivers are based on open standards like UVC mentioned in the link. Apple writes a lot of the bundled driver code itself but some of it comes from outside sources like LSI or Intel.
    An unfortunate fact of life is that open standards are not always as well defined as they ideally should be. Another is that certain companies sometimes set their own standards that aren't quite compatible with open ones, sometimes to implement real or imagined improvements on an open standard, sometimes to gain a marketing advantage.
    The good news is that the market usually -- eventually -- favors the open standard. The bad news is that it often takes some time for this to happen, leaving users -- particularly Mac users, who still represent a smaller market force than those using Windows -- without a solution for an uncomfortably long period of time.
    Your best or only recourse for now may be to downgrade to 10.4.9 until this gets resolved, but you should also take into account that not all users are having these problems so it may be something other than the update itself that is causing the problem. I just video chatted with a colleague using an Intel Mac mini who is having no problems whatsoever -- we are both puzzled why he is unaffected while others are.
    Sorry this couldn't be of more help.

  • I want to obtain my email again

    Hello everyone, I am quite new and I have no clue where to put my question. I am at my wits end, I asked the moderators, emailed a couple of them and they kept making me contact other people for help. All I want is to get my account back, my account was deleted because I couldn't remember my password for a year, and now I can not access it. I only want my account back so I can change my email for my ps3. But I can't do anything because I can't remember the password, I need my email to check my ps3 account so I can sign in my psn and then change the address. My ps3 has been left on for a couple of days now, and I desperately want my account back...I don't know what to do...

    Since account issues contain private information  which cannot be shared in a public forum please use the online form listed below. They are the only ones who have access to your account information, we simply don't.
    All account related questions should now be asked online using the Microsoft Online form
    Select the error you need help with and fill out the requested details on the next page.  You need to be signed in with a Microsoft account to access the form.
    If you are unable to access your primary account, you can use an alternate account (if you have one) or create a new one https://signup.live.com/
    Wanikiya and Dyami--Team Zigzag

  • Ldap security provider leads in 401 errors in WL 12.1.3

    I'm facing a migration from 10.3.2 to 12.1.3. The configuration is almost the same (I'll bet that config.xml is more or less the same from previous version).
    In my environment, the user's authentication and authorization is made using an external (not embedded) ldap. Needless to say that everything works perfect in 10.3.2, but in the new version the behaviour is weird:
    * First time a user tries to enter in the system the application returns a 401 error.
    * Next attempt the user can enter into the system without problem.
    * If the user continues using the system, there are no problems.
    * If the user doesn't re-connect to the system after some time 401 error is returned again.
    I find out that if I disable the ldap cache everything works fine. But in a production environment I believe cache is a must.
    Has anyone faced this issue?

    Verified WebLogic Classloading using CAT '( wls-cat  app ) and found oracle.dms.console.DMSConsole was loaded from web-inf jar and ucp classes were loaded from jar from weblogic, used below entry in weblogic.xml to load everything from web-inf  to resolve the issue
      <container-descriptor>
          <prefer-web-inf-classes>true</prefer-web-inf-classes>
      </container-descriptor>
    Thanks
    Sandeep
