Rogue detection

Hi,
I would need some clarifications about rogue AP detection. First, in order to configure passive rogue detection, is it necessary to just set up a rogue detector AP, or do I also need to enable RLDP? Second, in your experience, how reliable is it?
Thanks,
Matteo

Hi Matteo:
Passive rogue detection is just on--no rogue detector AP required!  Just like anything else in life, the more resources you put toward something, the better it's going to be.  If you have AP Authentication or MFP configured (which you should anyway), you'll have fewer false alarms and the routines will know not to call your own APs rogues.  RLDP will tell you if a rogue AP is just cabled up in your network but doesn't have any clients yet and will allow you to do switchport tracing to find one from the switch side.  Rogue Detector APs don't handle client traffic, they just dedicate themselves to listening and reporting rogue activity back to the controller.  In a world where budgets are tight, we hear that it can be tough to get funding for APs that don't service clients.  Again, you don't *have* to do any of it, just the more you put in, the more accurate your results will be.
As for inaccuracies, that usually comes from folks having things misconfigured in their network or not having enough configured (i.e. choosing to not do RLDP or Rogue Detectors.)
Sincerely,
Rollin Kibbe
Network Management Systems Team

Similar Messages

  • Rogue detection with Prime 2.1

    Hi@all,
    I know, many questions in the last few days, but I must say the last WCS works better than the combination of Prime 2.1 and 5760 ;).
    My problem: we have a huge campus and at peaks ~1500 rogue APs.
    In my new configuration (2x 5760 and Prime 2.1), the WLC sees the rogue APs, but in the security dashboard on Prime no rogues are listed.
    The 5760s are in the same mobility/RF group; the polling interval on Prime is 15 minutes.
    Maybe some one has a similar problem and could help.
    regards
      René

    Hi
    Do you see the rogue AP on the 5760 itself? The "show wireless wps rogue ap summary" output shows you the identified rogue APs. If you can't see anything there, then you may not have enabled rogue AP detection on your controller. See whether in your 5760 configuration the first line below is configured (which will enable rogue detection). The second line is to increase the threshold to minimize false detection. Refer to the 5760 RRM config guide for more details.
    wireless wps ap-authentication
    wireless wps ap-authentication threshold 50
    This document describes some of the best practices of 5760 configuration, including rogue detection as well.
    Cisco 5760 IOS Wireless LAN Controller Configuration Best Practices
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Question on Rogue Detection

    Hi All,
    I have a question regarding rogue detection configuration on WLC.
    We know that rogue detection can be enabled on a per-AP basis under the Advanced tab of each AP, starting from code 6.0, and it also supports rogue detection in RF groups when we configure the protection type as "AP Authentication" under the WLC Security tab, which makes APs authenticate frames based on the RF group name; if the name is different, then the AP is considered a rogue.
    So the question is: if we only enable rogue detection at the AP level, but leave the AP authentication selected as "none", how does the AP detect rogues? Does that mean that if any signal detected is not from the APs connected to the WLC, then this will be considered a rogue?
    Also, in the configuration guide, under the section "enable rogue access point detection in RF groups", it says rogue detection will need the AP to be configured as either local or monitor mode when we also have AP authentication enabled. However, if an AP is in H-REAP mode, we are still able to enable/disable rogue detection under the Advanced tab, so how do H-REAP mode APs detect rogues? Is that the same method as when AP authentication is selected as "none"?
    thanks in advance for your help.

    I've done some tests as well:
    I have multiple WLCs on the same mobility and same RF groups. AP Auth type set to "none" on all of them. I took one WLC (I'll call it hereafter "My WLC") and changed its RF group name. I also changed its AP auth policy to "AP Authentication". All WLCs have the same SSIDs configured. I added one extra test SSID on "My WLC".
    The results are:
    - The WLC with the different RF group name did not mention other APs as rogues. Other APs did not mention my WLC's APs as rogues either.
    - There is a very high number of AP impersonations detected by "My WLC". Other WLCs did not detect AP impersonation. This indicates that other APs on other WLCs try to contain "My WLC" APs. However, "My WLC" does not seem to try impersonating other APs. (It is worth noting that the number of APs on "My WLC" is much less than the number of APs on the other WLCs.)
    - When using "AP authentication", there is a new IE appears in the SSID beacons.
    The part highlighted in blue is the information that could not be interpreted (as seen in the yellow highlight above). This information differs based on the SSID. A different SSID name shows different information. This IE seems to carry the information about the RF group name. If this does not appear when using "none" as the AP auth policy, then WLCs cannot distinguish different RF group names if AP auth is set to "none" (because I could not find any RF group info anywhere else in the beacon packet. If you know it exists somewhere else, please let us know. So far I assume it is included in this vendor-specific IE).
    - When I changed the AP auth to "none" the number of AP impersonation reported started to decrease gradually. I'll keep monitoring to see what it will be after couple of hours.
    - The config guide is very useful. However, sometimes it is extremely stupid. Why?
    Well, because if you go to the part that talks about configuring MFP (http://tiny.cc/un6thw), and if you go to Step 5, you will find that the option mentioned in Step 5 is not available on the AP. It tells you that to enable or disable MFP validation for a specific AP you can do this from under the Advanced tab. However, this option is not available under the Advanced tab. I had a big discussion with TAC about this a very long time ago. Prompted the doc guys about it, but so far nothing has changed.
    HTH
    Amjad

  • Rogue Detection and SPT issues

    Deployed wireless a few months ago. From a client-to-infrastructure standpoint, the majority of users are happy with the ability to go wireless with their personal and work devices.
    The problem we're facing is proper identification of rogue APs on our wired network (hot spots aren't important).
    I've set up a few Linksys APs connected to our access switches and found WLC/Prime finds the rogue APs, but when an SPT is performed, both WLC/Prime state it's not on the wired network (which is not true). If I do a manual trace in Prime, it will work, but I can't do a manual trace every time I get an alert (we're in a major US city). Further investigation shows the LAN and WLAN MAC addresses of this Linksys router are +/- from one another (confirmed with the ARP table on the access switch and by going into Prime and looking at the alert). In which case, Prime should see it as WIRED and mark it as a ROGUE and alert me.
    Found a document
    http://www.cisco.com/en/US/customer/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1603927 stating only the following switches are supported: 3750, 3560, 3750E, 3560E, and 2960.
    I can't see how these are the only supported devices, most are older than the 4510. I posted this in another thread and a rep provided me the link
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml
    Read this and even went further and read the ROGUE MANAGEMENT WHITE PAPER
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml
    This does not mention a limitation on switch support. It states that if CDP and SNMP are enabled, along with the local access switches added to Prime, it should work.
    Here is the currently list of deployed devices, code and basic configuration
    Access Switches - 4510 - image: cat4500e-universalk9.SPA.03.02.02.SG.150-2.SG2.bin
    WLC - 5500 - image 7.4.103.9
    AIR-CAP3602I-A-K9 - 152 deployed, 151 are configured for Local Mode, 1 is configured as Rogue Detector (trunked with all access vlan's passing thru)
    RLDP is enabled on all Local Mode APs, which after reading is not best practice because of time slicing and the fact that it degrades client quality and can kick users off.
    Basically looking for feedback from others who have deployed wireless and have successfully configured their environment for ROGUE AP DETECTION with SPT. What are your thoughts and what do you run?
    Thanks in advance

    Mark:
    Complaints about the performance of Switchport Tracing are pretty common.  The best way to build this out is to start with your planted rogue AP connected to the same switch that your Prime Infrastructure server connects to--or the first wired switch that the ESX/ESXi host connects to--and validate that it works there, make whatever changes you need to get it working, then move the planted rogue AP to the next switch and so on.  The logging modules Configuration, General, Monitor, GUI, System and Tools should cover everything you need to know about why Switchport Tracing isn't giving the results you expect.  This "start small and work your way up" approach helps you learn lessons about what needs to be configured on all your switches to have it working the way you want it to.
    Configuring Switchport Tracing

  • WLSE adjust beacon count for rogue detection

    Hi all,
    Does anyone know if there is any way to adjust how many beacons it takes for a device to be displayed as a rogue in device faults? I've been all over the settings area and cannot find anything regarding it.
    WLSE is version 2.9
    Here's what's happening:
    campus of about 300 1210G AP's
    Friendlies are showing up as rogues after seeing a single packet. This is typically a malformed packet, meaning it is incomplete, i.e. the SSID is incomplete.
    ALL friendly's are managed by WLSE and are in the database.
    What I would like to do is have it require seeing 2-5 beacons before it is tagged as a rogue and entered into the faults table.
    Thanks,
    Brian

    Hi,
    I recommend that you do not load 12.3(2)JA code; there are several bugs associated with this code. One being trouble acquiring a DHCP address and the other is that APs will reboot whenever they feel like it. The DHCP problem I have not experienced, but there is a bug listed with TAC and several people on the discussion pages have had this problem. I have just started to see my APs that have this code reboot, and there are several others on the discussion page who are saying they are having the problem with 1100 APs. I have over three hundred APs (1200, 1100, 350), most running 12.2(15)JA without any problems other than the WLSE rogue issue.

  • AP goes off channel while identifying rogue ap threats

    I'm having a problem where client connections get dropped when the AP identifies a rogue AP threat.  In some cases, the client is dropped every 5 minutes for up to 30 minutes.  My clients are connected over a RADIUS setup authenticating with an IAS service.
    Found this on Cisco Support site:
    Cisco lightweight access points are known to go off channel for up to 30 seconds (typically 1 to 2 seconds) while identifying rogue access point threats, when the Cisco lightweight access point has RLDP enabled. This can cause client connections to be dropped occasionally (CSCar10047).
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/r1x4x31.html
    Should RLDP be disabled or enabled?  Is there any work-around for this?
    My WLAN Environment:
    - Controller - WLC2106; software version 6.0.182.0
    - (3) 1242ag Access Points
    - (1) 1131ag Access Points
    Thanks in advance.

    As a troubleshooting step, I have disabled RLDP on all Wireless Networks.
    (Cisco Controller) config> rogue detection disable all
    I'll monitor and report back after 4 business days.

  • Finding rogue APs that are on wired network

    I am beginning to think that there is no way to guarantee that a rogue AP is connected to your wired network. I have read up on RLDP and "rogue detection". I was excited because I thought rogue detection would accomplish this. However, when I connect an autonomous AP to my wired network, it does not get identified as being on my wired network despite the "rogue detector" being in place and connected to a trunk port with all network VLANs on it. In thinking through this, I believe this is because the radio MAC and Ethernet MACs are different on the autonomous AP. The Ethernet MAC of the autonomous rogue AP is in the rogue detector DB, not the radio MAC. So when the detecting APs send the radio MAC to the rogue detector, it doesn't get flagged. Can anyone confirm this? And if so, offer any insight into a workaround? I was able to get a "rogue client" flagged as a threat connecting via this AP, because its ARP entry is in the rogue detector's DB. But I can't get the AP flagged. If this is the case, then rogue detection is more or less useless to me because I care about rogues on my network (obvious security breach), not rogues in other businesses in my area. I would rather know when the rogue AP goes in and not have to wait until a rogue client connects to it. Please advise....
    Regards Chuck

    Network Chemistry makes a free tool (as well as a more advanced product you can buy) that might fit the bill for you. It relies on people properly classifying the devices on their own network with the free tool to build a database of device types based on the vendor ID digits of MAC addresses, as well as some SNMP scanning (I think). A link is below. I don't have a lot of experience with the tool, only because I'm not entirely convinced of its accuracy, but to be honest, I've never really used it in a production environment.
    Good luck!
    -Chris
    http://www.networkchemistry.com/products/roguescanner.php
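    The gap Chuck describes above (the rogue detector holds the autonomous AP's Ethernet MAC, while the detecting APs report its radio MAC) and Mark's observation in the SPT thread that the Linksys LAN and WLAN MACs differ by +/-1 suggest a cross-check that can be run outside the controller: take the BSSIDs from the rogue list and look for a wired MAC with the same OUI within a few addresses of each one in the access switches' MAC tables. The script below is an added example, not code from this thread or from Cisco. The rogue summary, the MAC tables, the switch names, the uplink port list and the +/-8 search window are all constructed assumptions.

```python
"""
Correlate rogue AP BSSIDs heard over the air with MAC addresses learned on
wired switch ports (added example; constructed data, not real devices).

Many consumer APs/routers derive the radio BSSID from the LAN MAC by a small
offset in the last byte, so a wired MAC sharing the OUI and lying within
MAX_DELTA of the BSSID is treated as evidence the rogue is on the wire.
"""
import re
from dataclasses import dataclass

MAX_DELTA = 8  # hypothetical search window; widen if a vendor uses bigger offsets


@dataclass(frozen=True)
class WiredHit:
    switch: str
    port: str
    vlan: int
    wired_mac: str
    delta: int  # wired_mac - bssid, signed


def mac_to_int(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aa-bb-cc-dd-ee-ff; return a 48-bit int."""
    hexstr = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexstr) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return int(hexstr, 16)


def int_to_mac(n: int) -> str:
    return ":".join(f"{(n >> s) & 0xff:02x}" for s in range(40, -1, -8))


def parse_rogue_summary(text: str) -> list[str]:
    """BSSIDs from 'show rogue ap summary' style output (MAC is the first column)."""
    pat = re.compile(r"\s*([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s", re.I)
    return [m.group(1).lower() for line in text.splitlines() if (m := pat.match(line))]


def parse_mac_table(switch: str, text: str, ignore_ports=frozenset()):
    """(switch, vlan, mac, port) rows from 'show mac address-table' style output.
    Uplink/trunk ports are skipped: the rogue's MAC is also learned on them on
    every switch upstream of it, which is what misleads a naive search."""
    pat = re.compile(r"\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)
    rows = []
    for line in text.splitlines():
        m = pat.match(line)
        if m and m.group(3) not in ignore_ports:
            rows.append((switch, int(m.group(1)), m.group(2).lower(), m.group(3)))
    return rows


def correlate(bssids, wired_rows, max_delta=MAX_DELTA) -> dict[str, list[WiredHit]]:
    """Map each BSSID to wired MACs with the same OUI within max_delta, and their ports."""
    by_oui: dict[int, list] = {}
    for switch, vlan, mac, port in wired_rows:
        n = mac_to_int(mac)
        by_oui.setdefault(n >> 24, []).append((switch, vlan, n, port))
    hits: dict[str, list[WiredHit]] = {}
    for bssid in bssids:
        b = mac_to_int(bssid)
        for switch, vlan, n, port in by_oui.get(b >> 24, []):
            delta = n - b
            if abs(delta) <= max_delta:
                hits.setdefault(bssid, []).append(WiredHit(switch, port, vlan, int_to_mac(n), delta))
    return hits


# --- constructed sample data (not real devices) ---------------------------
ROGUE_SUMMARY = """\
MAC Address        Classification     # APs # Clients Last Heard
-----------------  ------------------ ----- --------- ------------------------
00:1e:e5:aa:bb:c1  Unclassified       2     1         Mon Jul 14 10:12:01 2014
c0:a0:bb:11:22:33  Unclassified       1     0         Mon Jul 14 10:09:45 2014
00:1e:e5:aa:bb:f0  Unclassified       1     0         Mon Jul 14 09:58:02 2014
"""
MAC_TABLES = {
    "access-sw-01": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001e.e5aa.bbc0    DYNAMIC     Gi2/0/14
  10    0011.2233.4455    DYNAMIC     Gi2/0/3
""",
    "access-sw-02": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001e.e5aa.bbc0    DYNAMIC     Po1
  10    f8d1.1199.0001    DYNAMIC     Gi1/0/2
""",
}
UPLINKS = {"access-sw-01": frozenset({"Po1"}), "access-sw-02": frozenset({"Po1"})}  # assumed


def find_wired_rogues() -> dict[str, list[WiredHit]]:
    rows = []
    for switch, table in MAC_TABLES.items():
        rows += parse_mac_table(switch, table, UPLINKS.get(switch, frozenset()))
    return correlate(parse_rogue_summary(ROGUE_SUMMARY), rows)


if __name__ == "__main__":
    for bssid, hits in find_wired_rogues().items():
        for h in hits:
            print(f"{bssid} likely WIRED: {h.switch} {h.port} vlan {h.vlan} "
                  f"(wired MAC {h.wired_mac}, delta {h.delta:+d})")
```

    With the constructed data only 00:1e:e5:aa:bb:c1 is flagged, on access-sw-01 Gi2/0/14 (wired MAC one below the BSSID); the same MAC on access-sw-02's Po1 uplink is ignored, and 00:1e:e5:aa:bb:f0 shares the OUI but is 48 addresses away, so it is not matched. This is a heuristic, not proof: a same-vendor device that happens to sit next to the rogue in address space will match too, so confirm with a manual trace or by watching the port before shutting it.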

  • Rogue reporting in WCS

    Can anybody tell me what the difference is between the following 2 default Security reports:
    Rogue APs
    Rogue APs Event
    WE run both of these nightly, but the Rogue APs Event report usually is about 20 pages or so, and the information there has way more than what I see when I compare to my controller. The Rogue APs report usually matches what I see on my controller regarding current rogues. Does the Rogue APs Event report just detail everything that the access points have seen in the reporting time period? Some clarification on this would be greatly appreciated.
    Thank you.

    Rogues Detected by APs Report displays information about specific rogue access points detected on the network, rather than having to look into each rogue alarm and manually assemble a list. The data that is returned includes but is not limited to the following: the name of the detecting access point, the MAC address of the rogue, and the location of the rogue.
    and Security Summary Report shows the number of association failures, rogues access points, ad hocs, and access point connections or disconnections over one month.

  • Error! cannot enable extended adj rogue

    I need a little help.
    When enabling Adjacent Channel Rogue (Management>Trap Controls>Security), I get the following error:
    Error! cannot enable extended adj rogue.
    Why do I get this error?
    Reading the WLC help pages, I did not see any documentation on this error nor enabling Adjacent Channel Rogue.
    Searching the Cisco Wireless LAN Controller Configuration Guide, Release 7.4, I did not find any documentation on this error or on enabling Adjacent Channel Rogue.

    I never use it, but it probably gives you an error because you are not using either monitor mode APs or RLDP. You don't want to enable RLDP either, just to let you know. Here is more info on rogue detection that does explain the caveats of using RLDP.
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml
    Sent from Cisco Technical Support iPhone App

  • Don't see any rogue ap with cisco AP 1522

    Hi,
          I'm not able to detect any rogue ap using 1522AG ap.
    The ap are in bridge mode (not able to change this operational mode) and rogue detection is enabled on the ap.
    Waiting for any hints ...
    Thanks, luigi cacco.

    My info was outdated. The 1522 can detect rogues in recent software versions. But:
    CSCtn50893   1520 Stopped Detecting Rogues
    4402 7.0.98.
    1522's are in a college environment and typically report hundreds of rogue ap's.
    Without any changes, the 1522's stopped detecting and reporting rogue ap's.
    The customer has toggled the IDS(Rogue and Signature Detection) value,
    rebooted controller, still doesn't work.
    1142's associated to the same controller have always and continue to detect and report rogue ap's.
    Fixed in 7.0.116

  • Rogue Detector question

    I have 2 controllers 2106 both with the same mobility group, I have 3 APs in one controller and 3 APs on the other. I have just one rogue detector. Do I need a rogue detector on both or just in one controller?

    Rogue detection is not bound by any regulations and no legal adherence is required for its operation. However, rogue containment usually introduces legal issues that can put the infrastructure provider in an uncomfortable position if left to operate automatically. Cisco is extremely sensitive to such issues and provides these solutions. Each controller is configured with an RF Group name. Once a Lightweight AP registers with a controller, it embeds an authentication Information Element (IE) that is specific to the RF Group configured on the controller in all its beacons/probe response frames. When the Lightweight AP hears beacons/probe response frames from an AP either without this IE or with the wrong IE, then the Lightweight AP reports that AP as a rogue, records its BSSID in a rogue table, and sends the table to the controller. There are two methods, namely Rogue Location Discovery Protocol (RLDP) and passive operation. These two are described in detail in the link below.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml
    As you can see from above all APs listen for rogues based on the above criteria but this is costly in resource overhead and is better solved by placing certain APs in rogue detection mode. This will become even more invaluable with the advent of the IDS/IPS solution.
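    The classification rule in the reply above (beacon without the RF-group IE, or with the wrong one, means rogue), the vendor-specific IE Amjad saw appear in beacons once AP Authentication was turned on, and the beacon-count threshold Brian asked for in the WLSE thread fit together in one small model. The code below is an added example, not code from this thread or from Cisco, and it is only a sketch of the idea: the real Cisco element is proprietary and its layout is not on this page, so the OUI 00:40:96 with type byte 0xA0 and the 8-byte token derived from the RF group name are hypothetical stand-ins, and all frames are constructed inline.

```python
"""
Classify beaconing APs by an RF-group element in their beacons (added example;
the element layout is a hypothetical stand-in for Cisco's proprietary IE).

A beacon without the element, or with one for another RF group, counts as a
rogue sighting; a BSSID is reported only after MIN_BEACONS such sightings so a
single truncated frame cannot flag a friendly AP.
"""
import hashlib
import struct
from collections import defaultdict

VENDOR_IE = 221                # 802.11 element ID for vendor-specific IEs
MARKER_OUI = b"\x00\x40\x96"   # hypothetical OUI for the stand-in element
MARKER_TYPE = 0xA0             # hypothetical type byte
MIN_BEACONS = 3                # sightings before a BSSID is reported as rogue


def rf_group_token(rf_group: str) -> bytes:
    """Hypothetical 8-byte token bound to the RF group name."""
    return hashlib.sha256(b"rfgrp:" + rf_group.encode()).digest()[:8]


def parse_ies(body: bytes) -> tuple[list[tuple[int, bytes]], bool]:
    """Split the tagged-parameter section of a beacon body into (id, value) pairs.
    Returns (ies, truncated); truncated is True when an element's length runs
    past the end of the frame, which is what a malformed capture looks like."""
    off = 12  # timestamp(8) + beacon interval(2) + capability(2)
    ies = []
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        if off + 2 + ln > len(body):
            return ies, True
        ies.append((eid, body[off + 2:off + 2 + ln]))
        off += 2 + ln
    return ies, off != len(body)


def classify(body: bytes, my_rf_group: str) -> str:
    """'managed', 'rogue' or 'malformed' for one beacon body."""
    ies, truncated = parse_ies(body)
    if truncated:
        return "malformed"
    prefix = MARKER_OUI + bytes([MARKER_TYPE])
    for eid, val in ies:
        if eid == VENDOR_IE and val[:4] == prefix:
            return "managed" if val[4:] == rf_group_token(my_rf_group) else "rogue"
    return "rogue"  # no marker element at all


class RogueTracker:
    """Counts rogue verdicts per BSSID and reports after min_beacons of them."""

    def __init__(self, my_rf_group: str, min_beacons: int = MIN_BEACONS):
        self.rf_group = my_rf_group
        self.min_beacons = min_beacons
        self.rogue_count = defaultdict(int)
        self.reported = set()

    def observe(self, bssid: str, body: bytes) -> str:
        verdict = classify(body, self.rf_group)
        if verdict == "rogue":  # malformed frames are not counted
            self.rogue_count[bssid] += 1
            if self.rogue_count[bssid] >= self.min_beacons:
                self.reported.add(bssid)
        return verdict


# --- constructed frames -----------------------------------------------------
def beacon_body(ssid: str, extra_ies) -> bytes:
    """Fixed fields, an SSID element, then the given (id, value) elements."""
    body = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capability
    body += bytes([0, len(ssid)]) + ssid.encode()
    for eid, val in extra_ies:
        body += bytes([eid, len(val)]) + val
    return body


def marker_ie(rf_group: str) -> tuple[int, bytes]:
    return VENDOR_IE, MARKER_OUI + bytes([MARKER_TYPE]) + rf_group_token(rf_group)


def run_demo() -> tuple[dict[str, list[str]], set[str]]:
    tracker = RogueTracker("campus-rf")
    ours = beacon_body("corp-wifi", [marker_ie("campus-rf")])
    other_group = beacon_body("corp-wifi", [marker_ie("branch-rf")])  # same SSID, wrong group
    consumer = beacon_body("linksys", [(VENDOR_IE, b"\x00\x50\xf2\x01" + b"\x00" * 4)])
    cut_short = ours[:20]  # truncated mid-element, as in a malformed capture
    plan = [
        ("00:40:96:01:02:03", ours, 1),
        ("02:11:22:33:44:55", other_group, 3),
        ("c0:a0:bb:11:22:33", consumer, 2),
        ("00:40:96:01:02:04", cut_short, 5),
    ]
    verdicts = {}
    for bssid, body, times in plan:
        verdicts[bssid] = [tracker.observe(bssid, body) for _ in range(times)]
    return verdicts, tracker.reported


if __name__ == "__main__":
    verdicts, reported = run_demo()
    for bssid, vs in verdicts.items():
        print(bssid, vs)
    print("reported rogues:", sorted(reported))
```

    In the demo only the AP carrying a token for another RF group is reported: it was heard three times. The consumer AP with no marker element is a rogue on every sighting but has only been heard twice, and five truncated frames from a friendly AP produce no rogue count at all. Note what the model cannot do: an attacker who captures a valid beacon can replay the element, which is the AP impersonation case the thread mentions and the reason MFP, not this element, is the integrity control.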

  • AIR-CAP3502I-E-K9 does not join preferred controller

    I have an AIR-CAP3502I-E-K9 AP that is configured for two WLAN controllers with a preferred order. However, the AP does not join the primary controller, but uses the secondary one instead. I have a bunch of these AIR-CAP3502I-E-K9s; the majority work fine, but three of them do not.
    I have tried commands according to
    https://supportforums.cisco.com/docs/DOC-24917
    In the controller's GUI the order is properly configured. I also tried to use the "Clear All Config" option on the controller and configured the AP from scratch, but this did not help.
    Here is what I have
    XXXX#sh capwap client config
    configMagicMark         0xF1E2D3C4
    chkSumV2                30883
    chkSumV1                1073
    swVer                   7.2.111.3
    adminState              ADMIN_ENABLED(1)
    name                    XXXX
    location                YYYY
    group name
    mwarName                ZZZZ1
    mwarIPAddress           192.168.1.1
    mwarName                ZZZZ2
    mwarIPAddress           192.168.1.2
    mwarName
    mwarIPAddress           0.0.0.0
    ssh status              Enabled
    Telnet status           Enabled
    numOfSlots              2
    spamRebootOnAssert      1
    spamStatTimer           180
    randSeed                0xBAC2
    transport               SPAM_TRANSPORT_L3(2)
    transportCfg            SPAM_TRANSPORT_DEFAULT(0)
    initialisation          SPAM_PRODUCTION_DISCOVERY(1)
    ApMode                  Local
    ApSubMode               Not Configured
    AP Rogue Detection Mode Enabled
    OfficeExtend AP         [0] Disabled
    OfficeExtend AP JoinMode[0] Standard
    Discovery Timer         10 secs
    Heart Beat Timer        30 secs
    Led State Enabled       1
    Primed Interval         0
    AP ILP Pre-Standard Switch Support Disabled
    AP Power Injector Disabled
    Infrastructure MFP validation Disabled
    Configured Switch 1 Addr 192.168.1.2
    Configured Switch 2 Addr 192.168.1.1
    non-occupancy channels:
    Ethernet (Duplex/Speed) auto/auto
    *Mar  1 00:14:23.001: %CAPWAP-3-ERRORLOG: Selected MWAR 'ZZZZ2'(index 1).
    *Mar  1 00:14:23.001: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Aug 22 12:21:57.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.2 peer_port: 5246
    *Aug 22 12:21:57.581: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.1.2 peer_port: 5246
    *Aug 22 12:21:57.581: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.2
    My primary one is 192.168.1.1 and secondary is 192.168.1.2, but the AP joins always the secondary one.
    The lines above
    Configured Switch 1 Addr 192.168.1.2
    Configured Switch 2 Addr 192.168.1.1
    seem to be suspicious, I would expect the reverse order, but do not know how the code did it.
    The only guess is that in the very beginning the AP joined 192.168.1.2, and this was the controller I configured the AP initially from. The AP seems to maybe somehow remember this.
    OS version is
    swVer                   7.2.111.3
    Thanks,
    Vlad

    Yes, this is what I am trying all the time - configure the AP to point to the WLCs I want it to join.
    Firstly I did through GUI, did not work.
    Secondly I used the "Clear All Config" option on the controller and configured the AP from scratch through the GUI; did not work.
    Thirdly I tried through command line on the AP, did not work.
    I used these commands
    XXXX#capwap ap  primary-base ZZZZ1 192.168.1.1
    XXXX#capwap ap  secondary-base ZZZZ2 192.168.1.2
    XXXX#sh capwap client config
    configMagicMark         0xF1E2D3C4
    chkSumV2                30883
    chkSumV1                1072
    swVer                   7.2.111.3
    adminState              ADMIN_ENABLED(1)
    name                    XXXX
    location                YYYY
    group name
    mwarName                ZZZZ1
    mwarIPAddress           192.168.1.1
    mwarName                ZZZZ2
    mwarIPAddress           192.168.1.2
    mwarName
    mwarIPAddress           0.0.0.0
    ssh status              Enabled
    Telnet status           Enabled
    numOfSlots              2
    spamRebootOnAssert      1
    spamStatTimer           180
    randSeed                0xBAC2
    transport               SPAM_TRANSPORT_L3(2)
    transportCfg            SPAM_TRANSPORT_DEFAULT(0)
    initialisation          SPAM_PRODUCTION_DISCOVERY(1)
    ApMode                  Local
    ApSubMode               Not Configured
    AP Rogue Detection Mode Enabled
    OfficeExtend AP         [0] Disabled
    OfficeExtend AP JoinMode[0] Standard
    Discovery Timer         10 secs
    Heart Beat Timer        30 secs
    Led State Enabled       1
    Primed Interval         0
    AP ILP Pre-Standard Switch Support Disabled
    AP Power Injector Disabled
    Infrastructure MFP validation Disabled
    Configured Switch 1 Addr 192.168.1.2
    Configured Switch 2 Addr 192.168.1.1
    non-occupancy channels:
    Ethernet (Duplex/Speed) auto/auto
    XXXX#sh log
    Syslog logging: enabled (1 messages dropped, 8 messages rate-limited,
                    0 flushes, 0 overruns, xml disabled, filtering disabled)
        Console logging: level debugging, 61 messages logged, xml disabled,
                         filtering disabled
        Monitor logging: level debugging, 0 messages logged, xml disabled,
                         filtering disabled
        Buffer logging: level debugging, 67 messages logged, xml disabled,
                        filtering disabled
        Logging Exception size (4096 bytes)
        Count and timestamp logging messages: disabled
        Trap logging: level emergencies, 0 message lines logged
            Logging to 255.255.255.255(global) (udp port 514, audit disabled,  link down), 0 message lines logged, xml disabled,
                   filtering disabled
    Log Buffer (1048576 bytes):
    *Mar  1 00:00:09.424: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:09.434: *** CRASH_LOG = YES
    *Mar  1 00:00:09.434: 64bit PCIE devicesSecurity Core found.
    Base Ethernet MAC address: E0:5F:B9:A8:00:7F
    *Mar  1 00:00:12.482: %LINK-3-UPDOWN: Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:13.731: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:13.797: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar  1 00:00:16.996: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
    *Mar  1 00:00:17.052: %LWAPP-3-CLIENTEVENTLOG: Read and initialized AP event log (contains, 1024 messages)
    *Mar  1 00:00:17.068:  status of voice_diag_test from WLC is false
    *Mar  1 00:00:19.182: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C3500 Software (AP3G1-K9W8-M), Version 12.4(25e)JA2, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Fri 14-Sep-12 19:13 by prod_rel_team
    *Mar  1 00:00:19.182: %SNMP-5-COLDSTART: SNMP agent on host XXXX is undergoing a cold start
    *Mar  1 00:13:33.342: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:13:33.342: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:13:33.493:  status of voice_diag_test from WLC is false
    *Mar  1 00:13:33.632: %SSH-5-ENABLED: SSH 2.0 has been enabledlwapp_crypto_init: MIC Present and Parsed Successfully
    *Mar  1 00:13:33.956: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
    *Mar  1 00:13:34.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Mar  1 00:13:34.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:13:36.029: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
    *Mar  1 00:13:41.484: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 192.168.1.21, mask 255.255.255.0, hostname XXXX
    *Mar  1 00:13:51.981: Logging LWAPP message to 255.255.255.255.
    *Mar  1 00:14:01.997: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
    *Mar  1 00:14:06.099: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
    *Mar  1 00:14:07.190: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:14:08.191: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    *Mar  1 00:14:08.288: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:14:09.289: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:14:11.000: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER
    *Mar  1 00:14:23.001: %CAPWAP-3-ERRORLOG: Selected MWAR 'ZZZZ2'(index 1).
    *Mar  1 00:14:23.001: %CAPWAP-3-ERRORLOG: Go join a capwap controller
    *Aug 23 06:07:13.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.2 peer_port: 5246
    *Aug 23 06:07:13.578: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.1.2 peer_port: 5246
    *Aug 23 06:07:13.578: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.2
    *Aug 23 06:07:14.025: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Aug 23 06:07:14.091: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Aug 23 06:07:14.094: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller ZZZZ2
    *Aug 23 06:07:14.154: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    What I think might be the key to the problem is this
    Configured Switch 1 Addr 192.168.1.2
    Configured Switch 2 Addr 192.168.1.1
    This is not changing no matter what I do.
    Thanks,
    Vlad

  • AIR-CAP3702I booting up in mesh mode and not joining our 5508 WLC

    I have a batch of 30+ AIR-CAP3702I-A-K9 APs that I need to set up, but none of them are joining the 5508 WLC, and when I connect a console cable and view the output from the AP it shows that it is trying to initiate in mesh mode. I have read other forums that are showing that I need to put the AP's MAC address in a filter list on the WLC for it to show up, and then I will be able to change it from mesh mode to local mode. The only issue I'm having with that solution is not knowing how it will affect my current production environment off of that 5508 WLC. I have 69 active production APs with clients working off them, and there are no MAC filters currently in place on the WLC. By adding a MAC filter entry for the new APs, would the WLC create an implicit deny for all other clients that don't have their MAC addresses entered? If so, is there another workaround? Can the mode be changed via the CLI on the AP itself to make it local instead of mesh?

    sh capwap client rcb
    AdminState                  :  ADMIN_ENABLED
    SwVer                       :  7.6.1.118
    NumFilledSlots              :  2
    Name                        :  AP88f0.4290.7184
    Location                    :  default location
    MwarName                    :  xxxxx
    MwarApMgrIp                 :  x.x.x.x !<it has the correct name and IP of the WLC>
    MwarHwVer                   :  0.0.0.0
    ApMode                      :  Bridge
    ApSubMode                   :  Not Configured
    OperationState              :  JOIN
    CAPWAP Path MTU             :  576
    LinkAuditing                :  disabled
    ApRole                      :  MeshAP
    ApBackhaul                  :  802.11a
    ApBackhaulChannel           :  0
    ApBackhaulSlot              :  2
    ApBackhaul11gEnabled        :  0
    ApBackhaulTxRate            :  24000
    Ethernet Bridging State     :  0
    Public Safety State         :  disabled
    AP Rogue Detection Mode     :  Enabled
    AP Tcp Mss Adjust           :  Disabled
    AP IPv6 TCP MSS Adjust      :  Disabled
    Predownload Status          :  None
    Auto Immune Status          :  Disabled
    RA Guard Status             :  Disabled
    Efficient Upgrade State     :  Disabled
    Efficient Upgrade Role      :  None
    TFTP Server                 :  Disabled
    Antenna Band Mode           :  Unknown
    802.11bg(0) Radio
    ADMIN  State =  ENABLE [1]
    OPER   State =    DOWN [1]
    CONFIG State =      UP [2]
    HW     State =      UP [4]
      Radio Mode                : Bridge
      GPR Period                : 0
      Beacon Period             : 0
      DTIM Period               : 0
      World Mode                : 1
      VoceraFix                 : 0
      Dfs peakdetect            : 1
      Fragmentation Threshold   : 2346
      Current Tx Power Level    : 0
      Current Channel           : 11
      Current Bandwidth         : 20
    802.11a(1) Radio
    ADMIN  State =  ENABLE [1]
    OPER   State =    DOWN [1]
    CONFIG State =      UP [2]
    HW     State =      UP [4]
      Radio Mode                : Bridge
      GPR Period                : 0
      Beacon Period             : 0
      DTIM Period               : 0
      World Mode                : 1
      VoceraFix                 : 0
      Dfs peakdetect            : 1
      Fragmentation Threshold   : 2346
      Current Tx Power Level    : 1
      Current Channel           : 165
      Current Bandwidth         : 20
    It is showing the following error on our WLC in the log file:
    Tue Jul 15 14:01:26 2014
    AAA Authentication Failure for UserName:88f042907184 User Type: WLAN USER
    And here are some of the errors it's showing on the AP after bootup:
    *Jul 15 17:47:30.471: %CAPWAP-5-SENDJOIN: sending Join Request to x.x.x.x
    *Jul 15 17:47:31.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Jul 15 17:47:31.031: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Jul 15 17:47:31.039: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Jul 15 17:47:31.047: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Jul 15 17:47:32.067: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Jul 15 17:47:33.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Jul 15 17:47:35.471: %CAPWAP-5-SENDJOIN: sending Join Request to x.x.x.x
    *Jul 15 17:47:35.471: %DTLS-5-ALERT: Received WARNING : Close notify alert from x.x.x.x
    *Jul 15 17:47:35.475: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Jul 15 17:47:35.483: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Jul 15 17:47:36.475: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Jul 15 17:47:36.503: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Jul 15 17:47:37.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Jul 15 17:48:15.007: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join timer expired
    *Jul 15 17:48:15.007: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join failed expired
    *Jul 15 17:48:15.007: %MESH-6-LINK_UPDOWN: Mesh station 88f0.4290.7184 link Down
    *Jul 15 17:48:17.007: %LINK-6-UPDOWN: Interface BVI1, changed state to down
    *Jul 15 17:48:22.507: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
    *Jul 15 17:59:10.099: %CAPWAP-3-ERRORLOG: Invalid event 31 & state 4 combination
    *Jul 15 17:59:10.099: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 31, state 4
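The controller line above names the AP's own Ethernet MAC (88f042907184) as a failed "WLAN USER", while the AP console shows Join Requests answered by a DTLS close notify and then the mesh join timer expiring. Cisco mesh APs are authorized by MAC on the controller (MAC filter list or the AAA server it points at), so correlating the two logs by MAC is the quickest way to tell an authorization problem from an RF or path problem. The script below is an added example, not code from the original post or from Cisco: it parses the IOS-style AP syslog lines and the WLC AAA line (sample lines constructed from the shapes shown above, controller IP left redacted as x.x.x.x), normalizes both MAC spellings to one form, and reports APs that were rejected at join time with a matching AAA failure.

```python
import re

# Constructed sample input: the WLC log line and a subset of the AP console lines
# in the shapes shown in the post above (controller IP redacted as x.x.x.x by the poster).
WLC_LOG = """\
Tue Jul 15 14:01:26 2014
AAA Authentication Failure for UserName:88f042907184 User Type: WLAN USER
"""

AP_LOG = """\
*Jul 15 17:47:30.471: %CAPWAP-5-SENDJOIN: sending Join Request to x.x.x.x
*Jul 15 17:47:31.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Jul 15 17:47:35.471: %CAPWAP-5-SENDJOIN: sending Join Request to x.x.x.x
*Jul 15 17:47:35.471: %DTLS-5-ALERT: Received WARNING : Close notify alert from x.x.x.x
*Jul 15 17:48:15.007: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join timer expired
*Jul 15 17:48:15.007: %MESH-6-LINK_UPDOWN: Mesh station 88f0.4290.7184 link Down
*Jul 15 17:59:10.099: %CAPWAP-3-ERRORLOG: Invalid event 31 & state 4 combination
"""

# IOS-style syslog line: *<timestamp>: %FACILITY-SEVERITY-MNEMONIC: message
SYSLOG_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)
AAA_FAIL_RE = re.compile(r"AAA Authentication Failure for UserName:(\S+)")
MESH_STATION_RE = re.compile(r"Mesh station (\S+) link Down")


def normalize_mac(raw):
    """Return a MAC as aa:bb:cc:dd:ee:ff regardless of input style.

    The WLC logs the AP as 88f042907184 (bare hex) while the AP's mesh log
    uses 88f0.4290.7184 (Cisco dotted form); both must compare equal.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_ap_log(text):
    """Yield one dict per parseable AP syslog line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["severity"] = int(rec["severity"])
            yield rec


def analyze(wlc_log, ap_log):
    """Correlate controller-side AAA failures with AP-side join symptoms."""
    aaa_failed = {normalize_mac(m.group(1)) for m in AAA_FAIL_RE.finditer(wlc_log)}
    records = list(parse_ap_log(ap_log))
    join_requests = sum(1 for r in records if r["mnemonic"] == "SENDJOIN")
    dtls_close = sum(1 for r in records
                     if r["facility"] == "DTLS" and "Close notify" in r["msg"])
    mesh_down = set()
    for r in records:
        m = MESH_STATION_RE.search(r["msg"])
        if m:
            mesh_down.add(normalize_mac(m.group(1)))
    # Severity 3 and below is error or worse in IOS syslog numbering.
    error_or_worse = [f"%{r['facility']}-{r['severity']}-{r['mnemonic']}"
                      for r in records if r["severity"] <= 3]
    rejected = sorted(mesh_down & aaa_failed)
    findings = [
        f"AP {mac}: Join Request answered with DTLS close notify and the controller logged "
        "an AAA authentication failure for the same MAC; verify the AP's MAC is authorized "
        "on the controller (MAC filter list or the AAA server it uses)"
        for mac in rejected
    ]
    if join_requests and dtls_close and not rejected:
        findings.append("Join Requests closed at DTLS with no matching AAA failure; "
                        "check controller logs for this AP's MAC")
    return {
        "aaa_failed_macs": aaa_failed,
        "join_requests": join_requests,
        "dtls_close_notify": dtls_close,
        "mesh_link_down": mesh_down,
        "error_or_worse": error_or_worse,
        "rejected_aps": rejected,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in analyze(WLC_LOG, AP_LOG)["findings"]:
        print(line)
```

Run as-is it prints one finding for 88:f0:42:90:71:84. To use it on a real case, paste the WLC message log and the AP console capture into the two strings; the MAC normalization is what makes the controller's bare-hex username and the AP's dotted station address match.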

  • Ap1142 wlccp not authenticated WLSE

    I just added an ap1142 as my primary WDS for a network and it is not able to authenticate to the WLSE.
    I am certain my username and password are correct, all other APs that are WDS (about 20 others) are authenticated and the configuration for wlccp is identical, so it must be a bug.  I did not start a TAC case; couldn't get the tool to recognize the serial as belonging to my site.
    If you have a new ap1142 and use the WLSE could you test it as a WDS and report back?
    I have rebooted the WLSE and applied the patch, the ap1142 shows up in inventory and shows as managed.  I have deleted that AP and re-managed it as well.
    TIA if you are able to help.
    Joe

    So it finally dawned on me that I should convert my own SSIDs into friendlies (they don't call me slow joe from cocomo for nothin), I think that helps stop the ap from crashing.  Yeah the ap was crashing every 3 days, you could log into it but you could not reset the radio or fix it without a reboot. It has not yet crashed since Monday.
    I have 5 of them on another network; the trunks are perfect, you can connect to the radio but they don't route traffic.  It is the weirdest problem...
    I am considering making one of them the wdsbackup, I think that helps. For certain don't use an ap1142 as the WDS in an autonomous network.  It can't be the primary WDS due to it failing to log into the WLSE.
    There are huge bugs in the WLSE.  The patch to WLSE to work with this AP needs a lot of work.  The ap1142 does not show up in the location manager so you can't place them.  It seems the number of rogues detected has dropped.  There used to be 1000 every time, now there are about 100... whatever that means.
    I figure the N protocol breaks rogue detection?  Going to put some duct tape and bailing wire on it and beg for mercy.
    I can't wait to upgrade some day to the WCS.

  • Does the Cisco Wireless Control System need a Wireless LAN Controller?

    Does the Cisco Wireless Control System need a Wireless LAN Controller for rogue detection?

    Hi Joao,
    The WCS is used in conjunction with the WLC (Wireless LAN Controller) for Rogue Detection. It is not a must for this function but more of an add-on :)
    The Cisco WCS is an optional network component that works in conjunction with Cisco Aironet Lightweight Access Points, Cisco wireless LAN controllers and the Cisco Wireless Location Appliance.
    From this doc:
    http://www.cisco.com/en/US/products/ps6305/index.html
    Overview of WCS
    The Cisco Wireless Control System (WCS) is a Cisco Unified Wireless Network Solution management tool that adds to the capabilities of the web user interface and command line interface (CLI), moving from individual controllers to a network of controllers. WCS includes the same configuration, performance monitoring, security, fault management, and accounting options used at the controller level and adds a graphical view of multiple controllers and managed access points.
    WCS runs on Windows 2003 and Red Hat Enterprise Linux ES 4.0 and AS 4.0 servers. On both Windows and Linux, WCS can run as a normal application or as a service, which runs continuously and resumes running after a reboot.
    The WCS user interface enables operators to control all permitted Cisco Unified Wireless Network Solution configuration, monitoring, and control functions through Internet Explorer 6.0 or later. Operator permissions are defined by the administrator using the WCS user interface Administration menu, which enables the administrator to manage user accounts and schedule periodic maintenance tasks.
    WCS simplifies controller configuration and monitoring while reducing data entry errors with the Cisco Unified Wireless Network Controller autodiscovery algorithm. WCS uses the industry-standard SNMP protocol to communicate with the controllers.
    From this good doc:
    http://www.cisco.com/en/US/products/ps6305/products_configuration_guide_chapter09186a00806b7270.html#wp1131195
    Detect and Locate Rogue Access Points
    From this WCS doc:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806f070a.shtml#new5
    Rogue Detection under Unified Wireless Networks
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml
    Hope this helps!
    Rob
