M and MSM Series

Own APs detected as Rogue?

 
Frequent Advisor


We have a setup of two teamed MSM765 controllers and ~60 access points.

We have a lot of alarms claiming that authenticated clients associated with a rogue access point.
Example: 

 

Authorized client (mac='xx:xx:xx:xx:xx:xx') associated to an unauthorized device detected. BSSID: (mac='98:4B:xx:xx:xx:x1'), Band: (value='2.4GHz'), Classification: (value='Rogue'), SNRs: (value='xx:xx:xx:xx:xx:xx,13;xx:xx:xx:xx:xx:xx,6;xx:xx:xx:xx:xx:xx,5;').

The "funny" part is on the mac address of the so-called unauthorized device: It is always a BSSID of our own access points, and it's always the second BSSID of those APs.  (Hence the "1" in the last part of the mac address above. Though, that could be coincidence, since this second BSSID is used a lot more than the first one).
And if I look up that mac address on Security => Neighborhood, it is correctly displayed as "Authorized (controlled)".

The alarms are usually cleared after a few seconds, yet they spam our logs and make it nearly impossible to remain cautious about _real_ rogue APs.

So it looks like either the system is flappingly detecting our own APs as rogue or it doesn't really recognize the second BSSID as authorized.

We've recently upgraded from 6.6.5.0 to 6.6.7.0, but I can't really say whether this has occurred before.

 

Any ideas?
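The following is an added example, not part of the original post and not HP tooling: a log triage script that parses the alarm text quoted above and separates alarms naming one of your own BSSIDs from alarms that still need review. The MAC addresses, the `OWN_BSSIDS` inventory and the function names are constructed for illustration; the inventory is assumed to be exported from the controller.

```python
import re
from collections import Counter

# Field layout follows the alarm text quoted in the post above.
ALARM_RE = re.compile(
    r"Authorized client \(mac='(?P<client>[^']+)'\) associated to an unauthorized "
    r"device detected\. BSSID: \(mac='(?P<bssid>[^']+)'\), Band: \(value='(?P<band>[^']+)'\), "
    r"Classification: \(value='(?P<cls>[^']+)'\), SNRs: \(value='(?P<snrs>[^']*)'\)"
)

def parse_alarm(line):
    """Return the alarm fields as a dict, or None if the line is not this alarm type."""
    m = ALARM_RE.search(line)
    if m is None:
        return None
    snrs = []
    for pair in filter(None, m["snrs"].split(";")):  # list is ';'-terminated
        mac, _, snr = pair.partition(",")
        try:
            snrs.append((mac.lower(), int(snr)))
        except ValueError:
            continue  # skip a malformed "MAC,SNR" pair instead of losing the alarm
    return {"client": m["client"].lower(), "bssid": m["bssid"].lower(),
            "band": m["band"], "classification": m["cls"], "snrs": snrs}

def triage(lines, own_bssids):
    """Return (Counter of alarms per own BSSID, list of alarms on unknown BSSIDs)."""
    own = {b.lower() for b in own_bssids}
    own_hits, review = Counter(), []
    for line in lines:
        alarm = parse_alarm(line)
        if alarm is None:
            continue
        if alarm["bssid"] in own:
            own_hits[alarm["bssid"]] += 1   # alarm names one of our own radios
        else:
            review.append(alarm)            # unknown BSSID: keep for investigation
    return own_hits, review

# Constructed inventory and log lines (locally administered MACs, not real devices).
OWN_BSSIDS = ["02:00:00:1a:00:00", "02:00:00:1a:00:01"]
_T = ("Authorized client (mac='{c}') associated to an unauthorized device detected. "
      "BSSID: (mac='{b}'), Band: (value='2.4GHz'), Classification: (value='Rogue'), "
      "SNRs: (value='02:00:00:1A:00:20,13;02:00:00:1A:00:30,6;').")
SAMPLE = [_T.format(c="02:00:00:AA:00:01", b="02:00:00:1A:00:01"),
          _T.format(c="02:00:00:AA:00:02", b="02:00:00:1A:00:01"),
          _T.format(c="02:00:00:AA:00:03", b="02:00:00:FF:00:09"),
          "Some unrelated log line"]

if __name__ == "__main__":
    hits, review = triage(SAMPLE, OWN_BSSIDS)
    print("own-BSSID alarms:", dict(hits))
    print("needs review:", [a["bssid"] for a in review])
```

A BSSID match only shows that the alarm names one of your own radios; it does not rule out another device transmitting with that BSSID, so report the matched alarms separately rather than discarding them.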

3 REPLIES 3
Frequent Advisor

Re: Own APs detected as Rogue?

In the meantime I tried a factory reset on one of the affected APs, and a remove & rediscover. No change; after finishing, it reappeared directly.

Frequent Advisor

Re: Own APs detected as Rogue?

Nobody has an idea? I have the suspicion that these false positive detections are the reason for intermittent connectivity problems we see on the client devices (they are connected to the wifi, but can't make a TCP connection to other network devices/internet).

Frequent Advisor

Re: Own APs detected as Rogue?

Opened support case: 5321881246