A Cisco WLC (Wireless LAN Controller) has mechanisms to detect and classify rogue APs. After further analysis of such a detection, a WLAN administrator might elect to contain the rogue device. Note that containing a device on another party's network could have legal consequences. But let's suppose one decides to contain a rogue device: what happens exactly?
At that point, the Cisco WLC assigns up to four LAPs, depending on configuration, to contain the rogue AP. This is achieved as follows. The Cisco LAP impersonates the rogue AP by transmitting with the rogue's BSSID as its MAC address. It then issues periodic deauthentication frames to the broadcast address. As a result, the clients associated to that rogue AP (those within range of the Cisco LAP) deauthenticate.
In the above figure, the Cisco LAP reused the LinkSys AP's BSSID (00:22:6B:73:AA:5A) and issued its deauthentication frames to the broadcast address FF:FF:FF:FF:FF:FF.
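The on-air footprint of this containment is a burst of deauthentication frames, sourced from the rogue's BSSID, addressed to FF:FF:FF:FF:FF:FF. As an added example (not code from the original post and not a Cisco or aircrack-ng tool), the following Python decodes the 802.11 management header of captured frames and flags any transmitter that sends a flood of broadcast deauthentications inside a short window, which is what a WIPS signature for this behaviour has to match. The capture, the legitimate AP and client addresses, the window and the threshold are all constructed for the example; the BSSID 00:22:6B:73:AA:5A is the one quoted above.

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_TYPE = 0          # 802.11 frame type 0 = management
DEAUTH_SUBTYPE = 12    # management subtype 12 = deauthentication

# Constructed addresses for the sample capture (not real devices).
ROGUE_BSSID = "00:22:6b:73:aa:5a"   # the LinkSys BSSID quoted in the post
LEGIT_AP = "00:11:22:33:44:55"      # hypothetical legitimate AP
CLIENT = "aa:bb:cc:dd:ee:01"        # hypothetical client station


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_deauth(transmitter: str, dst: str, reason: int = 7, seq: int = 0) -> bytes:
    """Assemble an 802.11 deauthentication frame as it would appear in a
    capture. Used here only to construct in-memory test input for the detector."""
    fc = (DEAUTH_SUBTYPE << 4) | (MGMT_TYPE << 2)        # 0xC0: version 0, mgmt, deauth
    header = struct.pack("<BBH", fc, 0x00, 0x013A)        # frame control, flags, duration
    header += mac_to_bytes(dst)                           # addr1: destination
    header += mac_to_bytes(transmitter)                   # addr2: source / transmitter
    header += mac_to_bytes(transmitter)                   # addr3: BSSID (spoofed by the LAP)
    header += struct.pack("<H", seq << 4)                 # sequence control (fragment 0)
    return header + struct.pack("<H", reason)             # body: 2-byte reason code


def parse_frame(frame: bytes):
    """Decode the generic 24-byte 802.11 MAC header plus the deauth reason code.
    Returns None for frames too short to carry a full management header."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    parsed = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "da": mac_to_str(frame[4:10]),
        "sa": mac_to_str(frame[10:16]),
        "bssid": mac_to_str(frame[16:22]),
        "reason": None,
    }
    if parsed["type"] == MGMT_TYPE and parsed["subtype"] == DEAUTH_SUBTYPE and len(frame) >= 26:
        parsed["reason"] = struct.unpack("<H", frame[24:26])[0]
    return parsed


def detect_broadcast_deauth_floods(capture, window_s=1.0, threshold=5):
    """capture: iterable of (timestamp_seconds, raw_frame_bytes).
    Flags every transmitter that sends at least `threshold` broadcast
    deauthentication frames inside any `window_s`-second sliding window.
    Returns {transmitter_mac: peak_count_in_window}."""
    per_tx = defaultdict(list)
    for ts, raw in capture:
        f = parse_frame(raw)
        if f is None or f["type"] != MGMT_TYPE or f["subtype"] != DEAUTH_SUBTYPE:
            continue
        if f["da"] != BROADCAST:
            continue  # a unicast deauth to one client is ordinary AP behaviour
        per_tx[f["sa"]].append(ts)

    alerts = {}
    for tx, times in per_tx.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[tx] = peak
    return alerts


def sample_capture():
    """Constructed capture: eight broadcast deauths carrying the rogue BSSID
    within 0.7 s, plus one ordinary unicast deauth from a legitimate AP."""
    frames = [(10.0 + i * 0.1, build_deauth(ROGUE_BSSID, BROADCAST, seq=i)) for i in range(8)]
    frames.append((10.45, build_deauth(LEGIT_AP, CLIENT, reason=3, seq=40)))
    return frames


if __name__ == "__main__":
    print(detect_broadcast_deauth_floods(sample_capture()))  # {'00:22:6b:73:aa:5a': 8}
```

The detector keys on the transmitter address, so the alert names the BSSID being spoofed rather than the containing LAP; correlating that BSSID against the rogue list on the WLC tells an operator whether the burst is their own containment or a third party's. The window and threshold are starting points to tune against the containment interval observed on the air.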
Did you know you can achieve the same result with aircrack-ng? In a future post, I will discuss how to do packet injection; it is really useful for validating WIPS signatures.