Cisco Catalyst Center Rogue Management and aWIPS Application Quick Start Guide, Release 3.1.x

Wireless Rogue AP Containment

Overview

The Wireless Rogue AP Containment feature allows Catalyst Center to contain the wireless clients connected to a rogue AP.

Containment is illegal in some countries because it disrupts the communication between the clients attached to a rogue AP. Catalyst Center warns you about the legal consequences while initiating Wireless Rogue AP Containment.

This procedure describes how to start and stop Wireless Rogue AP Containment on wireless clients connected to a rogue AP.

Before you begin

Download and install the rogue and aWIPS application package. For more information, see Download and Install the Rogue Management and aWIPS application package.

Ensure that you have write permission from the provision API and scheduler API to perform this procedure.

Procedure

1. From the main menu, choose Assurance > Rogue and aWIPS > Threats.

2. To use Wireless Rogue AP Containment, click a rogue AP MAC address listed under the Threat MAC address column, marked as Honeypot, Interferer, or Neighbor classification types.

Note

Cisco Catalyst 9800 Series Wireless Controller has a limit of only 625 configurations for rogue containment at a time. When the limit is reached, containment won't work for any new rogues on those devices.

The Threat 360 window opens.

Note

A rogue AP MAC address comprises multiple rogue BSSIDs.

3. From the Action drop-down list, select Start Containment and Configuration Preview.

A warning dialog box opens with information about the legal consequences and a list of rogue BSSIDs to be contained on the wireless controller and Configuration Preview.

Note

The Start Containment option appears in the Action drop-down list only when the rogue AP MAC address is marked as Honeypot, Interferer, or Neighbor classification type. For more information, see the Cisco Rogue AP Containment Actions Compatibility Matrix.

4. By default, the Rogue BSSID list appears.

In the Configuration Preview tab, review the configurations and click Yes.

Note

The Configuration Preview tab appears only when the Configuration Preview is enabled. For information on how to enable Configuration Preview, see the "Enable Visibility and Control of Configurations" topic in the Cisco Catalyst Center Administrator Guide.

5. The Threat 360 window displays the Wireless Rogue AP Containment status accordingly:

  • Banner with a blue check mark indicates that the Wireless Rogue AP Containment request is in progress.

  • Banner with a green check mark indicates that the Wireless Rogue AP Containment request is submitted successfully to the strongest detecting AP. A red vertical line appears next to the strongest detecting AP based on the RSSI value.

  • Banner with a red check mark indicates that the Wireless Rogue AP Containment request has failed.

Note

After containment is initiated, it takes some time for the Containment Status column to update to another wireless containment status.

In the Threat 360 window, hover your cursor over the i icon next to the Containment column. A tooltip stating "This always shows current Wireless Containment Status" appears.

6. Catalyst Center allows you to monitor the Containment Status of a wireless rogue AP in the Rogue and aWIPS dashboard threat table within Assurance.

Hover your cursor over the i icon adjacent to the Containment Status column to view these possible values.

Table 1. Wireless containment status possible values

| Wireless containment status | Meaning |
| --- | --- |
| Contained | Rogue AP actively contained by the wireless controller. |
| Pending | Wireless controller has kept this rogue in containment Pending state. |
| Open | Rogue AP is not contained. |
| Partial | Some of the rogue BSSIDs are in Open state and the rest of them are either in the Contained or the Containment Pending state. |

Note

For a rogue AP with wireless containment status as Partial, an i icon appears adjacent to Partial state under the Containment column in the Threat 360 window. Hover your cursor over the i icon to view the current wireless containment status of the Rogue SSIDs.

The wireless controller can keep the Wireless Rogue AP Containment in Pending state because of these reasons:

  • Resource outage: After the rogue BSSID containment request is submitted, the wireless controller puts the rogue BSSID containment in either the Containment or the Containment Pending state because of the limit of three rogue BSSIDs per radio for client-serving radios and six rogue BSSIDs per radio for monitor mode. When a radio exceeds its limit, the wireless controller places the next rogue BSSID submitted for containment in the Pending state until one of the rogue BSSIDs leaves the Contained state.

  • Protected Management Frames (PMF): When PMF is enabled on a rogue BSSID, the wireless controller does not initiate containment and the containment status remains in the Pending state. When PMF is disabled, the wireless controller initiates the containment.

  • Dynamic Frequency Selection (DFS): The wireless controller keeps the containment status in the Pending state and does not attempt to contain the rogue BSSID if it broadcasts on the Dynamic Frequency Selection (DFS) channels. After the rogue BSSID moves out of the DFS channel, the wireless controller initiates the containment.

7. To bring back all the rogue BSSIDs of the wireless rogue AP marked in Contained, Pending or Partial state to Open state, click the corresponding rogue AP MAC address listed under the Threat MAC address column.

The Threat 360 window opens.

8. From the Action drop-down list, select Stop Containment.

Note

The Stop Containment option appears in the Action drop-down list only when the wireless rogue AP is in Contained, Pending or Partial state. For more information, see the Cisco Rogue AP Containment Actions Compatibility Matrix.

  • A blue check mark appears as a banner on the Threat 360 window, indicating the progress of the Stop Containment process on the wireless rogue AP.

  • A green check mark appears as a banner on the Threat 360 window, indicating the progress of the Stop Containment process on the wireless rogue AP.
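
The following added example (not Cisco code and not part of the original guide) models the Pending-state reasons from step 6 and the status roll-up of Table 1, so an operator can anticipate why a submitted rogue BSSID will not reach Contained. The record fields, the radio label, the sample BSSIDs, the FCC-domain DFS channel set, and the handling of a Contained and Pending mix are assumptions made for illustration.

```python
from collections import Counter

# Per-radio containment limits stated in the guide.
RADIO_LIMIT = {"client-serving": 3, "monitor": 6}
# Assumption: FCC-domain 5 GHz DFS channels; adjust for your regulatory domain.
DFS_CHANNELS = set(range(52, 65, 4)) | set(range(100, 145, 4))


def predict_states(bssids):
    """Return {bssid: (state, reason)} for BSSIDs submitted for containment, in order.

    Assumption: no BSSID is already contained on any radio when the first request arrives.
    """
    in_use = Counter()  # BSSIDs currently Contained, per detecting radio
    result = {}
    for b in bssids:
        if b["pmf"]:
            result[b["bssid"]] = ("Pending", "PMF enabled on rogue BSSID")
        elif b["channel"] in DFS_CHANNELS:
            result[b["bssid"]] = ("Pending", "rogue BSSID on DFS channel")
        elif in_use[b["radio"]] >= RADIO_LIMIT[b["radio_mode"]]:
            result[b["bssid"]] = ("Pending", "per-radio containment limit reached")
        else:
            in_use[b["radio"]] += 1
            result[b["bssid"]] = ("Contained", "")
    return result


def rollup(states):
    """Aggregate per-BSSID states into the rogue AP status of Table 1."""
    seen = set(states)
    if seen == {"Open"}:
        return "Open"
    if "Open" in seen:
        return "Partial"  # some Open, the rest Contained or Pending
    if seen == {"Contained"}:
        return "Contained"
    # Assumption: the guide does not define a Contained + Pending mix; report Pending.
    return "Pending"


def _b(n, channel, pmf=False):
    # Constructed sample record; field names are hypothetical, not a Catalyst Center schema.
    return {"bssid": f"02:00:00:00:00:{n:02x}", "radio": "ap1/slot1",
            "radio_mode": "client-serving", "channel": channel, "pmf": pmf}


# Constructed sample: six BSSIDs of one rogue AP seen by one client-serving radio.
SAMPLE = [_b(1, 36), _b(2, 36), _b(3, 40), _b(4, 44), _b(5, 100), _b(6, 36, pmf=True)]

if __name__ == "__main__":
    states = predict_states(SAMPLE)
    for bssid, (state, reason) in states.items():
        print(bssid, state, reason)
    print("Rogue AP status:", rollup(s for s, _ in states.values()))
```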