PASSED: network / rogue_ap_detected

Wireless Rogue AP Detected

The WLC detects a rogue access point broadcasting a corporate SSID ('Corp-WiFi') in the parking lot. The rogue AP is performing an evil twin attack, capturing credentials from employees who auto-connect. WIDS alerts trigger but containment is not automatic.

Pattern: WIRELESS_CONTROLLER
Severity: CRITICAL
Confidence: 95%
Remediation: Auto-Heal

Test Results

Metric               | Expected            | Actual
Pattern Recognition  | WIRELESS_CONTROLLER | WIRELESS_CONTROLLER
Severity Assessment  | CRITICAL            | CRITICAL
Incident Correlation | Yes                 | 8 linked
Cascade Escalation   | N/A                 | No
Remediation          | Auto-Heal           | Corax resolves autonomously

Scenario Conditions

Cisco 9800 WLC with WIDS enabled. Rogue AP broadcasting 'Corp-WiFi' SSID. Located via triangulation in parking lot (outside building). 12 clients auto-associated to rogue. Manual containment required.

Injected Error Messages (1)

Rogue AP detected — Cisco WLC WIDS alert: unauthorized AP broadcasting SSID 'Corp-WiFi' on channel 6, BSSID: aa:bb:cc:dd:ee:ff, classification: Malicious (SSID spoofing), triangulated location: parking lot sector B, 12 clients associated to rogue, potential credential harvesting, containment status: pending admin action

Neural Engine Root Cause Analysis

This is a security incident, not a technical failure. A malicious rogue access point is broadcasting the legitimate corporate SSID 'Corp-WiFi' from the parking lot, most likely an evil twin set up to harvest user credentials from clients that auto-join the SSID. The Cisco WLC WIDS has correctly classified it as Malicious (SSID spoofing), with 12 clients already associated to the rogue BSSID aa:bb:cc:dd:ee:ff. WLC monitoring itself is working as intended: the threat was detected, triangulated and reported; only containment is still pending admin action.

Remediation Plan

1. Immediately initiate RF containment of the rogue AP (BSSID: aa:bb:cc:dd:ee:ff) through the WLC to disrupt the attack. Containment is an active deauthentication of clients; limit it to the BSSID the WLC has confirmed is spoofing the corporate SSID, and do not contain neighbouring APs that merely show up as unclassified rogues.
2. Send a security alert to the IT security team and facility management about the unauthorized device in parking lot sector B.
3. Verify that legitimate corporate APs are functioning normally and that clients can connect to the authentic Corp-WiFi network.
4. Monitor for the 12 affected clients reconnecting to legitimate APs, and flag their MAC addresses for follow-up on any subsequent authentication anomalies.
5. Dispatch physical security to locate and remove the rogue device.
6. Treat credential harvesting as likely, since clients associated to the rogue: if Corp-WiFi uses a pre-shared key, rotate it; if it uses 802.1X with password-based EAP, reset the passwords of the affected users and review authentication logs for reuse of those credentials.
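The triage logic the root-cause analysis and remediation plan describe (parse the WIDS alert, confirm the SSID is ours and the BSSID is not one of our own APs, then decide whether containment is warranted) as an added example. This is illustration code written for this page, not Corax's or Cisco's code; the alert strings are constructed samples modelled on the alert quoted above, and the CORPORATE_SSIDS and MANAGED_BSSIDS inventories are assumed values.

```python
"""Triage Cisco WLC WIDS rogue-AP alerts and decide whether RF containment is justified.

Added example for this page (not Corax or Cisco code). Inventory values are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample alerts, modelled on the WIDS alert text quoted on this page.
SAMPLE_ALERTS = [
    # The scenario's alert: corporate SSID on an unknown BSSID, clients attached.
    "Rogue AP detected - Cisco WLC WIDS alert: unauthorized AP broadcasting SSID 'Corp-WiFi' on channel 6, "
    "BSSID: aa:bb:cc:dd:ee:ff, classification: Malicious (SSID spoofing), triangulated location: parking lot sector B, "
    "12 clients associated to rogue, potential credential harvesting, containment status: pending admin action",
    # Constructed: a neighbour's AP with an unrelated SSID; must never be contained.
    "Rogue AP detected - Cisco WLC WIDS alert: unauthorized AP broadcasting SSID 'CoffeeShop-Guest' on channel 11, "
    "BSSID: 11:22:33:44:55:66, classification: Unclassified, triangulated location: parking lot sector A, "
    "0 clients associated to rogue, containment status: pending admin action",
    # Constructed: corporate SSID but the BSSID is one of our own APs (stale WLC inventory), so alert only.
    "Rogue AP detected - Cisco WLC WIDS alert: unauthorized AP broadcasting SSID 'Corp-WiFi' on channel 1, "
    "BSSID: 00:11:22:33:44:55, classification: Friendly, triangulated location: floor 2 east, "
    "3 clients associated to rogue, containment status: pending admin action",
]

# Assumed site inventory: SSIDs the WLC serves and BSSIDs of the APs it manages.
CORPORATE_SSIDS = {"Corp-WiFi"}
MANAGED_BSSIDS = {"00:11:22:33:44:55"}


@dataclass
class RogueAlert:
    ssid: str
    channel: int
    bssid: str
    classification: str
    location: str
    clients: int
    containment: str


@dataclass
class Decision:
    action: str            # "contain" or "alert_only"
    severity: str          # "CRITICAL" or "LOW"
    credential_review: bool  # True when clients were exposed to a spoofed corporate SSID
    reason: str


# One regex per field of the alert text; the first "SSID '...'" occurrence is the broadcast SSID.
_FIELDS = {
    "ssid": r"SSID '([^']*)'",
    "channel": r"channel (\d+)",
    "bssid": r"BSSID: ([0-9a-fA-F:]{17})",
    "classification": r"classification: ([^,]+)",
    "location": r"triangulated location: ([^,]+)",
    "clients": r"(\d+) clients associated",
    "containment": r"containment status: (.+)$",
}


def parse_wids_alert(line: str) -> RogueAlert:
    """Extract the structured fields from one WIDS alert line; raise if a field is missing."""
    values = {}
    for name, pattern in _FIELDS.items():
        match = re.search(pattern, line)
        if not match:
            raise ValueError(f"alert is missing field {name!r}: {line}")
        values[name] = match.group(1).strip()
    return RogueAlert(
        ssid=values["ssid"],
        channel=int(values["channel"]),
        bssid=values["bssid"].lower(),
        classification=values["classification"],
        location=values["location"],
        clients=int(values["clients"]),
        containment=values["containment"],
    )


def assess(line: str, corporate_ssids=CORPORATE_SSIDS, managed_bssids=MANAGED_BSSIDS) -> Decision:
    """Decide containment for one alert, with the checks a responder should run before deauthing anything."""
    alert = parse_wids_alert(line)
    if alert.bssid in managed_bssids:
        # Containing our own AP would be a self-inflicted outage; the fix is the WLC inventory.
        return Decision("alert_only", "LOW", False,
                        f"BSSID {alert.bssid} is a managed AP; fix WLC inventory instead of containing it")
    if alert.ssid not in corporate_ssids:
        # A neighbour's network is not ours to deauthenticate; record it and move on.
        return Decision("alert_only", "LOW", False,
                        f"SSID {alert.ssid!r} is not ours; record only, no containment")
    # Corporate SSID on an unmanaged BSSID is an evil twin. Contain only when the WLC itself
    # rates it Malicious; anything else goes to a human, but severity is CRITICAL either way.
    action = "contain" if alert.classification.startswith("Malicious") else "alert_only"
    return Decision(action, "CRITICAL", alert.clients > 0,
                    f"SSID spoofing of {alert.ssid!r} from {alert.bssid} at {alert.location}, "
                    f"{alert.clients} clients exposed")


if __name__ == "__main__":
    for sample in SAMPLE_ALERTS:
        print(assess(sample))
```

Running the module prints one Decision per sample: the scenario alert comes out as contain / CRITICAL with credential review required, while the neighbour's AP and the misclassified managed AP are alert-only. The two inventory checks are the part worth keeping in any auto-heal path: the WLC's Malicious classification is necessary but not sufficient to justify deauthenticating clients.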
Tested: 2026-03-30 | Monitors: 1 | Incidents: 1 | Test ID: cmncjm5ht02laobqeip4ntre0