Hello Everyone,
I'm hoping someone can shed some light on this, as I've had a long-standing ticket with TAC and I'm still a bit confused. So here it goes:
I've just recently turned on the WIP detection with dedicated Air Monitors. I know that some would argue that having an AP do both AP/AM functions is more ideal, but it is what it is. In either case, in my controlled testing, rogue detection and containment works great as designed (I've also learned through testing and working with TAC that manually classifying a neighbor AP as rogue can also be affected by my IPS :). This is frowned upon and I don't intend to manually classify unless I'm certain that it's a rogue within my airspace).
What I need help with is understanding why my guest SSID/AP is being tarpitted and the client deauthed when clients connect to it. Whenever I connect to my guest SSID, no matter which client, I get a Tarpit message followed by a Deauth message. The client gets disassociated from the current AP but is still able to utilize network services like HTTP/HTTPS.
TAC thinks that there's another AP out there that is spoofing my clients' connections, but I've scanned through our airspace using a spectrum analyzer and could not find one. My suspicion is that, because I'm using a separate AP as an Air Monitor rather than the dual AP/AM role, it is somehow misclassifying my client connecting to a valid open SSID for my guest network and thus generating those log messages. I may be far off, but I need to understand this before implementing the WIP feature enterprise-wide.
I'm more than happy to provide more information (non-sensitive of course) to anyone who cares :).
Thanks, and I look forward to your input.