Rogue Wireless AP
Difficulty · easy
High asset
Wireless IDS flagged a non-corporate AP broadcasting SSID "ACME-Corp" with the same WPA2-Enterprise hint string we use, located just outside Building 4 (cafe area). The rogue AP appears to be running a captive portal that mimics our SSO page.
Four employee laptops auto-connected to the rogue while passing through the cafe today (we saw their MACs in the rogue's beacon-response). Helpdesk has had two reports of "weird login screen on the corporate Wi-Fi".
Please investigate, contain, and harden. The rogue is still active.
— Wireless / Security
Evidence
Wireless IDS + four affected user sign-in logs
# Wireless IDS detection
12:31:14 IDS-WI-04 detected non-corp AP bssid=aa:bb:cc:11:22:33 ssid="ACME-Corp" channel=6 RSSI=-58dBm
location: outside Bldg 4 cafe (estimated)
client probe responses observed: bcd1.7f00.aa01, bcd1.7f00.aa02,
bcd1.7f00.bb12, bcd1.7f00.bb45
captive-portal redirect to https://acme-corp-wifi[.]net/auth
# Entra sign-in for one impacted user (alice)
12:34:20 SUCCESS user=alice@acme-corp.com IP=198.51.100.77 UA="curl/8.4"
(note: alice's normal IP space is 10.x corporate)
# Wi-Fi controller
WLC#show client mac bcd1.7f00.aa01
AP: rogue (not in our managed list)
Connection started: 12:30:48
# 802.1X / WPA2-Enterprise config audit
ssid "ACME-Corp" PEAP-MSCHAPv2 no certificate validation enforced on clients
Affected asset
- Name: Corporate SSID 'ACME-Corp' + 4 employee accounts
- Type: Wireless trust boundary + credentials likely captured
- Owner: Wireless / Security
- Level: High
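
The triage implied by the evidence above, as an added example that is not part of the original scenario: it flags any BSSID using the corporate SSID that is not managed, lists the client MACs seen on it, and looks for successful sign-ins by their owners from outside 10.x after the rogue association began. The managed-BSSID list, the MAC-to-user inventory, and the second and third sign-in lines are constructed assumptions; the other values are copied from the Evidence section.

```python
import ipaddress
import re

CORP_SSID = "ACME-Corp"
CORP_NET = ipaddress.ip_network("10.0.0.0/8")  # page: normal IP space is 10.x
ROGUE_ASSOC_START = "12:30:48"                 # page: WLC "Connection started"
MANAGED_BSSIDS = {"00:11:22:33:44:55"}         # assumption: constructed managed-AP list
MAC_OWNER = {                                  # assumption: constructed asset inventory
    "bcd1.7f00.aa01": "alice@acme-corp.com",
    "bcd1.7f00.aa02": "bob@acme-corp.com",
}

# IDS lines as shown in the Evidence section.
IDS_LOG = '''12:31:14 IDS-WI-04 detected non-corp AP bssid=aa:bb:cc:11:22:33 ssid="ACME-Corp" channel=6 RSSI=-58dBm
client probe responses observed: bcd1.7f00.aa01, bcd1.7f00.aa02,
bcd1.7f00.bb12, bcd1.7f00.bb45'''

# First line is from the page; the other two are constructed for contrast.
SIGNIN_LOG = '''12:34:20 SUCCESS user=alice@acme-corp.com IP=198.51.100.77 UA="curl/8.4"
12:40:02 SUCCESS user=bob@acme-corp.com IP=10.20.3.9 UA="Mozilla/5.0"
09:05:11 SUCCESS user=alice@acme-corp.com IP=10.20.3.7 UA="Mozilla/5.0"'''

def rogue_aps(ids_log):
    """BSSIDs advertising the corporate SSID that are not in the managed list."""
    seen = re.findall(r'bssid=([0-9a-f:]{17}) ssid="([^"]*)"', ids_log)
    return {b for b, ssid in seen if ssid == CORP_SSID and b not in MANAGED_BSSIDS}

def exposed_clients(ids_log):
    """Client MACs (dotted notation) the IDS listed against the rogue."""
    return sorted(set(re.findall(r'\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b', ids_log)))

def suspicious_signins(signin_log, users, since):
    """Successful sign-ins by exposed users from outside corporate space after `since`."""
    pat = r'^(\d\d:\d\d:\d\d) SUCCESS user=(\S+) IP=(\S+) UA="([^"]*)"'
    hits = []
    for ts, user, ip, ua in re.findall(pat, signin_log, re.M):
        # Same-day HH:MM:SS strings compare correctly as text.
        if user in users and ts >= since and ipaddress.ip_address(ip) not in CORP_NET:
            hits.append((ts, user, ip, ua))
    return hits

def triage():
    """Return (rogue BSSIDs, exposed users, MACs with no owner on file, suspect sign-ins)."""
    rogues = rogue_aps(IDS_LOG)
    macs = exposed_clients(IDS_LOG)
    users = {MAC_OWNER[m] for m in macs if m in MAC_OWNER}
    unknown = [m for m in macs if m not in MAC_OWNER]  # still need an inventory lookup
    return rogues, users, unknown, suspicious_signins(SIGNIN_LOG, users, ROGUE_ASSOC_START)
```

MACs returned in the third element have no owner in the inventory, so their accounts cannot be checked for off-network sign-ins until the owner is identified.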