Cisco wifi rogue detection
The valid range for the time in sec parameter is 10 seconds to seconds. The default value is 10 seconds. This feature applies only to monitor mode APs. Specify the minimum RSSI value that rogues must have for APs to detect them and for rogue entries to be created on the controller by entering this command.

The valid range for the rssi in dBm parameter is — dBm to 0 dBm. The default value is 0 dBm. Many rogues have very weak RSSI values that provide no useful information for rogue analysis, so you can use this option to filter them out by specifying the minimum RSSI value at which APs should detect rogues.

Specify the time interval at which APs must consistently scan for rogues after the first time a rogue is scanned for by entering this command. The valid range for the time in sec parameter is seconds to seconds. The default value is 0. Using the transient interval values, you can control the interval at which APs scan for rogues, and APs can also filter rogues based on their transient interval values.

Unnecessary memory allocation for transient rogues is avoided. If you want the controller to automatically contain certain rogue devices, enter these commands. When you enter any of these commands, the following message is displayed: "Using this feature may have legal consequences."

If you want the controller to only generate an alarm when such a rogue is detected, enter the config rogue ap ssid alarm command. If you want the controller to only generate an alarm when such a rogue is detected, enter the config rogue ap valid-client alarm command. If you want the controller to only generate an alarm when such a network is detected, enter the config rogue adhoc alert command.

The default value is 1. Configure ad hoc rogue classification by entering these commands. Configure RLDP scheduling by entering this command. When you configure RLDP scheduling, it is assumed that the scheduling will occur in the future, that is, after the configuration is saved. Save your changes by entering this command. Rogue client detection on a non-monitor AP on the serving channel was not performed until 8.

From Release 8. PDF - Complete Book. Updated: June 10. Chapter: Managing Rogue Devices. The following are some guidelines for managing rogue devices: Containment frames are sent immediately after the authorization and associations are detected.

Client card implementations might reduce the effectiveness of ad hoc containment. Note: A rogue AP, rogue client, or ad hoc containment configuration is not saved after a reload. Note: No separate command exists for controlling rogue client traps.

Note: RLDP packets cannot reach the controller if filtering rules are placed between the controller's network and the network where the rogue device is located. Detecting Rogue Devices: The controller continuously monitors all nearby access points and automatically discovers and collects information on rogue access points and clients.

The containment operation occurs in the following two ways: The container access point goes through the list of containments periodically and sends unicast containment frames. Cisco Prime Infrastructure Interaction and Rogue Detection Cisco Prime Infrastructure supports rule-based classification and uses the classification rules configured on the controller.

The controller sends traps to Cisco Prime Infrastructure after the following events: If an unknown access point moves to the Friendly state for the first time, the controller sends a trap to Cisco Prime Infrastructure only if the rogue state is Alert.

This section contains the following subsections: Configuring Rogue Detection GUI Procedure Step 1 Make sure that rogue detection is enabled on the corresponding access points. This is the default value. Step 4 In the Expiration Timeout for Rogue AP and Rogue Client Entries text box, enter the number of seconds after which the rogue access point and client entries expire and are removed from the list.

Note If a rogue access point or client entry times out, it is removed from the controller only if its rogue state is Alert or Threat for any classification type. Note The minimum value of 10 seconds is applicable only to APs in monitor mode. Note This feature is applicable to all the AP modes. Step 9 In the Rogue Detection Transient Interval text box, enter the time interval at which a rogue should be scanned for by the AP after the first time the rogue is scanned.

This feature has the following advantages: Rogue reports from APs to the controller are shorter. The network administrator configures the channels to scan, and configures the time period in which all stations are scanned. The AP listens for 50 ms for rogue client beacons, then returns to the configured channel in order to service clients again. This active scanning, combined with neighbor messages, identifies which APs are rogues and which APs are valid and part of the network. The scanning time period through these channels can be configured in the same window, under Monitor Intervals 60 to secs along with the noise measurement interval.

By default, the listening interval for off-channel noise and rogues is seconds. This means that each channel is scanned every seconds. This is an example of the DCA channels that are scanned every seconds. As illustrated, a high number of channels configured to be scanned, combined with short scanning intervals, leaves less time for the AP to actually service data clients.

The Lightweight AP waits in order to label clients and APs as rogues because these rogues are possibly not reported by another AP until another cycle is completed. The same AP moves to the same channel again in order to monitor for rogue APs and clients, as well as noise and interference. The controller now begins to determine if these rogues are attached to the local network or simply to a neighboring AP. In either case, an AP that is not part of the managed local wireless network is considered a rogue.

A Lightweight AP goes off-channel for 50 ms in order to listen for rogue clients and to monitor for noise and channel interference. Any detected rogue clients or APs are sent to the controller, which gathers this information. You can make an AP operate as a rogue detector, which allows it to be placed on a trunk port so that it can hear all wired-side connected VLANs. It proceeds to find the client on the wired subnet on all the VLANs.

If a matching Layer 2 address is found, the controller generates an alarm that identifies the rogue AP or client as a threat. This alarm indicates that the rogue was seen on the wired network. Rogue APs are not considered a threat if they are not connected to the wired segment of the corporate network.

Introduction: This is the second in a series of blog posts that focus on wireless security and technology at Cisco Meraki.

What is a Rogue Access Point? This act introduces multiple threat vectors to the company, such as: Insecure wireless standards — the rogue AP might only support a deprecated and insecure encryption standard, such as WEP. Or even worse, be purposefully configured with open association and authentication.

Inappropriate attachment — the user could also physically attach the AP to a network port in a secure area of the network, or in an area without appropriate firewalling between it and sensitive information.

What makes a rogue access point rogue? However, older APs without a dedicated listening radio can also be configured to use their access radios at specific times to scan for rogue access points, as shown below: Air Marshal listens for

The controller does not remove rogue entries with these rogue states: Contained, Contained Pending, Internal, and External.

There is no additional configuration required on the WLC to enable this feature. Click a particular rogue entry in order to get the details of that rogue. Here is an example of a rogue detected on the wired network. If the rogue is on any other channel, the controller is not able to identify the rogue if you do not have monitor mode APs in the network. Issue this command in order to verify. Beacons from the rogue AP may not reach the AP that detected the rogues.

This can be verified by capturing packets with a sniffer close to the rogue detector AP. The number and location of rogue detector APs can vary from one per floor to one per building and depends on the layout of the wired network. It is advisable to have at least one rogue detector AP on each floor of a building. Because a rogue detector AP requires a trunk to all Layer 2 network broadcast domains that should be monitored, placement depends on the logical layout of the network.

If you have known rogue entries, add them to the friendly list or enable validation with AAA and ensure that the known client entries are present in the Authentication, Authorization and Accounting (AAA) database. A rogue entry in a rogue detector can be seen with this command on the AP console. For wired rogues, the flag moves to set status.

As a result, ensure the AP is not already containing the maximum number of devices permitted. In this scenario, the client is in a containment pending state. Rogue detection and containment within the Cisco centralized controller solution is the most effective and least intrusive method in the industry.

The flexibility provided to the network administrator allows for a more customized fit that can accommodate any network requirements. Updated: October 30. Contents: Introduction. Cisco Prime Infrastructure. Components Used: The information in this document is based on these software and hardware versions: Cisco Unified Wireless LAN Controllers, and Series that run version 8.

Wave 2 APs, , and series. Wave 1 APs, and series. Rogue Overview: Any device that shares your spectrum and is not managed by you can be considered a rogue.

When it is detected on the wired network. Ad-hoc rogues. Set up by an outsider, most times with malicious intent. Rogue Detection: A rogue is essentially any device that shares your spectrum but is not in your control. Off-Channel Scanning: This operation is performed by Local and FlexConnect (connected mode) APs and uses a time-slicing technique that allows client service and channel scanning with the same radio.

There is a maximum database size for rogue records that varies across controller platforms:
- Detection and containment of up to Rogue APs and Rogue Clients
- Detection and containment of up to Rogue APs and Rogue Clients
- Detection and containment of up to Rogue APs and Rogue Clients

Rogue Detector AP: A rogue detector AP aims to correlate rogue information heard over the air with ARP information obtained from the wired network.
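The following Python sketch is an added illustration, not code from the Cisco documentation: it models the rogue detector correlation described here (a rogue whose BSSID or client MAC also appears in the ARP-derived wired MAC set becomes a Threat, otherwise it stays at Alert), together with the minimum-RSSI filter and the expiration rule (entries time out only in the Alert or Threat state) from the configuration sections above. All MAC addresses, RSSI values, timestamps and thresholds are constructed sample data.

```python
# Constructed sample data: over-the-air rogue reports from APs (BSSID,
# associated client MACs, best RSSI in dBm) and the wired MAC set that a
# rogue detector AP learned from ARP traffic on its trunked VLANs.
AIR_REPORTS = [
    {"bssid": "00:11:22:aa:bb:01", "clients": ["aa:bb:cc:00:00:01"], "rssi": -55},
    {"bssid": "00:11:22:aa:bb:02", "clients": [], "rssi": -82},  # weak neighbour
    {"bssid": "00:11:22:aa:bb:03", "clients": ["aa:bb:cc:00:00:03"], "rssi": -60},
]
WIRED_MACS = {"aa:bb:cc:00:00:03", "00:11:22:aa:bb:09"}  # seen via ARP on the wire


def classify(reports, wired_macs, min_rssi=-70):
    """Return {bssid: state} for the reports that pass the min-RSSI filter.

    Reports weaker than min_rssi never create a rogue entry (the controller's
    minimum RSSI setting).  A rogue whose BSSID or any client MAC is also
    present on the wired side is reported as "Threat"; others stay "Alert".
    """
    states = {}
    for report in reports:
        if report["rssi"] < min_rssi:
            continue  # too weak to be worth a rogue entry
        on_wire = report["bssid"] in wired_macs or any(
            client in wired_macs for client in report["clients"]
        )
        states[report["bssid"]] = "Threat" if on_wire else "Alert"
    return states


def expire(entries, now, timeout):
    """Apply the expiration timeout to {bssid: (state, last_seen)}.

    An entry that has not been seen within `timeout` seconds is dropped only
    when its state is Alert or Threat; Contained, Contained Pending, Internal
    and External entries are never removed by the timeout.
    """
    kept = {}
    for bssid, (state, last_seen) in entries.items():
        stale = (now - last_seen) > timeout
        if stale and state in ("Alert", "Threat"):
            continue
        kept[bssid] = (state, last_seen)
    return kept


if __name__ == "__main__":
    print(classify(AIR_REPORTS, WIRED_MACS))
```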

Scalability Considerations: A rogue detector AP can detect up to rogues and rogue clients. HA Facts: If you manually move any rogue device to the contained state (any class) or the friendly state, this information is stored in the standby Cisco WLC flash memory; however, the database is not updated.

When the FlexConnect AP moves to standalone mode, the following tasks are performed: The containment set by the controller continues. When the standalone FlexConnect AP moves back to connected mode, the following tasks are performed: All containment is cleared. Containment initiated from the controller takes over. Rogue Mitigation, Rogue Containment: Containment is a method that uses over-the-air packets to temporarily interrupt service on a rogue device until it can be physically removed.

Rogue Containment Details: A containment initiated on a rogue AP with no clients uses only de-authentication frames sent to the broadcast address. A containment initiated on a rogue AP with client(s) uses de-authentication frames sent to the broadcast address and to the client(s) address. Containment packets are sent at the power level of the managed AP and at the lowest enabled data rate.

Containment sends a minimum of 2 packets every ms. Note: A containment performed by non-monitor mode APs is sent at an interval of ms instead of the ms interval used by monitor mode APs. Auto-Containment: In addition to manual initiation of containment on a rogue device via PI or the WLC GUI, there is also the ability to automatically launch containment under certain scenarios.

Configure Rogue Detection: Rogue detection is enabled on the controller by default. For example: Step 1. Change the timeout for rogue APs.

Step 2. Enable the detection of ad-hoc rogue networks. Are you sure you want to continue? These are the Auto Contain Parameters:

Auto Containment Level: Drop-down list from which you can choose the rogue auto containment level from 1 to 4.

Rogue on Wire: Check box that you enable to automatically contain the rogues that are detected on the wired network.