Classification of Rogue APs

Hi,
We have a list of 50 or so rogue APs reported as unclassified, and having just upgraded the 5508 to 7.4.100, I also see more options for dealing with rogues. Problem is I don't know much about these options or what is a best practice.
Starting with classification, what's the advantage of classifying them? How is it done?
What are some basic recommendations for settings under Security->Wireless Protection Policies->Rogue Policies?
Should the Cisco APs use MFP and/or Client Protection?
Thanks.

I keep MFP as optional but let's talk about classification. Here is a document regarding classification.
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080ad6b8d.shtml
No I don't use it like that:). What I do is set rules to specify Friendly rogue, which really aren't friendly per se. I will set a rule for any non-AP being detected by a signal of -60 or -65 or hotter. Now this will place APs that have a hot signal in this classification and then I can actually see how many APs are seeing this AP. If it's that hot, most likely it's inside your walls.
So that's what I do:)
Sent from Cisco Technical Support iPhone App

Similar Messages

  • WCS displaying Rogue APs which are actually our APs.

    Hi
    Can anyone help?
    Using WCS 6.0.181 and WISM  5.2.193
    WCS is displaying our own APs as Rogues; at the time we were only broadcasting one SSID. Now we have added another SSID and these too are coming up as Rogue APs.
    Does anyone have any idea what the fault could be?
    Many Thanks
    Craig

    It is possible that there is a real rogue that is spoofing the mac address of your APs.
    Are the rogue alerts appearing for all your access points? Using the very same AP radio MAC?
    Nicolas

  • NCS Rogue report lists own AP

    Hi!
    I had a problem: we have 10+ WLCs in 2 mobility groups, but managed by one NCS. If I make a report about the rogue APs, it contains the APs from the other WLCs, from both the other and the same mobility group. How can I make it so that the report does not include the APs from our infrastructure?
    Do I have to manually define these APs as friendly on all WLCs?
    TY!

    Does anybody have the same problem? It's irritating, I have to filter every report in Excel to delete our own SSIDs.

  • Rogue AP detection

    The WLSE has detected rogue APs. These APs have high RSSI and variable channel settings. How can I handle it? As far as I know, WLSE is not able to protect my APs from rogue AP attacks, only detect them. Should I use wired LAN? Any other solution to clear this rogue AP's channel interference? Any advice please. Thanks.

    You've got to be careful here .... the WLSE can "shut down" rogue APs by either sending a disconnect to the client, or dropping the offending switch port.
    The problem is that the "rogue" APs could be other businesses nearby; if you shut down all the "rogue" APs you may be killing another business' wireless system.
    You can tell the WLSE that a specific "rogue" is known and acceptable, and it will ignore it for the purposes of reporting.
    If your APs or antennas are at some altitude (mine are on the fifth & sixth floor), you can pick up other wireless systems from a mile away ... if I tell my system to shut down all rogues, I can be killing systems for quite a distance.
    IMHO, it would be a good idea to bring up a wireless "Sniffer" and identify the traffic; if it's truly rogue/malicious traffic, then shut it down .... but if it's a neighbor, just tell the system to ignore it.
    The "Sniffer" can also give you a good idea of which channels are least congested and have the least interference so you can make adjustments to your system.
    At the least, bring up something like Netstumbler (it's free, runs on Windows) or Kismet (it's also free, runs on *nix).
    You can also run some radio scans from the WLSE. I prefer using an external system.
    Good Luck
    Scott

  • Poor performance for my wlan in conference rooms

    Hi,
    I have real problems in my conference rooms. I have deployed about 25 APs for my building. I have 1242, 1131, 3501 and 1142's. I have a 2 story building. I've used the WCS maps feature to provide me with a coverage area map. I think that the upstairs and downstairs APs are interfering with each other. It was suggested I put 3 APs into one conference room, each with its own a/b or g radio. How do I pinpoint what is causing the problems with connectivity in my conference rooms?
    Also, have you tried manually adjusting power levels? I believe once I start with that, I'll have to touch each and every AP, if I start messing with that. Any suggestions?
    Thanks

    Remember that when working with wireless we should always do a site survey to determine the current RF the site has, where to locate the access points, how many access points to get and where to install each AP so that the overlap between the APs is not more than 15%.
    Also, once the APs are installed you can use the WLC options and check how many rogue APs the WLC APs are seeing, since these rogues would affect your APs and auto RRM will not be able to know what channel to use on the APs managed by your WLC, so you would need to configure it manually. Also you can go to the Monitor tab and select AP by AP to see how each AP sees the signal of another AP managed by the WLC.
    For auto RRM to work on the WLC you need each AP to see at least 3 more APs with a good signal to be able to set the correct power and channel to use.
    Sent from Cisco Technical Support iPhone App

  • Rogue reporting in WCS

    Can anybody tell me what the difference is between the following 2 default Security reports:
    Rogue APs
    Rogue APs Event
    We run both of these nightly, but the Rogue APs Event report usually is about 20 pages or so, and the information there has way more than what I see when I compare to my controller. The Rogue APs report usually matches what I see on my controller regarding current rogues. Does the Rogue APs Event report just detail everything that the access points have seen in the reporting time period? Some clarification on this would be greatly appreciated.
    Thank you.

    Rogues Detected by APs Report displays information about specific rogue access points detected on the network, rather than having to look into each rogue alarm and manually assemble a list. The data that is returned includes but is not limited to the following: the name of the detecting access point, the MAC address of the rogue, and the location of the rogue.
    And the Security Summary Report shows the number of association failures, rogue access points, ad hocs, and access point connections or disconnections over one month.

  • WLSE Mail Alert Problem

    Hi
    We get alerts when there are rogue APs or ad hoc networks. The problem is when the SSID is not broadcast: in the WLSE there is just /x/X or something like that instead of an SSID.
    When I get an email from the WLSE and the SSID is seen, then it's correct:
    Subject: 020cf1f918b6[020cf1f918b6] P2 notification. FaultId : 145.
    Unknown Station IBSSNetwork is: IBSSDetected. Ad-hoc network creation
    detected: CMS
    FaultId: 145
    DeviceId: 3210
    DeviceIP: 020cf1f918b6
    DeviceName: 020cf1f918b6
    MO: Unknown Station
    Change: Ad-hoc network creation detected: CMS
    ChangeSeverity: P2
    StateChange: IBSSNetwork is IBSSDetected
    AlarmState: Active
    OverallSeverity: P2
    DeviceType: L2Device
    but when the ssid is not broadcasted:
    Subject: 020cf1e8e5a8[020cf1e8e5a8] P2 notification. FaultId : 135.
    Unknown Station IBSSNetwork is: IBSSDetected. Ad-hoc network creation
    detected:
    Mime-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="29647319.1129639614015.JavaMail.casuser@wlse"
    --29647319.1129639614015.JavaMail.casuser@wlse
    Content-Type: text/plain; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    FaultId: 135
    DeviceId: 3067
    DeviceIP: 020cf1e8e5a8
    DeviceName: 020cf1e8e5a8
    MO: Unknown Station
    Change: Ad-hoc network creation detected:
    ChangeSeverity: P2
    StateChange: IBSSNetwork is IBSSDetected
    AlarmState: Active
    OverallSeverity: P2
    DeviceType: L2Device
    EstimatedLocation: Location could not be determined. Device was reported by client stations only.
    --29647319.1129639614015.JavaMail.casuser@wlse--
    So the mail gets junked. Is there a workaround so that the email looks correct?
    regards

    I am not sure what Version of WLSE you are running, but I would recommend updating to 2.12.

  • WLC 5508, LAP1262, Security Features Design

    Dears,
    I am planning to get the following Hardware;
    AIR-CT5508-50-K9
    5508 Series Controller for up to 50 APs
    AIR-LAP1262N-E-K9
    802.11a/g/n Ctrlr-based AP; Ext Ant; E Reg Domain
    During my design, I am considering the following security features.
    NOTE: I don't have WCS and Mobility Services Engine (MSE).
    Managing Access Points at remote/WAN office.
    wIPS configuration (without WCS and MSE)
    How will Rogue APs be detected and prevented? Can automated prevention be implemented?
    Does wIPS (with WLC 5508) support detecting and preventing Rogue APs?
    Is Proxy Redirection supported on the WLC, so that the traffic from wireless clients will automatically be redirected to the proxy (without adding the proxy in the browsers of the wireless clients)?
    Unfortunately I don't have a lab to test these features, so please respond.

    Dear Scott,
    Thanks for your detailed response. I still have confusion regarding the Point5. Find the following details;
    Current Design:
    All the Internet traffic (http, https) for wired and wireless users is forwarded to a proxy server (Microsoft ISA / 10.1.100.1) for Internet access.
    For this purpose, all users have to add the proxy to their browsers.
    New Design/Requirements for Wireless Guest Users:
    For the wireless guest users to get Internet, they will have to add the proxy in their browsers.
    I would like to provide them Internet access without adding the proxy in their browsers (not to bother them with configuring their laptops).
    Is it possible for the WLC to automatically redirect the Internet traffic from guest users to the proxy server (10.1.100.1)?

  • Troubleshooting WCS Event log

    Dear Sir,
    Many error messages appeared in WCS.
    At that time, my customer claimed that many subscribers couldn't use wireless. I am not sure whether it is related to the error messages.
    Please see the attached files and help me resolve it.
    If you need more information, please tell me.
    Thanks
    Best Rgds

    Let's focus on 1 issue at a time ... Find this client (00:12:0e:71:a4:a7) and see why it's having issues with RADIUS. This will clear some log issues.
    167 Sat Mar 14 21:20:36 2009 RADIUS server 172.25.200.183:1812 failed to respond to request (ID 8) for client 00:12:0e:71:a4:a7 / user 'unknown'
    2) You have a few rogue APs. Identify these as friends or foes and this will remove these from your list.

  • Alerting of "Malicious" Rogue APs

    Hi,
    In WCS, I see that we can set a severity level for rogue APs, which is minor by default. What I'd like to do is set APs classified as Malicious Rogues (based on the rogue policies) to have a different severity -- critical to be specific. The goal here is to have an email trigger based on rogue AP detection, but only for those classified as malicious. How do I accomplish this?
    I'm running WCS 7.0, w/  a WLC 4404 on 6.0 code.
    Thanks,
    David Swafford, Network Engineer, CareSource
    Cisco Certified Network Professional  |  Cisco NAC Specialist  |  EC-Council Certified Ethical Hacker

    A possible alternative solution would be to have WCS send SNMP traps to a 3rd-party monitoring system, which could be configured to trigger an alert if it receives a notification indicating a new rogue AP has been detected and classified as malicious.  This is from the WCS MIB file:
    cWNotificationSpecialAttributes OBJECT-TYPE
        SYNTAX          OCTET STRING (SIZE  (1..1024))
        MAX-ACCESS      read-only
        STATUS          current
        DESCRIPTION
            "This object represents the specialized attributes required
            to describe the network condition identified by
            cWNotificationType. These include SNR, RSSI, channel information
            etc. This value is formatted as 'name=value' pairs in CSV
            format. For example, rogueAP Alert's special attributes are sent
            as 'detectingAPRadioType=a0,YCoordinate=0, state=11,
            rogueApType=0, spt Status=0, ssId=wpspsk, on80211A=0,
            numOfDetectingAps=0, on80211B=1, XCoordinate=0,
            classificationType=3, channelNumber=6, containmentLevel=0,
            rssi=-51, rogueApMacAddr=00:1b:2b:35:6a:f3, onNetwork=0, total
            RogueClients=0'. This string can be parsed to get different
            name-value pairs."
        ::= { cwNotificationHistoryEntry 12 }
    I haven't actually gotten around to trying this yet.  Hopefully I'll have time during the holiday season.  If anyone else gets it to work in the meantime, let me know!
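    As an added example (not from this thread, WCS, or any Cisco software), the following Python parses the CSV 'name=value' string quoted from the MIB above and then applies the RSSI rule from the first answer in this thread. The numeric classificationType code WCS uses for "Malicious" is not stated on this page, so it is an assumption the caller must supply; the sample attribute string is constructed from the MIB's own example text.

    ```python
    """Turn one WCS rogueAP trap's cWNotificationSpecialAttributes string into
    a dict and decide how loud the alert should be.  Added example; not code
    from Cisco WCS or from this thread."""
    from __future__ import annotations

    # Constructed sample: the example string from the MIB DESCRIPTION, joined
    # onto one line.  The wrapped names ("spt Status", "total RogueClients")
    # are kept exactly as the MIB prints them; only surrounding whitespace is
    # trimmed, so the keys below read the same as the MIB text.
    SAMPLE_ATTRS = (
        "detectingAPRadioType=a0,YCoordinate=0, state=11, rogueApType=0, "
        "spt Status=0, ssId=wpspsk, on80211A=0, numOfDetectingAps=0, "
        "on80211B=1, XCoordinate=0, classificationType=3, channelNumber=6, "
        "containmentLevel=0, rssi=-51, rogueApMacAddr=00:1b:2b:35:6a:f3, "
        "onNetwork=0, total RogueClients=0"
    )


    def parse_special_attributes(raw: str) -> dict[str, str]:
        """Parse the CSV 'name=value' format into a dict.

        Each field is split on its FIRST '=' only, so a value containing ':'
        or '=' (a MAC address, a base64-looking SSID) is preserved intact.
        A field without '=' is malformed and raises rather than being
        silently dropped, so a truncated trap is noticed instead of
        producing a quietly incomplete record."""
        attrs: dict[str, str] = {}
        for field in raw.split(","):
            field = field.strip()
            if not field:
                continue  # tolerate a trailing comma
            if "=" not in field:
                raise ValueError(f"malformed attribute (no '='): {field!r}")
            name, value = field.split("=", 1)
            attrs[name.strip()] = value.strip()
        return attrs


    def rogue_severity(attrs: dict[str, str], malicious_class: str,
                       hot_rssi: int = -65) -> str:
        """Map one parsed rogueAP trap to an alert severity.

        malicious_class: the classificationType code WCS emits for Malicious
            rogues.  This page does not state the code, so the caller passes
            it in (assumption).
        hot_rssi: the rule from the first answer in this thread; a rogue
            heard at -65 dBm or hotter is probably inside your walls and is
            worth a look even before the controller classifies it."""
        if attrs.get("classificationType") == malicious_class:
            return "critical"
        try:
            rssi = int(attrs.get("rssi", "-128"))
        except ValueError:
            rssi = -128  # unparsable RSSI: treat as effectively not heard
        if rssi >= hot_rssi:
            return "review"
        return "minor"  # WCS's default rogue severity, unchanged


    if __name__ == "__main__":
        parsed = parse_special_attributes(SAMPLE_ATTRS)
        for key in ("rogueApMacAddr", "ssId", "classificationType", "rssi"):
            print(f"{key:>20} = {parsed[key]}")
        # "3" here is only the value from the MIB's sample, not a claim
        # about what WCS means by it.
        print("severity:", rogue_severity(parsed, malicious_class="3"))
    ```
    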

  • How to avoid interferences caused by rogues APs

    Hi Everybody,
    I have a WLC running well with 10 LAPs.
    The problem is that I have approximately 60 rogue APs and a lot of perturbations in the signal (noise, interference, ...) caused by these APs.
    How do I avoid these interferences?? Is it the Malicious APs classification??

    wow! belay that...DO NOT CONTAIN THE ROGUES!
    Unless you can prove they are in your network and shouldn't be, there can be legal ramifications for doing so.
    What you need to do first is adjust the sensitivity for rogues. By default it's -128; change that to -75. Once you've done this, then you can evaluate which rogues are in your network, or belong to neighboring businesses. For neighboring, go talk to their IT staff and see if you can get them to lower power so you aren't interfering with each other, because if you see them, they probably see you as well.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • How to Prevent or Block Rogue APs from Joining Your Wired or Wireless WLANs

    Hi all, I deployed a WLAN with 1 WLC 4400 and 5 1252 APs. I do not see a way to block Rogue APs from joining the wired or wireless WLANs.

    PART 1
    There are three parts to this:
    1. detect - automatic
    2. classify - by default APs are untrusted/unknown, various methods can be configured to classify them as trusted and threat (connected to wired network).
    3. over the air contain (aka mitigate) - in 4.x this is manual, in 5.x you can configure auto-containment
    First you need to detect. WLC does this automatically out of the box. It listens to the air for unknown APs, clients and ad-hocs. Are you seeing Rogue APs under Monitor > Rogues > Rogue APs?
    Next, you can manually classify rogue APs as "known" (internal or external). Starting with 5.0 you can also build rogue rules based on RSSI, SSID, Clients, etc. If an AP is classified as "known" (internal or external), WCS stops alerting you.
    Another key classification piece is to detect whether or not the rogue AP is physically connected to your network, which is a high security risk. There are three ways WLC can detect it and none of them is automatic. You must configure these methods manually.
    1. Rogue AP Detector, aka ARP sniffing. You have to dedicate one AP as "Rogue Detector" (change AP mode from local to rogue detector). Configure the port the AP is connected to as switchport mode trunk (normally it's switchport mode access). Rogue Detector AP turns off and doesn't use its radios. When WLC detects rogue APs it can also detect the MAC addresses of any clients associated to that rogue APs, and the rogue detector AP simply watches each hardwire trunked VLAN for ARP requests coming from those rogue AP clients. If it sees one, WLC automatically classifies the rogue AP as "threat" indicating that the rogue AP is physically connected to your network. It doesn't actually do anything with the rogue AP, it simply classifies it and alerts you. Also, keep in mind that this method doesn't work if the rogue AP is a Wireless Router, because Wireless Routers NAT and ARP requests don't propagate to the wire.
    2. RLDP. Rogue Location Discovery Protocol. This feature is by default turned off and can be enabled under Security > Wireless Protection Policies > Rogue Policies. This feature works only when the rogue SSID is open, meaning that it's not using WEP/WPA/802.1x. When you enable RLDP, your WLC will pick some AP (you can't pick manually) which hears Rogue AP traffic, it will temporarily shut off its radio, turn it into a client, and instruct it to associate to the Rogue AP as a client (this is where the requirement comes in for the Rogue SSID to be open authentication). Once associated, the AP gets a DHCP IP through the Rogue AP, it then sends a special small UDP port 6352 RLDP packet to every possible WLC IP address (mgmt IP, AP manager IP, dynamic interface IPs). If WLC gets one of those packets, it means that the rogue AP is physically connected to your network. This method will work when the Rogue AP is a Wireless Router. But this method is not recommended. It has an adverse effect on your wireless clients because the RLDP AP goes offline for a period of time, disconnecting your clients and forcing them to associate to another AP. Also, keep in mind that WLC runs this RLDP process *once* per detected rogue AP. It doesn't periodically do this, it only does it once. In some later WLC versions, you can configure RLDP to run only on "monitor mode" APs, eliminating impact on your clients. Also, you can manually trigger RLDP for a rogue AP from CLI "config rogue ap rldp initiate ". You can "debug dot11 rldp" to see the process.
    3. Switchport Tracing (need WCS, and WLC 5.1). This is a later feature that requires WCS. You can add your Catalyst switches to WCS, and WCS will look at CDP information and MAC tables on your switches to detect whether or not Rogue AP is connected to your network. This works with secured and NAT rogues. You can also *manually* instruct WCS to shut down the switchport that Rogue AP is connected to.

  • 2106 Not detecting that Rogue is on network

    I have a very basic WLAN setup with a 2106 controller and 3 (will be 4) 1140 APs.
    As part of securing the network I have been testing the rogue detection. The system has no trouble detecting and shutting down honeypots. I would like to also automatically shut down Rogue on Wire points. The system sees my test AP just fine. And I have it completely open (no security). But the system never detects that the rogue is on our network, so no action is taken.
    I can connect just fine to the test AP with no encryption using DHCP and communicate with everything on the network just fine.
    Is there some setting I am missing that allows the APs to detect that an AP is on wire?

    Hi Matthew,
    I've moved your topic to the Other Wireless - Mobility subjects community, where the experts on your product are.
    You mistakenly posted in the Small Business Wireless community, which is for Cisco Small Business Wireless products.
    Regards,
    Cindy Toy
    Cisco Small Business Community Manager
    for Cisco Small Business Products
    www.cisco.com/go/smallbizsupport

  • Need help: Few of APs suddenly fail for user connection establish

    Hi there,
    Need advice on this problem. Our campus internal wireless system was working fine until weeks ago, when this issue occurred.
    Our campus is running on LWAPP AP1242, WISM ver 5.1, and external Radius server using 802.1x.
    Clients authenticate to the SSID via the 802.1x external server that is compliant with the WLC. The clients around certain APs had a problem authenticating even though the signal of the SSID was so strong. The users had registered to the RADIUS server and they had successfully connected to other APs before with the same system.
    These certain APs were random; each day, for more than hours, it failed to establish a connection to the SSID. After several hours, it is back to normal (working fine). For those APs that were suspected, I had changed to a totally new AP, assuming that the previous one had a hardware problem. But it kept happening to the new AP that had been installed.
    Then I suspected that the external RADIUS might be the reason, so I configured one SSID with open access for that AP. But I failed to connect to the SSID with open access during the problem. After hours it then successfully connected to open access.
    Why did this suddenly happen? It was all working fine, and suddenly this occurred. Is this because of a rogue AP jamming the signal? Configuration? SSID broadcast? Firmware issue?

    1. Maybe someone with a similar system is detecting your APs as rogue APs and is containing them.
    - Not really sure about that, how can we detect it? By enabling rogue detection, the area involved with this issue shows not much rogue around.
    2. Among the clients having issues; what band are they using b/g, a, both?
    - 11b will be the minority. 11g will be the largest user.
    3. Do you have a load restriction policy defined? When an ap reaches its max load it will drop additional clients trying to associate.
    - Not really. The threshold of clients per AP will be 70 users. We had identified only 30 users associated with a single AP.
    4. What type of wireless cards are the clients using? Are they all the same or all different?
    - We handle around 2000 users during peak time, so wireless cards will be mixed. Intel cards will be the most.
    Additional inquiries
    - Would allowing clients to use only one single VLAN for IP assignment help to handle this issue? Currently we are using AP groups via different VLAN segments.
    - Would disabling WLAN override on each AP help to handle this issue?

  • No key field found for creation of DataSource - Classification Datasource

    Hello,
    While trying to create a classification datasource based on 0PLANT_ATTR, when I assign a characteristic and push the DataSource button, I get the following message:
    No key field found for creation of DataSource
    Diagnosis
    During generation of a classification or configuration DataSource, only those key fields for the object table (field "Obj.Tabelle") that are already present in the basis DataSource are transferred to the extract structure. This is the case when none of the key fields of the object table were found in the structure of the basis DataSource.
    System response
    A DataSource cannot be created without key fields. The action was cancelled.
    Procedure
    Check whether you have selected the correct basis DataSource and object table. For more information, please see SAP Note 569849.
    Do you know what can be the problem?
    Thank you and regards

    Hi Alberto,
    Plants are a special case. The key which is used for the classification of plants (object type BETR) is not the same as the key which is used in datasource 0PLANT_ATTR.
    BETR has key LOCNR (Site). That's a customer related to a plant. The customer number will be extracted in field LOCNR.
    0PLANT_ATTR extracts the plant in its key field WERKS.
    Transaction CTBW and the generic extraction program for classifications don't know the relationship between LOCNR and WERKS. So they cannot map them.
    I do recommend a solution which would add the mapping between LOCNR and WERKS:
    1. Create please the classification datasource as intended, but use datasource 0RT_LOC_MGR_ATTR as basis datasource. It's the only datasource of the content where LOCNR is a key field. So 0RT_LOC_MGR_ATTR is used as a dummy here, to allow transaction CTBW to create the classification datasource. It's not necessary to extract data with datasource 0RT_LOC_MGR_ATTR.
    2. Extend please the extract structure of the created classification datasource. Add please field WERKS using component type WERKS_D. Make this field visible.
    3. Fill field WERKS in the extractor user exit EXIT_SAPLRSAP_002. WERKS can be read from table KNA1 by using the customer number extracted to LOCNR to select on field KNA1-KUNNR.
    4. Transaction CTBW_META on the BW system isn't able to append the characteristics from the classification datasource to infosource 0PLANT, because the keys are different. So create please a new infosource with CTBW_META. This allows CTBW_META to create the info objects for the characteristics used in the classification datasource.
    5. Add please the characteristics used in the classification datasource to infosource 0PLANT manually. You will find the info object names of the characteristics by looking up the characteristic datasources which are assigned to the classification datasource in transaction CTBW. From these names you can derive the info object names:
    1CL_A... -> C_A...
    6. Disconnect the infosource which has been created with CTBW_META from the classification datasource.
    7. Connect please the classification datasource to infosource 0PLANT. Use the following info object:
    info object   field
    0PLANT        WERKS
    The info object names for the characteristics are explained in step 5.
    8. Add an infopackage to infosource 0PLANT for the classification datasource.
    Now the extraction of classifications of sites should work.
    Best regards,
    Rolf
    P.S. I saw the system messed it up and doesn't display any new and empty lines. Sorry, I hope you still can read it.
    Edited by: Rolf Doersam on Mar 26, 2010 6:56 PM
