Question on Rogue Detection

Hi All,
I have a question regarding rogue detection configuration on WLC.
We know that rogue detection can be enabled on a per-AP basis under the Advanced tab of each AP, starting from code 6.0, and it also supports rogue detection in RF groups when we configure the protection type as "AP Authentication" under the WLC Security tab, which will make APs authenticate frames based on the RF group name; if the name is different, then the AP is considered a rogue.
So the question is: if we only enable rogue detection at the AP level, but leave AP authentication selected as "none", how does the AP detect rogues? Does that mean that if any signal detected is not from the APs connected to the WLC, then this will be considered a rogue?
Also, in the configuration guide, under the section "enable rogue access point detection in RF groups", it says rogue detection will need the AP to be configured as either local or monitor mode, when we also have AP authentication enabled. However, if an AP is in H-REAP mode, we are still able to enable/disable rogue detection under the Advanced tab, so how do H-REAP mode APs detect rogues? Is that the same method as when AP authentication is selected as "none"?
Thanks in advance for your help.

I've done some tests as well:
I have multiple WLCs on the same mobility and the same RF groups. AP Auth type set to "none" on all of them. I took one WLC (I'll call it hereafter "My WLC") and changed its RF group name. I also changed its AP auth policy to "AP Authentication". All WLCs have the same SSIDs configured. I added one extra test SSID on "My WLC".
The results are:
- The WLC with different RF group name did not mention other APs as rogues. Other APs did not mention my WLC APs as rogues as well.
- There is a very high number of AP impersonations detected by "My WLC". Other WLCs did not detect AP impersonation. This indicates that other APs on other WLCs try to contain "My WLC" APs. However, "My WLC" does not seem to try impersonating other APs. (It is worth noting that the number of APs on "My WLC" is much less than the number of APs on other WLCs.)
- When using "AP authentication", a new IE appears in the SSID beacons.
The part highlighted in blue is the information that could not be interpreted (as seen highlighted in yellow above). This information differs based on the SSID. A different SSID name shows different information. This IE seems to carry the information about the RF group name. If this does not appear when using "none" as the AP auth policy, then WLCs cannot distinguish different RF group names if AP auth is set to "none". (Because I could not find any RF group info anywhere in the beacon packet. If you know it exists somewhere else, please let us know. So far I assume it is included in this vendor-specific IE.)
- When I changed the AP auth to "none", the number of AP impersonations reported started to decrease gradually. I'll keep monitoring to see what it will be after a couple of hours.
- The config guide is very useful. However, sometimes it is extremely stupid. Why?
     Well, because if you go to the part that talks about configuring MFP (http://tiny.cc/un6thw), and if you go to Step 5, you will find that the option mentioned in step 5 is not available in the AP. It tells you that to enable or disable MFP validation for a specific AP you can do this from under the Advanced tab. However, this option is not available under the Advanced tab. I had a big discussion with TAC about this a very long time ago. Prompted the doc guys about it but so far nothing has changed.
HTH
Amjad
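As an added illustration of the beacon check discussed above (my own example, not code from the original post or from Cisco), the following parser walks a beacon's tagged parameters, extracts vendor-specific IEs (element ID 221), and classifies the beacon the way the thread describes: our SSID carrying the expected RF-group IE is infrastructure, our SSID with that IE missing or carrying a different RF-group value is a rogue. The OUI, type byte and RF-group token are constructed placeholders; the real layout of Cisco's IE is not on the page.

```python
import struct

SSID_ID = 0
VENDOR_SPECIFIC_ID = 221
FIXED_FIELDS_LEN = 12  # timestamp(8) + beacon interval(2) + capability(2)

# Constructed placeholders for "our" infrastructure IE (OUI, vendor type byte and
# the per-RF-group token). Cisco's real IE layout is not on the page; these are assumptions.
OUR_OUI = "001122"
OUR_TYPE = 0x7F
OUR_RF_GROUP_TOKEN = b"RFGRP-A"
OUR_SSIDS = {"corp-wifi", "corp-guest"}


def parse_ies(tagged: bytes):
    """Return ([(element_id, payload), ...], complete) from the tagged-parameter area.

    complete is False when an element claims more bytes than remain, i.e. the
    frame is truncated/malformed and should not be trusted for classification.
    """
    ies, i = [], 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        payload = tagged[i + 2 : i + 2 + length]
        if len(payload) < length:
            return ies, False
        ies.append((eid, payload))
        i += 2 + length
    return ies, i == len(tagged)


def classify_beacon(body: bytes) -> str:
    """Classify one beacon frame body (fixed fields + tagged parameters)."""
    if len(body) < FIXED_FIELDS_LEN:
        return "malformed"
    ies, complete = parse_ies(body[FIXED_FIELDS_LEN:])
    ssid_raw = next((p for e, p in ies if e == SSID_ID), None)
    if not complete or ssid_raw is None:
        return "malformed"            # do not classify on a partial packet
    ssid = ssid_raw.decode("utf-8", errors="replace")
    if ssid not in OUR_SSIDS:
        return "rogue-foreign-ssid"   # not one of our networks at all
    for eid, payload in ies:
        if eid != VENDOR_SPECIFIC_ID or len(payload) < 4:
            continue
        oui, vtype, data = payload[:3].hex(), payload[3], payload[4:]
        if oui == OUR_OUI and vtype == OUR_TYPE:
            # Our SSID and our IE: genuine only if the RF-group token matches.
            return "infrastructure" if data == OUR_RF_GROUP_TOKEN else "rogue-wrong-rf-group"
    return "rogue-missing-ie"         # our SSID advertised without our IE


def build_beacon(ssid: str, vendor_ies=()) -> bytes:
    """Build a constructed beacon body: fixed fields, SSID, rates, vendor IEs."""
    body = struct.pack("<QHH", 0, 100, 0x0431)   # timestamp, interval, capability
    body += bytes([SSID_ID, len(ssid)]) + ssid.encode()
    body += bytes([1, 1, 0x82])                    # supported rates, single entry
    for oui, vtype, data in vendor_ies:
        payload = bytes.fromhex(oui) + bytes([vtype]) + data
        body += bytes([VENDOR_SPECIFIC_ID, len(payload)]) + payload
    return body


# Constructed sample beacons (not captured traffic)
GOOD = build_beacon("corp-wifi", [(OUR_OUI, OUR_TYPE, OUR_RF_GROUP_TOKEN)])
OTHER_GROUP = build_beacon("corp-wifi", [(OUR_OUI, OUR_TYPE, b"RFGRP-B")])
NO_IE = build_beacon("corp-wifi")
NEIGHBOUR = build_beacon("cafe-free", [("00aabb", 1, b"\x00")])
TRUNCATED = GOOD[:-3]

if __name__ == "__main__":
    samples = [("good", GOOD), ("other-group", OTHER_GROUP), ("no-ie", NO_IE),
               ("neighbour", NEIGHBOUR), ("truncated", TRUNCATED)]
    for name, frame in samples:
        print(f"{name:12s} -> {classify_beacon(frame)}")
```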

Similar Messages

  • Rogue detection with Prime 2.1

    Hi@all,
    I know, many questions in the last days, but I must say, the last WCS works better than the combination Prime 2.1 and 5760 ;).
    My problem: we have a huge campus and at peaks ~1500 rogue APs.
    In my new configuration (2x 5760 and Prime 2.1), the WLC sees the rogue APs but in the security dashboard at Prime no rogues are listed.
    The 5760s are in the same mobility/RF group; the polling interval at Prime is 15 minutes.
    Maybe some one has a similar problem and could help.
    regards
      René

    Hi
    Do you see the rogue AP on the 5760 itself? "show wireless wps rogue ap summary" output shows you the identified rogue APs. If you can't see anything there, then you may not have enabled Rogue AP detection on your controller. See whether in your 5760 configuration the first line below is configured (which will enable rogue detection). The second line is to increase the threshold to minimize false detection. Refer to the 5760 RRM config guide for more details.
    wireless wps ap-authentication
    wireless wps ap-authentication threshold 50
    This document describes some of the best practices of 5760 configuration, including rogue detection as well.
    Cisco 5760 IOS Wireless LAN Controller Configuration Best Practices
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Rogue detection

    Hi,
    I would need some clarifications about rogue AP detection. First, in order to configure the passive rogue detection is it necessary to just setup a rogue detector AP or I also need to enable RLDP? Second, in your experience how much is it reliable?
    Thanks,
    Matteo

    Hi Matteo:
    Passive rogue detection is just on--no rogue detector AP required!  Just like anything else in life, the more resources you put toward something, the better it's going to be.  If you have AP Authentication or MFP configured (which you should anyway), you'll have fewer false alarms and the routines will know not to call your own APs rogues.  RLDP will tell you if a rogue AP is just cabled up in your network but doesn't have any clients yet and will allow you to do switchport tracing to find one from the switch side.  Rogue Detector APs don't handle client traffic, they just dedicate themselves to listening and reporting rogue activity back to the controller.  In a world where budgets are tight, we hear that it can be tough to get funding for APs that don't service clients.  Again, you don't *have* to do any of it, just the more you put in, the more accurate your results will be.
    As for inaccuracies, that usually comes from folks having things misconfigured in their network or not having enough configured (i.e. choosing to not do RLDP or Rogue Detectors.)
    Sincerely,
    Rollin Kibbe
    Network Management Systems Team

  • Rogue Detection and SPT issues

    Deployed wireless a few months ago. From a client to infrastructure standpoint, the majority of users are happy with the ability to go wireless with their personal and work devices.
    The problem we're facing is proper identification of rogue APs on our wired network (hot spots aren't important).
    I've set up a few Linksys APs connected to our access switches and found WLC/Prime finds the rogue APs, but when an SPT is performed, both WLC/Prime state it's not on the wired network (which is not true). If I do a manual trace in Prime, it will work, but I can't do a manual trace every time I get an alert (we're in a major US city). Further investigation shows the LAN and WLAN MAC addresses of this Linksys router are +/- from one another (confirmed with the ARP table on the access switch and going into Prime and looking at the alert), in which case Prime should see it as WIRED and mark it as a ROGUE and alert me.
    Found a document
    http://www.cisco.com/en/US/customer/docs/wireless/prime_infrastructure/1.3/configuration/guide/admin.html#wp1603927 stating only the following switches are supported: 3750, 3560, 3750E, 3560E, and 2960.
    I can't see how these are the only supported devices, most are older than the 4510. I posted this in another thread and a rep provided me the link
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml
    Read this and even went further and read the ROGUE MANAGEMENT WHITE PAPER
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml
    This does not mention a limitation on switch support. It states that if CDP and SNMP are enabled, along with the local access switches added to Prime, it should work.
    Here is the current list of deployed devices, code and basic configuration:
    Access Switches - 4510 - image: cat4500e-universalk9.SPA.03.02.02.SG.150-2.SG2.bin
    WLC - 5500 - image 7.4.103.9
    AIR-CAP3602I-A-K9 - 152 deployed, 151 are configured for Local Mode, 1 is configured as Rogue Detector (trunked with all access VLANs passing through)
    RLDP is enabled on all Local Mode APs - which after reading is not best practice because of time slicing and the fact that it degrades client quality and can kick users off
    Basically looking for feedback from others who have deployed wireless and have successfully configured their environment for ROGUE AP DETECTION with SPT. What are your thoughts and what do you run?
    Thanks in advance

    Mark:
    Complaints about the performance of Switchport Tracing are pretty common.  The best way to build this out is to start with your planted rogue AP connected to the same switch that your Prime Infrastructure server connects to--or the first wired switch that the ESX/ESXi host connects to--and validate that it works there, make whatever changes you need to get it working, then move the planted rogue AP to the next switch and so on.  The logging modules Configuration, General, Monitor, GUI, System and Tools should cover everything you need to know about why Switchport Tracing isn't giving the results you expect.  This "start small and work your way up" approach helps you learn lessons about what needs to be configured on all your switches to have it working the way you want it to.
    Configuring Switchport Tracing

  • Question about device detection

    iTunes doesn't detect my device (iPhone and iTouchP), so it's not possible to sync anything.  How can this get fixed?
    Thanks,
    karennyc

    iOS: Device not recognized in iTunes for Windows - Support - Apple
    support.apple.com/kb/ts1538
    iOS: Device not recognized in iTunes for Mac OS X - Support - Apple
    support.apple.com/kb/ts1591
    Just see these articles according to the OS you have on your computer.
    CHEERS !

  • WLSE adjust beacon count for rogue detection

    Hi all,
    Does anyone know if there is any way to adjust how many beacons it takes for a device to be displayed as a rogue in device faults? I've been all over the settings area and cannot find anything regarding it.
    WLSE is version 2.9
    Here's what's happening:
    campus of about 300 1210G AP's
    Friendlies are showing up as rogues after seeing a single packet. This is typically a malformed packet, meaning it is incomplete, i.e. the SSID is incomplete.
    ALL friendlies are managed by WLSE and are in the database.
    What I would like to do is have it require seeing 2-5 beacons before it is tagged as a rogue and entered into the faults table.
    Thanks,
    Brian

    Hi,
    I recommend that you do not load 12.3.(2)ja code; there are several bugs associated with this code. One being trouble acquiring a DHCP address, and the other is that APs will reboot whenever they feel like it. The DHCP problem I have not experienced, but there is a bug listed with TAC and several people on the discussion pages have had this problem. I have just started to see my APs that have this code reboot, and there are several others on the discussion page who are saying they are having the problem with 1100 APs. I have over three hundred APs (1200, 1100, 350), most running 12.2.(15)ja without any problems other than the WLSE rogue issue.

  • Rogue Detector question

    I have 2 controllers 2106 both with the same mobility group, I have 3 APs in one controller and 3 APs on the other. I have just one rogue detector. Do I need a rogue detector on both or just in one controller?

    Rogue detection is not bound by any regulations and no legal adherence is required for its operation. However, rogue containment usually introduces legal issues that can put the infrastructure provider in an uncomfortable position if left to operate automatically. Cisco is extremely sensitive to such issues and provides these solutions. Each controller is configured with an RF Group name. Once a Lightweight AP registers with a controller, it embeds an authentication Information Element (IE) that is specific to the RF Group configured on the controller in all its beacons/probe response frames. When the Lightweight AP hears beacons/probe response frames from an AP either without this IE or with the wrong IE, then the Lightweight AP reports that AP as a rogue, records its BSSID in a rogue table, and sends the table to the controller. There are two methods, namely Rogue Location Discovery Protocol (RLDP) and passive operation. These two are described in detail in the link below.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml
    As you can see from above all APs listen for rogues based on the above criteria but this is costly in resource overhead and is better solved by placing certain APs in rogue detection mode. This will become even more invaluable with the advent of the IDS/IPS solution.

  • Wireless Authentication/Security Design questions

    Wireless newbie here... I was required to quickly stand up a wireless deployment at a new warehouse/office building. I have the basic network up and working. My remote APs have associated with the 2106 in the main office, and users can associate and authenticate with the 1130G APs and can access the office network. I did the basic configs and am now looking to tighten up security. My questions are as follows:
    1) The user clients are Dell Laptops with integrated wireless. They authenticate using LEAP..how do I migrate to EAP or do I need to. I have a Cisco ACS doing RADIUS authentication now.
    2) Should I be using some kind of supplicant client on the laptops?
    3) How do I filter MACs so rogue APs and rogue clients can't try to associate?
    4) Am I correct in assuming the connections between the 1130 AP's and 2106 are secured and if so do I need to tweak anything to tighten them up?
    5) I have an AP in the main office building that I want to setup to detect rogue AP's. Do I have it associate as a regular AP and push some kind of policy to turn it into a detector?
    I have attached a diagram to help explain. Any help would be appreciated.
    v/r
    Chad

    1. LEAP is a form of EAP, so you must already have something terminating your EAP sessions. The WLC can do this to some extent, or ACS. Which one you chose will be based upon your requirements for manageability, scalability and feature-richness. I would suggest that PEAP-MSCHAPv2 provides a good balance of usability and security, and is significantly better than LEAP.
    2. No, stick with Windows XP SP2 supplicant. This can be configured using domain policy (2k3 SP1 or better) and is pretty good. Just make sure your laptops have new Intel drivers on them. Dell in particular have been quite bad with sending out old drivers in the builds.
    3. MAC authentication is now largely regarded as a waste of time. It is so easy to spoof a MAC address it's ridiculous, and it's a fair amount of work for the admin(s).
    4. The LWAPP tunnel encrypts all management / config / security related traffic between the AP and WLC, while user data is simply encapsulated in LWAPP, so it can potentially be read if packets are captured.
    5. All APs will do rogue detection, don't really need to have dedicated APs unless you're REALLY paranoid. Main benefit is quicker detection, but drawback is that the 'detector' AP won't serve clients.
    Regards,
    Richard

  • Puzzler - Is there a way to detect when an external headphone or speaker is plugged in?

    I have a puzzler, and my initial question is simply, is there a way to see via Windows if/when an external headphone or microphone is plugged in, or is that all an electrical circuit independent of the OS?
    Background: (not necessarily the question I'm asking, but providing anyway):
    The background is this: dozens, hundreds, I think thousands of owners of Toshiba Satellite laptops with Conexant sound devices (including myself) the world over have this problem where the sound stops working about 1 to 2 minutes into playing non-stop sounds/music/videos. In spite of all the experts telling these poor people to run a system restore and wipe out the past years of files and everything on their computer, the problem prevails no matter what. Some have even installed Linux, and the problem persists. To me, it seems that the problem doesn't occur if the only sounds are the occasional bing or bong from a system warning; it seems to fail after 1 to 2 minutes of continuous play (but this particular observation is mine only, nobody else has taken the time to point that out).
    A few have claimed success via blowing the jacks out with compressed air, but that's not repeatable universally. Most people end up keeping external speakers plugged in permanently. In other words, it seems a lot like a hardware problem; however, {edit 3}, my addition of "Edit 2" below makes it seem less like hardware.
    One interesting thing: headphones/speakers work permanently, there's no problem. More curiously, when the sound goes out, plugging any form of headphone/microphone jack into EITHER the headphone OR the microphone jack turns the sound back on too. This includes a male-to-male extension cable with nothing installed. If nothing is on the other end, the sound will go out again shortly, but jiggling or removing the male-to-male turns it back on.
    EDIT 2: When the sound goes out, another way to get it back: from the system tray, right-click the speaker item and choose SOUNDS. The virtual VU meter shows that audio is playing (in tandem with the song, etc.), and is still showing audio playing. The tabs available are Playback, Recording, Sounds, and Communications. When the sound does stop (assuming I was watching Playback), I click the Recording tab (just the tab header), and sound starts again.
    P.S. What's the difference between "High Definition Audio Controller" under System Devices, and "Conexant SmartAudio HD" under "Sound, Video, and Game Controllers", in Device Manager? The "Conexant SmartAudio HD" points to the latest Conexant driver, the "High Definition Audio Controller" points to a default Windows driver. Just curious.
    I've Binged this extensively: Toshiba doesn't acknowledge the problem and nobody has fully solved the issue. I'm just curiously trying a few things myself, and I'm not sure if there's a way for the system to tell me an external mic/speaker has been plugged in.
    So to recap: my main question, can I detect when the computer thinks a headphone or microphone is plugged in? (My theory: if I can prove that the computer THINKS something is plugged in, it's a start.)
    Only secondarily, if anyone's interested, feel free to suggest ideas (here's what dozens of other posts have disproven: system restore; Windows reinstall; outdated sound driver; outdated video driver; remove and re-detect sound device via Device Manager; malware; BIOS upgrade; Flash and/or the Flash/Firefox/hardware acceleration issue (problem happens with MP3, Flash, WMA, HTML5, games, everything)).
    Thanks in advance!
    EDIT: One person (theirs was under warranty, mine's not) ended up getting a new motherboard & speaker via Toshiba warranty, diagnosis "machine intermittent no sound due to PCB faulty". I'm still interested in troubleshooting, though. Link:
    One lucky person, who got their motherboard replaced (they were under warranty, most of us aren't)

    Hi,
    If there are any headphone or speaker plugged in and detected, it will show in audio device manager console.
    Type mmsys.cpl in Run, it will open Sound console.
    Have you tried Hardware and Sound troubleshooter?
    Andy Altmann
    TechNet Community Support

  • AP goes off channel while identifying rogue ap threats

    I'm having a problem where client connections get dropped when the AP identifies a rogue AP threat.  In some cases, the client is dropped every 5 minutes for up to 30 minutes.  My clients are connected over a RADIUS setup authenticating with an IAS service.
    Found this on Cisco Support site:
    Cisco lightweight access points are known to go off channel for up to 30 seconds (typically 1 to 2 seconds) while identifying rogue access point threats, when the Cisco lightweight access point has RLDP enabled. This can cause client connections to be dropped occasionally (CSCar10047).
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/r1x4x31.html
    Should RLDP be disabled or enabled?  Is there any work-around for this?
    My WLAN Environment:
    - Controller - WLC2106; software version 6.0.182.0
    - (3) 1242ag Access Points
    - (1) 1131ag Access Points
    Thanks in advance.

    As a troubleshooting step, I have disabled RLDP on all Wireless Networks.
    (Cisco Controller) config> rogue detection disable all
    I'll monitor and report back after 4 business days.

  • Finding rogue APs that are on wired network

    I am beginning to think that there is no way to guarantee that a rogue AP is connected to your wired network. I have read up on RLDP and "rogue detection". I was excited because I thought rogue detection would accomplish this. However, when I connect an autonomous AP to my wired network it does not get identified as being on my wired network despite the "rogue detector" being in place and connected to a trunk port with all network VLANs on it. In thinking through this I believe this is because the radio MAC and Ethernet MAC are different on the autonomous AP. The Ethernet MAC of the autonomous rogue AP is in the rogue detector DB, not the radio MAC. So when the detecting AP sends the radio MAC to the rogue detector it doesn't get flagged. Can anyone confirm this? And if so, offer any insight into a workaround. I was able to get a "rogue client" flagged as a threat connecting via this AP, because its ARP entry is in the rogue detector's DB. But I can't get the AP flagged. If this is the case then rogue detection is more or less useless to me, because I care about rogues on my network (obvious security breach), not rogues in other businesses in my area. I'd rather know when the rogue AP goes in and not have to wait until a rogue client connects to it. Please advise....
    Regards Chuck

    Network Chemistry makes a free tool (as well as a more advanced product you can buy) that might fit the bill for you. It relies on people properly classifying the devices on their own network with the free tool to build a database of device types based on the vendor ID digits of MAC addresses, as well as some SNMP scanning (I think). A link is below. I don't have a lot of experience with the tool, only because I'm not entirely convinced of its accuracy, but to be honest, I've never really used it in a production environment.
    Good luck!
    -Chris
    http://www.networkchemistry.com/products/roguescanner.php
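Mark's thread and Chuck's thread above turn on the same gap: the rogue's radio BSSID and its wired Ethernet MAC are close but not equal, so an exact match against the switch side (what the rogue detector AP does) misses it. The following added example (my code, not Cisco's, Prime's or the tool linked above) correlates over-the-air BSSIDs against a constructed IOS-style MAC-address-table dump using a small +/- tolerance, so a defender can see which rogues are probably plugged into which switch port. The tolerance of 4, the sample addresses and the table text are assumptions.

```python
import re

# IOS "show mac address-table" writes MACs as xxxx.xxxx.xxxx
IOS_MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}", re.IGNORECASE)


def mac_to_int(mac: str) -> int:
    """Accept 00:1d:7e:12:34:56, 00-1d-7e-12-34-56 or 001d.7e12.3456."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def parse_mac_table(text: str):
    """Return [(mac, vlan, port), ...] from IOS-style MAC table output.

    Header and separator lines are skipped because their second column is not a MAC.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and IOS_MAC_RE.fullmatch(parts[1]):
            entries.append((parts[1].lower(), parts[0], parts[3]))
    return entries


def correlate(bssids, wired_entries, tolerance=4):
    """Map each BSSID to wired MACs within +/- tolerance of it.

    tolerance=0 reproduces the exact-match behaviour the thread complains about:
    an autonomous AP whose wired MAC is off by one from its BSSID is never matched.
    The value 4 is an assumed heuristic, not a vendor rule.
    """
    hits = {}
    for bssid in bssids:
        b = mac_to_int(bssid)
        for mac, vlan, port in wired_entries:
            delta = mac_to_int(mac) - b
            if abs(delta) <= tolerance:
                hits.setdefault(bssid, []).append((mac, vlan, port, delta))
    return hits


# Constructed sample data: rogue BSSIDs reported over the air, and a
# constructed access-switch MAC table (not from a real device).
ROGUE_BSSIDS = ["00:1d:7e:12:34:56", "00:1d:7e:12:34:62", "d8:5d:4c:aa:bb:cc"]
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001d.7e12.3455    DYNAMIC     Gi1/0/7
  10    0011.2233.4455    DYNAMIC     Gi1/0/2
  20    001d.7e12.3460    DYNAMIC     Gi1/0/9
  20    b827.eb11.2233    STATIC      Gi1/0/1
"""

if __name__ == "__main__":
    wired = parse_mac_table(MAC_TABLE)
    for bssid, matches in correlate(ROGUE_BSSIDS, wired).items():
        for mac, vlan, port, delta in matches:
            print(f"{bssid} likely wired as {mac} (vlan {vlan}, {port}, offset {delta:+d})")
```

Every hit still needs confirmation on the switch port before anyone acts on it; a shared OUI and a nearby address is a strong hint, not proof.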

  • Rogue reporting in WCS

    Can anybody tell me what the difference is between the following 2 default Security reports:
    Rogue APs
    Rogue APs Event
    We run both of these nightly, but the Rogue APs Event report is usually about 20 pages or so, and the information there has way more than what I see when I compare to my controller. The Rogue APs report usually matches what I see on my controller regarding current rogues. Does the Rogue APs Event report just detail everything that the access points have seen in the reporting time period? Some clarification on this would be greatly appreciated.
    Thank you.

    Rogues Detected by APs Report displays information about specific rogue access points detected on the network, rather than having to look into each rogue alarm and manually assemble a list. The data that is returned includes but is not limited to the following: the name of the detecting access point, the MAC address of the rogue, and the location of the rogue.
    And the Security Summary Report shows the number of association failures, rogue access points, ad hocs, and access point connections or disconnections over one month.

  • Error! cannot enable extended adj rogue

    I need a little help.
    When enabling Adjacent Channel Rogue (Management>Trap Controls>Security), I get the following error:
    Error! cannot enable extended adj rogue.
    Why do I get this error?
    Reading the WLC help pages, I did not see any documentation on this error nor enabling Adjacent Channel Rogue.
    Searching the Cisco Wireless LAN Controller Configuration Guide, Release 7.4, I did not see any documentation on this error nor on enabling Adjacent Channel Rogue.

    I never use it, but it probably gives you an error because you are not using either monitor mode APs or RLDP. You don't want to enable RLDP either, just to let you know. Here is more info on rogue detection, and it does explain the caveats of using RLDP.
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml
    Sent from Cisco Technical Support iPhone App

  • Don't see any rogue ap with cisco AP 1522

    Hi,
    I'm not able to detect any rogue AP using 1522AG APs.
    The ap are in bridge mode (not able to change this operational mode) and rogue detection is enabled on the ap.
    Waiting for any hints ...
    Thanks, luigi cacco.

    My info was outdated. The 1522 can detect rogues in recent software versions. But:
    CSCtn50893   1520 Stopped Detecting Rogues
    4402 7.0.98.
    1522's are in a college environment and typically report hundreds of rogue ap's.
    Without any changes, the 1522's stopped detecting and reporting rogue ap's.
    The customer has toggled the IDS(Rogue and Signature Detection) value,
    rebooted controller, still doesn't work.
    1142's associated to the same controller have always and continue to detect and report rogue ap's.
    Fixed in 7.0.116

  • Firefox has detected the server is redirecting the request for this address in a way that will never complete. This is happening in my email program with comcast but does not happen with IE e


    Thanks to cor-el for the suggestion given in the link. Sadly I have to report:
    1) It is not a bookmark problem and it makes no difference whether I put
    www.adobe.com or 192.150.18.117 in the address bar.
    2) Cookies are allowed and there are no exceptions set
    3) All cookies have been deleted
    4) network.http.sendRefererHeader is already set to 2
    That deals with the items in the linked document.
    Additional information:
    5) I can get into the adobe site from a clean "in memory" installation of PuppyLinux using Seamonkey using the same router and dhcp setup.
    6) Uninstalling all Mozilla products, rebooting and re-installing makes no difference, even when I remove the Mozilla folder from docs&settings.
    So as I said in the previous post (as anonymous), not a lot makes sense.
    Bear in mind that I have no problem running tracert in a command window
    and I can ping the site.
    so where now ?
