Rogue Access Point Detected

Similar Messages

• Rogue Access Points

  Hi everybody,
  I have a question about Rogue Access Points.
  We have a Wlan controller (2504) and it sees rogue access points.
  I know there are some tools, if you tell it that it's a bad rogue access point, it starting to kick people of that access point. Just to be sure that no one is on that access point that can join your network for some reason.
  But with the Cisco 2504 i have some options. As you all will know.
  But i wonder what happens if i set it to malicious. I know what friendly means. I don't want that i screw up that access point of our neighbours. But now it stays there in the rogue list. I tell it's friendly and thats oke but i wonder what happens if i tell the controller that it's malicious and then i say contain.
  I get a warning message from the controller about some legal things etcetc. so i cancelled it.
  Can anyone tell me? :-)
  Thanks!
  Henk Feenstra

  No problem... So if someone contained one of my AP's, I would see it in the log and would know what AP is doing the containing.... Then I would have to walk over to the company and politely asked then to stop:)   This is what you would see:
  1
  Thu Feb 21 18:49:05 2013
  Warning: Our AP with Base Radio MAC f4:ea:67:0e:6f:80 is under attack (contained) by another AP on radio type 802.11b/g
  This is what you will see in the syslog:
  *spamApTask1: Feb 21 18:49:05.141: #LWAPP-1-AP_CONTAINED: spam_lrad.c:33698 AP AIR-CAP3602E-A-K9-MAP is being contained on slot 0
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Pinpoint Rogue Access Points

  All,
  Does anyone know of a way to pinpoint rogue access points be it equipment or software?  Everything I can find so far gets you close but dies not exactly pointpoint the location.
  Thanks in advance!  All replies rated

  WCS along with controllers and a location appliance and properly placed APs can do a very good job placing rogues, clients and tags on maps for location.
  As a start you will want to take a look at the deployment guide for the MSE:
  http://www.cisco.com/en/US/products/ps9742/products_tech_note09186a00809d1529.shtml
  The information in this guide will give a good jumping off point for locating devices using WCS and Location.
  Chapters 5 and 6 of the WCS Configuration Guide also have valuable information:
  http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/WCS60cg.html

• Problems probing for rogue access points

  Hello,
  I have a situation where I am trying to locate a rogue AP in one of my office buildings. When I bring a laptop over there with NetStumbler or Inssider, I get no response from any access points or clients. Its like that throughout the entire building. However when I leave the building, the AP start to come up but I cant get near them.
  I have another build that we have as well and the probing works just fine. Would there be a controller template or access point template that would be causing this problem?
  Here is what I am running:
  Cisco 4400 controller with firmware 4.2.130.0
  Cisco 4400 controller with firmware 5.0.148.0
  Cisco WCS 5.1.64.0
  The access points that are connected to the controller with a firmware of 4.2.130.0 is the one that seems to be stopping my attempts with probing. So far my searching for causes has not turned up anything=(
  Any help would be greatly appreciative.

  What are you seeing in the logs? Are the two controllers being used as primary and secondary? You should keep the code the same, just in case ap's move to the other controller?
  When you see a rouge ap, it will also state which ap's are hearing that rouge ap and the signal strength. If you see it -86db or worse, then it is outside of your building most likely.

• WRT300N Secure (WEP) Access Point detected as unsecured - can't connect

  |I'm using WRT300N (firmware version 1.03.6) router as my wireless network.  It's encrypted (WEP). Couple of of wireless computers (WIndows 2000 & WIndows XP,Sp2, using G adapters) can detect this wireless network correctly and connect to it. However, couple of my computers with Windows XP, SP2 media center 2002 are unable to detect the network correctly.  They detect the correct SSID network but always show it as "unsecured wireless network" whereas it is setup as Encrypted secured network (WEP).  So I can never connect to the network. When I power down my router, these computers then do not see the network, and when I repower the router, the network is detected again but not correctly as I mentioned above.
  The connection setup is identical for the computers which connect correctly. I've reset the Router/modem, restarted the computers, redone the router setup again but no success. 
  Any help will be greatly appreciated.
  Thanks & Regards,
  Irfan R

  First of all, give your network a unique SSID. Do not use "linksys". If you are using "linksys" you may be trying to connect to your neighbor's router. Also set "SSID Broadcast" to "enabled". This will help your computer find and lock on to your router's signal.
  Also, in the computer, go to your wireless software, and go to "Preferred Networks" (sometimes called "Profiles" ). There are probably a few networks listed. Delete any network named "linksys". Also delete any network that you do not recognize, or that you no longer use.  Also, delete your current network (this will clear any old settings).  Reboot computer.  Return to "Preferred Networks".  Re-enter the info (SSID, encryption (if any), and key (if any) )  for your current network. Then select your current network and make it your default network, and set it to automatic login. You may need to go to "settings" to do this, or you may need to right click on your network and select "Properties" or "settings".  Reboot computer.  You should connect automatically to your network.
  If you still have trouble connecting, in the computer, temporarily turn off your software firewall, including Windows Firewall, and see if that helps.
  Hope this helps.
  Message Edited by toomanydonuts on 12-03-2007 11:57 PM

• Access Point Modes

  Dear Folks,
  As I have noticed multiple modes in a LWAPP, which is Monitor , Access Point, Sniffer etc. Could you please provide what all functions does it provide than an Access Point?
  Regards,
  Siddarth

  Hi Siddarth,
  Q. What are the different modes in which a lightweight access point (LAP) can operate?
  A. An LAP can operate in any of these modes:
  Local mode-This is the default mode of operation. When an LAP is placed into local mode, the AP spends 60 milliseconds on channels that it does not operate on every 180 seconds. During this time, the AP performs noise floor measurements, measures interference, and scans for IDS events.
  REAP mode-REAP mode enables an LAP to reside across a WAN link and still be able to communicate with the WLC and provide the functionality of a regular LAP. Currently, REAP mode is supported only on the 1030 LAPs. This functionality is included on a broader range of LAPs in the future.
  Monitor mode-Monitor mode is a feature designed to allow specified LWAPP-enabled APs to exclude themselves from handling data traffic between clients and the infrastructure. They instead act as dedicated sensors for location based services (LBS), rogue access point detection, and intrusion detection (IDS). When APs are in Monitor mode they cannot serve clients and continuously cycle through all configured channels listening to each channel for approximately 60 ms.
  Note: From the controller release 5.0, LWAPPs can also be configured in Location Optimized Monitor Mode (LOMM), which optimizes the monitoring and location calculation of RFID tags. For more information on this mode, refer to Cisco Unified Wireless Network Software Release 5.0.
  Note: With controller release 5.2, the Location Optimized Monitor Mode (LOMM) section has been renamed Tracking Optimization, and the LOMM Enabled drop-down box has been renamed Enable Tracking Optimization.
  Note: For more information on how to configure Tracking Optimization, read the Optimizing RFID Tracking on Access Points section.
  Rogue detector mode-LAPs that operate in Rogue Detector mode monitor the rogue APs. They do not transmit or contain rogue APs. The idea is that the rogue detector should be able to see all the VLANs in the network since rogue APs can be connected to any of the VLANs in the network (thus we connect it to a trunk port). The switch sends all the rogue AP/Client MAC address lists to the Rogue Detector (RD). The RD then forwards those up to the WLC in order to compare with the MACs of clients that the WLC APs have heard over the air. If MACs match, then the WLC knows the rogue AP to which those clients are connected is on the wired network.
  Sniffer mode-An LWAPP that operates in Sniffer mode functions as a sniffer and captures and forwards all the packets on a particular channel to a remote machine that runs Airopeek. These packets contain information on timestamp, signal strength, packet size and so on. The Sniffer feature can be enabled only if you run Airopeek, which is a third-party network analyzer software that supports decoding of data packets.
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml
  Hope this helps!
  Rob

• Mac-adress list of manufacturers only for access points

  hello,
  i'm going to look for forbidden access points at the ports of huge network. is there any document that can show me whether a mac adress is an access point or not ?

  If you want to do rogue access point detection then you have a few options:
  1. Scan suspected ranges for port 80 servers as almost every access point has web-based configuration.
  2. Cisco has provided a list of vendor mac address who make Access Points.
  This list is found in their
  "SAFE: Wireless LAN Security in Depth - version 2"
  whitepaper
  Check the link
  "http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a008009c8b3.shtml"
  The list is at the very bottom of the whitepaper
  "Table C-7 MAC OUIs Used by Access Point Vendors"
  "Table C-7 provides a partial list of MAC OUIs used by access point vendors. This table was obtained from the aptools site at aptools.sourceforge.net."

• Installing a Linksys Access Point using a Mac

  I apologize for this topic being irrelevant to AirPort, but I am hoping someone can help...
  I am a University student and trying to help my friend who lives in a dorm. At school there is a high speed local network and internet connection (I'm guessing massive amounts of T1s or T3s)... Left behind by a previous roommate is a Linksys WAP54G v2.0 which is a wireless access point NOT a router...I am told that it used to work, but one day stopped...
  I have already reset the WAP (as they call it not to be confused with cell phone browsers)...now the name displays the default "linksys" title. I plug it in to the ethernet jack and "You are not connected to the internet" according to Safari...
  my question is... how do you access the settings for the WAP.... on MY DSL modem and gateway, for example i type in 192.168.0.1 and I have also set this up with Mac OS X for a gaming adapter but i simply cannot figure out the IP address for this router and the Network Preferences to use when I plug the Linksys WAP into my computer. (I tried the default suggestion in my browser 192.168.1.245 but no luck, do I need to enter this in the Network panel of my System Prefs?)
  I do not have the original setup and install CD available, and if I did, we only use Mac OS X... so does anyone have any ideas? Also... is it even possible to use a "Wireless Access Point" as opposed to a Router on a University campus (High speed LAN connected to WAN)? I don't know how it works with the DHCP... I would like for 3 people to be able to use this access point simultaneously.
  Thank you for any help in advance!

  Linksys WAP54G v2.0 which is a wireless access point NOT a
  router...I am told that it used to work, but one day
  stopped...
  It may be dead so this may be futile...
  From the Linksys product page it doesn't seem to support web configuration and the only way is with their PC utility. That means if you don't have VirtualPC you will need a PC.
  I have already reset the WAP (as they call it not to
  be confused with cell phone browsers)...now the name
  displays the default "linksys" title. I plug it in to
  the ethernet jack and "You are not connected to the
  internet" according to Safari...
  The WAP will need to get an IP from the campus DHCP bridged to your laptop and they probably changed the system to not allow wireless bridges. Does the laptop work when plugged into the dorm jack with ethernet? Did you have to register the MAC address? Can you register the MAC address of the wireless card instead of the ethernet?
  is it even
  possible to use a "Wireless Access Point" as opposed
  to a Router on a University campus (High speed LAN
  connected to WAN)?
  It all depends on their policy. Have you asked them?
  I don't know how it works with the
  DHCP... I would like for 3 people to be able to use
  this access point simultaneously.
  Usually they allow one MAC address per ethernet jack and keep control of it so you can't share it! Depending on their sophistication they may also detect rogue access points. If not you might be able to use a wireless router like an Airport Express. Ask them. There may be a hackers way around but that answer won't be found here.

• N800 no longer detecting any wireless access point

  The device is working fine couple days ago, then today when I turn it on, the "connection manager" can no longer see any wireless access point. Not only my home network, also
  my neighbor's wlan. My laptop can detect 10 networks
  around my house. I try upgrad my os to the latest version and it is still not working. Is anyone has similar experience ? Is it a hardware problem ? Any advice will be
  welcome.

  It happened to my N800 too just a couple of days ago after I installed a number of applications. I have already removed those applications but the N800 still would not detect the access points that it usually detects with no problem.
  It could not detect the WLAN inside our house even if the N800 was physically sitting on top of the router. It would intermittently detect my neighbor's WLAN (the one which I usually use) but it would not log on to it.
  I tried removing the battery hoping to reset it but nothing changed.
  It also would not connect to my PC via USB. The computer could not detect it. This one happened even before I installed those applications.
  Help!!!!

• MFP Anomaly Detected Access Points are moving from one wlc to another and vice versa

  Hi together,
  a customer has lost some Access Points to another WLC with 7.2  and then they come back after 15 minutes to the origin WLC with 7.5
  Attached the messages
  MFP Protection is configured as optional
  152
  Wed Nov 27 05:33:26 2013
  MFP Anomaly Detected - 1 Not encrypted event(s) found as   violated by the radio 58:bf:ea:0f:67:4a and detected by the dot11 interface   at slot 1 of AP 58:bf:ea:0f:67:40 in 300 seconds when observing . Client's   last source mac 70:11:24:e4:43:0f
  153
  Wed Nov 27 05:31:40 2013
  AP Disassociated. Base Radio MAC:88:43:e1:56:91:d0
  154
  Wed Nov 27 05:31:40 2013
  AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:88:43:e1:56:91:d0 Cause=New Discovery Status:NA
  155
  Wed Nov 27 05:31:33 2013
  AP Disassociated. Base Radio MAC:58:bf:ea:0f:73:d0
  156
  Wed Nov 27 05:31:33 2013
  AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
  157
  Wed Nov 27 05:31:33 2013
  AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
  158
  Wed Nov 27 05:31:28 2013
  AP Disassociated. Base Radio MAC:58:bf:ea:0f:fc:20
  159
  Wed Nov 27 05:31:28 2013
  AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
  160
  Wed Nov 27 05:31:28 2013
  AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
  161
  Wed Nov 27 05:31:17 2013
  AP Disassociated. Base Radio MAC:b4:e9:b0:e4:02:20
  162
  Wed Nov 27 05:31:17 2013
  AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
  163
  Wed Nov 27 05:31:17 2013
  AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
  164
  Wed Nov 27 05:31:15 2013
  AP Disassociated. Base Radio MAC:a4:18:75:eb:da:b0
  165
  Wed Nov 27 05:31:15 2013
  AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
  166
  Wed Nov 27 05:31:15 2013
  AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
  167
  Wed Nov 27 05:28:26 2013
  MFP Anomaly Detected - 35 Not encrypted event(s) found as   violated by the radio d8:24:bd:2f:df:6f and detected by the dot11 interface   at slot 1 of AP d8:24:bd:2f:df:60 in 300 seconds when observing Deauth.   Client's last source mac 00:23:14:a7:e3:54
  168
  Wed Nov 27 05:23:26 2013
  MFP Anomaly Detected - 23 Not encrypted event(s) found as   violated by the radio f8:4f:57:a5:40:b2 and detected by the dot11 interface   at slot 0 of AP f8:4f:57:a5:40:b0 in 300 seconds when observing . Client's   last source mac 44:4c:0c:ba:27:77
  Don´t know at the moment how to handle it.
  Regards
  Alex

  Hi lAlex,
  Disable Client MFP under WLAN advanced tab & see if  this still occur
  Regards
  Rasika
  **** Pls rate all useful responses *****

• Access point not detected

  I have a Palm TX
  My wifi works fine, it detects almost any wifi signal, but it wont detect wifi at my university. First time I used it there I could connect, but suddenly I lost connection and since then I don´t even detect the access points. With other devices I have no problem. Any idea what could be the problem?
  Post relates to: Palm TX

  The issue may have nothing to do with your device at all. I have a friend who has a WiFi router at their house that I can connect to with any other computer just fine, but my LifeDrive has always struggled. I tried changing all combinations of settings on the LifeDrive and even started changing some of the settings on their router to see what the problem was.
  As it turns out, the issue was the mixed broadcast mode of the Linksys router. In the default mixed mode (which broadcasts B, G and N) the LifeDrive simply will not connect. If the mixed mode is reduced to just B and G the life Drive connects effortlessly and instantaneously.
  So the moral of the story is: These older Palm devices simply do not connect well to certain routers and certain broadcast modes. And yet other routers offering the same mixed B, G and N broadcasts will connect just fine. In the places where you don't have access to be able to configure the routers that are making the broadcasts, you are probably SOL.

• Rogue BT FON/BTOpenWorld access points

  Hello. I've just opted into the BT FON community and I'm just a little concerned about using BT FON or BT Openworld Wifi access points, as I can't be sure if they are legitimate BT points, or just an open wifi with that name to harvest email account passwords, etc...-
  Is there anything I can do to check on the validity of the BT FON wifi access point? Or will the BT FON app do this for me? I'm using the iPhone app FYI
  Thanks, Chris .
  Solved!
  Go to Solution.

  christatedavies wrote:
  Thanks Ian.
  So I'm guessing I just have to "hope" its not a dodgy one then? No way of really knowing is there?
  Not really.
  Don't think the Cisco VPN will work on my iPhone though...
  Following the links leads to a download page that says:
  ---x---
  Apple iOS systems (iPhone, iPod Touch or iPad)
  This free VPN configuration profile works with devices operating systems using Apple iOS 3.0 or greater
  ---x---
  I know pretty much nothing about iStuff, but that looks to me as though it might work.

• Help me find the required Wireless Access point

  Dear Friends,
  I am in search of a access point with below specification, so please let me know that which model has this functionalities.
  . Wireless Access Point:
  * No of port should be 10Base-T/100Base-TX Ethernet
  * Standard should be IEEE 802.11g, IEEE802.11b, IEEE 802.3, IEEE 802.3u, IEEE 802.3af(PoE), 802.1q(VLAN) , 802.1X(Security authentication), 802.11i ready (Security WPA2), 802.11e ready (wireless QoS), 802.11F(Wireless roaming)
  * LEDs should be power, PoE, Wireless, Ethernet
  * Web Management should be built-in web user interface for easy browser-based configuration (HTTP/HTTPS)
  * SNMP Support should be SNMP version 1, 2c, 3
  * Operation modes should be access point made, point to point bridge mode, point to point multipoint bridge mode, repeater mode
  * External antennas should be 2 (omni directional) SMA detachable
  * Security should be WEP 64-bit/128-bit, WPA-PSK, WPA2-PSK, WPA-ENT, WPA2-ENT
  * Access Control should be wireless connection control: MAC-based
  * Wireless Security monitor should be Intrusion alarms(e.g. rogue client detected, spoofed MAC address) Denial-of-service alarms (e.g. duration attack, association table full) vulnerability alarms (e.g. access point is not using encryption, access point is broadcasting SSID)
  * Power should be 12V 1A DC input, and IEEE 802.3af compliant PoE. Maximum power draw should be 3.36W

  Hello Shekib,
  All you did was describe the WAP200.
  It fully fits in your description.
  Please check it and see with your eyes.
  http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps10047/ps10048/data_sheet_c78-501966.html
  I hope i helped you.
  Regards.
  Andrey Cassemiro.

• How many clients support access points 1602, 2602, 3602?

  Hi! How many clients support access point 1602, 2602, 3602. I have found for example that the 1602 supports 32 ClientLink clients and max 128 clients, APs 2602, 3602 supports 128 ClientLink clients and max 200 clients. But is it really? And can we say for example that the AP 2602 will withstand max 200 clients?

  The reason the answer varies so much, is because there are so many variables (this is also why the value ranges so much from one manufacture to the next).  When determining the answer you are looking for you need to consider the following factors and likely more:
  AP model and the features it supports
  single, dual, or tri radio AP
  20, 40, or 80Mhz wide channels
  Device type (b/g, b/g/n, a/b/g/n, a/b/g/n/ac, spatial stream support, and channel width support)
  Security/QOS method(s) employed
  Average distance from the AP
  Obstructions between devices and radios
  Number of competing radios for the same channel
  Data rates configuration
  Rogue detection/mitigation configuration
  Surrounding client density not just the area of concern client density
  Noise floor levels
  Application types/per user network load (is it heavy like YouTube traffic or a drone on the network like Pandora)
  Network latency on the switching side - including the internet circuit
  Application of per SSID, per user, and or per application rate limiting
  The list continues, but I think you get the idea
  I have personally seen 80 devices on a 5Ghz radio of a 3500 access point with several other access points and at least 200 other clients in the area and it was working well.  That being said I would never design to expect that many on a single radio, but I think it is better said that you can safely design for 20-30 clients per 2.4Ghz radio and 25-40 clients per 5Ghz radio.
  The default statement of 20-25 per AP and similar low expectation statements concerning Cisco wireless have been around for many years.  It is now 2014.  About 65% of clients support 5Ghz, ~9% support AC (already), ~90% support some form of N, and ~0.01% support B only.  The landscape of wireless is changing fast making questions like this one have ever changing answers.
  I hope this helps :).
  John

• An Error Occurred while trying to join "my wireless access point"

  Hi,
  I've been using wireless access for a year and never had a problem connecting.
  But starting yesterday I get a +*An Error Occurred while trying to join "my wireless access point", Please try again.+* Message.
  I have 2 Mac's and have no problem connecting with the other one. It’s just the IMac.
  I tried everything including resetting router, changing password, adding a $ to the password, accessing without password, deleting the whole air port and create a new one, but still getting the same message.
  I might need to add, while I was working with the IMac I didn’t use wireless for a few hours, but when I got back to my browser I noticed that I was connected to a different wireless service. (FONFREEINTERNET if it matters) I have no idea why, since I didn’t change it.
  Anyways, I tried to switch back to my access point, but it wouldn’t let me. It’ll just give me the +*An Error Occurred while trying to join "my wireless access point", Please try again.+* Message.
  Funny is when I use the FONFREEINTERNET access point the internet seems to work fine.
  I could look up Google without a problem, but when I tried to connect to Facebook for example it won’t let me. Instead a FONFREEINTERNET page will pop up with some options on how to pay! (by minute/or day/or week…)
  I get the strange feeling that they planted some kind of bug/virus!!!
  I don’t know what else to do.
  Anyone knows that problem? What can I do?
  Any help is greatly appreciated!
  I researched on FONFREEINTERNET, there’s a spot close to my house/guess that’s the one I used…
  http://maps.fon.com/ ZIP CODE 904-0113 and you’ll see a coffee pod, which is about 2 minutes walk from my house.

  Hello Tesserax,
  I get the same error message again...
  I tried the 3 suggested steps again, but unfortunately it did not work.
  After a Restart, Sleep or just the awaking from Screensaver mode I’m disconnected from my wireless Network anymore.
  Even if the Computer was asleep for just a second!
  I am able to fix the problem temporarily with Network Preferences → Assist me → Diagnostics
  Choose Airport → Choose network → Enter Password (Even if I check safe password it’ll ask me every time) → and than usually all lights on the left menu switch from red to green and I get the popup message “A Network Change has been detected. Your Internet seems to work fine.” (similar - I’m at work and don’t remember exactly)
  And it works fine…until the screensaver comes on or it sleeps again
  I have the Problem with my IMac and Mini but the IMac at least remembers my password…
  Any Ideas
  I’m connected through a Buffalo WZR2-G300N wireless router