Rogue APs/Clients

Similar Messages

• How to Prevent or Block Rogue APs from Joining Your Wired or Wireless WLANs

  Hi all, I deployed a WLAN with 1 WLC 4400 and 5 1252AP. I do not see the way to Block Rogue APs from Joining the Wired or Wireless WLANs

  PART 1
  There are three parts to this:
  1. detect - automatic
  2. classify - by default APs are untrusted/unknown, various methods can be configured to classify them as trusted and threat (connected to wired network).
  3. over the air contain (aka mitigate) - in 4.x this is manual, in 5.x you can configure auto-containment
  First you need to detect. WLC does this automatically out of the box. It listens the air for unknown APs, clients and ad-hocs. Are you seeing Rogue APs under Monitor > Rogues > Rogue APs?
  Next, you can manually classify rogue APs as "known" (internal or external). Starting with 5.0 you can also build rogue rules based on RSSI, SSID, Clients, etc. If an AP is classified as "known" (internal or external), WCS stops alerting you.
  Another key classification piece is to detect whether or not the rogue AP is physically connected to your network which is a high security risk. There are three ways WLC can detect it and neither of them is automatic. You must configure these methods manually.
  1. Rogue AP Detector, aka ARP sniffing. You have to dedicate one AP as "Rogue Detector" (change AP mode from local to rogue detector). Configure the port the AP is connected to as switchport mode trunk (normally it's switchport mode access). Rogue Detector AP turns off and doesn't use its radios. When WLC detects rogue APs it can also detect the MAC addresses of any clients associated to that rogue APs, and the rogue detector AP simply watches each hardwire trunked VLAN for ARP requests coming from those rogue AP clients. If it sees one, WLC automatically classifies the rogue AP as "threat" indicating that the rogue AP is physically connected to your network. It doesn't actually do anything with the rogue AP, it simply classifies it and alerts you. Also, keep in mind that this method doesn't work if the rogue AP is a Wireless Router, because Wireless Routers NAT and ARP requests don't propagate to the wire.
  2. RLDP. Rogue Location Discovery Protocol. This feature is by default turned off and can be enabled under Security > Wireless Protection Policies > Rogue Polices. This feature works only when the rogue SSID is open, meaning that it's not using WEP/WPA/802.1x. When you enable RLDP, your WLC will pick some AP (you can't pick manually) which hears Rogue AP traffic, it will temporarily shut off its radio, turn it into a client, and instruct it to associate to the Rogue AP as client (this is where the requirement comes in for the Rogue SSID to be open authentication). Once associated, AP gets a DHCP IP through Rogue AP, it then sends a special small UDP port 6352 RLDP packet to every possible WLC's IP address (mgmt ip, ap manager ip, dynamic int IPs). If WLC gets one of those packets, it means that rogue AP is physically connected to your network. This method will work when Rogue AP is a Wireless Router. But this method is not recommended. It has an adverse effect on your wireless clients because RLDP AP goes offline for a period of time disconnecting your clients and forcing them to associate to another AP. Also, keep in mind, that WLC runs this RLDP process *once* per detected rogue AP. It doesn't periodically do this, it only does it once. In some later WLC versions, you can configure RLDP to run only on "monitor mode" APs, eliminating impact on your clients. Also, you can manually trigger RLDP for a rogue AP from CLI "config rogue ap rldp initiate ". You can "debug dot11 rldp" to see the process.
  3. Switchport Tracing (need WCS, and WLC 5.1). This is a later feature that requires WCS. You can add your Catalyst switches to WCS, and WCS will look at CDP information and MAC tables on your switches to detect whether or not Rogue AP is connected to your network. This works with secured and NAT rogues. You can also *manually* instruct WCS to shut down the switchport that Rogue AP is connected to.

• How to jam rogue APs

  Dear
  I have detected several rogue APs in my company, one is with no security key. We are using 4402 WLC, i tried to contain those rogue APs , after this it shows these APs as contained, but no effect on SSID, still anyone can use it. Can someone tell me is it possible to disable rogue APs so that they are not used by employees. Thanks

  Your theory seems to be correct, as I was able to Contain one SSID of my own D-LINK AP.
  What was the RSSI value when you did this?  How many APs were assigned to contain?
  after that when I contain the client associated with that Contained AP then I was able to dis-associate.
  Not a good idea because you'll need to contain alot of clients.  What if the clients want to join YOUR valid SSID?
  Cud u tell me what are possible RSSI values or distance between which we should be able to contain APs without issues.  Is it related with APs or WLC model etc.
  Y'know what?  I'm not so sure because "containing" an AP isn't really a "sport" you want to brag about and Cisco frowns upon it.  I just theorized because your RSSI values are just too low.  If you have a value of, say, -75 dBm then there's a chance of being successful.
  I plan to implement switch port security with mac-filtering on access switches.
  Here's the deal.  This is OK if the rogue AP happens to be connected to YOUR network.  What if, and this is very common occurance here in Australia, if the rogue AP IS/WAS NOT connected to your network?  What if the AP is actually acting as a honeytrap or siphoning your enterprise WLAN traffic and sending it the other side?  As Scott recommended, the best way is to go to the owner of the offending rogue AP with two other big and burly colleagues and tell the offender to take the rogue AP out or you'll send your "enforcers" back.
  This AP is just two floors away.
  What are the inter-floors made of?  Are they made of concrete or wood?  Sounds like it's made out of concrete which makes propagation of wireless signal more difficult.  A recent study in Australia regarding the propagation of rogue APs are caused by staff bringing in their own chop-suey wireless access point.  The reason why they are doing it is because they are sick and tired of management telling them "No, you can't do it."  The same study stated that if management is un-willing to improve work-related technology then staff will do their best to it themselves and without any authorization or approval.  When it comes to wireless technology in the workplace, you'll be surprise to know how many managers are still ignorant about the security implications and consider wireless as a "punishment from G0d".
  My opinion is this:  Roll out wireless to your floors and buildings.

• Possibility to schow all Rogue APs in the WCS Map

  Hi All, one Customer uses WCS 4.0.81.0 /w Location for Management. It seems to be not possible to show ALL detected Rogue APs on a Map, only one selected AP from the List. Is there a possibility to show all Rogue APs at on Map? Regards, Michael

  Hello,
  If you want to see all rogue AP at the same time, then you need the Cisco Location Appliance. WCS with license for location but without location appliance only allows you to locate one rogue AP at the time.
  Rgds,
  Gaetan

• Alerting of "Malicious" Rogue APs

  Hi,
  In WCS, I see that we can set a severity level for rogue APs, which is minor by default.  What I'd like to do is set APs classificed as Malicious Rogues (based on the rogue policies), to have a different severity -- critical to be specific.  The goal here is to have an email trigger based on rogue AP detection, but only for those classified as malicious.  How do I accomplish this?
  I'm running WCS 7.0, w/  a WLC 4404 on 6.0 code.
  Thanks,
  David Swafford, Network Engineer, CareSource
  Cisco Certified Network Professional  |  Cisco NAC Specialist  |  EC-Council Certified Ethical Hacker

  A possible alternative solution would be to have WCS send SNMP traps to a 3rd-party monitoring system, which could be configured to trigger an alert if it receives a notification indicating a new rogue AP has been detected and classified as malicious.  This is from the WCS MIB file:
  cWNotificationSpecialAttributes OBJECT-TYPE
      SYNTAX          OCTET STRING (SIZE  (1..1024))
      MAX-ACCESS      read-only
      STATUS          current
      DESCRIPTION
          "This object represents the specialized attributes required
          to describe the network condition identified by
          cWNotificationType. These include SNR, RSSI, channel information
          etc. This value is formatted as 'name=value' pairs in CSV
          format. For example, rogueAP Alert's special attributes are sent
          as 'detectingAPRadioType=a0,YCoordinate=0, state=11,
          rogueApType=0, spt Status=0, ssId=wpspsk, on80211A=0,
          numOfDetectingAps=0, on80211B=1, XCoordinate=0,
          classificationType=3, channelNumber=6, containmentLevel=0,
          rssi=-51, rogueApMacAddr=00:1b:2b:35:6a:f3, onNetwork=0, total
          RogueClients=0'. This string can be parsed to get different
          name-value pairs."
      ::= { cwNotificationHistoryEntry 12 }
  I haven't actually gotten around to trying this yet.  Hopefully I'll have time during the holiday season.  If anyone else gets it to work in the meantime, let me know!

• How to avoid interferences caused by rogues APs

  Hi Everybody,
  I have a WLC running well with 10 LAPs.
  The problem that I have approximatively 60 Rogues APs and I have a lot of perturbations in signals (noise, interference, ...) caused by theses APs.
  How to avoid these interferences ?? is it the classification Malicieous APs ??

  wow! belay that...DO NOT CONTAIN THE ROGUES!
  Unless you can prove they are in your network and shouldn't be, there can be legal ramifications for doing so.
  What you need to do first, is adjust the sensiitivity for rogues.  by default it's -128, change that to -75.  Once you've done this, then you can evalutate which rogues are in your network, or belong to neighboring businesses.  For neighboring, go talk to their IT staff and see if you can get them to lower power so you aren't interferring with each other, cause if you see them, they probably see you as well.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• What tools for locating rogue APs and adhoc clients ?

  Hi all. I was wondering how you locate your rogues. I have WCS with location detection; however, I still have to go out and hunt down the device. It can be difficult when there is a high density of laptops. Right now, I try to attach to unsecured devices and use the Cisco wireless survey utility to home in on the rogue. Please let me know if you use something better. This seems to work better than using netstumbler, but it has the disadvantage of requiring that you attach to it first. If security is enabled, I have to resort to netstumbler. I would appreciate hearing what techniques and tools work for you.
  Randy

  I have not found and new tools/techniques as of yet. The way I see it the flow goes like this:
  1. You detect the rogue over the air waves. WLCs and WCS do a good job of this.
  2. With WCS and location detection, you get the aproximate location of the rogue.
  3. Then you have to go get the rogue. Sometimes they are easy to find, sometimes they are really hard to even when the location data is good. They could be under or behind a desk, or in an adjacent office.
  I have not tried one of the spectrum cards from Cisco. Perhaps that would work better for finding the device once you know roughly where to look.
  It seems that most rogues are not APs, but are routers using NAT. That hides the clients wireless mac addresses from the LAN side of your switched network so I don't think it is easy to locate the rogue on the LAN switch based upon what the AP's hear over the air waves - at least that is my experience.
  Randy

• Finding rogue APs that are on wired network

  I am beginning to think that there is no way to gaurantee that a rogue AP is connected to your wired network. I have read up on RLDP and "rogue detection". I was excited because I thought rogue detection would accomplish this. However, when I connect an autonomous AP to my wired network it does not get identified as being on my wired network despite the "rogue detector" being in place and connected to a trunk port with all network vlans on it. In thinking through this I believe this is because the radio mac and ethernet macs are different on the autonomous AP. The ethernet mac of the autonomous rogue AP is in the rogue detector dB, not the radio mac. So when the detecting APs sends the radio mac to the rogue detector it doesn't get flagged. Can anyone confirm this? And if so offer any insight to a workaround. I was able to get a "rogue client" flagged as a threat connecting via this AP, because it arp entry is in the rogue detectors dB. But I can't get the AP flagged. If this is the case then rogue detection is more or less useless to me because I care about rogues on my network (obvious security breach) not rogues in other businesses in my area. I rather now when the rogue AP goes in and not have to wait until a rogue client connects to it. Please advise....
  Regards Chuck

  Network Chemistry makes a free tool (as well as a more advanced product you can buy) that might fit the bill for you. It relies on people properly classifying the devices on their own network with the free tool to build a database of device types based on the vendor ID digits of mac addresses, as well as some snmp scanning (I think). A link is below. I don't have a lot of experience with the tool, only because I'm not entirely convinced of it's accuracy, but to be honest, I've never really used it in a production environment
  Good luck!
  -Chris
  http://www.networkchemistry.com/products/roguescanner.php

• Rogue APs

  Hi All,
  I have a couple of question in regards to rogues and rf grouping.
  Does the controller count the rougues access points when calculating channels assignments in the network?
  The current setup has each floor in a separate RF group, does the APs in a RF group consider another AP from a different RF group a foreign Access Point? also when it is beneficial to have each floor in a separate RF group?
  Thank you all

  Hi,
  A WLC on a mobility group may see APs joining other WLCs on same mobility group as rogue devices IF they are in different RF groups.
  This depends on the AP authentication configuration. (security -> Wireless Protection Policies -> AP Authentication).
  If the value is set to "None" then different RF groups do not matter. If the value is set to "AP Authentication" then if two APs are in two RF groups the WLC will probably raise the rogue flag.
  The above was true before different RF groups on same WLC were possible.
  I don't honestly know the behavior when two different  RF groups are configured on the same WLC. (You may try changing the AP Authentication config and feed us back ).
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• WLSE Not showing the RSSI the AP reported Rogue APs in my scanning-only mod

  Hi guys
  I have a WLSE version 2.15.1 which is configured to detect Rogue AP, APs are 1242, when I see the Unknown AP detail the RSSI has a value of 0 for all Rogue AP detected any help or suggestions, I will be very useful.
  Thank you.
  Greetings

  If the RSSI value is zero, then the AP is not active at all. Do you see the same value for all the APs. Does the WLSE provide correct RSSI values for the known APs?

• Cisco Prime Infrastructure 1.2 - web browser freezes when managing rogue APs alarms

  Hello all,
  has anybody faced a freezing problem when you click in Cisco Prime Infrastructure 1.2 down on alarm bar and then to Rogue AP alarms and then try to add an annotitation or change a rogue alarm to Friendly?
  I tried it on different PC, different browsers (Firefox 14.0.1. Chrome ...) and the problem is still there.
  Has anybody an idea?
  Thanks.
  Regards
  Karel

  I just tried it from my lab VM and had no problems.  I use Chrome and the browser does sometimes not refresh for a while but that is just when I start to  click around.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Shutting down Rogue APs

  Besides simply classifying devices as rogues, is there a way to shut them down or overwhelm them with deauthentication or disaccociation floods, something of the sort?

  You can contain the rogue, but then you can get in trouble for that since it is a DoS attack. 
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Rogue AP detection

  The WLSE have detected rouge APs. Theses APs are high RSSI and have variable channel set. How can i handle it? As i know. WLSE is not able to protect my APs from rogue APs attack, only detect it. Should i use wire LAN? any other solution clear this rogue AP's channel interference? Any advice please. Thanks.

  You've got to be careful here .... the WLSE can "shut down" rogue APs by either sending a disconnect to the client, or dropping the offending switch port.
  The problem is that the "rogue" APs could be other businesses nearby; if you shut down all the "rogue" APs you may be killing another business' wireless system.
  You can tell the WLSE that a specific "rogue" is known and acceptable, and it will ignore it for the purposes of reporting.
  If you APs or antennas are at some altitude (mine are on the fifth & sixth floor), you can pick up other wireless systems from a mile away ... if I tell my system to shut down all rogues, I can be killing systems for quite a distance.
  IMHO, It would be a good idea to bring up a wireless "Sniffer" and identify the traffic; if it's truely rogue/malicious traffic, then shut it down .... but if it's a neighbor, just tell the system to ignore it.
  The "Sniffer" can also give you a good idea of which channels are least congested and have the least interference so you can make adjustments to your system.
  At the least, bring up something like Netstumbler (it's free, runs on Windows) or Kismet (it's also free, runs on *nix).
  You can also run some radio scans from the WLSE. I prefer using an external system.
  Good Luck
  Scott

• Doing the impossible? Finding rogues from the wired side

  Wondering if anyone has found a valid tool (beyond the sourceforge APTools kind of stuff) to assist in finding APs by culling through the ARP tables on routers etc... brutal stuff here I know. Also- anything in a wireless frame/packets common to all APs (all vendors as part of 802.11) that can be filtered on at the router to possibly block traffic from rogue APs? I think not, but I'm scratchin at anything here...
  Lee Badman
  CWNA Network Engineer

  Hi ,
  In AP350 has fnew feature which may help you .
  The process takes place as follows:
  1. A client with a LEAP profile attempts to associate to a access point A.
  2. Access point A does not handle LEAP authentication successfully, perhaps because the access point does not understand LEAP or cannot communicate to a trusted LEAP authentication server.
  3. The client records the MAC address for access point A and the reason why the association failed.
  4. The client associates successfully to access point B.
  5. The client sends the MAC address of access point A and the reason code for the failure to access pont B.
  6. Access point B logs the failure in the system log.
  http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/accsspts/ap350rn/rn1200.htm

• RD (Rogue Detector) or RLDP (Rogue Location Discovery Protocol)

  Hi all,
  Cisco documentaion states that there are two ways for detecting Rogues.
  Rogue Detector Access Point
  You can make an AP operate as a rogue detector, which allows it to be placed on a trunk port so that it can hear all wired-side connected VLANs. It proceeds to find the client on the wired subnet on all the VLANs. The rogue detector AP listens for Address Resolution Protocol (ARP) packets in order to determine the Layer 2 addresses of identified rogue clients or rogue APs sent by the controller. If a Layer 2 address that matches is found, the controller generates an alarm that identifies the rogue AP or client as a threat. This alarm indicates that the rogue was seen on the wired network.
  Rogue Location Discovery Protocol (RLDP)
  RLDP is an active approach, which is used when rogue AP has no authentication (Open Authentication) configured. This mode, which is disabled by default, instructs an active AP to move to the rogue channel and connect to the rogue as a client. During this time, the active AP sends deauthentication messages to all connected clients and then shuts down the radio interface. Then, it will associate to the rogue AP as a client.
  The AP then tries to obtain an IP address from the rogue AP and forwards a User Datagram Protocol (UDP) packet (port 6352) that contains the local AP and rogue connection information to the controller through the rogue AP. If the controller receives this packet, the alarm is set to notify the network administrator that a rogue AP was discovered on the wired network with the RLDP feature.
  So how do you turn on the latter (RLDP)?
  Many thx indeed
  Ken
  The following modes of operations exist:
  http://www.cisco.com/en/US/products/hw/wireless/ps430/products_qanda_item09186a00806a4da3.shtml
  Q. What are the different modes in which a lightweight access point (LAP) can operate?
  A. An LAP can operate in any of these modes:
  •Local mode—This is the default mode of operation. When an LAP is placed into local mode, the AP will transmit on the normally assigned channel. However, the AP also monitors all other channels in the band over a period of 180 seconds to scan each of the other channels for 60ms during the non-transmit time. During this time, the AP performs noise floor measurements, measures interference, and scans for IDS events.
  •REAP mode—Remote Edge Access Point (REAP) mode enables an LAP to reside across a WAN link and still be able to communicate with the WLC and provide the functionality of a regular LAP. REAP mode is supported only on the 1030 LAPs.
  •H-REAP Mode— H-REAP is a wireless solution for branch office and remote office deployments. H-REAP enables customers to configure and control access points (APs) in a branch or remote office from the corporate office through a WAN link without the need to deploy a controller in each office. H-REAPs can switch client data traffic locally and perform client authentication locally when the connection to the controller is lost. When connected to the controller, H-REAPs can also tunnel traffic back to the controller.
  •Monitor mode—Monitor mode is a feature designed to allow specified LWAPP-enabled APs to exclude themselves from handling data traffic between clients and the infrastructure. They instead act as dedicated sensors for location based services (LBS), rogue access point detection, and intrusion detection (IDS). When APs are in Monitor mode they cannot serve clients and continuously cycle through all configured channels listening to each channel for approximately 60 ms.
  Note: From the controller release 5.0, LWAPPs can also be configured in Location Optimized Monitor Mode (LOMM), which optimizes the monitoring and location calculation of RFID tags. For more information on this mode, refer to Cisco Unified Wireless Network Software Release 5.0.
  Note: With controller release 5.2, the Location Optimized Monitor Mode (LOMM) section has been renamed Tracking Optimization, and the LOMM Enabled drop-down box has been renamed Enable Tracking Optimization.
  Note: For more information on how to configure Tracking Optimization, read the Optimizing RFID Tracking on Access Points section.
  •Rogue detector mode—LAPs that operate in Rogue Detector mode monitor the rogue APs. They do not transmit or contain rogue APs. The idea is that the rogue detector should be able to see all the VLANs in the network since rogue APs can be connected to any of the VLANs in the network (thus we connect it to a trunk port). The switch sends all the rogue AP/Client MAC address lists to the Rogue Detector (RD). The RD then forwards those up to the WLC in order to compare with the MACs of clients that the WLC APs have heard over the air. If MACs match, then the WLC knows the rogue AP to which those clients are connected is on the wired network.
  •Sniffer mode—An LWAPP that operates in Sniffer mode functions as a sniffer and captures and forwards all the packets on a particular channel to a remote machine that runs Airopeek. These packets contain information on timestamp, signal strength, packet size and so on. The Sniffer feature can be enabled only if you run Airopeek, which is a third-party network analyzer software that supports decoding of data packets.
  •Bridge Mode— Bridge mode is used when the access points are setup in a mesh environment and used to bridge between each other.

  Found this in another post here on the forum :
  There are 3 ways to detect rogue Aps:
  1. Ap in monitor mode (sits and scans all channels. Can detect rogue Aps under 30 seconds
  2. RLDP (done passively from normal Aps. Can take up to 15 minutes to detect rogue AP)
  3. Rogue Detector (looks for broadcast packets from wireless clients on wired network)
  For case number 2, a normal AP would be one in local or h-reap connected mode that normally have clients attached, but that are going off channel occasionally to scan for rogues / noise.  The process of trying to validate that there is a network attached rogue (RDLP enabled) could likely be service interrupting depending on your AP layout.
  -John