Rogue APs

Hi All,
I have a couple of questions regarding rogues and RF grouping.
Does the controller count the rogue access points when calculating channel assignments in the network?
The current setup has each floor in a separate RF group. Do the APs in an RF group consider another AP from a different RF group a foreign access point? Also, when is it beneficial to have each floor in a separate RF group?
Thank you all

Hi,
A WLC on a mobility group may see APs joining other WLCs on the same mobility group as rogue devices IF they are in different RF groups.
This depends on the AP authentication configuration (Security -> Wireless Protection Policies -> AP Authentication).
If the value is set to "None" then different RF groups do not matter. If the value is set to "AP Authentication" then if two APs are in two RF groups the WLC will probably raise the rogue flag.
The above was true before different RF groups on the same WLC were possible.
I honestly don't know the behavior when two different RF groups are configured on the same WLC. (You may try changing the AP Authentication config and report back to us.)
HTH
Amjad
Rating useful replies is more useful than saying "Thank you"

Similar Messages

  • Possibility to show all Rogue APs in the WCS Map

    Hi All, one customer uses WCS 4.0.81.0 w/ Location for management. It seems not to be possible to show ALL detected Rogue APs on a map, only one selected AP from the list. Is there a possibility to show all Rogue APs on one map? Regards, Michael

    Hello,
    If you want to see all rogue APs at the same time, then you need the Cisco Location Appliance. WCS with a license for location but without a location appliance only allows you to locate one rogue AP at a time.
    Rgds,
    Gaetan

  • Alerting of "Malicious" Rogue APs

    Hi,
    In WCS, I see that we can set a severity level for rogue APs, which is minor by default.  What I'd like to do is set APs classified as Malicious Rogues (based on the rogue policies), to have a different severity -- critical to be specific.  The goal here is to have an email trigger based on rogue AP detection, but only for those classified as malicious.  How do I accomplish this?
    I'm running WCS 7.0, w/  a WLC 4404 on 6.0 code.
    Thanks,
    David Swafford, Network Engineer, CareSource
    Cisco Certified Network Professional  |  Cisco NAC Specialist  |  EC-Council Certified Ethical Hacker

    A possible alternative solution would be to have WCS send SNMP traps to a 3rd-party monitoring system, which could be configured to trigger an alert if it receives a notification indicating a new rogue AP has been detected and classified as malicious.  This is from the WCS MIB file:
    cWNotificationSpecialAttributes OBJECT-TYPE
        SYNTAX          OCTET STRING (SIZE  (1..1024))
        MAX-ACCESS      read-only
        STATUS          current
        DESCRIPTION
            "This object represents the specialized attributes required
            to describe the network condition identified by
            cWNotificationType. These include SNR, RSSI, channel information
            etc. This value is formatted as 'name=value' pairs in CSV
            format. For example, rogueAP Alert's special attributes are sent
            as 'detectingAPRadioType=a0,YCoordinate=0, state=11,
            rogueApType=0, spt Status=0, ssId=wpspsk, on80211A=0,
            numOfDetectingAps=0, on80211B=1, XCoordinate=0,
            classificationType=3, channelNumber=6, containmentLevel=0,
            rssi=-51, rogueApMacAddr=00:1b:2b:35:6a:f3, onNetwork=0, total
            RogueClients=0'. This string can be parsed to get different
            name-value pairs."
        ::= { cwNotificationHistoryEntry 12 }
    I haven't actually gotten around to trying this yet.  Hopefully I'll have time during the holiday season.  If anyone else gets it to work in the meantime, let me know!
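A sketch of the receiving side of the SNMP-trap approach suggested above, added here as an example (it is not code from the poster or from Cisco): it parses the 'name=value' string from cWNotificationSpecialAttributes and decides whether a notification should trigger an e-mail. The function names are hypothetical, and the classificationType number that means "Malicious" is not given on the page, so it is passed in as a parameter.

```python
"""Filter WCS rogue-AP notifications down to the ones worth an e-mail."""
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)

# The example string from the MIB DESCRIPTION quoted above, joined onto one line.
MIB_EXAMPLE = (
    "detectingAPRadioType=a0,YCoordinate=0, state=11, rogueApType=0, "
    "spt Status=0, ssId=wpspsk, on80211A=0, numOfDetectingAps=0, on80211B=1, "
    "XCoordinate=0, classificationType=3, channelNumber=6, containmentLevel=0, "
    "rssi=-51, rogueApMacAddr=00:1b:2b:35:6a:f3, onNetwork=0, total RogueClients=0"
)
# Constructed sample: an SSID that itself contains ",rssi=-90", which makes
# the CSV ambiguous. The SSID is chosen by the detected device, so the whole
# string has to be handled as untrusted input.
AMBIGUOUS = ("ssId=cafe,rssi=-90, rssi=-51, classificationType=1, "
             "rogueApMacAddr=02:00:00:00:00:01")


def parse_special_attributes(raw):
    """Split the CSV of name=value pairs; return (attrs, problems)."""
    attrs, problems = {}, []
    for chunk in raw.split(","):
        if not chunk.strip():
            continue
        name, sep, value = chunk.partition("=")
        # Names in the MIB text are wrapped ("spt Status"); drop the whitespace.
        name = re.sub(r"\s+", "", name)
        if not sep or not name:
            problems.append(f"fragment without name=value: {chunk.strip()!r}")
        elif name in attrs:
            # Never let a later pair silently overwrite an earlier one.
            problems.append(f"duplicate attribute: {name}")
        else:
            attrs[name] = value.strip()
    return attrs, problems


def classify_notification(raw, malicious_types):
    """Return (decision, mac, reasons); decision is alert, review or ignore.

    malicious_types: set of classificationType integers that mean
    "Malicious" on your WCS version (ASSUMPTION: look this up in the MIB).
    """
    attrs, problems = parse_special_attributes(raw)
    mac = attrs.get("rogueApMacAddr", "").lower()
    if not MAC_RE.match(mac):
        problems.append("missing or malformed rogueApMacAddr")
        mac = None
    ctype = attrs.get("classificationType", "")
    if not ctype.isdigit():
        problems.append("missing or non-numeric classificationType")
    if problems:
        # Fail closed: an unparseable notification goes to a human
        # instead of being dropped as "not malicious".
        return "review", mac, problems
    if int(ctype) in malicious_types:
        return "alert", mac, [f"classificationType={ctype}"]
    return "ignore", mac, []


def macs_to_email(notifications, malicious_types):
    """One e-mail per rogue MAC, however many traps repeat it."""
    seen, out = set(), []
    for raw in notifications:
        decision, mac, _ = classify_notification(raw, malicious_types)
        if decision == "alert" and mac not in seen:
            seen.add(mac)
            out.append(mac)
    return out


if __name__ == "__main__":
    # {3} is used only so that the MIB's own sample string triggers here.
    for sample in (MIB_EXAMPLE, AMBIGUOUS):
        print(classify_notification(sample, {3}))
```
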

  • How to avoid interferences caused by rogues APs

    Hi Everybody,
    I have a WLC running well with 10 LAPs.
    The problem is that I have approximately 60 rogue APs and I have a lot of perturbations in signals (noise, interference, ...) caused by these APs.
    How to avoid this interference? Is it the classification Malicious APs?

    wow! belay that...DO NOT CONTAIN THE ROGUES!
    Unless you can prove they are in your network and shouldn't be, there can be legal ramifications for doing so.
    What you need to do first is adjust the sensitivity for rogues.  By default it's -128, change that to -75.  Once you've done this, then you can evaluate which rogues are in your network, or belong to neighboring businesses.  For neighboring, go talk to their IT staff and see if you can get them to lower power so you aren't interfering with each other, 'cause if you see them, they probably see you as well.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • How to Prevent or Block Rogue APs from Joining Your Wired or Wireless WLANs

    Hi all, I deployed a WLAN with 1 WLC 4400 and 5 1252AP. I do not see the way to Block Rogue APs from Joining the Wired or Wireless WLANs

    PART 1
    There are three parts to this:
    1. detect - automatic
    2. classify - by default APs are untrusted/unknown, various methods can be configured to classify them as trusted and threat (connected to wired network).
    3. over the air contain (aka mitigate) - in 4.x this is manual, in 5.x you can configure auto-containment
    First you need to detect. WLC does this automatically out of the box. It listens to the air for unknown APs, clients and ad-hocs. Are you seeing Rogue APs under Monitor > Rogues > Rogue APs?
    Next, you can manually classify rogue APs as "known" (internal or external). Starting with 5.0 you can also build rogue rules based on RSSI, SSID, Clients, etc. If an AP is classified as "known" (internal or external), WCS stops alerting you.
    Another key classification piece is to detect whether or not the rogue AP is physically connected to your network, which is a high security risk. There are three ways WLC can detect it and none of them is automatic. You must configure these methods manually.
    1. Rogue AP Detector, aka ARP sniffing. You have to dedicate one AP as "Rogue Detector" (change AP mode from local to rogue detector). Configure the port the AP is connected to as switchport mode trunk (normally it's switchport mode access). Rogue Detector AP turns off and doesn't use its radios. When WLC detects rogue APs it can also detect the MAC addresses of any clients associated to those rogue APs, and the rogue detector AP simply watches each hardwire trunked VLAN for ARP requests coming from those rogue AP clients. If it sees one, WLC automatically classifies the rogue AP as "threat" indicating that the rogue AP is physically connected to your network. It doesn't actually do anything with the rogue AP, it simply classifies it and alerts you. Also, keep in mind that this method doesn't work if the rogue AP is a Wireless Router, because Wireless Routers NAT and ARP requests don't propagate to the wire.
    2. RLDP. Rogue Location Discovery Protocol. This feature is by default turned off and can be enabled under Security > Wireless Protection Policies > Rogue Policies. This feature works only when the rogue SSID is open, meaning that it's not using WEP/WPA/802.1x. When you enable RLDP, your WLC will pick some AP (you can't pick manually) which hears Rogue AP traffic, it will temporarily shut off its radio, turn it into a client, and instruct it to associate to the Rogue AP as client (this is where the requirement comes in for the Rogue SSID to be open authentication). Once associated, AP gets a DHCP IP through Rogue AP, it then sends a special small UDP port 6352 RLDP packet to every possible WLC's IP address (mgmt ip, ap manager ip, dynamic int IPs). If WLC gets one of those packets, it means that rogue AP is physically connected to your network. This method will work when Rogue AP is a Wireless Router. But this method is not recommended. It has an adverse effect on your wireless clients because RLDP AP goes offline for a period of time disconnecting your clients and forcing them to associate to another AP. Also, keep in mind, that WLC runs this RLDP process *once* per detected rogue AP. It doesn't periodically do this, it only does it once. In some later WLC versions, you can configure RLDP to run only on "monitor mode" APs, eliminating impact on your clients. Also, you can manually trigger RLDP for a rogue AP from CLI "config rogue ap rldp initiate ". You can "debug dot11 rldp" to see the process.
    3. Switchport Tracing (need WCS, and WLC 5.1). This is a later feature that requires WCS. You can add your Catalyst switches to WCS, and WCS will look at CDP information and MAC tables on your switches to detect whether or not Rogue AP is connected to your network. This works with secured and NAT rogues. You can also *manually* instruct WCS to shut down the switchport that Rogue AP is connected to.

  • How to jam rogue APs

    Dear
    I have detected several rogue APs in my company, one with no security key. We are using a 4402 WLC. I tried to contain those rogue APs; after this it shows these APs as contained, but there is no effect on the SSID, anyone can still use it. Can someone tell me whether it is possible to disable rogue APs so that they are not used by employees? Thanks

    Your theory seems to be correct, as I was able to Contain one SSID of my own D-LINK AP.
    What was the RSSI value when you did this?  How many APs were assigned to contain?
    after that when I contain the client associated with that Contained AP then I was able to dis-associate.
    Not a good idea because you'll need to contain a lot of clients.  What if the clients want to join YOUR valid SSID?
    Could you tell me what are possible RSSI values or distance between which we should be able to contain APs without issues.  Is it related with APs or WLC model etc.
    Y'know what?  I'm not so sure because "containing" an AP isn't really a "sport" you want to brag about and Cisco frowns upon it.  I just theorized because your RSSI values are just too low.  If you have a value of, say, -75 dBm then there's a chance of being successful.
    I plan to implement switch port security with mac-filtering on access switches.
    Here's the deal.  This is OK if the rogue AP happens to be connected to YOUR network.  What if, and this is a very common occurrence here in Australia, the rogue AP IS/WAS NOT connected to your network?  What if the AP is actually acting as a honeytrap or siphoning your enterprise WLAN traffic and sending it the other side?  As Scott recommended, the best way is to go to the owner of the offending rogue AP with two other big and burly colleagues and tell the offender to take the rogue AP out or you'll send your "enforcers" back.
    This AP is just two floors away.
    What are the inter-floors made of?  Are they made of concrete or wood?  Sounds like it's made out of concrete which makes propagation of wireless signal more difficult.  A recent study in Australia regarding the propagation of rogue APs are caused by staff bringing in their own chop-suey wireless access point.  The reason why they are doing it is because they are sick and tired of management telling them "No, you can't do it."  The same study stated that if management is unwilling to improve work-related technology then staff will do their best to do it themselves and without any authorization or approval.  When it comes to wireless technology in the workplace, you'll be surprised to know how many managers are still ignorant about the security implications and consider wireless as a "punishment from G0d".
    My opinion is this:  Roll out wireless to your floors and buildings.

  • What tools for locating rogue APs and adhoc clients ?

    Hi all. I was wondering how you locate your rogues. I have WCS with location detection; however, I still have to go out and hunt down the device. It can be difficult when there is a high density of laptops. Right now, I try to attach to unsecured devices and use the Cisco wireless survey utility to home in on the rogue. Please let me know if you use something better. This seems to work better than using netstumbler, but it has the disadvantage of requiring that you attach to it first. If security is enabled, I have to resort to netstumbler. I would appreciate hearing what techniques and tools work for you.
    Randy

    I have not found any new tools/techniques as of yet. The way I see it the flow goes like this:
    1. You detect the rogue over the air waves. WLCs and WCS do a good job of this.
    2. With WCS and location detection, you get the approximate location of the rogue.
    3. Then you have to go get the rogue. Sometimes they are easy to find, sometimes they are really hard to find even when the location data is good. They could be under or behind a desk, or in an adjacent office.
    I have not tried one of the spectrum cards from Cisco. Perhaps that would work better for finding the device once you know roughly where to look.
    It seems that most rogues are not APs, but are routers using NAT. That hides the clients' wireless MAC addresses from the LAN side of your switched network so I don't think it is easy to locate the rogue on the LAN switch based upon what the APs hear over the air waves - at least that is my experience.
    Randy

  • Finding rogue APs that are on wired network

    I am beginning to think that there is no way to guarantee that a rogue AP is connected to your wired network. I have read up on RLDP and "rogue detection". I was excited because I thought rogue detection would accomplish this. However, when I connect an autonomous AP to my wired network it does not get identified as being on my wired network despite the "rogue detector" being in place and connected to a trunk port with all network VLANs on it. In thinking through this I believe this is because the radio MAC and ethernet MAC are different on the autonomous AP. The ethernet MAC of the autonomous rogue AP is in the rogue detector DB, not the radio MAC. So when the detecting AP sends the radio MAC to the rogue detector it doesn't get flagged. Can anyone confirm this? And if so, offer any insight into a workaround? I was able to get a "rogue client" flagged as a threat connecting via this AP, because its ARP entry is in the rogue detector's DB. But I can't get the AP flagged. If this is the case then rogue detection is more or less useless to me because I care about rogues on my network (obvious security breach) not rogues in other businesses in my area. I'd rather know when the rogue AP goes in and not have to wait until a rogue client connects to it. Please advise....
    Regards Chuck

    Network Chemistry makes a free tool (as well as a more advanced product you can buy) that might fit the bill for you. It relies on people properly classifying the devices on their own network with the free tool to build a database of device types based on the vendor ID digits of MAC addresses, as well as some SNMP scanning (I think). A link is below. I don't have a lot of experience with the tool, only because I'm not entirely convinced of its accuracy, but to be honest, I've never really used it in a production environment.
    Good luck!
    -Chris
    http://www.networkchemistry.com/products/roguescanner.php

  • WLSE Not showing the RSSI the AP reported Rogue APs in my scanning-only mod

    Hi guys
    I have a WLSE version 2.15.1 which is configured to detect rogue APs. The APs are 1242. When I look at the Unknown AP detail, the RSSI has a value of 0 for all rogue APs detected. Any help or suggestions will be very useful.
    Thank you.
    Greetings

    If the RSSI value is zero, then the AP is not active at all. Do you see the same value for all the APs? Does the WLSE provide correct RSSI values for the known APs?

  • Rogue APs/Clients

    A couple of quick questions here (5508 WLC, 1142N APs).
    I understand if I enable the AP mode to Rogue Detector from the details page of the AP, the AP stops accepting requests and is now looking for rogue items on the wired network. Is this the same when I enable Rogue Location Discovery Protocol? Will I lose the wireless functionality of all of my APs on the controller?
    Next question, when I look at the Rogue Summary on the Monitoring page I see three Adhoc Rogue devices. When I select the Detail link only one shows. I remember the other two were HP multifunction devices with WiFi enabled but I cannot retrieve that information anymore. Ideas?
    Thank you,

    Q1 ans:
    #Both are different techniques to find rogues on the wire.
    #Rogue detector is an AP mode that is applicable per AP.
    #RLDP is a global feature that is applicable on AP modes - local, hreap & monitor. Security>> WPS>> General>> RLDP>> drop down menu.
    #AP in Rogue Detector mode (listens for ARP on the wire) is not similar to RLDP (that uses wireless).
    #APs in Rogue Detector mode will not enable their radios, so wireless client connection is not possible. The AP will be connected to a trunk port of the switch and listens for ARP entries on all VLANs; it compares the ARP entry against Rogue AP & client info collected by WLC through APs, and if it matches then it will mark the rogue as on wire. It's not a very accurate method.
    #AP on RLDP serves clients, but don't enable this feature on Local/hreap mode APs servicing voice clients (since the AP goes off channel and connects to the rogue AP, which interrupts client service); use a dedicated Monitor mode AP for this purpose. When the RLDP feature is enabled the Cisco AP acts as a wireless client, connects to the rogue AP and pings the management interface of the WLC; on reply the Rogue AP will be marked as 'Rogue on wire'.
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml
    Q2 ans:
    Check First & Last Time Reported On WCS/NCS that stores the history of Rogues.
    If you've external trap server setup then it should be there as well.
    Security>> WPS>> General>> Expiration Timeout for Rogue AP and Rogue Client entries - configurable between 240 & 3600 secs. If the rogue is not reported/refreshed within this time frame then it will get deleted from WLC.
    Q3 ans:
    It is suggested to talk to them to reduce their AP power levels if they're seen very high.
    If your client talks to their AP(which is detected as Rogue by WLC) then your own client will be marked as rogue client.
    Enable MFP - global Infrastructure mfp for AP & per wlan mfp for Client as mandatory to avoid attacks.

  • Cisco Prime Infrastructure 1.2 - web browser freezes when managing rogue APs alarms

    Hello all,
    has anybody faced a freezing problem when you click in Cisco Prime Infrastructure 1.2 down on the alarm bar and then on Rogue AP alarms and then try to add an annotation or change a rogue alarm to Friendly?
    I tried it on different PC, different browsers (Firefox 14.0.1. Chrome ...) and the problem is still there.
    Has anybody an idea?
    Thanks.
    Regards
    Karel

    I just tried it from my lab VM and had no problems.  I use Chrome and the browser does sometimes not refresh for a while but that is just when I start to  click around.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Shutting down Rogue APs

    Besides simply classifying devices as rogues, is there a way to shut them down or overwhelm them with deauthentication or disassociation floods, something of the sort?

    You can contain the rogue, but then you can get in trouble for that since it is a DoS attack. 
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Rogue AP

    Hi all
    I work in a company where we rented offices and we offer internet service for all (VoIP and internet). The place where I work has 2 buildings and each building has 2 Cisco WLC 4400. We have about 100 access points in total (connected to the WLC) to give free and public internet service. The problem we have is that companies connect their LAN AP and that makes the free wireless network go very slow. If we log in to the WLC, around 300 rogue APs appear per building, it's a lot! We think that the problem of slowness is this. Is there any possibility that our APs do not see the APs of the other companies? How can we fix the internet speed of our APs?
    thank you very much

    The signal strength of the Rogue APs doesn't affect any of your issues. 
    What you and your management should think about is the age of your APs.  1020 is long, long End-of-Support.  The firmware you are using is ... ancient.  
    1020 supports 802.11b.  So this means your maximum is 11 Mbps.  And when everyone says 11 Mbps, this is expressed in HALF duplex or one-way traffic only.   In reality, you'll be lucky to get 5 Mbps.
    Now, let's say you've got one person with a brand-spanking-new iPhone 6 ... One guy alone with a smartphone can really, really slow down your wireless.  
    If the model of your AP is that old and the firmware of your WLC is equally as old, then I shudder to think about the age of your LAN/WAN infrastructure.  This also means any opportunist salesperson can potentially sell you EVERYTHING: 
    1.  LAN & WAN:  Maybe it's time to upgrade your current LAN switches because high-speed 802.11n and 802.11ac wave1, wave 2 will require 1 Gbps.  802.11ac wave 1 and wave 2 would benefit if you have 10 Gbps uplink to core network. 
    2.  Security:  IDS/IPS and Firewall.  If you've got guest wifi, you'll need to incorporate these. 
    3.  Network Monitoring:  If you've got executives who like to look at performance numbers, colors, graphs, etc. then CPI is your tool to manage your LAN/WAN and wireless as well as generate mind-numbing reports for bean counters to salivate upon. 
    4.  Wireless:  You need to upgrade your APs.  You will also need to upgrade your WLC.  No question about it.  
    5.  IP Telephony:  If your LAN supports PoE/PoE+ then IP telephony is your best bet.  You can even link IP telephony with wireless as Cisco has two models of wireless handsets:  792X and 9971.
    6.  Video Conferencing:  Do your executives like to do video conferencing?  You can also "link" this with IP Telephony as Cisco has a few desk phones which can also do video conferencing. 
    7.  Instant Messenger:  Cisco is pouring a lot of resources into the improvement of Jabber.  
    8.  Digital Media Streaming:  Does your company consider putting some kind of network-based Digital Media Streaming in your office?

  • Rogue APs and clean air

    Hi
    Is there a relation between rogue access point detection and clean air? Is rogue access point detection based on the clean air technology?

    No, it's not.
    Along with what Salodh suggested, following details might help.
    Rogue APs are:
    APs which are not recognised by our controller.
    APs that have not been created and managed by our controller.
    The controller puts those APs in a category called Rogue.
    Disclaimer: Proper authorization is required to attack a Rogue AP. For example, it's our building, our floor and a rogue AP shows up in the middle of it; at that point we might have the authorization to disrupt the services of that AP.
    On the other hand,
    CleanAir Technology identifies and resolves RF interference challenges.
    The term Air Quality Index ranges from 1 to 100 (where 100 means that the Radio Frequency doesn't have much interference and 1 means that AP needs to make changes)
    When an AP detects interference, it rates it by Interference Severity Levels (1=Low Interference Severity and 100=Terrible Interference)
    The Interference Severity reduces the AQI levels.
    AQI Sensitivity Levels:
    High sensitivity: If AQI drops below 60, take action to move channels.
    Medium Sensitivity: If AQI drops below 50, take action to move channels.
    Low Sensitivity: If AQI drops below 35, take action to move channels.

  • Rogue AP detection

    The WLSE has detected rogue APs. These APs have high RSSI and a variable channel set. How can I handle it? As far as I know, WLSE is not able to protect my APs from rogue AP attacks, only detect them. Should I use wired LAN? Is there any other solution to clear this rogue AP's channel interference? Any advice please. Thanks.

    You've got to be careful here .... the WLSE can "shut down" rogue APs by either sending a disconnect to the client, or dropping the offending switch port.
    The problem is that the "rogue" APs could be other businesses nearby; if you shut down all the "rogue" APs you may be killing another business' wireless system.
    You can tell the WLSE that a specific "rogue" is known and acceptable, and it will ignore it for the purposes of reporting.
    If your APs or antennas are at some altitude (mine are on the fifth & sixth floor), you can pick up other wireless systems from a mile away ... if I tell my system to shut down all rogues, I can be killing systems for quite a distance.
    IMHO, it would be a good idea to bring up a wireless "Sniffer" and identify the traffic; if it's truly rogue/malicious traffic, then shut it down .... but if it's a neighbor, just tell the system to ignore it.
    The "Sniffer" can also give you a good idea of which channels are least congested and have the least interference so you can make adjustments to your system.
    At the least, bring up something like Netstumbler (it's free, runs on Windows) or Kismet (it's also free, runs on *nix).
    You can also run some radio scans from the WLSE. I prefer using an external system.
    Good Luck
    Scott
