topic Re: How to manage unclassified rogue AP's? in Wireless

How to manage unclassified rogue AP's?

jmprats — Sun, 04 Jul 2021 06:53:19 GMT

What am I supposed to do with unclassified rogue AP?

I understand that if they don't look a thread I can mark them as "Friendly External" to no receive more alarms about them. Is it ok?

The problem is what happens if this external Friendly AP change the SSID for a Managed SSID (an SSID is using our controller). Then, this AP is a threat, but is not longer detected for the controller

Is it a bug?

or am I not managing unclassified Rogue correctly?

Re: How to manage unclassified rogue AP's?

Scott Fella — Wed, 10 Apr 2013 11:24:07 GMT

I don't even bother with these alerts to be honest. You can mark them friendly just so you don't get the alerts if you want. Just depends on what you want to see or ignore:)

Sent from Cisco Technical Support iPhone App

Re: How to manage unclassified rogue AP's?

jmprats — Wed, 10 Apr 2013 11:30:57 GMT

Yes, but the problem is that if the Friendly AP changes its SSID by one SSID of your network (managed SSID) is not detected as Malicious.

And with this change this Friendly AP is a thread and should be detected as Malicious but it's not

How to manage unclassified rogue AP's?

Saravanan Lakshmanan — Sun, 19 May 2013 06:48:54 GMT

this issue seen on what WLC code?

display the screenshot of Rogue rules.

How to manage unclassified rogue AP's?

jmprats — Mon, 20 May 2013 06:54:23 GMT

Version code 7.0.235.3

How to manage unclassified rogue AP's?

Saravanan Lakshmanan — Mon, 20 May 2013 09:32:32 GMT

Are you manually classifying as Friendly External?

If yes then #1 is applicable and what you're seeing is expected. If not then #3 is not happening in your case and how long did you wait once the ssid of the rogue changed to the WLC's management?

#Try, If the AP is removed from friendly rogue list(monitor> Rogue> friendly APs) then does it classifies back to original status friendly or malicious as expected. in this case it should classify as malicious once removed from friendly list based on #2.

http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_0110.html#d116047e9015a1635

When the controller receives a rogue report from one of its managed access points, it responds as follows:

The controller verifies that the unknown access point is in the friendly MAC address list. If it is, the controller classifies the access point as Friendly.
If the unknown access point is not in the friendly MAC address list, the controller starts applying rogue classification rules.
If the rogue is already classified as Malicious, Alert or Friendly, Internal or External, the controller does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically only if the rogue is in the Alert state.
The controller applies the first rule based on priority. If the rogue access point matches the criteria specified by the rule, the controller classifies the rogue according to the classification type configured for the rule.
If the rogue access point does not match any of the configured rules, the controller classifies the rogue as Unclassified.
The controller repeats the previous steps for all rogue access points.

Olá jmprats.appling that rule

Bruno Dinis — Wed, 11 Jun 2014 10:15:32 GMT

Olá jmprats.

appling that rule every rogue AP with a signal stronger that -70dBm will be automatically classified as Malicious?

The identification of Rogue

Moin Ilyas — Thu, 10 Jul 2014 08:06:56 GMT

The identification of Rogue AP is done by WLC, whereas we could classify the AP either manually or based on set of rules.

The controller would still be able to identify that AP as a Rogue AP. The reason is that the Wireless LAN Controller would look for the Basic Service Set Identifier (BSSID) for that particular AP.