https://community.cisco.com/t5/wireless/rogue-ap-policies-and-best-practices/m-p/4863159#M257502 <P>Hi</P> <P>&nbsp;AP Authentication is related to your Access Point, not the rogues. With that feature, you can create authentication for your APs, similar to clients. Sounds like a good idea but can create a lot of problem. I would not recommend. </P> <P>"When I receive a rogue AP minor alarm, and I identify that it is a harmless Wi-fi access point from a business around the building, what happens if I classify it as friendly? "</P> <P>&nbsp;The alarm will not be generated again. If you do not classify as frendly I will be receiving alarms about that AP all the time.</P> <P>"It is a security flaw if I do it?</P> <P>&nbsp;I dont believe so.</P> <P>"In the future, if that WAP becomes dangerous, how would I identify it? A new alert would be reported if for example the SSID was changed?"</P> <P>&nbsp; The only possibility I can see for that AP to become "Dangerous" would be if the AP´s owner start advertising your SSIDs or start the containement for your SSIDs. And this could be identify through others logs also.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 27 Jun 2023 12:27:49 GMT Flavio Miranda 2023-06-27T12:27:49Z https://community.cisco.com/t5/wireless/rogue-ap-policies-and-best-practices/m-p/4863068#M257490 <P>Dear Cisco Community,&nbsp;</P><P>&nbsp;</P><P>I am trying to undesrtand the best practices and the best policies to deal with Rogue APs, and many doubts emerged. Let me just clarify that I am just a beginer.&nbsp;</P><P>&nbsp;</P><P>Under <STRONG>Rogue Policies</STRONG> on the <STRONG>Wireless Controller</STRONG>, the <STRONG>AP Authentication</STRONG>, If I select that option is just to confirm what kind of authentication the rogue AP is using when a new one is detected?</P><P>&nbsp;</P><P>When I receive a rogue AP minor alarm, and I identify that it is a harmless Wi-fi access point from a business around the building, what happens if I classify it as friendly? It is a security flaw if I do it? In the future, if that WAP becomes dangerous, how would I identify it? A new alert would be reported if for example the SSID was changed?</P><P>&nbsp;</P><P>Thank you in advance!</P><P>Best regards!</P> Tue, 27 Jun 2023 09:26:30 GMT https://community.cisco.com/t5/wireless/rogue-ap-policies-and-best-practices/m-p/4863068#M257490 DarioPouseiro 2023-06-27T09:26:30Z https://community.cisco.com/t5/wireless/rogue-ap-policies-and-best-practices/m-p/4863159#M257502 <P>Hi</P> <P>&nbsp;AP Authentication is related to your Access Point, not the rogues. With that feature, you can create authentication for your APs, similar to clients. Sounds like a good idea but can create a lot of problem. I would not recommend. </P> <P>"When I receive a rogue AP minor alarm, and I identify that it is a harmless Wi-fi access point from a business around the building, what happens if I classify it as friendly? "</P> <P>&nbsp;The alarm will not be generated again. If you do not classify as frendly I will be receiving alarms about that AP all the time.</P> <P>"It is a security flaw if I do it?</P> <P>&nbsp;I dont believe so.</P> <P>"In the future, if that WAP becomes dangerous, how would I identify it? A new alert would be reported if for example the SSID was changed?"</P> <P>&nbsp; The only possibility I can see for that AP to become "Dangerous" would be if the AP´s owner start advertising your SSIDs or start the containement for your SSIDs. And this could be identify through others logs also.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 27 Jun 2023 12:27:49 GMT https://community.cisco.com/t5/wireless/rogue-ap-policies-and-best-practices/m-p/4863159#M257502 Flavio Miranda 2023-06-27T12:27:49Z https://community.cisco.com/t5/wireless/rogue-ap-policies-and-best-practices/m-p/4863539#M257544 <P>Generally I set the rules like this:<BR />Rogue detected with my SSIDs - classify as malicious&nbsp;</P> <P>Rogue detected with signal -85 - Classify Neigbour and dont worry</P> <P>Rogue detected on wire - classify malicous</P> <P>Rogue detected with signal better than -75 then have investigated.</P> <P>Containement should only be done if the rogue is broadcasting your SSIDs, or is on your wired network - there are legal considerations to containment (<A href="https://edition.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fine/index.html" target="_blank">https://edition.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fine/index.html</A>)&nbsp;<BR />Also with containment it affects your APs so it should only be done whilst you are physically finding and disconnecting the rogue AP</P> Tue, 27 Jun 2023 22:14:31 GMT https://community.cisco.com/t5/wireless/rogue-ap-policies-and-best-practices/m-p/4863539#M257544 Haydn Andrews 2023-06-27T22:14:31Z