topic Question on Rogue Detection in Wireless

Question on Rogue Detection

wireless_student — Sun, 04 Jul 2021 05:24:57 GMT

Hi All,

I have a question regarding rogue detection configuration on WLC.

we know that rogue detection can be enabled on a per AP basis under the advanced tab of each AP, starting from code 6.0, and it also supports rogue detection in RF groups when we configure protection type as "AP Authentication" under WLC security tab, which will make APs to authentication frames based on the RF group name, if name is different, then the AP is considered as a rogue.

so the question is if we only enable rogue detection on the AP level, however leave the AP authentication selected as "none", how does the AP detect rogues? does that mean if any signal detected is not from the APs connected to the WLC, then this will be considered as a rogue?

also in the configuration guide, under the section "enable rogue access point detection in RF groups", it says rogue detection will need the AP to be configured as either local or monitor mode, when we also have AP authentication enabled. however if an AP is under h-reap mode, we still able to enable/disable rogue detection under the advanced tab, so how does H-REAP mode APs detect rogues? is that the same method as when AP authentication selected as "none"

thanks in advance for your help.

Question on Rogue Detection

Saravanan Lakshmanan — Tue, 17 Jul 2012 12:39:15 GMT

it is applicable not only for AP Authentication but also even for AP infrastructure mfp.

does that mean if any signal detected is not from the APs connected to the WLC, then this will be considered as a rogue?

Yes, APs outside cisco WLC and APs that are not on same RF group will be rogues.

if an AP is under h-reap mode, we still able to enable/disable rogue detection under the advanced tab, so how does H-REAP mode APs detect rogues? is that the same method as when AP authentication selected as "none"

If hreap is on connected mode to WLC then yes it detects rogue and report to WLC, on standalone it doesn't work.

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml

Re: Question on Rogue Detection

Amjad Abdullah — Wed, 18 Jul 2012 10:04:04 GMT

Hi,

If APs joinign a cisco WLC detected WIRELESS 802.11 FRAMES that are being send and they do not belong to the WLC to which the AP belongs or any WLC in its mobility group then the source of those frames (source mac address) is considered a rogue AP that has that mac address as a source.

If the detected signal is not a wireless 802.11 frame (just noise, bluetooth...etc) then that is not detected as rogue because the AP does not able to analyze that signal as 802.11 frame and hence does not know the source mac of the sender.

HTH

Amjad

Question on Rogue Detection

wireless_student — Wed, 18 Jul 2012 11:16:38 GMT

Thank you both for the reply, can you please confirm the below senario as well:

with rogue detection enabled on AP level, what is the difference between AP authentication configured as "none" and "AP Authentication"? my understanding is that with AP Authentication or MFP enabled under "AP Authentication" field, rogue detection will be verified based on the RF group name, so signal from other RF domain or not from WLC will be considered as rogue, but what if we select AP authentication as "none"? are we still using RF group name to authenticate frames from other APs? or there is another method? if not does that mean rogue detection is DISABLED in this case even when we have it enabled under the advanced tab of the APs?

thanks for your time to clarify this.

Question on Rogue Detection

Amjad Abdullah — Wed, 18 Jul 2012 11:29:25 GMT

If roge detection under the AP advanced tab is selected:

- Enabled: the AP will report rogues it finds to the WLC.

- Disabled: the AP will not report any rogues to the WLC regardless of what AP authentication is.

If rogue detection is enabled and AP authentication is:

- None: AP reports rogues it finds to the controller. APs on same mobility group are not reported even if they are on different RF groups.

- AP authentication: AP reports the rogues to the WLC. APs on same mobility group but with different RF groups are also reported as rogues.

HTH

Amjad

Question on Rogue Detection

wireless_student — Wed, 18 Jul 2012 12:11:30 GMT

ok, thanks for your reply, so if AP authentication is "none", then even RF group name is different, then AP will NOT report rogues from other WLCs, and WLCs in the same mobility group is the condition for this? becasue it seems AP still reports rogues, and it should report rogue APs from other WLCs which has no relation to the current one (not in mobility group/list, different RF group), then in this case RF group name is not something that the WLC uses to determine the rogue?

thanks.

Re: Question on Rogue Detection

Amjad Abdullah — Wed, 18 Jul 2012 12:27:59 GMT

ok, thanks for your reply, so if AP authentication is "none", then even RF group name is different, then AP will NOT report rogues from other WLCs, and WLCs in the same mobility group is the condition for this?

WLC mobility group is always a condition to decide if a rogue should be reported or not. If on same mobility group then it is not rogue. if on different mobility group then it is a rogue.

RF group is not always there. you can enable or disable checking it by selecting "none" or "AP authentication". If none then RF group should be similar or else it is reported as a rogue.

If mobility group is different then we do not look at RF group and the AP is reported as rogue.

If mobility group is similar then:

- If "none" we do notlook at the RF group and the AP considered not rogue.

- If "AP authentication" then we look at the RF group. if similar then not rogue. if different then rogue.

HTH

Amjad

Question on Rogue Detection

wireless_student — Wed, 18 Jul 2012 12:57:09 GMT

ahh, ok this makes sense now, thanks a lot for your help!

Question on Rogue Detection

Saravanan Lakshmanan — Wed, 18 Jul 2012 15:46:59 GMT

don't think Mobility group will be a prime factor and it is always RF group since Configuring Mobility group is optional, RF group is mandatory for a WLC. Also, Rogue detection happen over wireless, to show or not to show as rogue is decided by other configuration parameters Ex: Rogue rules, AP auth type, is it in friendly list,.... only exception is with different RF group with same Mobility may still detect as Rogue but won't show bcoz mobility group is the subset of RF group just like other filter parameters.

It is recommended to keep RF group name, Mobility group name, AP auth type used similar across all WLCs whose APs ovelapping RF. Same RF group name with different AP auth type will be flagged as Rogue.

Question on Rogue Detection

wireless_student — Thu, 19 Jul 2012 02:00:15 GMT

hi Saravanan,

ok if mobility group/list configuration is not considered as a factor for rogue detection, can you please help to explain what is the difference between "none" and "AP Authentication" under the AP Authentication configuration?

when we have rogue detection enabled under AP level, does that mean rogues will always be detected, even if ap authentication selected as "none"?

thanks.

Question on Rogue Detection

wireless_student — Fri, 20 Jul 2012 11:43:52 GMT

can anyone please help to confirm what is the difference between "none" and "AP Authentication" under "AP Authentication" configuration option?

appreciate any comment on this.

Re: Question on Rogue Detection

Amjad Abdullah — Fri, 20 Jul 2012 16:09:43 GMT

Saravanan:

I dont agree. If wlcs on same mobility domain the aps on different wlcs are not reported as rogues. However, if wlcs on different mobility domain (or mobility domain is not set) then the aps on different wlcs are reported as rogues.

Rogue rules and friendly list are used to classify rogue aps that are reported. While aps on same mobility domain are not reported in the first place.

HTH

Amjad

Sent from Cisco Technical Support iPad App

Re: Question on Rogue Detection

George Stefanick — Fri, 20 Jul 2012 16:42:19 GMT

Amjad,

Saravanan is correct, its RF group -- not mobility group. I too have made this mistake, as you, until i read the config guide like 20x times ..

See below this may help better explain.

Enabling Rogue Access Point Detection in RF Groups

After you have created an RF group of controllers, you need to configure the access points connected to the controllers to detect rogue access points. The access points will then select the beacon/
probe-response frames in neighboring access point messages to see if they contain an authentication information element (IE) that matches that of the RF group. If the select is successful, the frames are authenticated. Otherwise, the authorized access point reports the neighboring access point as a rogue, records its BSSID in a rogue table, and sends the table to the controller.

Re: Question on Rogue Detection

Saravanan Lakshmanan — Fri, 20 Jul 2012 17:44:16 GMT

#Regards to AP Auth type, Same RF group require to have same AP Auth type - Auth/MFP/none on all WLCs. Different RF group with same auth type or same RF group with different RF group will be flagged as rogue.

should be an easy test if you've two wlc.

Re: Question on Rogue Detection

Saravanan Lakshmanan — Fri, 20 Jul 2012 17:48:20 GMT

#Mobility group check is added as subset to delete the rogue, if they're already joined to them to avoid self containment(see exception from prior post)from 7.0 only, prior to that -mobility means nothing to rogue detection.

#Mobility happens on wire while RF neighbor/rogue learning happens over wireless is the key difference.

Re: Question on Rogue Detection

Amjad Abdullah — Fri, 20 Jul 2012 18:29:28 GMT

George and Saravanan:

Thank you. +5 to each post you both put. Your clarification is very useful to me.

What i know from before: mobility group wlcs can communicate and know the ap belongs to any of group wlcs. Hence they know it is not a rogue. If It is "ap auth" then rf group should be the same. If "none" then rf group if different on same mobility domain then is even not reported.

If anyone can test and confirm that will be appreciated. Because some of the info i got was from Cisco TAC. About cisco doc: they are useful but sometimes not accurate enough and sometime missing information. I became a friend with the wireless doc manager because i report too many problems with the docs

So if you can test the mobility domain part that will be great.

Because depending on your explanation if another neighbor network is exist with same RF group name then it will not be reported as a rogue. It does not make sense this way and I think there is a missing part.

Thank you again

Sent from Cisco Technical Support iPad App

Re: Question on Rogue Detection

George Stefanick — Fri, 20 Jul 2012 22:16:22 GMT

You should test it and let us know

Sent from Cisco Technical Support iPhone App

Re: Question on Rogue Detection

wireless_student — Sun, 22 Jul 2012 03:51:04 GMT

I have done some tests regarding rogue detection, and here are some of my findings:

different RF group name, with AP Authentication policy on both WLCs selected to "none": rogue will be detected
different RF group name with AP Authentication policy on both WLCs selected to "ap-auth": rogue will be detected
same RF group name wtih AP Authentication policy on both WLCs selected to "none", rogue will not be detected
same RF group name with AP Authentication policy on both WLCs selected to "ap-auth", rogue will not be detected
same RF group name with AP Authentication policy on one WLC as "none" and on the other as "ap-auth", rogue will be detected

however I have noticed something that does not seem to be correct. I am only able to see the rogue from one WLC but not the other, for example I have WLCs number 1 and 2, from number 1 I could see radio from WLC number 2 as rogue, however I am not able to see radio on WLC number 1 reported as rogue on WLC number 2, when I configured different RF group name.

all the above tests are performed with both WLCs in the same mobility list.

so it seems RF group name as well as the AP authentication policy are the factors for reporting rogue APs (plus enable rogue detection on the AP level of course), however I guess the questions still remain are:

what is the difference between enabling "none" and "ap authentication" under AP authentication policy, if we keep this parameter consistent across all WLCs? it appears there is not much of difference however there must be a reason for each option available here.
if we select AP authentication, then what is the threshold number actually represents? my understanding is that this is the number of times that same radio MAC/BSSID been detected, so to prevent from false alarms, we need to increase this numebr, however in the configuration guide, it says this has something to do with WMM clients as well, can you please advise what is this number stands for and what is the general best practice for this number?

thanks in advance for your time and help.

Re: Question on Rogue Detection

Amjad Abdullah — Sun, 22 Jul 2012 07:23:26 GMT

I've done some tests as well:

I have multiple WLCs on same mobility and same RF groups. AP Auth type set to "none" on all o ft hem. I took one WLC (I'll call it thereafter "My WLC") and changed its RF group name. I also cahnged its AP auth policy to "AP Authentication". All WLCs have same SSIDs configured. I added one extra test SSID on "MY WLC".

The results are:

- The WLC with different RF group name did not mention other APs as rogues. Other APs did not mention my WLC APs as rogues as well.

- There is very high number of AP impersonation detected by "My WLC". other WLCs did not detect ap impersonation. This indicates that other APs on other WLCs try to contain "My WLC" APs. However, "My WLC" does not seem to try impersonating other APs. (it worths to notice that number of APs on "My WLC" is much less than APs on other WLCs).

- When using "AP authentication", there is a new IE appears in the SSID beacons.

The highlighted in blue is that information that could not be interpretted (as seen in highlighted yellow above). This information differs based no the SSID. Different SSID name shows different information. This IE seems to carry the information about the RF group name. If this does not appear when using "none" as AP auth policy then WLCs can not distinguish different RF group names if ap auth set to "none". (because I could not find any RF group info anywhere in the beacon packet. If you know it is exist somewhere else please let us know. So far I assume it is included in this vendor specific IE).

- When I changed the AP auth to "none" the number of AP impersonation reported started to decrease gradually. I'll keep monitoring to see what it will be after couple of hours.

- Config guide is very useful. However, sometimes it is extremley stupid. Why?

well, because if you go to the part that talks about configuring MFP (http://tiny.cc/un6thw), and if you go to Step 5, you will find that the optoin metnioned in step 5 is not available in the AP. It tells you that to enable or disable MFP validation for specific AP you can do this from under Advanced tab. However, this option is not available under Advanced tab. I had a big discussion with TAC about this very long time ago. prompted to doc guys about it but so far nothign changed.

HTH

Amjad

Re: Question on Rogue Detection

Amjad Abdullah — Sun, 22 Jul 2012 07:59:47 GMT

By now the number of AP impersonations last hour = 0.