https://community.cisco.com/t5/wireless/selective-rogue-auto-containment/m-p/5142046#M273346 <P>9800-40, 17.12.3, 1000 AP, 4 sites</P> <P>I would like all APs to detect rogues but only a subset of them to perform a rogue containment. For example one site is more open and public so we are not alowed to contain rogues while another one is closed and private and the containment can be performed..</P> <P>The only thing I can is to disable rogue detection in a AP join. I would like to keep detection but not contain.</P> <P>Is there any way to do it?</P> <P>Mirek</P> Tue, 09 Jul 2024 11:03:57 GMT Mirek_Tichy 2024-07-09T11:03:57Z https://community.cisco.com/t5/wireless/selective-rogue-auto-containment/m-p/5142046#M273346 <P>9800-40, 17.12.3, 1000 AP, 4 sites</P> <P>I would like all APs to detect rogues but only a subset of them to perform a rogue containment. For example one site is more open and public so we are not alowed to contain rogues while another one is closed and private and the containment can be performed..</P> <P>The only thing I can is to disable rogue detection in a AP join. I would like to keep detection but not contain.</P> <P>Is there any way to do it?</P> <P>Mirek</P> Tue, 09 Jul 2024 11:03:57 GMT https://community.cisco.com/t5/wireless/selective-rogue-auto-containment/m-p/5142046#M273346 Mirek_Tichy 2024-07-09T11:03:57Z https://community.cisco.com/t5/wireless/selective-rogue-auto-containment/m-p/5142153#M273356 <P>&nbsp;</P> <P>&nbsp; - FYI :&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/rogue-per-ap.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/rogue-per-ap.html</A><BR />&nbsp; &nbsp;&gt;..<EM>.Rogue detection is configured <U><STRONG>per AP</STRONG></U> or for a <U><STRONG>group of APs</STRONG></U>. The rogue AP detection is configured under the AP profile. The&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;rogue AP detection configuration enabled by default and is part of the default AP profile.</EM></P> <P><SPAN>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; <FONT color="#008000"> &nbsp; &nbsp; &nbsp; &nbsp; Check the entire document too ,&nbsp;&nbsp;</FONT></SPAN></P> <P><SPAN>&nbsp;M.</SPAN></P> Tue, 09 Jul 2024 13:16:14 GMT https://community.cisco.com/t5/wireless/selective-rogue-auto-containment/m-p/5142153#M273356 Mark Elsen 2024-07-09T13:16:14Z https://community.cisco.com/t5/wireless/selective-rogue-auto-containment/m-p/5142415#M273381 <P>Be careful with containment! There are large fines if used incorrectly:&nbsp;<A href="https://edition.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fine/index.html" target="_blank">https://edition.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fine/index.html</A>&nbsp;</P><P>You want to make sure the rogue is within your network and an actual threat not someones hotspot or neighbouring companies wireless networks.</P><P>The other thing is it will tax your AP whilst containing it.</P><P>Catalyst Centre has a really nice rogue rule set that enables you to filter the rogues and also do things like create the rules in an easy GUI format</P><P>I would recommend only containing rogues where they are honey pots (using your SSIDs) or a rogue on the wire:<BR />Rogue on wire:&nbsp;</P><TABLE><TBODY><TR><TD><P><SPAN>A "Rogue AP on wire" is an unauthorised access point that is physically connected to the wired network infrastructure without authorization or approval. This type of rogue access point is particularly concerning because it can be used to bypass security controls and provide an attacker with a direct connection to the wired network.</SPAN></P><BR /><P><SPAN>A rogue AP on wire can be intentionally or accidentally connected to the wired network by an employee, contractor, or malicious actor. Once connected, the rogue AP can provide unauthorised wireless access to the network, potentially allowing an attacker to compromise sensitive data or resources.</SPAN></P><P><SPAN>Honeypot:&nbsp;</SPAN></P><P><SPAN>A rogue access point (AP) that mimics a legitimate AP in order to intercept and manipulate network traffic.</SPAN></P><P>&nbsp;</P></TD></TR></TBODY></TABLE> Tue, 09 Jul 2024 22:55:14 GMT https://community.cisco.com/t5/wireless/selective-rogue-auto-containment/m-p/5142415#M273381 Haydn Andrews 2024-07-09T22:55:14Z https://community.cisco.com/t5/wireless/selective-rogue-auto-containment/m-p/5143675#M273456 <P>Thanks Haydn, it's clear. It is just the reason why we want to do it selectively strictly in closed company offices. But want to keep monitoring other areas.</P> <P>Mirek</P> Thu, 11 Jul 2024 14:39:23 GMT https://community.cisco.com/t5/wireless/selective-rogue-auto-containment/m-p/5143675#M273456 Mirek_Tichy 2024-07-11T14:39:23Z https://community.cisco.com/t5/wireless/selective-rogue-auto-containment/m-p/5143963#M273458 <P>THX, but my original question was: "How to configure a subset of APs to <STRONG>keep rogue detection</STRONG> but not participate in the autocontainment"</P> <P>MiTi</P> Fri, 12 Jul 2024 07:10:29 GMT https://community.cisco.com/t5/wireless/selective-rogue-auto-containment/m-p/5143963#M273458 Mirek_Tichy 2024-07-12T07:10:29Z