Solved: Rouge AP with ISE

ppoggi · ‎04-13-2017

Hi team,

do we have ISE best practice for discovering rouge AP?

Regards,

Paolo

Jason Kunst · ‎04-13-2017

Can you explain more?

Besides ise being populated with a list of MAC address and profiling them? What are you looking for?

You could even authenticate your APs perhaps and secure your wired ports and not allow APs that aren't sanctioned

What about wireless controller rogue AP detection

View solution in original post

Jason Kunst · ‎04-13-2017

Can you explain more?

Besides ise being populated with a list of MAC address and profiling them? What are you looking for?

You could even authenticate your APs perhaps and secure your wired ports and not allow APs that aren't sanctioned

What about wireless controller rogue AP detection

ppoggi · ‎04-13-2017

Hi Jason,

the idea is to discover and possibly control rouge AP leveraging if possible ISE, apart from known wireless controller capability. I guess profiling is the best option and maybe the latest anomalous endpoint detection feature, isn't it?

Is there any Technotes on this topic?

Thanks,

Paolo

Jason Kunst · ‎04-13-2017

Besides the profiling guide, I will check, don’t think so

https://communities.cisco.com/servlet/JiveServlet/previewBody/68156-102-1-125076/How-To_30_ISE_Profiling_Design_Guide.pdf

Jason Kunst · ‎04-13-2017

Identify the expected corp wireless devices and create a logical profile to restrict/block the non-corp controllers/APs.

hariholla · ‎04-13-2017

The AireOS based Wireless LAN Controllers have built in features to handle Rogue APs. As Jason mentioned, ISE can authenticate Wireless Access points and ensure only the known one's are allowed in the network. If a known AP, changes it profile and if necessary data is made available for ISE, then ISE can flag it as 'Anomalous'

Cheers!

-Hari