11-14-2016 12:46 PM
We had an incident where someone hooked up a rogue AP inside our building. We want to be notified of this, BUT not whenever someone in the apartments across the road gets a new ISP or wireless router.
Our setup is Cisco Prime 3.2, Cisco WLC5508 (software 8.0.121.0) and various 1602, 2602, 2702 and 3602 APs.
My thought is to somehow notify only for rogue APs above a certain signal strength. Is that possible? Is there a better way? On Prime or the WLC? How?
11-14-2016 01:33 PM
Funny that. I was just looking for a solution like this YESTERDAY.
I'm currently playing with setting up a Rogue Rules: Security > Wireless Protection Policies > Rogue Policies > Rogue Rules.
Under the Rogue Rules that I've created, I set Rule Type to be "Maliciious", Notify as "Local", State as "Alert" and Match Operation as "Match Any".
The conditions I've set is "Minimum RSSI" value of -60 dBm.
So with this setup, I hope to get an alarm at PI whenever a Rogue AP with an RSSI value of -60 dBm (or better) pops up on a controller-basis.
So far, I'm still testing. I hope this helps.
11-14-2016 01:58 PM
Leo,
That sounds exactly like we are looking to setup. We were thinking -70 db, but of course we would do some testing of our own. Please let me know if you are able to get it to work.
11-17-2016 06:22 PM
Ok, it works.
The only thing is the Alerting can only be seen in PI: Dashboard > Wireless > Security. Look under Rogue Containment for anything that says "Containment Pending" (since I've instructed the Rogue Rules to tag the Rogue APs as "Malicious").
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide