Looking to notify via Prime Infrastructure 3.2 on rogue AP above certain signal strength.

hetteldorf · ‎11-14-2016

We had an incident where someone hooked up a rogue AP inside our building. We want to be notified of this, BUT not whenever someone in the apartments across the road gets a new ISP or wireless router.

Our setup is Cisco Prime 3.2, Cisco WLC5508 (software 8.0.121.0) and various 1602, 2602, 2702 and 3602 APs.

My thought is to somehow notify only for rogue APs above a certain signal strength. Is that possible? Is there a better way? On Prime or the WLC? How?

Leo Laohoo · ‎11-14-2016

Funny that. I was just looking for a solution like this YESTERDAY.

I'm currently playing with setting up a Rogue Rules: Security > Wireless Protection Policies > Rogue Policies > Rogue Rules.

Under the Rogue Rules that I've created, I set Rule Type to be "Maliciious", Notify as "Local", State as "Alert" and Match Operation as "Match Any".

The conditions I've set is "Minimum RSSI" value of -60 dBm.

So with this setup, I hope to get an alarm at PI whenever a Rogue AP with an RSSI value of -60 dBm (or better) pops up on a controller-basis.

So far, I'm still testing. I hope this helps.

hetteldorf · ‎11-14-2016

Leo,

That sounds exactly like we are looking to setup. We were thinking -70 db, but of course we would do some testing of our own. Please let me know if you are able to get it to work.

Leo Laohoo · ‎11-17-2016

Ok, it works.

The only thing is the Alerting can only be seen in PI: Dashboard > Wireless > Security. Look under Rogue Containment for anything that says "Containment Pending" (since I've instructed the Rogue Rules to tag the Rogue APs as "Malicious").