how to jam rogue APs

adilhayat
Level 1

Dear

I have detected several rogue APs in my company, one with no security key. We are using a 4402 WLC. I tried to contain those rogue APs; after this it shows these APs as contained, but there is no effect on the SSID, still anyone can use it. Can someone tell me if it is possible to disable rogue APs so that they are not used by employees? Thanks

Accepted Solutions



Hi Muhammad,

I tracked that SSID using NetStumbler and it is too far from my building, probably more than 100 m.

We would be in big legal trouble if we, in Australia, contain a rogue AP that happens to be OUTSIDE our company's building.

Another thing I want to ask: after rolling out our WLAN, should we permit some SSIDs that are within our building but on physically isolated networks?

Allow SSID of your company that are part of an isolated network?  Like Development networks or DMZ?  Heck no!  I would never allow that in my wireless network.


16 Replies

Leo Laohoo
Hall of Fame

If you have "contained" the rogue AP then the WLC will send a flood of de-authenticate packets to the rogue AP.  This will cause the AP to stop associating clients and any existing clients will get de-authenticated.

Thanks for your reply. Still, I am able to browse the internet using that SSID, which is shown as contained by the WLC.

Hi Muhammad,

When a WLC detects an AP as rogue, only that access point gets contained, not the SSID.

The other APs in your network (which were not detected as rogue) will continue to function normally and will broadcast the SSID. That is the reason why clients are able to see the SSID and still connect.

So the idea is, clients will not be able to connect to the rogue AP but will be able to connect to other APs in the network.

Hi,

Thanks for your reply. Actually, that SSID is broadcast by only one AP. The WLC is showing that AP as contained, but users can connect to that SSID broadcast by that AP and browse the internet. I want to block all rogue APs so that no one can use those SSIDs from those APs. These are all autonomous. Is it possible on the WLC 4402, or is there any other method you can suggest without a WLC? An urgent reply is requested. Thanks

How many APs can see this Rogue AP?

How many APs are "containing" this Rogue AP?

What are the RSSI values of this rogue AP from the "eyes" of the different APs?  Please provide the highest and lowest RSSI values in the format of -nn dBm.

Hi,

Thanks for your reply. Please find below the info about the number of APs that see it as rogue, i.e. 4, the APs that contain that AP, and the RSSI values, i.e. -82 to -97.

Hmmm ... I've never seen this issue before.  But then again, I've never contained an AP with that low RSSI value either.

Your APs, I am theorizing, are just too far away from the rogue AP to have any effect.

Hi,

Thanks for your reply. Your theory seems to be correct, as I was able to contain one SSID of my own D-Link AP, but 2 out of 6 times my laptop remained associated to that SSID even after containing. After that, when I contained the client associated with that contained AP, I was able to disassociate it. This AP is just two floors away. Could you tell me what the possible RSSI values or distance are within which we should be able to contain APs without issues? Is it related to the AP or WLC model etc.?

Secondly, apart from interference, what other threats do these external rogue APs pose if we can't contain them because they belong to neighbours?  Thanks again for your help.

Those are pretty far away from one of your APs... -80+ I don't even bother, because if you have 100%, then these are not in your area.  If you see these APs in your area, then instead of containing, you need to locate and remove them.  Having a policy to enforce users not to bring in their own AP is what you need.  Containing APs being seen by 3 of your LAPs from an RSSI of -80 will work better than if only one or two APs see them.

-Scott
*** Please rate helpful posts ***
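The two rules of thumb in the replies above (a rogue heard at roughly -75 dBm or better has a chance of being contained, one heard only at -80 dBm or weaker is probably outside your area, and containment works better when three or more of your own APs hear it) can be turned into a simple triage of a rogue report. The script below is an added example and is not code from this thread or from Cisco; the report format, the AP names and the thresholds are constructed for the example (the thresholds are the thread's rules of thumb, not a Cisco specification), and a real WLC export looks different.

```python
"""Triage rogue-AP detections by RSSI and by how many of our own APs hear them.

Added example for this thread (not Cisco code). Verdicts:
  containable  - strong signal at 3+ of our APs: WLC containment has a realistic chance
  locate       - strong at one or two APs only: it is in the building, go find it
  out-of-area  - every detecting AP hears it at -80 dBm or worse: probably a neighbour,
                 containment is unlikely to work (and may be illegal), do not bother
Open (no security key) rogues are flagged separately because the risk there is on
the client side: company laptops may associate to them.
"""
from dataclasses import dataclass

STRONG_ENOUGH_DBM = -75   # thread's rule of thumb: chance of containment at about -75 dBm or better
MIN_DETECTORS = 3         # thread's rule of thumb: containment works better with 3+ detecting LAPs

# Constructed sample report (assumption: this layout is invented for the example).
# The first entry mirrors the thread's case: four APs hear it, all between -82 and -97 dBm.
SAMPLE_REPORT = """\
# bssid            ssid       security  detections (ap-name:dBm)
00:11:22:33:44:55  guestnet   open      ap-f1-01:-82 ap-f1-02:-97 ap-f2-01:-88 ap-f2-02:-91
66:77:88:99:aa:bb  dlink      wpa2      ap-f3-01:-62 ap-f3-02:-70 ap-f4-01:-74 ap-f4-02:-79
cc:dd:ee:ff:00:11  neighbour  open      ap-f1-01:-68 ap-f1-02:-84
"""


@dataclass
class RogueReport:
    bssid: str
    ssid: str
    open_network: bool        # True when the rogue advertises no security
    rssi_by_detector: dict    # our AP name -> RSSI in dBm as seen by that AP


def parse_report(text: str) -> list:
    """Parse the constructed report layout into RogueReport records."""
    reports = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, security, *detections = line.split()
        rssi = {}
        for item in detections:
            ap_name, dbm = item.rsplit(":", 1)   # rsplit: AP names may not contain ':', BSSIDs do
            rssi[ap_name] = int(dbm)
        reports.append(RogueReport(bssid, ssid, security.lower() == "open", rssi))
    return reports


def triage(report: RogueReport) -> dict:
    """Apply the RSSI / detector-count heuristic to one rogue."""
    rssis = sorted(report.rssi_by_detector.values(), reverse=True)
    strongest = rssis[0] if rssis else None
    detectors_in_range = sum(1 for v in rssis if v >= STRONG_ENOUGH_DBM)
    if strongest is None or strongest < STRONG_ENOUGH_DBM:
        verdict = "out-of-area"
    elif detectors_in_range >= MIN_DETECTORS:
        verdict = "containable"
    else:
        verdict = "locate"
    return {
        "bssid": report.bssid,
        "ssid": report.ssid,
        "verdict": verdict,
        "strongest_dbm": strongest,
        "detectors_in_range": detectors_in_range,
        "open": report.open_network,
    }


def triage_all(text: str) -> list:
    return [triage(r) for r in parse_report(text)]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_REPORT):
        flag = "  (open network: also block on endpoints)" if row["open"] else ""
        print(f"{row['bssid']}  {row['ssid']:<10} {row['verdict']:<12} "
              f"best {row['strongest_dbm']} dBm at {row['detectors_in_range']} AP(s){flag}")
```

For the thread's own numbers (four detecting APs, all at -82 dBm or worse) the verdict is out-of-area, which matches the advice given: locate it or leave it rather than keep it in a contained state that has no effect.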

Hi,

Thanks for your reply. I plan to implement switch port security with MAC filtering on access switches. That will stop anyone plugging in an AP. Could you please explain if there is any risk posed by these distant APs, as they are open and my employees can access the internet through them? I suspect that since a company laptop can get associated with these open SSIDs, someone can hack into these laptops as well. Is there any way to jam these APs which are very far away, so the WLC can't contain them, and employees are able to access the internet through them? If not, what security threat do they pose and what could be a possible solution? Many thanks

Scott Fella
Hall of Fame

Of course that can be an issue. You can push out a group policy to not allow domain users or an OU the ability to add or make changes to the wireless profile. 3M makes an RF-blocking window tint of some sort also.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Dear Scott

What if the laptop is not under the domain, as anyone can connect their laptop by removing the desktop (which is under domain control) and get connected to the LAN, and what if they are also connected to the wireless LAN of an external AP? What would be the best practice to solve this situation: NOT TO ALLOW USERS with personal laptops to connect to external APs with no security and browse the internet. Thanks for your help.

The best thing is to not allow personal computers on your network. How I see it is that if you allow personal laptops, then how do you secure against a virus or something that might be on the personal laptop that allows outside connections in? Best practice is to secure your wired network; then you will be able to secure your wireless. If personal laptops need to be connected, then you really can't tell people what they can or can't do.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Leo Laohoo
Hall of Fame

Your theory seems to be correct, as I was able to contain one SSID of my own D-Link AP.
What was the RSSI value when you did this?  How many APs were assigned to contain?

After that, when I contained the client associated with that contained AP, I was able to disassociate it.
Not a good idea because you'll need to contain a lot of clients.  What if the clients want to join YOUR valid SSID?

Could you tell me what the possible RSSI values or distance are within which we should be able to contain APs without issues?  Is it related to the AP or WLC model etc.?
Y'know what?  I'm not so sure, because "containing" an AP isn't really a "sport" you want to brag about, and Cisco frowns upon it.  I just theorized because your RSSI values are just too low.  If you have a value of, say, -75 dBm then there's a chance of being successful.

I plan to implement switch port security with MAC filtering on access switches.
Here's the deal.  This is OK if the rogue AP happens to be connected to YOUR network.  What if, and this is a very common occurrence here in Australia, the rogue AP IS/WAS NOT connected to your network?  What if the AP is actually acting as a honeytrap or siphoning your enterprise WLAN traffic and sending it to the other side?  As Scott recommended, the best way is to go to the owner of the offending rogue AP with two other big and burly colleagues and tell the offender to take the rogue AP out or you'll send your "enforcers" back.

This AP is just two floors away.
What are the inter-floors made of?  Are they made of concrete or wood?  Sounds like they're made out of concrete, which makes propagation of wireless signal more difficult.  A recent study in Australia found that the proliferation of rogue APs is caused by staff bringing in their own chop-suey wireless access points.  The reason why they are doing it is because they are sick and tired of management telling them "No, you can't do it."  The same study stated that if management is unwilling to improve work-related technology then staff will do their best to do it themselves, without any authorization or approval.  When it comes to wireless technology in the workplace, you'll be surprised to know how many managers are still ignorant about the security implications and consider wireless a "punishment from G0d".

My opinion is this:  Roll out wireless to your floors and buildings.
