Rogue APs/Clients

jpgleason
Level 1
Level 1

A couple of quick questions here (5508 WLC, 1142N APs).

I understand if I enable the AP mode to Rogue Detector from the details page of the AP, the AP stops accepting requests and is now looking for rogue items on the wired network. Is this the same when I enable Rogue Location Discovery Protocol? Will I lose the wireless functionality of all of my APs on the controller?

Next question, when I look at the Rogue Summary on the Monitoring page I see three Adhoc Rogue devices. When I select the Detail link only one shows. I remember the other two were HP multifunction devices with WIFI enabled but I cannot retrieve that information anymore. Ideas?

Thank you,


9 Replies

Amjad Abdullah
VIP Alumni
VIP Alumni

Question 1: No. Enabling RLDP does not make you lose connectivity of local or HREAP or even bridge APs.

This link will be helpful to you: http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml

I did not get your second question, what is your concern exactly? Where do you see ad hoc rogues? WLC or WCS?
can you please clarify more?

Thanks.

Amjad

Rating useful replies is more useful than saying "Thank you"

I have a standalone 5508 WLC. On the Monitor/Summary page, to the right there is the Rogue Summary section. My third line item is Adhoc Rogues and I have three listed. When I select the Details link only one shows up. I remember checking this a week ago and seeing some HP devices (assuming they are printers with wireless functionality), but I cannot retrieve this information via GUI or CLI.

I am not overly worried about getting this information back, but if someone from management asks about it I would like to give them a proper answer.

Thanks,

Jim

You can look in the left column in the monitor tab in the WLC GUI. There is a list to monitor rogues (rogue APs, ad hoc rogues, friendly rogues....etc).

I am not sure if the WLC keeps a history of rogues that were detected earlier but are currently not detected. AFAIK you can only display rogues that are currently detected.

Check from the mentioned location above and let us know if it answers your concern.

HTH

Amjad

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

When I select the Details link only one shows up. I remember checking this a week ago and seeing some HP devices (assuming they are printers with wireless functionality), but I cannot retrieve this information via GUI or CLI.

WLC doesn't keep history. If it's in the list then the WLC "saw" the rogue clients.  If it's not there, then it's either turned off, the signal's too weak, or someone's done some "Action" to it.

Thank you guys, both are good answers.

On another note, I have a company in a building next to ours and their WIFI range is bleeding over and my WLC is picking them up. Right now I have just set it up as contained. My new question is, they are not friendly or malicious... what is the benefit or harm of classifying these "rogue APs" as friendly or malicious? I get malicious if it is truly an AP and/or client attacking my network but since these devices are not "authorized", as best practice should I just mark them as malicious? I am talking about up to 40 that are being detected.

Thanks,

On another note, I have a company in a building next to ours and their WIFI range is bleeding over and my WLC is picking them up. Right now I have just set it up as contained.

NOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Don't do that!  You MAY be liable for criminal offenses. Containing a legitimate wi-fi signal (even though it ain't yours) can be construed as "jamming".

Either classify it as "Unclassified" or "Friendly"/"External". 

I have heard of the liability story, but I have never heard of anybody actually being prosecuted for it, let alone proven that it is deliberate.

However, setting it to Friendly External will allow your APs to avoid their channels and reduce power to prevent interference.

The question is, of course, is your neighbor doing the same, or are they also "containing" your AP's?

The question is, of course, is your neighbor doing the same, or are they also "containing" your AP's?

Not a lot of enterprise-grade wireless vendors have the option to contain.

The only time I've "contained" an SSID (and I've done quite a few) is when I am more than 100% sure the offender is INSIDE my premises.

I have heard of the liability story, but I have never heard of anybody actually being prosecuted for it, let alone proven that it is deliberate.

I have no idea what country you are in but if you are in America, anyone can be sued.

Saravanan Lakshmanan
Cisco Employee
Cisco Employee

Q1 ans:

#Both are different techniques to find rogues on the wire.

#Rogue detector is an AP mode that is applicable per AP.

#RLDP is a global feature that is applicable to the AP modes local, HREAP & monitor. Security>> WPS>> General>> RLDP>> drop down menu.

#An AP in Rogue Detector mode (listens to ARP on the wire) is not similar to RLDP (which uses wireless).

#An AP in Rogue Detector mode will not enable its radios, so wireless client connection is not possible. The AP is connected to a trunk port of the switch and listens for ARP entries on all VLANs; it compares the ARP entries against the rogue AP & client info collected by the WLC through the APs, and if there is a match it marks the rogue as on wire. It is not a very accurate method.

#An AP running RLDP serves clients, but don't enable this feature on Local/HREAP mode APs servicing voice clients (since the AP goes off channel and connects to the rogue AP, which interrupts client service); use a dedicated Monitor mode AP for this purpose. When the RLDP feature is enabled, the Cisco AP acts as a wireless client, connects to the rogue AP and pings the management interface of the WLC; on reply the rogue AP is marked as 'Rogue on wire'.

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml

Q2 ans:

Check First & Last Time Reported on WCS/NCS, which stores the history of rogues.

If you have an external trap server set up then it should be there as well.

Security>> WPS>> General>> Expiration Timeout for Rogue AP and Rogue Client entries - configurable between 240 & 3600 secs. If the rogue is not reported/refreshed within this time frame then it will get deleted from the WLC.

Q3 ans:

It is suggested to talk to them to reduce their AP power levels if they're seen as very high.

If your client talks to their AP (which is detected as a Rogue by the WLC) then your own client will be marked as a rogue client.

Enable MFP - global Infrastructure MFP for APs & per-WLAN MFP for clients as mandatory to avoid attacks.
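As an added illustration (not Cisco code and not posted by anyone in this thread), the following Python models the two controller behaviours described in the Q1 and Q2 answers above: the Rogue Detector correlation of wired ARP entries against rogue MACs learned over the air, and the rogue-entry expiration timeout (240 to 3600 seconds) that explains why the two HP ad hoc devices disappeared from the summary. The `RogueTable` class, its methods, and all MAC addresses and ARP entries are hypothetical and constructed for the example; only the exact-MAC-match logic and the timeout bounds come from the thread.

```python
"""Toy model of WLC rogue handling as described in the thread (added example).

Two behaviours are modelled:
  1. Rogue Detector mode: ARP entries heard on the detector AP's trunk port are
     compared to rogue MACs learned over the air; a match is 'rogue on wire'.
  2. Expiration timeout: a rogue entry not refreshed within the configured
     window (240..3600 s) is deleted, so the controller keeps no history.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Bounds of the Expiration Timeout for Rogue AP and Rogue Client entries
# stated in the thread (seconds).
ROGUE_EXPIRY_MIN = 240
ROGUE_EXPIRY_MAX = 3600


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'aabb.ccdd.eeff' or 'AA-BB-CC-DD-EE-FF' and
    return the lower-case colon form so wired and wireless reports compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class RogueEntry:
    mac: str
    kind: str                 # 'ap', 'client' or 'adhoc'
    first_seen: int           # epoch seconds of the first over-the-air report
    last_seen: int            # refreshed by every subsequent report
    on_wire: bool = False     # set when a wired ARP entry matches this MAC


class RogueTable:
    """Minimal model of the controller's rogue list (hypothetical class)."""

    def __init__(self, expiry_secs: int = 1200) -> None:
        if not ROGUE_EXPIRY_MIN <= expiry_secs <= ROGUE_EXPIRY_MAX:
            raise ValueError("expiry must be within 240..3600 seconds")
        self.expiry_secs = expiry_secs
        self.entries: Dict[str, RogueEntry] = {}

    def report(self, mac: str, kind: str, now: int) -> None:
        """An AP radio reported this rogue; create the entry or refresh last_seen."""
        mac = normalize_mac(mac)
        entry = self.entries.get(mac)
        if entry is None:
            self.entries[mac] = RogueEntry(mac, kind, now, now)
        else:
            entry.last_seen = now

    def expire(self, now: int) -> List[str]:
        """Drop entries not refreshed within the timeout and return their MACs.
        Once dropped, nothing remains on the controller; history lives only on
        WCS/NCS or an external trap receiver, as the thread notes."""
        stale = [m for m, e in self.entries.items() if now - e.last_seen > self.expiry_secs]
        for m in stale:
            del self.entries[m]
        return stale

    def correlate_arp(self, arp_entries: List[Tuple[int, str, str]]) -> List[str]:
        """Rogue Detector correlation: each (vlan, mac, ip) ARP entry heard on the
        trunk is compared to rogue MACs learned over the air. A match flags the
        entry 'rogue on wire'. Only an exact MAC match is used, which is one
        reason the thread calls the method not very accurate."""
        matched = []
        for _vlan, mac, _ip in arp_entries:
            entry = self.entries.get(normalize_mac(mac))
            if entry is not None:
                entry.on_wire = True
                matched.append(entry.mac)
        return matched

    def visible(self) -> List[str]:
        """MACs the Monitor page would still list right now."""
        return sorted(self.entries)


def demo() -> dict:
    """Constructed scenario mirroring the thread: three ad hoc rogues reported at
    t0, only one of them still being reported later, plus one rogue AP whose MAC
    later shows up in a wired ARP entry. All MACs and IPs are made up."""
    table = RogueTable(expiry_secs=1200)
    t0 = 1_700_000_000
    table.report("0011.2233.aa01", "adhoc", t0)        # printer-style device 1
    table.report("0011.2233.aa02", "adhoc", t0)        # printer-style device 2
    table.report("0011.2233.aa03", "adhoc", t0)        # device still active later
    table.report("02:1a:2b:3c:4d:5e", "ap", t0)        # rogue AP
    table.report("0011.2233.aa03", "adhoc", t0 + 1000) # refresh keeps it alive
    table.report("02:1a:2b:3c:4d:5e", "ap", t0 + 1000)
    expired = table.expire(t0 + 1500)                  # devices 1 and 2 age out
    # Constructed ARP snapshot from the detector AP's trunk port: (vlan, mac, ip)
    arp = [(10, "021a.2b3c.4d5e", "10.0.10.77"), (20, "aabb.ccdd.0001", "10.0.20.5")]
    on_wire = table.correlate_arp(arp)
    return {"expired": sorted(expired), "visible": table.visible(), "on_wire": on_wire}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the effect Jim observed: the two ad hoc entries last reported more than 1200 seconds ago are gone from the visible list, while the still-reported one and the rogue AP remain, and only the rogue AP is promoted to "on wire" because its MAC was also seen in an ARP entry on the trunk. Raising the expiration timeout toward the 3600-second maximum lengthens the window in which a quiet device stays listed, but it does not turn the controller into a history store.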
