Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1162
Views
10
Helpful
7
Replies

Syslog or Trap for Malicious APs

Travis-Fleming
Level 1
Level 1

‎10-20-2020 06:32 AM - edited ‎07-05-2021 12:40 PM

Hello, we have a Cisco 5520 WLC. I'm looking into auto-containment of rogue devices found on the network or with our SSID. However I want to get an alert of when it happens. I know the WLC itself doesn't alert, but you can send syslogs and traps to a server. We have SolarWinds as a log viewer.

 

Two questions:

1 - If I setup our WLC to auto contain, if it starts to auto contain an AP on the network, or with our same SSID, will it automatically clasify that AP as "malicious" and I'll be able to see it under the Monitor > Rogues > Malicious Aps section?

2 - What might the syslog look like if a device is being "contained" and not alert for the status? I'm able to see in our log server when a device is marked as malicious, but I would like to see when the status changes to contained. Then I can setup SolarWinds to alert me on that. I had on purpose started to contain an out of inventory AP we have for testing, and the syslog didn't show anything but malicious, but I couldn't see a status of "Contained". I could however see that in the GUI and CLI with some show commands.

 

I would think the WLC out of the box should be able to generate an email stating when an AP is actively being contained...

Labels:
0 Helpful
7 Replies 7

Grendizer
Cisco Employee
Cisco Employee

‎10-21-2020 06:36 PM

Auto Containment shouldn’t be used, at least in the US since 2015, check this Public Notice from the FCC https://docs.fcc.gov/public/attachments/DA-15-113A1.pdf

Travis-Fleming
Level 1
Level 1
In response to Grendizer

‎10-22-2020 04:51 AM

Well that is silly if it’s found to be on your network? If it’s plugged into my LAN on a remote branch network I can’t even block it from what I read. Thanks for the notification.
0 Helpful

marce1000
VIP
VIP
In response to Travis-Fleming

‎10-22-2020 05:07 AM

 

 - On your network  , is a bit of a dubious subject in wireless terms, this could be just out of your networking  perimeter too, such as the ice cream van arrived at your front door and broadcasting the ssid : icecreamishere.  Hence the wise          rules from the government

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Travis-Fleming
Level 1
Level 1
In response to marce1000

‎10-22-2020 06:14 AM

So what are some best practice Rogue Rules you guys use to let you know when there is a BYOD type scenario where someone plugs in their own AP on your corporates network? We have 20 remote sites most of which have a flexconnect setup with thin Cisco AP's.

0 Helpful

marce1000
VIP
VIP
In response to Travis-Fleming

‎10-22-2020 09:05 AM

 

 -                                             Check if these info-resources can be helpful :

          https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112045-handling-rogue-cuwn-00.html

         https://community.cisco.com/t5/wireless-mobility-documents/rogue-management-attack-detection-and-threat-mitigation/ta-p/3112862

         https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/managing-rogue-devices.html

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Travis-Fleming
Level 1
Level 1
In response to marce1000

‎10-22-2020 10:22 AM

Thank you that helps. One thing I'm having troubles finding anywhere is hot to auto-clasify an AP that is on my network? I can edit rogue rules on my WLC 5520 to mark AP's with a minimum RSSI, has at least 1 client, and no encryption. But really, I would like to classify it as rogue if it's on my network. I can auto-contain based on that, but how would I make a rule to auto identify them and classify them as malicious? 

0 Helpful

Grendizer
Cisco Employee
Cisco Employee
In response to Travis-Fleming

‎10-22-2020 10:23 AM

You can configure rogue rule as below, this will "alert" you if rogues are using one of your configured enabled SSIDs
>config rogue rule add ap priority 1 classify malicious notify all state alert ManagedSSID
>config rogue rule condition ap set managed-ssid ManagedSSID
>config rogue rule enable ManagedSSID
You will see the new rule from SECURITY > Wireless Protection Policies > Rogue Rules
Other than that, with default settings of the WLC, you will get all related alerts like Rogue APs and Rogue clients and the WLC will show them in trap logs (MANAGEMENT > SNMP > Trap Logs) and if you configured "SNMP Trap Receiver" then that server will receive all traps including those as well.
With the above rule, you will be notified thru the Trap Logs as:
Classification: malicious, State: Alert, RuleClassified : Y
Instead of
Classification: unclassified, State: Alert, RuleClassified : N
and based on that, you can configure the trap receiver (Prime Infrastructure or in your case SolarWinds) to send you emails as alert

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card