AP Aironet 1830/ME rogue access point detection

pdenableetoavit19698 · ‎03-03-2023

Hi there,

Trying to have a better understanding of the "rogue access point detection" functionality.

How it works and what it does ? Is it mainly showing nearby AP that are conflicting on channels etc with your own, or actual AP trying to login/join the network etc?

Thank you for help!

Scott Fella · ‎03-03-2023

It is just showing you what ap's it can hear and providing you that list. It is passive so it doesn't do anything else.

-Scott
*** Please rate helpful posts ***

Rich R · ‎03-04-2023

https://www.cisco.com/c/en/us/td/docs/wireless/access_point/mob_exp/86/best_practices/b_ME_Best_Practices_Guide_86/security.html#security-rogue-policies

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

JPavonM · ‎03-06-2023

The "problem" is that Cisco wrongly uses 'rogue AP' to identify all access points in the vicinity, and then categorize them as 'Malicious' if they are into the wired network, or 'Unclassified' for external ones.

Then there is a 'Honeypot' which is an unmanaged access point that is using the same SSID than ours (infrastructure SSID). This honeypot could be external, or connected to our wired network, so in this case it would act as Rogue AP and Honeypot at the same time.

However, the 'rogue AP' definition states that this is an unmanaged access point connected to the same wired network that our managed access point is connected to.

Other vendors use this definition and don't alert about OBSS networks like Cisco do in both AireOS and C9800 WLCs, reducing the list of possible threats to the minimum ones that pose a real threat.

At the same time other vendors uses only one signature (Rogue AP or Honeypot) to categorize a threat so in the case of an AP connected to our network and broadcasting our SSID, it would be very difficult to know that this is a real threat to the network at first sight.