04-05-2013 12:19 PM - edited 07-03-2021 11:51 PM
With Saravanan Lakshmanan
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to monitor, troubleshoot and configure Wireless Networks using Security Protection Policies. It includes Rogue Detection, Rogue Location Discovery Protocol (RLDP), Rogue Detector, Rogue Rules, wireless intrusion detection services (wIDS), Rogue Containment, AP Authentication, client exclusion, and the features that touch Mobility and RF grouping on the wireless LAN controller.
Saravanan Lakshmanan is a Customer Support Engineer in Cisco's Technical Assistance Center (TAC) specializing in Wireless Technologies. He is an expert in debugging and troubleshooting Cisco Wireless LAN Controllers (WLCs), wireless LAN services, unified access points, wireless LAN security, autonomous APs, VoWiFi, authentication authorization accounting (AAA), and radio frequency (RF). Lakshmanan helps solve high severity and critical wireless issues for Cisco's customers and partners.
Remember to use the rating system to let Saravanan know if you have received an adequate response.
Saravanan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Wireless sub-community Security and Network Management shortly after the event. This event lasts through Friday April 19, 2013. Visit this forum often to view responses to your questions and the questions of other community members.
04-08-2013 12:07 AM
Adding doc links for reference:
Rogue AP:
Rogue Management in a Unified Wireless Network
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml
Rogue Detection under Unified Wireless Networks
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml
Rule Based Rogue Classification in Wireless LAN Controllers (WLC) and Wireless Control System (WCS)
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080ad6b8d.shtml
Classifying Rogue Access Points
Managing Rogue Devices
Trusted AP Policies on a Wireless LAN Controller
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080921cc2.shtml
wIDS:
Configuring IDS Signatures
AP Authentication:
Infrastructure Management Frame Protection (MFP) with WLC and LAP Configuration Example
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml
Configuring Management Frame Protection
Configuring Client Exclusion Policies
04-08-2013 01:27 PM
Hello Saravanan
Trying to find a rogue on the wire using the RLDP technique but unable to find it so far. How long does it take the trigger to detect, using a Linksys AP as the rogue? Just like the doc mentioned, I have a similar setup. Enabled those RLDP debugs but no glimpse of the WLC finding the rogue on the wire.
Thanks
04-08-2013 03:43 PM
Hi Robert, what's the WLC code and the AP model used? If possible, share the debug output.
04-08-2013 04:32 PM
5500 running 7.0.240.0, 3500 in local mode. Linksys using open auth; getting the debug.
04-08-2013 04:36 PM
Unsure if the debug is not showing anything or you are getting debug output with no reference to finding the rogue on the wire.
Be sure to run this on the WLC:
(Cisco Controller) > debug dot11 rldp enable
What's the config under Security >> WPS >> General >> Rogue Location Discovery Protocol drop-down? Since you're using a local mode AP for RLDP, it should be set to the "All APs" option. There is no option for local mode/monitor/mesh/HREAP mode APs only: it has to be either "Monitor" for monitor mode APs only, "All APs" for the rest of the AP modes, or disabled.
04-08-2013 04:52 PM
Wow!! Thanks, it started working when set to All.
I would like to exercise the rogue detector feature.
04-08-2013 06:23 PM
3500 as RD and monitor AP; it has been long enough and I couldn't find the wired rogue flag enabled on the controller.
This time I guess I got everything right. The debug shows it got the wired MAC, and for sure the Cisco is seeing the Linksys. Power cycling the Linksys to force ARP.
04-08-2013 07:07 PM
Well, unfortunately there are two bugs with the Rogue Detector feature; use the code that has the fix in it.
Rogue AP detection on wire fails if radio mac is +/- 1 of ethernet mac
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCub75472
Fixed-In 7.4(100.0).
Can't find rogue on wire if the rogue AP is on a non-native VLAN of the RD's trunk
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCue09354
Fixed-In 7.4MR (yet to be released).
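The first bug above (CSCub75472) is about the on-wire correlation the Rogue Detector performs: the MAC the rogue AP uses on its Ethernet side is typically its radio BSSID offset by a small amount, and the controller in the affected code missed the +/- 1 case. The following is an added example, not Cisco code and not from this thread, that performs the same correlation offline from a list of rogue BSSIDs (as reported by the controller) and a list of MAC addresses learned on the wire (for example an ARP or MAC-address table export from the switch the RD trunks to). All addresses below are constructed sample values; the +/- 1 window, the same-OUI guard and the accepted address formats are the example's own assumptions.

```python
"""Offline rogue-on-wire correlation: radio BSSID vs. MACs seen on the wire.

Added example; not Cisco code. Rogue BSSIDs and wired MACs are constructed.
"""
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> int:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff (Cisco
    'show mac address-table' style) and return the address as an integer."""
    hexstr = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _HEX12.match(hexstr):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(hexstr, 16)


def format_mac(value: int) -> str:
    """Render an integer MAC as colon-separated lowercase hex."""
    h = f"{value:012x}"
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def same_oui(a: int, b: int) -> bool:
    """True when both addresses share the vendor prefix (top 24 bits).
    Guards against a +/-1 offset wrapping into a different vendor block."""
    return (a >> 24) == (b >> 24)


def correlate_rogues_on_wire(rogue_bssids, wired_macs, max_offset=1):
    """Return (bssid, wired_mac, offset) for every rogue BSSID that is within
    +/- max_offset of a MAC address learned on the wire, same OUI only.

    offset 0 covers an AP that bridges with the radio MAC itself; +/-1 is
    the adjacency case the CSCub75472 bug text refers to (assumption: that
    is the only window checked here)."""
    wired = {normalize_mac(m) for m in wired_macs}
    hits = []
    for bssid in rogue_bssids:
        radio = normalize_mac(bssid)
        for offset in range(-max_offset, max_offset + 1):
            candidate = radio + offset
            if candidate in wired and same_oui(candidate, radio):
                hits.append((format_mac(radio), format_mac(candidate), offset))
    return hits


# Constructed sample data: two rogue BSSIDs from a rogue summary, and a few
# entries from a switch MAC table on the RD's trunk (mixed formats on purpose).
ROGUE_BSSIDS = ["00:1a:70:12:34:56", "00:1a:70:aa:bb:cc"]
WIRED_MACS = ["00:1a:70:12:34:57", "c8:9c:1d:11:22:33", "0019.e7ab.cdef"]

if __name__ == "__main__":
    for bssid, wired, off in correlate_rogues_on_wire(ROGUE_BSSIDS, WIRED_MACS):
        print(f"rogue {bssid} likely on wire as {wired} (offset {off:+d})")
```

Run it against a real export to confirm, independently of the controller, whether a rogue the WLC reports as not-on-wire actually has an adjacent address on your switches; a hit there on affected code is exactly the bug condition above and the AP should be treated as on the wire.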
04-11-2013 04:10 PM
Thank you.
Is RLDP scalable to work across the mobility tunnel? Both WLC1 and WLC2 are added as mobility members with tunnels up, the wired MAC is found on WLC1 and the wireless MAC is identified by WLC2, with RLDP enabled on both WLCs.
04-10-2013 11:19 AM
Hi everyone, is there anyone who would like to help me?
I've got the following situation:
How do I share one router FastEthernet port (e.g. fa0/0) with different network addresses (e.g. 192.168.1.1, 192.168.2.1 and 192.168.3.1) when using them as a gateway with RIP or static routing?
Anyone please help me.
04-10-2013 11:48 AM
Hi Muhammad
Please post your question to LAN - Switching, Routing section.
https://supportforums.cisco.com/community/netpro/network-infrastructure/switching?view=discussions
Thanks
Saravanan
04-11-2013 12:02 AM
Hello,
What am I supposed to do with unclassified rogue APs?
I understand that if they don't look like a threat I can mark them as "Friendly External" to not receive more alarms about them. Is that ok?
The problem is what happens if this external Friendly AP changes its SSID to a managed SSID (an SSID our controller is using). Then this AP is a threat, but it is no longer detected by the controller as Malicious.
Is it a bug?
Or am I not managing unclassified rogues correctly?
Thanks
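Whatever the controller does with a manually classified Friendly AP, the case the question above raises (an AP marked Friendly External that later starts advertising one of your managed SSIDs) is cheap to catch with a periodic audit of the exported rogue list against the list of SSIDs your controller serves. The following is an added example, not Cisco code and not from this thread; the rogue records, SSIDs and BSSIDs are constructed, the classification labels follow the WLC names used above (Friendly, Malicious, Unclassified), and the single rule it applies (managed SSID means Malicious, regardless of an earlier Friendly mark) is the example's assumption, not a statement of the controller's own rule logic.

```python
"""Audit exported rogue AP records against the managed SSID list.

Added example; not Cisco code. Records and SSIDs below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Rogue:
    bssid: str
    ssid: str
    classification: str  # "Friendly", "Malicious" or "Unclassified" (WLC class names)
    state: str           # e.g. "External", "Alert" (free text from the export)


def ssid_is_managed(ssid: str, managed_ssids) -> bool:
    """Case- and whitespace-insensitive match against the managed SSID list."""
    return ssid.strip().lower() in {s.strip().lower() for s in managed_ssids}


def audit_rogues(rogues, managed_ssids):
    """Return (bssid, current_classification, finding) for every rogue that
    advertises a managed SSID but is not already classified Malicious.

    A Friendly AP that now carries a managed SSID is the case from the thread:
    the manual Friendly mark has gone stale and must be revisited."""
    findings = []
    for r in rogues:
        if not ssid_is_managed(r.ssid, managed_ssids):
            continue
        if r.classification == "Friendly":
            findings.append((r.bssid, r.classification,
                             "Friendly AP now advertises a managed SSID; "
                             "reclassify as Malicious and investigate"))
        elif r.classification == "Unclassified":
            findings.append((r.bssid, r.classification,
                             "Unclassified AP advertises a managed SSID; "
                             "classify as Malicious"))
    return findings


def parse_rogue_export(text: str):
    """Parse a constructed CSV export: bssid,ssid,classification,state per line.
    Blank lines and a leading header line are skipped (assumed format)."""
    rogues = []
    for line in text.strip().splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 4 or fields[0].lower() == "bssid":
            continue
        rogues.append(Rogue(*fields))
    return rogues


# Constructed: SSIDs served by our controller.
MANAGED_SSIDS = ["corp-wlan", "corp-guest"]

# Constructed export. The second entry is the thread's scenario: it was marked
# Friendly External while advertising "neighbor-net" and has since switched
# its SSID to our corporate one.
ROGUE_EXPORT = """
bssid,ssid,classification,state
00:1a:70:12:34:56,neighbor-net,Friendly,External
00:1a:70:aa:bb:cc,CORP-WLAN,Friendly,External
c8:9c:1d:11:22:33,corp-guest,Malicious,Alert
00:19:e7:ab:cd:ef,cafe-free,Unclassified,Alert
00:19:e7:ab:cd:f0,corp-guest,Unclassified,Alert
"""

if __name__ == "__main__":
    for bssid, cls, finding in audit_rogues(parse_rogue_export(ROGUE_EXPORT), MANAGED_SSIDS):
        print(f"{bssid} [{cls}]: {finding}")
```

Running this on a schedule against a fresh export turns a one-time classification decision into a standing check, which is the practical answer to "what if a Friendly AP changes its SSID later" whether or not the controller re-evaluates it on its own.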
04-11-2013 12:52 PM
Hi there,
I installed one Cisco WCS 2504 and 11 APs about 2 days ago. Everything is doing well regarding WPA authentication. But I have a RADIUS server that is also running with some issues on wireless:
- Unless I open network settings and click connect on that config I cannot obtain a valid IP address;
- Roaming is not working either;
I'm still getting issues regarding RADIUS;
- WPA2 WLAN still ok (144 Mbit), but I don't know when roaming works (how can I know/change these settings?);
- RADIUS authenticated with 802.11 Data Encryption with 40-bit key size always connects at 54 Mbps (g) and auto-authenticates, but I don't know when roaming works (how can I know/change these settings?);
- RADIUS with 802.11 Data Encryption with no key size doesn't authenticate; it connects at 144 Mbit but doesn't acquire an IP address.
TY
04-11-2013 03:59 PM
Get the debug client output while the wireless client is seeing the issue (the command takes the client's MAC address):
(Cisco Controller) > debug client <client-mac-address>
If the client doesn't get an IP then it can't join the WLC, and successful roaming is not possible.
To achieve N data rates using an N AP and an N client, follow this doc:
Configure 802.11n on the WLC
http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a3443f.shtml
802.11n requires AES encryption to be enabled on WLANs used by 802.11n clients. You can use a WLAN with NONE as Layer 2 Security. However, if you configure any Layer 2 security, 802.11n requires WPA2 AES enabled to operate at 11n rates. Ensure that WMM is set to Allowed on the WLAN profile in order to achieve 802.11n rates.