Detecting rogue AP messages in syslog? Configuring WLC.

asad ali
Level 1

I'm building the use case to test / detect for rogue devices on the network. I have in my environment

LAN controller 5500 controller with AP (Aironet 3500). I want to detect for rogue devices/APs connected to my network. I know before I can see this activity on the network I have to configure the controller / AP to detect this behavior. I'm doing this step.

  1. Authorize APs against the AAA function to make sure that all the APs registering to your WLC are authorized APs of the network. By enabling this feature, only those APs whose MAC addresses are present in the authorization list will be able to register to the WLC.

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a00808c7234.shtml

  2. Using the Rogue Detection feature, the WLC will be able to detect any AP that is not a part of its RF group and contain it.

https://www.cisco.com/application/pdf/paws/70987/rogue_detect.pdf

NOTE: from the forum I have seen other talks about the same issue, saying that only if I have any APs in "Rogue Detection" mode sitting on the trunk port on the switch will this AP detect the Rogue on Wired.

I don't think I completely understand this statement; by "sitting", does it mean that it is passively sniffing traffic coming in/out on the trunk link?

Considering the above steps are accurate, after this will I be able to see rogue detection behavior in syslogs? What exactly would be the messages that would produce this behavior?


7 Replies

Leo Laohoo
Hall of Fame
I want to detect for rogue devices/ap connected to my network.

By default, this feature is enabled.

Only WCS/NCS/CPI will have the function to inform you if the rogue devices are plugged into your network or not (Rogue on Wired).

I'm using WCS v 5.0 will this work?

This will, but I wouldn't use WCS 5.0 as there are a lot more features in 7.0.X.

Thanks. Are the steps I laid out in my initial question enough to configure / set up rogue detection? Like in most cases, would it be my supported AP configured in rogue detection mode doing all the detection and containment? Right?

By default, in local mode, the AP provides services to wifi clients.  When it's "free" it goes into rogue detection.

So unless you have APs to "burn", I wouldn't necessarily sacrifice a few APs for dedicated rogue detection.

Now, if you have AP3602 with the Security module, that's another thing.

RLDP and an AP in Rogue Detector mode can be turned on using just the controller. Both will tell you if a rogue is on your wired network. With RLDP you will be limited to checking rogues with open authentication. A Rogue Detector AP will also work with just the controller to identify rogue APs based on MAC address on the wired network.

Personally, I don't like using RLDP because it will directly affect my service areas when the AP goes offline. By contrast, the Rogue Detector is easy to set up and I often use an older LAP model for this purpose. Just keep capacity limits in mind when deploying in your MDFs.

IMHO, just like anything else with security, Rogue Detection is a multi-level effort. Build a strategy and apply the technologies and features that result in what you're looking for. Oftentimes I start with a simple question with my customers to determine what level to take the recommendation to: "If you identify a Rogue AP, will you do something about it?" That usually sets up next steps. //art
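Two of the checks discussed in this thread can be illustrated with a small offline script: the AP authorization list from step 1 of the original question (only APs whose MAC address is on the list may register to the WLC) and the wired correlation that a Rogue Detector AP performs, identifying rogue APs by MAC address seen on the wired network. The following Python is an added example for this page, not code from the thread, from Cisco or from any WLC feature; all MAC addresses and tables are constructed sample data, and the "nearby MAC" matching in rogues_on_wire is an assumption of this example (consumer APs often derive BSSIDs from the wired MAC by a small increment), not a documented Cisco rule, so it can be disabled with max_offset=0.

```python
import re

# Added example (not from the thread or from Cisco): two checks that mirror the
# ideas discussed above, run offline on constructed sample data.
#  1. AP authorization list: only APs whose MAC is on the list may join the WLC.
#  2. Rogue-on-wire correlation: a rogue BSSID heard over the air is matched
#     against MACs seen on the wired segment by a rogue-detector AP.

_NON_HEX = re.compile(r"[^0-9a-fA-F]")


def normalize_mac(mac: str) -> int:
    """Accept Cisco dotted (aabb.ccdd.eeff), colon or dash forms; return an int.

    Comparing integers avoids false misses caused by the WLC showing dotted
    notation while a switch MAC table or a wireless capture uses colons.
    """
    digits = _NON_HEX.sub("", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render an integer MAC in colon notation for reporting."""
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))


# --- constructed sample data (assumption: not taken from any real network) ---
AUTHORIZED_APS = {"f866.f2aa.bb01", "f866.f2aa.bb02"}           # WLC auth list
JOIN_ATTEMPTS = ["f8:66:f2:aa:bb:01", "F866.F2AA.BB02", "00-11-22-33-44-55"]
ROGUE_BSSIDS = ["00:11:22:33:44:57", "aa:bb:cc:dd:ee:ff"]       # heard over the air
WIRED_MACS = ["0011.2233.4455", "f866.f2aa.bb01"]               # seen on the trunk


def unauthorized_joins(attempts, authorized):
    """Return join attempts whose MAC is absent from the authorization list."""
    allow = {normalize_mac(m) for m in authorized}
    return [format_mac(normalize_mac(a)) for a in attempts
            if normalize_mac(a) not in allow]


def rogues_on_wire(rogue_bssids, wired_macs, max_offset=4):
    """Correlate rogue BSSIDs with MACs learned on the wired segment.

    An exact match means the rogue's radio MAC itself appeared on the wire.
    Assumption (heuristic of this example, not a Cisco rule): a wired MAC within
    max_offset of the BSSID is also reported, because many consumer APs derive
    their BSSIDs from the wired MAC by a small increment. Use max_offset=0 for
    exact matches only.
    """
    wired = sorted(normalize_mac(m) for m in wired_macs)
    hits = []
    for bssid in rogue_bssids:
        b = normalize_mac(bssid)
        for w in wired:
            if abs(b - w) <= max_offset:
                hits.append((format_mac(b), format_mac(w)))
                break
    return hits


if __name__ == "__main__":
    for mac in unauthorized_joins(JOIN_ATTEMPTS, AUTHORIZED_APS):
        print(f"join attempt from unauthorized AP {mac}")
    for bssid, wired in rogues_on_wire(ROGUE_BSSIDS, WIRED_MACS):
        print(f"rogue {bssid} correlates with wired MAC {wired}: rogue on wire")
```

In practice the wired MAC list would come from the switch MAC address table on the trunk the Rogue Detector AP sits on, and the rogue list from the controller; the point of normalizing to integers first is that the same address is written differently by each of those sources.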

Saravanan Lakshmanan
Cisco Employee