Solved: Re: Detecting Rogue Clients

david.enenkel · ‎01-18-2011

Hy,

we are playing around with the Rogue AP Detection at the moment. For this we have setup a test scenario where we have a Rogue AP connected to our network using WPA2 PSK and several clients connected to it.

What can cause that a AP sees the Rogue AP (mac) but not the rogue clients mac connected to it ?

all the very best

David

Surendra BG · ‎01-20-2011

Hi David,

These are the Rogue debugs that we have on the WLC..

(WiSM-slot2-1) >
(WiSM-slot2-1) >
(WiSM-slot2-1) >debug dot11 rogue ?

disable        Disables debug.
enable         Enables debug.
rule           Configures debug of 802.11 rogue rule events.

(WiSM-slot2-1) >debug dot11 rogue

Regards

Surendra

Regards
Surendra BG

View solution in original post

Surendra BG · ‎01-18-2011

Hi David,

If the AP is in Monitor Mode, then you Should or You must see the Rogue clients as well.. if not then there is a problem with the code or the client driver..

do we hav the AP in monitor mode??

lemme know if this answered your question..

Regards
Surendra
====
Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

Regards
Surendra BG

david.enenkel · ‎01-18-2011

Hello Surendra,

thanks for your reponds. No the APs are in local mode. As i have read in the documentation in local mode the APs monitor for noise and rogue ap's for 50 ms.

Nevertheless i have an update on our situation . Just fife minutes ago (now after having the client over 24 hours connected) it has recognised it.

Does this mean that the 50 ms are to short to recognise all of the rogue details?

all the very best

David

Surendra BG · ‎01-18-2011

oops.. sorry the previous post was for something else!! but both the users name was David!! and coming back.. i am not sure about the time Gap or the metric... i normally go for Monitor Mode and then wait for the SNMP log on the WCS..

lemme know if this answered your question..

Regards
Surendra
====
Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

Regards
Surendra BG

Leo Laohoo · ‎01-18-2011

What can cause that a AP sees the Rogue AP (mac) but not the rogue clients mac connected to it ?

The WLC/WCS can see rogue clients associated to a rogue AP even in local mode. By default, auto-contain of rogue AP is disabled. Be careful of legal repercussions to enable auto-contain of rogue AP or manual contain of rogue AP and clients.

david.enenkel · ‎01-20-2011

The feature does not look very consistend to me. The rogue client has only be seen for a few minutes on our WLC and then again vanished. Since then , though it is active all the time it has not been recognised by any AP in this area. Any additional thoughts on this ?

all the very best

David

Surendra BG · ‎01-20-2011

Hi David,

Hope you are doing great!!

If you are able to see the inconsistencies on the rogue, then i request you open up a TAC case and we will open up a Software bug and help you out in getting the issue resolved.

lemme know if this answered your question..

Regards
Surendra
====
Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

Regards
Surendra BG

david.enenkel · ‎01-20-2011

Hello Surendra

is there a possibility to debug the rogue detection on the local AP itself ?

all the best

David

Surendra BG · ‎01-20-2011

Hi David,

These are the Rogue debugs that we have on the WLC..

(WiSM-slot2-1) >
(WiSM-slot2-1) >
(WiSM-slot2-1) >debug dot11 rogue ?

disable        Disables debug.
enable         Enables debug.
rule           Configures debug of 802.11 rogue rule events.

(WiSM-slot2-1) >debug dot11 rogue

Regards

Surendra

Regards
Surendra BG

david.enenkel · ‎01-21-2011

I have now added an additional AP in "Monitor Mode" . Since then the Rogue Clients are discovered in a consistend manner. Nevertheless adding additional "monitor AP's" all over the place is not really a prefered solution from us and i'm a little bit disappointed that the "local Mode" scanning does not work that good.

all the very best

David

Surendra BG · ‎01-21-2011

Hi David,

The Monitor mode is specifically for this purpose as per my very first post in this thread... so we do get the data correctly..

lemme know if this answered your question..

Regards
Surendra
====
Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

Regards
Surendra BG