How can I find out if a rogue AP is on my LAN from the WCS/WLC?

Mike Clites
Level 1

Hello,

I have a large site that is remote to me; in other words, I do not have a physical presence there, so a walk-around is impossible.

We have recently deployed a WLC 5508 and some 40+ 3502i APs at the location.

In the WLC I notice quite a few "rogue APs" listed with SSIDs.

Is there a way within the WCS or WLC to better determine whether any of these rogue APs are on my LAN?

If I can locate the MAC address of the Ethernet port on the rogue AP, I can track the port down on the appropriate switch and shut it down.

Thank you in advance for your time and assistance, guys.

Mike

7 Replies

Leo Laohoo
Hall of Fame
If I can locate the MAC address of the Ethernet port on the rogue AP, I can track the port down on the appropriate switch and shut it down.

Without a heat map in WCS, the best way is to triangulate. With WCS, you can track down where the exact location is. WCS also has a feature to test if the rogue AP is on your LAN (or "on the wire").

Leo Laohoo,

Thank you for your information.

I do not have the heat maps set up yet and am likely not to anytime soon.

I did, however, check into the WCS ability to look for a rogue AP on the LAN. I am in the process of setting up the switches in the WCS for this purpose.

Thank you
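The manual procedure Mike describes (find the rogue's wired MAC, look it up in the switch CAM tables, follow it to the edge port and shut that port) is what a port trace automates. The following is an added example written for this page, not code from the thread and not how WCS implements its own switch port tracing. It parses Cisco IOS `show mac address-table address` output and uses a CDP neighbour map to hop from the distribution switch towards the access port. The switch names, interfaces and CLI output are all constructed.

```python
"""Trace a rogue's wired MAC address to the access port it hangs off.

Added example, not from the thread and not how WCS implements its own switch
port tracing. It automates the manual steps described in the thread: look the
MAC up in a switch's CAM table, and when the learning port is an uplink to
another switch (known from CDP), hop to that switch and repeat until an edge
port is reached. Switch names, interfaces and CLI output are all constructed.
"""
import re

# Constructed "show mac address-table address <mac>" output, Cisco IOS format, per switch.
MAC_TABLES = {
    "dist-1": """
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001a.2b3c.4d4f    DYNAMIC     Gi1/0/48
Total Mac Addresses for this criterion: 1
""",
    "access-3": """
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    001a.2b3c.4d4f    DYNAMIC     Gi1/0/17
Total Mac Addresses for this criterion: 1
""",
}

# Constructed CDP view: switch -> {local interface: neighbouring switch}.
# A learning port with no CDP neighbour is treated as an edge port.
CDP_NEIGHBORS = {
    "dist-1": {"Gi1/0/47": "access-2", "Gi1/0/48": "access-3"},
    "access-3": {"Gi1/0/24": "dist-1"},
}

# One CAM table row: VLAN, dotted MAC, type, port.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)",
    re.IGNORECASE | re.MULTILINE,
)


def to_dotted(mac):
    """Normalise colon, hyphen or dotted notation to Cisco's lowercase xxxx.xxxx.xxxx."""
    h = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(h) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def learned_port(table_output, mac):
    """Return (vlan, port) where mac is learned in the CAM output, or None."""
    want = to_dotted(mac)
    for vlan, found, _type, port in MAC_ROW.findall(table_output):
        if found.lower() == want:
            return int(vlan), port
    return None


def trace_port(mac, start_switch, mac_tables, cdp, max_hops=8):
    """Follow mac from start_switch towards the edge; returns a result dict with the hop path."""
    path = []
    switch = start_switch
    for _ in range(max_hops):
        hit = learned_port(mac_tables.get(switch, ""), mac)
        if hit is None:
            return {"found": False, "path": path,
                    "reason": f"{to_dotted(mac)} not in the CAM table of {switch} (aged out or never seen?)"}
        vlan, port = hit
        path.append((switch, port))
        next_switch = cdp.get(switch, {}).get(port)
        if next_switch is None:            # no switch behind this port: it is the edge
            return {"found": True, "switch": switch, "port": port, "vlan": vlan, "path": path}
        switch = next_switch
    return {"found": False, "path": path, "reason": "hop limit reached; check for a CDP loop"}


def shutdown_config(result, mac):
    """IOS config to disable the edge port; refuses to produce it for an unresolved trace."""
    if not result["found"]:
        raise ValueError(result["reason"])
    return (f"! rogue AP {to_dotted(mac)} traced to {result['switch']}\n"
            f"interface {result['port']}\n"
            f" description DISABLED - rogue AP {to_dotted(mac)}\n"
            f" shutdown\n")


if __name__ == "__main__":
    rogue = "00:1a:2b:3c:4d:4f"
    res = trace_port(rogue, "dist-1", MAC_TABLES, CDP_NEIGHBORS)
    print(" -> ".join(f"{sw}:{p}" for sw, p in res["path"]))
    print(shutdown_config(res, rogue))
```

Two practical caveats. CAM entries age out (IOS defaults to 300 seconds), so the rogue has to be passing wired traffic while you look; if the lookup misses, also try the BSSID plus and minus one, since a small AP's wired MAC is frequently adjacent to its BSSID rather than equal to it. And never shut a port that has a CDP neighbour or a long list of learned MACs: that is an uplink, and the trace above only stops on a port with no neighbour for exactly that reason.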

Amjad Abdullah
VIP Alumni

Mike:

You may consider changing the mode of some APs to rogue detector mode:

http://tiny.cc/iioibw

'''snip'''

Rogue Detector Access Point

You can make an AP operate as a rogue detector, which allows it to be placed on a trunk port so that it can hear all wired-side connected VLANs. It proceeds to find the client on the wired subnet on all the VLANs. The rogue detector AP listens for Address Resolution Protocol (ARP) packets in order to determine the Layer 2 addresses of identified rogue clients or rogue APs sent by the controller. If a Layer 2 address that matches is found, the controller generates an alarm that identifies the rogue AP or client as a threat. This alarm indicates that the rogue was seen on the wired network.

'''snip'''

So you know the MAC address and can then search for it.

Good luck.

Amjad

Rating useful replies is more useful than saying "Thank you"
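The quoted passage describes the rogue detector's logic in one sentence: ARP heard on the trunk is compared with the rogue AP and client MACs the controller reported, and a match means the rogue is on the wire. The following is an added example that reproduces that correlation in Python; it is not code from the thread or from Cisco, and every address in it is constructed. The `bssid_tolerance` parameter is this example's own assumption (a small AP's wired MAC is often its BSSID plus or minus one), not a documented WLC setting.

```python
"""Rogue-on-wire correlation, as a rogue detector AP performs it.

Added example, not code from the thread or from Cisco. ARP heard on a trunk
port is compared against the rogue AP and rogue client MAC addresses the
controller has reported; a match means the rogue is on the wired network.
All addresses below are constructed.
"""
import re

# Constructed list of rogue APs (BSSID -> SSID) as the WLC would report them.
ROGUE_APS = {
    "00:1a:2b:3c:4d:50": "linksys",
    "00:1a:2b:3c:4d:aa": "dlink-guest",
}
# Constructed rogue clients (station MACs seen associated to a rogue AP).
ROGUE_CLIENTS = {"d4:be:d9:11:22:33"}

# Constructed ARP traffic heard on the detector's trunk: (vlan, sender MAC, sender IP).
ARP_FRAMES = [
    (10, "00:1a:2b:3c:4d:4f", "10.10.10.77"),   # one below the linksys BSSID
    (20, "00:50:56:ab:cd:ef", "10.10.20.5"),    # an ordinary host
    (30, "d4:be:d9:11:22:33", "10.10.30.200"),  # a rogue client on the wire
    (10, "c8f7.3300.0001", "10.10.10.1"),       # Cisco dotted notation, a gateway
]


def normalize_mac(mac):
    """Accept colon, hyphen or Cisco dotted notation; return lowercase aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_distance(a, b):
    """Numeric distance between two MACs treated as 48-bit integers."""
    ia = int(normalize_mac(a).replace(":", ""), 16)
    ib = int(normalize_mac(b).replace(":", ""), 16)
    return abs(ia - ib)


def match_on_wire(arp_frames, rogue_aps, rogue_clients, bssid_tolerance=1):
    """Return one alarm per ARP sender that matches a known rogue.

    bssid_tolerance is an assumption of this example, not a WLC setting: many
    small APs derive their BSSIDs from the wired MAC by a small offset, so the
    wired side may show up as BSSID +/- 1. Use 0 for exact matches only.
    """
    clients = {normalize_mac(m) for m in rogue_clients}
    aps = {normalize_mac(b): ssid for b, ssid in rogue_aps.items()}
    alarms = []
    for vlan, sender, ip in arp_frames:
        mac = normalize_mac(sender)
        if mac in clients:
            alarms.append({"kind": "rogue client", "mac": mac, "vlan": vlan,
                           "ip": ip, "match": "exact"})
            continue
        for bssid, ssid in aps.items():
            d = mac_distance(mac, bssid)
            if d <= bssid_tolerance:
                alarms.append({"kind": "rogue AP", "mac": mac, "vlan": vlan, "ip": ip,
                               "ssid": ssid, "bssid": bssid,
                               "match": "exact" if d == 0 else f"bssid offset {d}"})
                break
    return alarms


if __name__ == "__main__":
    for a in match_on_wire(ARP_FRAMES, ROGUE_APS, ROGUE_CLIENTS):
        print(f"ALARM {a['kind']} {a['mac']} on VLAN {a['vlan']} ({a['ip']}), {a['match']}")
```

The detector only ever sees ARP in the broadcast domains carried on its trunk, which is exactly why a per-floor routed design needs a detector behind every Layer 3 switch. Keep the tolerance at 0 or 1; widening it much further starts matching unrelated hosts inside a busy vendor OUI block.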

Amjad,

Thank you for the additional tip.

Another good way to find the rogues!

The only thing about this solution is that I am removing a servicing AP for a time while it monitors the network.

Not a bad idea, but since 3502s are not cheap and I am limited in the number of them, that makes it a slightly less desirable option, but one I will definitely check into.

Hi,

I have a similar problem: I want to locate the rogue APs, but we have a fairly big environment (600 APs).

We have our own subnet for every floor and building, routed with Layer 3 switches.

If I use this technology I would need a "rogue detector AP" for every switch, which would be a lot of APs.

I have almost every AP in the maps.

Isn't there a way to find the rogue APs by triangulation?

Gregor,

I believe if you do have your areas mapped accurately, then you should be able to use the heat maps in the WCS.

It gives you a graphical display of the rogue location via wireless triangulation (at least that's how I understand it).

I don't have my areas mapped out. It is a very large, spread-out complex, and unfortunately no decent-quality or particularly accurate map was provided to me.

I am sure someone on the forums who is more familiar with the maps can answer your question.

You're exactly right. If you see rogues inside on your map, or being seen by two or more APs within -78 or so, it could mean that you do have a rogue in your environment. Again, this has limitations, especially if your office is in a downtown building with multiple tenants.

Thanks,

Scott Fella


-Scott
*** Please rate helpful posts ***