What am I supposed to do with unclassified rogue APs?
I understand that if they don't look like a threat I can mark them as "Friendly External" so as not to receive more alarms about them. Is that OK?
The problem is what happens if this external Friendly AP changes its SSID to a managed SSID (an SSID that our controller is using). Then this AP is a threat, but it is no longer detected by the controller.
Is it a bug?
Or am I not managing unclassified rogues correctly?
I don't even bother with these alerts, to be honest. You can mark them friendly just so you don't get the alerts if you want. It just depends on what you want to see or ignore :)
Yes, but the problem is that if the Friendly AP changes its SSID to one of the SSIDs of your network (a managed SSID), it is not detected as Malicious.
And with this change this Friendly AP is a threat and should be detected as Malicious, but it's not.
Are you manually classifying as Friendly External?
If yes, then #1 is applicable and what you're seeing is expected. If not, then #3 is not happening in your case, and how long did you wait once the SSID of the rogue changed to the WLC's management?
Try this: if the AP is removed from the friendly rogue list (monitor > Rogue > friendly APs), does it classify back to its original status, friendly or malicious, as expected? In this case it should classify as malicious once removed from the friendly list, based on #2.
When the controller receives a rogue report from one of its managed access points, it responds as follows:
The identification of a rogue AP is done by the WLC, whereas we could classify the AP either manually or based on a set of rules.
The controller would still be able to identify that AP as a Rogue AP. The reason is that the Wireless LAN Controller would look for the Basic Service Set Identifier (BSSID) for that particular AP.
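Added example (not part of the thread, and not Cisco code): a small audit that keys rogue entries on BSSID, as the last reply describes, and reports any entry now advertising a managed SSID, flagging those whose Friendly classification would suppress the alarm. The record fields, classification strings and sample data are constructed for illustration; a real export from the controller would need to be mapped onto them.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rogue:
    bssid: str           # radio MAC; stays the same when the AP changes its SSID
    ssid: str
    classification: str  # assumed labels: "friendly-external", "unclassified", "malicious"


def audit(previous, current, managed_ssids):
    """Compare two rogue-list snapshots and report rogues using a managed SSID."""
    managed = set(managed_ssids)
    before = {r.bssid.lower(): r for r in previous}
    findings = []
    for r in current:
        if r.ssid not in managed:
            continue
        old = before.get(r.bssid.lower())
        findings.append({
            "bssid": r.bssid.lower(),
            "ssid": r.ssid,
            "classification": r.classification,
            # True when the same BSSID advertised a different SSID in the earlier snapshot
            "ssid_changed": old is not None and old.ssid != r.ssid,
            # True when a Friendly classification would keep this entry from alarming
            "suppressed": r.classification.startswith("friendly"),
        })
    # Suppressed entries first: these are the ones nobody is being alerted about
    findings.sort(key=lambda f: (not f["suppressed"], f["bssid"]))
    return findings


# Constructed sample data: "CorpWiFi" stands in for a managed SSID
MANAGED = {"CorpWiFi"}
PREVIOUS = [
    Rogue("00:11:22:33:44:55", "CoffeeShop", "friendly-external"),
    Rogue("66:77:88:99:aa:bb", "Neighbor", "unclassified"),
]
CURRENT = [
    Rogue("00:11:22:33:44:55", "CorpWiFi", "friendly-external"),  # same BSSID, new SSID
    Rogue("66:77:88:99:AA:BB", "Neighbor", "unclassified"),
    Rogue("de:ad:be:ef:00:01", "CorpWiFi", "unclassified"),
]

if __name__ == "__main__":
    for f in audit(PREVIOUS, CURRENT, MANAGED):
        print(f)
```

Entries reported with `suppressed` set are candidates for removal from the friendly list so that the classification rules can apply to them again.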