How to manage unclassified rogue AP's?

jmprats · ‎04-10-2013

What am I supposed to do with unclassified rogue AP?

I understand that if they don't look a thread I can mark them as "Friendly External" to no receive more alarms about them. Is it ok?

The problem is what happens if this external Friendly AP change the SSID for a Managed SSID (an SSID is using our controller). Then, this AP is a threat, but is not longer detected for the controller

Is it a bug?

or am I not managing unclassified Rogue correctly?

Scott Fella · ‎04-10-2013

I don't even bother with these alerts to be honest. You can mark them friendly just so you don't get the alerts if you want. Just depends on what you want to see or ignore:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

jmprats · ‎04-10-2013

Yes, but the problem is that if the Friendly AP changes its SSID by one SSID of your network (managed SSID) is not detected as Malicious.

And with this change this Friendly AP is a thread and should be detected as Malicious but it's not

Saravanan Lakshmanan · ‎05-18-2013

this issue seen on what WLC code?

display the screenshot of Rogue rules.

jmprats · ‎05-19-2013

Version code 7.0.235.3

Saravanan Lakshmanan · ‎05-20-2013

Are you manually classifying as Friendly External?

If yes then #1 is applicable and what you're seeing is expected. If not then #3 is not happening in your case and how long did you wait once the ssid of the rogue changed to the WLC's management?

#Try, If the AP is removed from friendly rogue list(monitor> Rogue> friendly APs) then does it classifies back to original status friendly or malicious as expected. in this case it should classify as malicious once removed from friendly list based on #2.

http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_0110.html#d116047e9015a1635

When the controller receives a rogue report from one of its managed access points, it responds as follows:

The controller verifies that the unknown access point is in the friendly MAC address list. If it is, the controller classifies the access point as Friendly.
If the unknown access point is not in the friendly MAC address list, the controller starts applying rogue classification rules.
If the rogue is already classified as Malicious, Alert or Friendly, Internal or External, the controller does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically only if the rogue is in the Alert state.
The controller applies the first rule based on priority. If the rogue access point matches the criteria specified by the rule, the controller classifies the rogue according to the classification type configured for the rule.
If the rogue access point does not match any of the configured rules, the controller classifies the rogue as Unclassified.
The controller repeats the previous steps for all rogue access points.

Bruno Dinis · ‎06-11-2014

Olá jmprats.

appling that rule every rogue AP with a signal stronger that -70dBm will be automatically classified as Malicious?

Moin Ilyas · ‎07-10-2014

The identification of Rogue AP is done by WLC, whereas we could classify the AP either manually or based on set of rules.

The controller would still be able to identify that AP as a Rogue AP. The reason is that the Wireless LAN Controller would look for the Basic Service Set Identifier (BSSID) for that particular AP.