cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7899
Views
3
Helpful
7
Replies

How to manage unclassified rogue AP's?

jmprats
Level 4
Level 4

What am I supposed to do with unclassified rogue AP?

I understand that if they don't look a thread I can mark them as "Friendly External" to no receive more alarms about them. Is it ok?

The problem is what happens  if this external Friendly AP change the SSID for a Managed SSID (an SSID is using our controller). Then, this AP is a threat, but is not longer detected for the controller

Is it a bug?

or am I not managing unclassified Rogue correctly?

7 Replies 7

Scott Fella
Hall of Fame
Hall of Fame

I don't even bother with these alerts to be honest. You can mark them friendly just so you don't get the alerts if you want. Just depends on what you want to see or ignore:)

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Yes, but the problem is that if the Friendly  AP changes its SSID by one SSID of your network (managed SSID) is not detected as Malicious.


And with this change this Friendly AP is a thread and should be detected as Malicious but it's not

this issue seen on what WLC code?

display the screenshot of Rogue rules.

Version code 7.0.235.3

Are you manually classifying as Friendly External?

If yes then #1 is applicable and what you're seeing is expected. If not then #3 is not happening in your case and how long did you wait once the ssid of the rogue changed to the WLC's management?

#Try, If the AP is removed from friendly rogue list(monitor> Rogue> friendly APs) then does it classifies back to original status friendly or malicious as expected. in this case it should classify as malicious once removed from friendly list based on #2.

http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_0110.html#d116047e9015a1635

When the controller receives a rogue report from one of its managed access points, it responds as follows:

  1. The controller verifies that the unknown access point is in the friendly MAC address list. If it is, the controller classifies the access point as Friendly.
  2. If the unknown access point is not in the friendly MAC address list, the controller starts applying rogue classification rules.
  3. If the rogue is already classified as Malicious, Alert or Friendly, Internal or External, the controller does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically only if the rogue is in the Alert state.
  4. The controller applies the first rule based on priority. If the rogue access point matches the criteria specified by the rule, the controller classifies the rogue according to the classification type configured for the rule.
  5. If the rogue access point does not match any of the configured rules, the controller classifies the rogue as Unclassified.
  6. The controller repeats the previous steps for all rogue access points.

Olá jmprats.

appling that rule every rogue AP with a signal stronger that -70dBm will be automatically classified as Malicious?

 

Moin Ilyas
Level 4
Level 4

The identification of Rogue AP is done by WLC, whereas we could classify the AP either manually or based on set of rules.

The controller would still be able to identify that AP as a Rogue AP. The reason is that the Wireless LAN Controller would look for the Basic Service Set Identifier (BSSID) for that particular AP.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: