cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5150
Views
30
Helpful
23
Replies
wireless_student
Beginner

Question on Rogue Detection

Hi All,

I have a question regarding rogue detection configuration on WLC.

we know that rogue detection can be enabled on a per AP basis under the advanced tab of each AP, starting from code 6.0, and it also supports rogue detection in RF groups when we configure protection type as "AP Authentication" under WLC security tab, which will make APs to authentication frames based on the RF group name, if name is different, then the AP is considered as a rogue.

so the question is if we only enable rogue detection on the AP level, however leave the AP authentication selected as "none", how does the AP detect rogues? does that mean if any signal detected is not from the APs connected to the WLC, then this will be considered as a rogue?

also in the configuration guide, under the section "enable rogue access point detection in RF groups", it says rogue detection will need the AP to be configured as either local or monitor mode, when we also have AP authentication enabled. however if an AP is under h-reap mode, we still able to enable/disable rogue detection under the advanced tab, so how does H-REAP mode APs detect rogues? is that the same method as when AP authentication selected as "none"

thanks in advance for your help.

23 REPLIES 23
Saravanan Lakshmanan
Cisco Employee

it is applicable not only for AP Authentication but also even for AP infrastructure mfp.

does that mean if any signal detected is not from the APs connected to the WLC, then this will be considered as a rogue?

Yes, APs outside cisco WLC and APs that are not on same RF group will be rogues.

if an AP is under h-reap mode, we still able to enable/disable rogue  detection under the advanced tab, so how does H-REAP mode APs detect  rogues? is that the same method as when AP authentication selected as  "none"

If hreap is on connected mode to WLC then yes it detects rogue and report to WLC, on standalone it doesn't work.

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080b3690b.shtml

Amjad Abdullah
Engager

Hi,

If APs joinign a cisco WLC detected WIRELESS 802.11 FRAMES that are being send and they do not belong to the WLC to which the AP belongs or any WLC in its mobility group then the source of those frames (source mac address) is considered a rogue AP that has that mac address as a source.

If the detected signal is not a wireless 802.11 frame (just noise, bluetooth...etc) then that is not detected as rogue because the AP does not able to analyze that signal as 802.11 frame and hence does not know the source mac of the sender.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Thank you both for the reply, can you please confirm the below senario as well:

with rogue detection enabled on AP level, what is the difference between AP authentication configured as "none" and "AP Authentication"? my understanding is that with AP Authentication or MFP enabled under "AP Authentication" field, rogue detection will be verified based on the RF group name, so signal from other RF domain or not from WLC will be considered as rogue, but what if we select AP authentication as "none"? are we still using RF group name to authenticate frames from other APs? or there is another method? if not does that mean rogue detection is DISABLED in this case even when we have it enabled under the advanced tab of the APs?

thanks for your time to clarify this.

If roge detection under the AP advanced tab is selected:

- Enabled: the AP will report rogues it finds to the WLC.

- Disabled: the AP will not report any rogues to the WLC regardless of what AP authentication is.

If rogue detection is enabled and AP authentication is:

- None: AP reports rogues it finds to the controller. APs on same mobility group are not reported even if they are on different RF groups.

- AP authentication: AP reports the rogues to the WLC. APs on same mobility group but with different RF groups are also reported as rogues.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

ok, thanks for your reply, so if AP authentication is "none", then even RF group name is different, then AP will NOT report rogues from other WLCs, and WLCs in the same mobility group is the condition for this? becasue it seems AP still reports rogues, and it should report rogue APs from other WLCs which has no relation to the current one (not in mobility group/list, different RF group), then in this case RF group name is not something that the WLC uses to determine the rogue?

thanks.

ok, thanks for your reply, so if AP authentication is "none", then even RF group name is different, then AP will NOT report rogues from other WLCs, and WLCs in the same mobility group is the condition for this?

WLC mobility group is always a condition to decide if a rogue should be reported or not. If on same mobility group then it is not rogue. if on different mobility group then it is a rogue.

RF group is not always there. you can enable or disable checking it by selecting "none" or "AP authentication". If none then RF group should be similar or else it is reported as a rogue.

If mobility group is different then we do not look at RF group and the AP is reported as rogue.

If mobility group is similar then:

- If "none" we do notlook at the RF group and the AP considered not rogue.

- If "AP authentication" then we look at the RF group. if similar then not rogue. if different then rogue.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

ahh, ok this makes sense now, thanks a lot for your help!

don't think Mobility group will be a prime factor and it is always RF group since Configuring Mobility group is optional, RF group is mandatory for a WLC. Also, Rogue detection happen over wireless, to show or not to show as rogue is decided by other configuration parameters Ex: Rogue rules, AP auth type, is it in friendly list,.... only exception is with different RF group with same Mobility may still detect as Rogue but won't show bcoz mobility group is the subset of RF group just like other filter parameters.

It is recommended to keep RF group name, Mobility group name, AP auth type used similar across all WLCs whose APs ovelapping RF. Same RF group name with different AP auth type will be flagged as Rogue.

hi Saravanan,

ok if mobility group/list configuration is not considered as a factor for rogue detection, can you please help to explain what is the difference between "none" and "AP Authentication" under the AP Authentication configuration?

when we have rogue detection enabled under AP level, does that mean rogues will always be detected, even if ap authentication selected as "none"?

thanks.

can anyone please help to confirm what is the difference between "none" and "AP Authentication" under "AP Authentication" configuration option?

appreciate any comment on this.

#Regards to AP Auth type, Same RF group require to have same AP Auth type - Auth/MFP/none on all WLCs. Different RF group with same auth type or same RF group with different RF group will be flagged as rogue.

should be an easy test if you've two wlc.

Saravanan:

I dont agree. If wlcs on same mobility domain the aps on different wlcs are not reported as rogues. However, if wlcs on different mobility domain (or mobility domain is not set) then the aps on different wlcs are reported as rogues.

Rogue rules and friendly list are used to classify rogue aps that are reported. While aps on same mobility domain are not reported in the first place.

HTH

Amjad

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"

Amjad,

Saravanan is correct, its RF group -- not mobility group. I too have made this mistake, as you, until i read the config guide like 20x times ..

See below this may help better explain.

Enabling Rogue Access Point Detection in RF Groups

After you have created an RF group of controllers, you need to configure  the access points connected to the controllers to detect rogue access  points. The access points will then select the beacon/
probe-response  frames in neighboring access point messages to see if they contain an  authentication information element (IE) that matches that of the RF  group. If the select is successful, the frames are authenticated.  Otherwise, the authorized access point reports the neighboring access  point as a rogue, records its BSSID in a rogue table, and sends the  table to the controller.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George and Saravanan:

Thank you. +5 to each post you both put. Your clarification is very useful to me.

What i know from before: mobility group wlcs can communicate and know the ap belongs to any of group wlcs. Hence they know it is not a rogue. If It is "ap auth" then rf group should be the same. If "none" then rf group if different on same mobility domain then is even not reported.

If anyone can test and confirm that will be appreciated. Because some of the info i got was from Cisco TAC. About cisco doc: they are useful but sometimes not accurate enough and sometime missing information. I became a friend with the wireless doc manager because i report too many problems with the docs

So if you can test the mobility domain part that will be great.

Because depending on your explanation if another neighbor network is exist with same RF group name then it will not be reported as a rogue. It does not make sense this way and I think there is a missing part.

Thank you again

Sent from Cisco Technical Support iPad App

Rating useful replies is more useful than saying "Thank you"
Create
Recognize Your Peers
Content for Community-Ad