Question on Rogue Detection

Hi All,

I have a question regarding rogue detection configuration on WLC.

We know that rogue detection can be enabled on a per-AP basis under the Advanced tab of each AP, starting from code 6.0, and it also supports rogue detection in RF groups when we configure the protection type as "AP Authentication" under the WLC Security tab, which makes APs authenticate frames based on the RF group name; if the name is different, then the AP is considered a rogue.

So the question is: if we only enable rogue detection at the AP level but leave AP authentication selected as "none", how does the AP detect rogues? Does that mean that if any signal detected is not from the APs connected to the WLC, then it is considered a rogue?

Also, in the configuration guide, under the section "enable rogue access point detection in RF groups", it says rogue detection needs the AP to be configured in either local or monitor mode when we also have AP authentication enabled. However, if an AP is in H-REAP mode, we are still able to enable/disable rogue detection under the Advanced tab, so how do H-REAP mode APs detect rogues? Is that the same method as when AP authentication is selected as "none"?

thanks in advance for your help.


#Mobility group check is added as a subset to delete the rogue if they're already joined to them, to avoid self-containment (see exception from prior post), from 7.0 only; prior to that, mobility means nothing to rogue detection.

#Mobility happens on the wire while RF neighbor/rogue learning happens over wireless; that is the key difference.

George Stefanick
VIP Alumni

You should test it and let us know


"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

I have done some tests regarding rogue detection, and here are some of my findings:

  1. different RF group name, with AP Authentication policy on both WLCs selected as "none": rogue will be detected
  2. different RF group name, with AP Authentication policy on both WLCs selected as "ap-auth": rogue will be detected
  3. same RF group name, with AP Authentication policy on both WLCs selected as "none": rogue will not be detected
  4. same RF group name, with AP Authentication policy on both WLCs selected as "ap-auth": rogue will not be detected
  5. same RF group name, with AP Authentication policy on one WLC as "none" and on the other as "ap-auth": rogue will be detected

However, I have noticed something that does not seem to be correct: I am only able to see the rogue from one WLC but not the other. For example, I have WLCs number 1 and 2; from number 1 I could see the radio from WLC number 2 as a rogue, however I am not able to see the radio on WLC number 1 reported as a rogue on WLC number 2, when I configured different RF group names.

All the above tests were performed with both WLCs in the same mobility list.

So it seems the RF group name as well as the AP authentication policy are the factors for reporting rogue APs (plus enabling rogue detection at the AP level, of course). However, I guess the questions that still remain are:

  1. What is the difference between enabling "none" and "ap authentication" under AP authentication policy, if we keep this parameter consistent across all WLCs? It appears there is not much of a difference; however, there must be a reason for each option available here.
  2. If we select AP authentication, then what does the threshold number actually represent? My understanding is that this is the number of times the same radio MAC/BSSID has been detected, so to prevent false alarms we need to increase this number. However, in the configuration guide, it says this has something to do with WMM clients as well. Can you please advise what this number stands for and what the general best practice for this number is?

thanks in advance for your time and help.

I've done some tests as well:

I have multiple WLCs in the same mobility and the same RF groups. AP Auth type is set to "none" on all of them. I took one WLC (I'll call it hereafter "My WLC") and changed its RF group name. I also changed its AP auth policy to "AP Authentication". All WLCs have the same SSIDs configured. I added one extra test SSID on "My WLC".

The results are:

- The WLC with the different RF group name did not mention other APs as rogues. Other APs did not mention my WLC's APs as rogues either.

- There is a very high number of AP impersonations detected by "My WLC". Other WLCs did not detect AP impersonation. This indicates that APs on other WLCs try to contain "My WLC" APs. However, "My WLC" does not seem to try impersonating other APs. (It is worth noting that the number of APs on "My WLC" is much less than the number of APs on other WLCs.)

- When using "AP authentication", a new IE appears in the SSID beacons.

The part highlighted in blue is the information that could not be interpreted (as seen highlighted in yellow above). This information differs based on the SSID. A different SSID name shows different information. This IE seems to carry the information about the RF group name. If this does not appear when using "none" as the AP auth policy, then WLCs cannot distinguish different RF group names if AP auth is set to "none". (Because I could not find any RF group info anywhere else in the beacon packet. If you know it exists somewhere else, please let us know. So far I assume it is included in this vendor-specific IE.)

- When I changed the AP auth to "none", the number of AP impersonations reported started to decrease gradually. I'll keep monitoring to see what it will be after a couple of hours.

- The config guide is very useful. However, sometimes it is extremely stupid. Why?

     Well, because if you go to the part that talks about configuring MFP (http://tiny.cc/un6thw), and if you go to Step 5, you will find that the option mentioned in step 5 is not available in the AP. It tells you that to enable or disable MFP validation for a specific AP you can do this from under the Advanced tab. However, this option is not available under the Advanced tab. I had a big discussion with TAC about this a very long time ago, and prompted the doc guys about it, but so far nothing has changed.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

By now the number of AP impersonations last hour = 0.

Rating useful replies is more useful than saying "Thank you"

Hi Amjad,

So based on your test result, does that mean that if the AP authentication policy is configured as "none", then rogue detection is effectively off?

In my test, I do not have that many APs connected to the WLC; however, I have got two test APs sitting next to each other, each joined to one WLC. Then I created a rogue rule with an RSSI value in the rule, so that if the RSSI is better than -50 dBm, the rogue will be classified as malicious (since the two test APs are sitting next to each other, the RSSI between the two is normally around -20 to -25 dBm). This filters out a large number of rogues in the list and leaves only a few to check. I assume that if the two APs can detect each other as rogues, then this rule should be matched, as they are located so close.

Then I got the above result. However, I did see the other AP reported as a rogue in my malicious list when I had AP authentication as "none" on both WLCs and the RF group names were different.

So far it seems to me that there is not much of a difference between "none" and "ap authentication" under AP authentication policy.

Note that:

- I am already having a rogue rule to classify the APs as rogues if the RSSI is better than -70 dBm.

- I am running 7.0.230.0 code version.

In my test, the rogue list in the WLC did not mention the other APs on the different RF group name. I can't see them listed in either malicious, unclassified, or even friendly APs.

However, when I use "AP Authentication", it is obvious that the other APs try to contain the APs joined to My WLC. (I know this from the high number of AP impersonations reported.)

When I use "none" there is no AP impersonation. Since my last post, in which I said the AP impersonation count is 0, it is still 0 at this moment. I am sure that if I set it back to "AP Authentication" I will start seeing the AP impersonation messages again.

The RF group is still different.

When I mention rogues reported, I mean only APs on the different RF group. I already have many rogues reported that are external networks I don't administer. Those are reported anyway regardless of what I use (AP auth or none). This means that AP Auth or none does not affect rogue detection for external APs. In my opinion (which I am trying to prove, and my test supports me), if "none", then it does not matter whether the RF group name is similar or different. If AP Auth, then the RF group name should be the same, or otherwise different RF group names will treat each other as rogues.

Please try to do one more test. Make sure to remove reported rogues manually after each test, so that there are no rogues left from old tests.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

OK, I have done some further tests and the results are not consistent. This time I could not get the other AP detected as a rogue no matter what changes I made...

When I selected AP authentication with a threshold value of 50, and a different RF group name, they were still not able to detect each other as rogues. I even rebooted both WLCs and both APs.... I am using two 3500s and 5508 WLCs running 7.0.116.0.

Hmmm, not sure why. I have confirmed multiple times that rogue detection is enabled on both APs......

I am pretty sure this used to be working...

Here is some additional reading:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080ad6b8d.shtml

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml

How long did you wait? Because here is one of the quirky things to know. The AP will be on channel for 16 seconds and then go off channel for 50 ms to scan 1 channel. It is possible the AP missed the rogue beacon.

If you think about it, it could take well over a minute to go through all channels before coming back to the rogue's channel, and it could miss the beacon again, since the AP only listens for 50 ms.

Did you put the AP into monitor mode?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
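To make the timing argument in the reply above concrete, here is a small model of the off-channel scan schedule it describes (16 s on channel, then a 50 ms dwell on one scanned channel per hop). This is an added example written for this thread, not Cisco code and not the actual WLC scanning algorithm; the channel list (2.4 GHz channels 1..11) and the rogue's beacon interval (100 TU, about 102.4 ms) are assumptions, and beacons are treated as instantaneous. It computes how long one pass over all channels takes, the chance that a single 50 ms dwell overlaps a beacon, the resulting expected time to first detection, and a deterministic walk of the schedule for a given beacon phase so you can see a rogue being missed on consecutive passes.

```python
"""Off-channel scan timing model for rogue detection.

Built from the numbers in the reply above (16 s on channel, 50 ms dwell,
one scanned channel per hop). Added illustration only; the channel list
and beacon interval are constructed assumptions, not WLC behaviour.
"""
from dataclasses import dataclass
from math import ceil
from typing import Optional, Tuple


@dataclass(frozen=True)
class ScanModel:
    on_channel_s: float = 16.0          # time serving clients before each hop (from the post)
    dwell_s: float = 0.050              # listening time on one off-channel (from the post)
    channels: Tuple[int, ...] = tuple(range(1, 12))  # assumption: 2.4 GHz channels 1..11
    beacon_interval_s: float = 0.1024   # assumption: rogue beacons every 100 TU


def cycle_time_s(m: ScanModel) -> float:
    """Wall-clock time for one pass that visits every channel in the list once."""
    return len(m.channels) * (m.on_channel_s + m.dwell_s)


def per_visit_detection_prob(m: ScanModel) -> float:
    """Chance that at least one beacon lands inside a single dwell window,
    assuming the beacon phase is uniformly random relative to the scan."""
    return min(1.0, m.dwell_s / m.beacon_interval_s)


def expected_detection_time_s(m: ScanModel) -> float:
    """Mean time until the rogue is first heard: one visit per cycle, and a
    geometric number of visits with success probability p, so cycle_time / p."""
    return cycle_time_s(m) / per_visit_detection_prob(m)


def first_detection(m: ScanModel, rogue_channel: int, beacon_phase_s: float,
                    max_cycles: int = 100) -> Optional[Tuple[float, int]]:
    """Deterministic walk of the scan schedule.

    Returns (time_s, cycle_index) of the first dwell on rogue_channel that
    overlaps a beacon, or None if no overlap happens within max_cycles.
    Beacons are sent at beacon_phase_s + n * beacon_interval_s for n >= 0.
    """
    idx = m.channels.index(rogue_channel)
    hop = m.on_channel_s + m.dwell_s
    for cycle in range(max_cycles):
        # dwell window on the rogue's channel during this pass
        start = cycle * cycle_time_s(m) + idx * hop + m.on_channel_s
        end = start + m.dwell_s
        # first beacon at or after the window opens
        n = max(0, ceil((start - beacon_phase_s) / m.beacon_interval_s))
        beacon = beacon_phase_s + n * m.beacon_interval_s
        if beacon < end:
            return beacon, cycle
    return None


if __name__ == "__main__":
    m = ScanModel()
    print(f"one pass over {len(m.channels)} channels: {cycle_time_s(m):.1f} s")
    print(f"per-visit detection probability: {per_visit_detection_prob(m):.2f}")
    print(f"expected time to first detection: {expected_detection_time_s(m) / 60:.1f} min")
    for phase in (0.0, 0.06):  # constructed beacon phases, rogue on channel 6
        print(f"beacon phase {phase * 1000:.0f} ms -> {first_detection(m, 6, phase)}")
```

With these assumptions one pass takes about three minutes and a single dwell catches a beacon only about half the time, so the expected time to the first report is several minutes even with both APs a few feet apart; the 60 ms phase case shows the rogue being missed on two consecutive passes before it is heard. That is why a short wait after a configuration change, or a reboot that resets the scan, can make an AP look like it is not detecting at all, and why monitor mode (which dwells on scanned channels continuously) changes the picture.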