Rogue AP Policies and Best Practices

DarioPouseiro
Level 1

Dear Cisco Community, 

 

I am trying to understand the best practices and the best policies to deal with Rogue APs, and many doubts emerged. Let me just clarify that I am just a beginner.

 

Under Rogue Policies on the Wireless Controller, the AP Authentication: if I select that option, is it just to confirm what kind of authentication the rogue AP is using when a new one is detected?

 

When I receive a rogue AP minor alarm, and I identify that it is a harmless Wi-Fi access point from a business around the building, what happens if I classify it as friendly? Is it a security flaw if I do it? In the future, if that WAP becomes dangerous, how would I identify it? Would a new alert be reported if, for example, the SSID was changed?

 

Thank you in advance!

Best regards!

2 Replies 2

Hi

AP Authentication is related to your Access Point, not the rogues. With that feature, you can create authentication for your APs, similar to clients. Sounds like a good idea but can create a lot of problems. I would not recommend it.

"When I receive a rogue AP minor alarm, and I identify that it is a harmless Wi-Fi access point from a business around the building, what happens if I classify it as friendly?"

The alarm will not be generated again. If you do not classify it as friendly I will be receiving alarms about that AP all the time.

"Is it a security flaw if I do it?"

I don't believe so.

"In the future, if that WAP becomes dangerous, how would I identify it? Would a new alert be reported if, for example, the SSID was changed?"

The only possibility I can see for that AP to become "Dangerous" would be if the AP's owner starts advertising your SSIDs or starts the containment for your SSIDs. And this could be identified through other logs also.

 

 

Generally I set the rules like this:

Rogue detected with my SSIDs - classify as malicious

Rogue detected with signal -85 - Classify Neighbour and don't worry

Rogue detected on wire - classify malicious

Rogue detected with signal better than -75 then have it investigated.

Containment should only be done if the rogue is broadcasting your SSIDs, or is on your wired network - there are legal considerations to containment (https://edition.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fine/index.html).
Also, containment affects your APs, so it should only be done whilst you are physically finding and disconnecting the rogue AP.

*****Help out others by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
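
The rule set from the second reply, sketched as an offline triage script over an exported rogue list (an added example, not from the thread and not the controller's own rule engine). The SSID names, field names and sample records are constructed, and reading "-85" as "-85 dBm or weaker" is an assumption; the -85 to -75 band that the rules leave open is reported as unclassified.

```python
from dataclasses import dataclass

OWN_SSIDS = {"corp-wifi", "corp-guest"}  # assumption: the SSIDs you manage
NEIGHBOUR_RSSI = -85    # dBm; at or below this, treat as a neighbour
INVESTIGATE_RSSI = -75  # dBm; stronger than this, have it investigated

@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi_dbm: int
    on_wire: bool = False  # rogue was seen on your wired network

def triage(r: Rogue) -> dict:
    """Apply the reply's rules; SSID and on-wire matches outrank signal."""
    reasons = []
    if r.ssid in OWN_SSIDS:
        reasons.append("advertises managed SSID")
    if r.on_wire:
        reasons.append("seen on wired network")
    if reasons:
        label = "malicious"
    elif r.rssi_dbm <= NEIGHBOUR_RSSI:
        label = "neighbour"
    elif r.rssi_dbm > INVESTIGATE_RSSI:
        label = "investigate"
    else:
        label = "unclassified"  # between -85 and -75: not covered by the rules
    # Containment is only considered for own-SSID or on-wire rogues.
    return {"bssid": r.bssid, "label": label,
            "containment_candidate": bool(reasons), "reasons": reasons}

# Constructed sample records, e.g. parsed from a rogue AP report export.
SAMPLE = [
    Rogue("02:00:00:00:00:01", "corp-wifi", -88),          # weak but spoofing
    Rogue("02:00:00:00:00:02", "CoffeeShop", -90),
    Rogue("02:00:00:00:00:03", "printer-setup", -60, True),
    Rogue("02:00:00:00:00:04", "NewCafe", -70),
    Rogue("02:00:00:00:00:05", "Hotel-Guest", -80),
]

def triage_all(records):
    return {r.bssid: triage(r) for r in records}

if __name__ == "__main__":
    for bssid, result in triage_all(SAMPLE).items():
        print(bssid, result["label"], result["reasons"])
```
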