Rogue Detection Client Number Threshold

Hi all;

As you know, one of the enabled options for Rogue Detection operation is the "Rogue Detection Client Number Threshold" option. The default value of this option is "0" in Catalyst 9800. Does selecting "0" mean disabling this functionality, or does the WLC mark an AP as rogue even if there is no client associated with it?

Thanks

2 Replies

ammahend
VIP Alumni

There is no precise information on this, but the way I understood it is that the WLC will classify any detected rogue AP as rogue, regardless of whether it has any associated clients or not.

When the threshold is set (e.g., 3 clients), the WLC waits until at least 3 clients are associated with the detected rogue AP before marking it as rogue.

-hope this helps-

@rezaalikhani 

The documentation is not clear enough, but my interpretation is that the option "Rogue Detection Client Number Threshold" is related to whether the WLC generates a trap or not.

If you want to change how the WLC sees rogue APs, you can disable it.

"To enable or disable rogue detection on a Cisco WLC 9800, navigate to the "Configuration > Tags & Profiles > AP Join" section, select the desired AP Join Profile, then go to the "Rogue AP" tab where you can check or uncheck the "Rogue Detection" box to enable or disable rogue detection"

But the 9800 offers the possibility of controlling the SNMP trap by checking the number of clients connected to the rogue AP:

"Configures the rogue client per a rogue AP SNMP trap threshold. The valid range for the threshold is 0 to 256."

Considering this, if you set it to "0", it means no trap will be generated related to clients connected to the rogue AP, but not related to the rogue AP itself, unless you set the AP rogue detection to disabled as explained above.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/managing-rogue-devices.html

 
