11-26-2014 08:39 AM - edited 07-05-2021 02:01 AM
Hi Support Community,
I have done a lot of research on this topic but was unfortunately unable to find a helpful post.
If I missed something, I am sorry about that.
I have the following issue: my customer complains about Rogue AP Alerts in Cisco Prime.
There are always many of them.
I already configured the Rogue Rules in the WLC's Security tab as follows.
Here are the rules in detail.
1st rule
2nd rule
3rd rule
Could you please help me understand what I did wrong?
I don't understand why there are still so many rogue warnings although I configured it not to alert.
Thanks for your support
With kind regards
Benedikt
11-27-2014 09:58 PM
Hi,
I am not going into the rogue rules. Can you please go to Management > SNMP > Trap Control > Security > Rogue, disable this setting and see if that stops the traps to PI.
Regards
Dhiresh
**Please rate helpful posts**
12-01-2014 01:52 AM
Rogue detection is a way of being aware of other APs in your surroundings; I would not advise turning the SNMP traps off totally. On the other hand, the customer can't really blame you because there are other APs around their network? In 99,9% of all networks there will be....
However, if you want to tidy up among the rogue alarms, the rules can be used.
What your rules are saying is "Anyone except me using my SSIDs? - mark it as a Bad Guy" (OK).
Then it gets a bit weird to me, so let's do a short one on signal strength:
-30 dBm = Less than one meter from the AP at max European output level 20 dBm EIRP
-40 dBm = Ten times weaker, some 2-4m from AP. All distances are roughly speaking...
-50 dBm = 1/100 weaker, less than 10m from AP
-60 dBm = 1/1000 weaker, some 16m from AP, a "normal" and strong signal
-70 dBm = 1/10000, within 30m from AP, not great, but lower end of "normal" span
-80 dBm = hardly useable signal, might be able to connect @ 1-2 Mbps, not much more
-90 dBm = almost no clients can use these weak levels
-100 dBm = background noise.
Your delete rule says that "Any other AP located less than a meter from mine (-30 dBm) should be marked as Malicious and deleted". Lower this to, say, -70 dBm and see what happens.
Also note that the order of the rules can be important. It runs from the top down, and as far as I remember the last one that matched determines whether it is Friendly or Malicious. Play around with the levels first, then if necessary the order of the rules, and get back...
**Please rate helpful posts**
12-01-2014 02:02 AM
Addition to my own post (smile):
In a real network I would do:
"Managed SSID" - Mark as Malicious and alarm (someone is claiming to be my network!)
"RSSI > -95 dBm" - Mark as Friendly (e.g. -70 to -95 is probably outside our premises)
"RSSI > -70 dBm" - Mark as Malicious and alarm (An unknown AP on our premises!)
Watch the rule order: this overwrites the "Friendly" marker if RSSI is over -70 dBm.
In 8.0 and up you can also match on partial SSIDs, so matching the most common ISP SSIDs as "friendly" also helps...
**Please rate helpful posts**