07-09-2024 04:03 AM
9800-40, 17.12.3, 1000 AP, 4 sites
I would like all APs to detect rogues but only a subset of them to perform rogue containment. For example, one site is more open and public, so we are not allowed to contain rogues there, while another one is closed and private and containment can be performed.
The only thing I can do is disable rogue detection in an AP join. I would like to keep detection but not contain.
Is there any way to do it?
Mirek
07-09-2024 06:16 AM
- FYI : https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/rogue-per-ap.html
> ...Rogue detection is configured per AP or for a group of APs. The rogue AP detection is configured under the AP profile. The rogue AP detection configuration is enabled by default and is part of the default AP profile.
Check the entire document too.
M.
07-12-2024 12:10 AM
THX, but my original question was: "How to configure a subset of APs to keep rogue detection but not participate in the autocontainment"
MiTi
07-09-2024 03:55 PM
Be careful with containment! There are large fines if used incorrectly: https://edition.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fine/index.html
You want to make sure the rogue is within your network and an actual threat, not someone's hotspot or a neighbouring company's wireless network.
The other thing is it will tax your AP whilst containing it.
Catalyst Centre has a really nice rogue rule set that enables you to filter the rogues and also do things like create the rules in an easy GUI format.
I would recommend only containing rogues where they are honeypots (using your SSIDs) or a rogue on the wire:
Rogue on wire:
A "Rogue AP on wire" is an unauthorised access point that is physically connected to the wired network infrastructure without authorization or approval. This type of rogue access point is particularly concerning because it can be used to bypass security controls and provide an attacker with a direct connection to the wired network. A rogue AP on wire can be intentionally or accidentally connected to the wired network by an employee, contractor, or malicious actor. Once connected, the rogue AP can provide unauthorised wireless access to the network, potentially allowing an attacker to compromise sensitive data or resources.
Honeypot:
A rogue access point (AP) that mimics a legitimate AP in order to intercept and manipulate network traffic.
07-11-2024 07:39 AM
Thanks Haydn, it's clear. It is just the reason why we want to do it selectively, strictly in closed company offices. But we want to keep monitoring other areas.
Mirek