
Syslog or Trap for Malicious APs

Travis-Fleming
Level 1

Hello, we have a Cisco 5520 WLC. I'm looking into auto-containment of rogue devices found on the network or with our SSID. However I want to get an alert of when it happens. I know the WLC itself doesn't alert, but you can send syslogs and traps to a server. We have SolarWinds as a log viewer.

 

Two questions:

1 - If I set up our WLC to auto-contain, and it starts to auto-contain an AP on the network, or one with our same SSID, will it automatically classify that AP as "malicious" so I'll be able to see it under the Monitor > Rogues > Malicious APs section?

2 - What might the syslog look like if a device is being "contained", and why is there no alert for that status? I'm able to see in our log server when a device is marked as malicious, but I would like to see when the status changes to contained. Then I can set up SolarWinds to alert me on that. I had on purpose started to contain an out-of-inventory AP we have for testing, and the syslog didn't show anything but malicious; I couldn't see a status of "Contained". I could, however, see that in the GUI and CLI with some show commands.

 

I would think the WLC out of the box should be able to generate an email stating when an AP is actively being contained...

7 Replies

Grendizer
Cisco Employee

Auto Containment shouldn't be used, at least in the US since 2015; check this Public Notice from the FCC: https://docs.fcc.gov/public/attachments/DA-15-113A1.pdf

Well that is silly if it’s found to be on your network? If it’s plugged into my LAN on a remote branch network I can’t even block it from what I read. Thanks for the notification.

 

- "On your network" is a bit of a dubious subject in wireless terms; this could be just outside your networking perimeter too, such as the ice cream van that arrived at your front door broadcasting the SSID "icecreamishere". Hence the wise rules from the government.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

So what are some best-practice Rogue Rules you guys use to let you know when there is a BYOD-type scenario where someone plugs their own AP into your corporate network? We have 20 remote sites, most of which have a FlexConnect setup with thin Cisco APs.

 

- Check if these info resources can be helpful:

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112045-handling-rogue-cuwn-00.html

https://community.cisco.com/t5/wireless-mobility-documents/rogue-management-attack-detection-and-threat-mitigation/ta-p/3112862

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/managing-rogue-devices.html

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Thank you, that helps. One thing I'm having trouble finding anywhere is how to auto-classify an AP that is on my network. I can edit rogue rules on my WLC 5520 to mark APs with a minimum RSSI, at least 1 client, and no encryption. But really, I would like to classify it as rogue if it's on my network. I can auto-contain based on that, but how would I make a rule to auto-identify them and classify them as malicious?

You can configure a rogue rule as below; this will "alert" you if rogues are using one of your configured enabled SSIDs:
>config rogue rule add ap priority 1 classify malicious notify all state alert ManagedSSID
>config rogue rule condition ap set managed-ssid ManagedSSID
>config rogue rule enable ManagedSSID
You will see the new rule under SECURITY > Wireless Protection Policies > Rogue Rules.
Other than that, with the default settings of the WLC, you will get all related alerts like Rogue APs and Rogue clients, and the WLC will show them in the trap logs (MANAGEMENT > SNMP > Trap Logs); if you configured an "SNMP Trap Receiver", then that server will receive all traps, including those, as well.
With the above rule, you will be notified through the Trap Logs as:
Classification: malicious, State: Alert, RuleClassified : Y
instead of
Classification: unclassified, State: Alert, RuleClassified : N
and based on that, you can configure the trap receiver (Prime Infrastructure or, in your case, SolarWinds) to send you emails as alerts.
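As an added example (not from this thread or from Cisco), a small Python parser for trap-log lines of the shape quoted above, which flags rule-classified malicious rogues and the alert -> contained status change the original question asks about. The sample lines are constructed; the text before the Classification field is a placeholder, since the thread does not show the full message format.

```python
import re
from dataclasses import dataclass

# Constructed sample trap-log lines: the text before the fields is a placeholder
# (the thread does not show it); only the Classification / State / RuleClassified
# fields come from the answer above.
SAMPLE_TRAP_LINES = [
    "Rogue AP 00:11:22:33:44:55 ... Classification: unclassified, State: Alert, RuleClassified : N",
    "Rogue AP 00:11:22:33:44:66 ... Classification: malicious, State: Alert, RuleClassified : Y",
    "Rogue AP 00:11:22:33:44:66 ... Classification: malicious, State: Contained, RuleClassified : Y",
    "Rogue AP 00:11:22:33:44:77 ... Classification: friendly, State: Internal, RuleClassified : Y",
]
FIELD_RE = re.compile(r"Classification:\s*(?P<cls>\w+),\s*State:\s*(?P<state>\w+),"
                      r"\s*RuleClassified\s*:\s*(?P<rule>[YN])", re.IGNORECASE)
MAC_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}", re.IGNORECASE)

@dataclass
class RogueEvent:
    mac: str
    classification: str
    state: str
    rule_classified: bool

def parse_trap_line(line):
    """Extract the rogue fields from one trap/syslog line, or None if they are absent."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    mac = MAC_RE.search(line)
    return RogueEvent(mac=mac.group(0).lower() if mac else "unknown",
                      classification=m.group("cls").lower(),
                      state=m.group("state").lower(),
                      rule_classified=m.group("rule").upper() == "Y")

def should_alert(ev):
    """Alert on rule-classified malicious rogues or on a reported containment."""
    return ev.classification == "malicious" or ev.state == "contained"

def alerts_from_log(lines):
    return [ev for ev in map(parse_trap_line, lines) if ev and should_alert(ev)]

def state_transitions(lines):
    """(mac, old, new) whenever a rogue's reported state changes, e.g. alert -> contained."""
    last, changes = {}, []
    for ev in filter(None, map(parse_trap_line, lines)):
        if ev.mac in last and last[ev.mac] != ev.state:
            changes.append((ev.mac, last[ev.mac], ev.state))
        last[ev.mac] = ev.state
    return changes
```

Feeding the real trap or syslog export through `state_transitions` gives the per-rogue status change the keyword filter in SolarWinds cannot see on its own.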
