
WCS Rogue AP Detection/Switchport Tracing

JASON SIMMONS
Level 2

What criteria does the WCS use when determining if a nearby access point is a rogue AP?

What does the WCS do after it has detected a device it classifies as a rogue AP?

Is the WCS switchport tracing feature only compatible with Cisco switches?

We receive 100s of rogue AP alerts daily. Many of them are false positives. I'd like to figure out how to only be alerted if a rogue is physically connected to our network.

If I try to do a switchport trace it typically completes with errors. I believe it is due to the fact that there is a mixture of Juniper and Cisco switches in our environment.

The company I work for occupies an entire building in a 3-building campus, two floors of a second building, and our data center is in the basement of the 3rd building. Plus there are 2 hotels and another office tower and a few apartment complexes nearby.

1 Reply

Nicolas Darchis
Cisco Employee

What do you mean by false positive?

A rogue AP is an AP in your physical environment that doesn't belong to you. So the alerts are probably not false positives.

It's not WCS that does the detection, it's the WLCs.

If they hear an AP that does not belong to that WLC or any other WLC in the RF domain, then it's a rogue.

You then have rogue classification rules since software version 5.x, so you can say "rogues broadcasting the SSID Hotel are actually ok, they are friendly rogues".

From there, what is classified as malicious rogue can be contained, i.e. your APs can send deauthentication frames to it.

To detect if a rogue AP is connected to your network, you need to have RLDP (Rogue Location Discovery Protocol) enabled on the WLCs. Your APs will then associate to the rogues (if their SSID is open) and send special frames.

You then need an AP in "rogue detector" mode on your network to pick up that frame and see if the rogue is a wired rogue.

Switchport tracing requires you to "manage" the switches from WCS.
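
The triage order described in the reply, as an added example that is not part of the original thread and is not WLC or WCS configuration: only a rogue confirmed on the wired network raises an alert, and that check runs before the friendly-SSID rule so a wired rogue advertising a neighbour's SSID is not whitelisted. All names, BSSIDs and the `on_wire` field (standing in for an RLDP / rogue detector result) are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed inventory: BSSIDs of APs joined to our own WLCs (same RF domain).
MANAGED_BSSIDS = {"00:11:22:aa:00:01", "00:11:22:aa:00:02"}
# Constructed friendly rule, mirroring the "SSID Hotel" example in the reply.
FRIENDLY_SSIDS = {"Hotel"}


@dataclass(frozen=True)
class HeardAP:
    bssid: str
    ssid: str
    on_wire: bool  # assumed input: True only if wired-side detection confirmed it


def classify(ap: HeardAP) -> str:
    """Return managed / malicious / friendly / unclassified for one heard AP."""
    if ap.bssid.lower() in MANAGED_BSSIDS:
        return "managed"          # ours, never a rogue
    if ap.on_wire:
        return "malicious"        # wired rogue wins over any SSID-based rule
    if ap.ssid in FRIENDLY_SSIDS:
        return "friendly"         # neighbour AP that is expected in the area
    return "unclassified"         # heard over the air only; log, do not page


def alerts(heard):
    """Only rogues confirmed on our wired network are worth an alert."""
    return [ap for ap in heard if classify(ap) == "malicious"]


def summary(heard):
    return dict(Counter(classify(ap) for ap in heard))


# Constructed sample of what the controllers might report in one scan cycle.
HEARD = [
    HeardAP("00:11:22:AA:00:01", "Corp", False),
    HeardAP("de:ad:be:ef:00:10", "Hotel", False),
    HeardAP("de:ad:be:ef:00:11", "Apartment-5G", False),
    HeardAP("de:ad:be:ef:00:12", "linksys", True),
    HeardAP("de:ad:be:ef:00:13", "Hotel", True),   # friendly SSID, but wired
]

if __name__ == "__main__":
    print(summary(HEARD))
    for ap in alerts(HEARD):
        print("ALERT wired rogue:", ap.bssid, ap.ssid)
```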
