Re: What tools for locating rogue APs and adhoc clients ?

rduke · ‎01-28-2008

Hi all. I was wondering how you locate your rogues. I have WCS with location detection; however, I still have to go out and hunt down the device. It can be difficult when there is a high density of laptops. Right now, I try to attach to unsecured devices and use the Cisco wireless survey utility to home in on the rogue. Please let me know if you use something better. This seems to work better than using netstumbler, but it has the disadvantage of requiring that you attach to it first. If security is enabled, I have to resort to netstumbler. I would appreciate hearing what techniques and tools work for you.

Randy

irisrios · ‎02-01-2008

There is a feature called Rogue Location Discovery Protocol which tracks the rogues and adhoc clients in the network. If this enabled on the controller rogues are automatically detected and reported. Having WCS with location detection helps you locate rogues more accurately. Butg still you will have to manually remove the rogue devices to be completely out of the problem. Refer URL http://cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml for more information.

rduke · ‎02-01-2008

Thanks for the reply, but I did mention that I am already using WCS with location detection (using Cisco's controllers and LWAPP APs). The problem is that location detection is not always completely trustworthy. You still need tools to actually find the device. I assume most people are using netstumbler ? I am trying to find out if there are better mobile tools to actually hunt it down once you have an approximate location for the rogue.

Randy

wowsersusa · ‎04-09-2008

Were you ever able to find out an easy way to find the rogues without having to hunt them down? I have rogues on the wired network but the WLC and WCS only show me the mac-address of the wireless radio and not the ethernet port mac.

rduke · ‎05-12-2009

I have not found and new tools/techniques as of yet. The way I see it the flow goes like this:

1. You detect the rogue over the air waves. WLCs and WCS do a good job of this.

2. With WCS and location detection, you get the aproximate location of the rogue.

3. Then you have to go get the rogue. Sometimes they are easy to find, sometimes they are really hard to even when the location data is good. They could be under or behind a desk, or in an adjacent office.

I have not tried one of the spectrum cards from Cisco. Perhaps that would work better for finding the device once you know roughly where to look.

It seems that most rogues are not APs, but are routers using NAT. That hides the clients wireless mac addresses from the LAN side of your switched network so I don't think it is easy to locate the rogue on the LAN switch based upon what the AP's hear over the air waves - at least that is my experience.

Randy

Leo Laohoo · ‎05-12-2009

Hi Randy,

When I started using the WLC (we didn't have the WCS back then), I used to track/hunt down rogues by triangulating their location using the output of the SNR and RSSI from at least 3 AP's. Accuracy was as good as about 2 meters.

With the WCS, provided the AP's placement is accurate, it was a whole lot easier.

However, if you have a very large area and you don't have the time to track them down, CONTAIN, the rogues until they start complaining. Let the problem crawl itself to you.

I have never once used netstumbler or AirMagnet to locate rogues. I've always used the output from the WLC to triangulate the location and use the WCS to verify (and never the other way around).

Hope this helps.