
Wireless Rogue Same SSID detection and reporting

Alex-Pr
Level 1

Hi All,

I’m looking for some advice on how to set up a way to detect and alarm (SNMP/email/or applet) for when a rogue is detected that uses the same SSID as one of the WLANs on my network.

I essentially want the feature listed in the auto contain called “Using our SSID” but rather than try countermeasures, it generates a message so we can actually investigate. (Auto containment is illegal. I believe the function actually doesn’t run based on our country code.)

I am using IOS XE

 

As a bit of context, this is for a public facility in a busy area so I see hundreds of rogue networks. What happens from time to time is someone will broadcast the same SSID (malicious or just stupidity) as one of the WLANs we have on our system so it causes client problems. I want to get an email when the system sees it so I go and investigate it.

Thank you!!

 

4 Replies

marce1000
Hall of Fame

 

> ... when a rogue is detected that uses the same SSID as one of the wlans on my network.

 - You should focus on rogue detection in general: https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/managing-rogue-devices.html

 - Also consider https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/managing-rogue-devices.html#id_136347

 M.

   



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thanks for your input. I figured out a way to get it to work how I want. I am not using any monitor mode APs so I set the system to Auto Contain for any SSID detected that I have and set the auto containment to use monitor mode APs only. This puts any rogue that matches an SSID on my system into Containment Pending. From there in PI I was able to set up an alarm for rogues in containment to email me. In testing it, if I set a hotspot or SOHO wireless router to have the same SSID as one that exists on my network it is within 5 minutes that I get an email alarm. Logging into the WLC, it is easy to see what SSID and the detecting APs are seeing it... Now if I was able to apply some AI to detect similar looking SSIDs....

 

 

Thank you again,  
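Added example (not part of the original thread and not Cisco code): a rogue-list triage that flags exact matches of a managed SSID and also the "similar looking" names the post above mentions, going beyond the exact-match case with a character-folding and edit-distance check. The `(BSSID, SSID)` input shape, the SSID names, the look-alike map and all function names are assumptions made for illustration.

```python
import unicodedata

# Characters commonly swapped to imitate an SSID (assumed, illustrative map).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s"})

def skeleton(ssid: str) -> str:
    """Fold case, Unicode compatibility forms, separators and look-alike characters."""
    s = unicodedata.normalize("NFKC", ssid).casefold().translate(LOOKALIKES)
    return "".join(ch for ch in s if ch.isalnum())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(rogue_ssid, managed_ssids, max_distance=1):
    """Return (verdict, matched managed SSID) for one rogue SSID."""
    if rogue_ssid in managed_ssids:
        return ("same-ssid", rogue_ssid)
    rs = skeleton(rogue_ssid)
    for m in managed_ssids:
        ms = skeleton(m)
        if rs == ms:
            return ("lookalike", m)
        # Skip the fuzzy check for very short names to limit false positives.
        if len(ms) >= 6 and edit_distance(rs, ms) <= max_distance:
            return ("near-match", m)
    return ("unrelated", None)

def triage(rogues, managed_ssids):
    """Keep only the rogue (bssid, ssid) entries worth an alert."""
    hits = ((b, s, *classify(s, managed_ssids)) for b, s in rogues)
    return [h for h in hits if h[2] != "unrelated"]

# Constructed sample data: managed WLAN names and a rogue list export.
MANAGED = ["Facility-Guest", "Facility-Staff"]
ROGUES = [
    ("02:00:00:00:00:01", "Facility-Guest"),
    ("02:00:00:00:00:02", "FACILITY_GUEST"),
    ("02:00:00:00:00:03", "Faci1ity-Gue5t"),
    ("02:00:00:00:00:04", "Facility-Guestt"),
    ("02:00:00:00:00:05", "CoffeeShop-WiFi"),
]
```

In a busy public area the near-match tier is the noisy one, so it is worth routing it to a lower-priority alert than the exact and look-alike tiers.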

Hello Alex-Pr,

Have you found a solution for this? I could not find an exit I was looking for.

 

 

Seyidoff
Level 1

I'm looking for some advice on how to set up a method (SNMP/email/or applet) to detect a rogue using the same SSID as one of the WLANs on my network and block or alarm him.
