2238 Views | 5 Helpful | 9 Replies

WLC 5508 + rogue detection types

Eric Daoust, Level 1

I have been looking up info on rogue detection and have a quick question.

Can a rogue detector AP find a rogue on the wire that's using NAT? After reading all the info, it seems that the way it works is that it looks for the client MAC address on the wired network, but if that client is using a SOHO wireless router it will all be NAT'd.

There's also RLDP, but that's only good at detecting OPEN Wi-Fi, which is usually not the case. Plus it kicks off current connections to run its tests?

What is the best way of detecting rogue APs on the wire? At this point the best thing I can think of is implementing NAC on my network and using 802.1X for all clients...

Any input is greatly appreciated

Accepted Solution

David Watkins, Level 4

You are correct, the rogue detector will not detect clients on an AP "on-wire" behind a NAT'd device.

"It should be noted that a rogue detector AP is not successful at identifying rogue clients behind a device using NAT."

- http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml

Yes, RLDP will drop clients and attempt to "connect" to the rogue AP "open" network if configured as such.

802.1X would be a very viable solution to simply "prevent" them connecting in the first place, but it won't really provide any "detection" for you.

If you build your rogue rules out properly, you should be able to "isolate" the presence of an actual "internal" rogue device in your network and track it down from an RF perspective.


9 Replies


Thanks for the reply.

Can you elaborate a little more on

"If you build your rogue rules out properly, you should be able to "isolate" the presence of an actual "internal" rogue device in your network and track it down from an RF perspective."

I am curious as to what steps I could take from an RF perspective.

From the RF perspective you can look at the APs that detected it and what their RSSI is for it. That should give you an idea of where it is.

Alternately, you can use a spectrum analyzer in the area to track it down as well.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Yes, but then I need to be watching constantly.

You guys ever seen other WIPS vendors and how they do it? I was reading up on AirTight and they seem pretty crazy when it comes to on-the-line rogue detection, "inserting packets" and such..

but they make finding rogues on the line much easier.

Well with NCS and MSE you'll get alerts about rogues, vs having to just watch the WLC directly.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


Yeah, I currently have a syslog setup for that, but have ~80 rogues in my area.

I guess once I take the time to classify them all I could use the syslog monitor to alert me of new ones, then investigate them one by one.

You may want to go and tweak the RSSI at which you detect rogues.

Security > Wireless Protection Policies > Rogues > General

I'd set it to -75. See how many that clears out.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

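The two suggestions above, filtering rogues by a -75 dBm RSSI floor and alerting only on rogues that have not already been classified, plus the earlier advice to locate a rogue by looking at which APs heard it and at what RSSI, can be combined into one small triage script. The following is an added example, not code from the thread, from Cisco or from any WLC feature. The detection record format it parses (rogue BSSID, detecting AP name, RSSI in dBm) is a constructed, simplified one and is not the WLC's actual syslog or trap wording; adapt the regular expression to whatever your controller emits. The AP names, BSSIDs and the "known classified" set are likewise made up for the example.

```python
"""Triage rogue-AP detections: drop faint (probably off-site) rogues, alert on
rogues that are not yet classified, and rank the detecting APs by RSSI so the
RF hunt starts at the right AP.

Added example; the record format below is constructed, not the WLC's own.
"""

import re
from collections import defaultdict

# Constructed sample detections (not real WLC output): three rogue BSSIDs,
# each heard by one or more of our APs.
SAMPLE_LOG = """\
rogue 00:11:22:33:44:55 seen by AP-Lobby-1 rssi -52
rogue 00:11:22:33:44:55 seen by AP-Floor2-3 rssi -68
rogue aa:bb:cc:dd:ee:01 seen by AP-Floor3-1 rssi -88
rogue de:ad:be:ef:00:01 seen by AP-Floor2-3 rssi -61
rogue de:ad:be:ef:00:01 seen by AP-Floor2-4 rssi -57
rogue aa:bb:cc:dd:ee:01 seen by AP-Floor3-2 rssi -80
"""

# Rogues already classified by hand (neighbour's AP, a known lab device...).
# Hypothetical contents for the example.
KNOWN_CLASSIFIED = {"00:11:22:33:44:55"}

# The -75 dBm floor suggested in the thread: anything heard weaker than this
# by every AP is probably outside the building and not worth a walk.
RSSI_FLOOR_DBM = -75

# Matches the constructed line format only.
LINE_RE = re.compile(
    r"rogue (?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"seen by (?P<ap>\S+) rssi (?P<rssi>-?\d+)",
    re.IGNORECASE,
)


def parse_detections(text):
    """Return {bssid: [(ap_name, rssi_dbm), ...]} parsed from the log text."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog line; ignore
        seen[m["bssid"].lower()].append((m["ap"], int(m["rssi"])))
    return dict(seen)


def triage(detections, known, rssi_floor=RSSI_FLOOR_DBM):
    """Return [(bssid, strongest_rssi_dbm, [detecting APs, strongest first])]
    for rogues that are (a) not in the classified set and (b) heard at or
    above rssi_floor by at least one AP.  The AP list is the walk order.
    Result is sorted loudest rogue first."""
    alerts = []
    for bssid, sightings in detections.items():
        if bssid in known:
            continue  # already investigated and classified
        ranked = sorted(sightings, key=lambda s: s[1], reverse=True)
        if ranked[0][1] < rssi_floor:
            continue  # faint everywhere: likely a neighbour, not on-site
        alerts.append((bssid, ranked[0][1], [ap for ap, _ in ranked]))
    alerts.sort(key=lambda a: a[1], reverse=True)
    return alerts


if __name__ == "__main__":
    for bssid, rssi, aps in triage(parse_detections(SAMPLE_LOG), KNOWN_CLASSIFIED):
        print(f"NEW rogue {bssid}: strongest {rssi} dBm at {aps[0]}, "
              f"also heard by {aps[1:]}")
```

On reading RSSI values: they are negative dBm, so a number closer to zero is stronger. Roughly, -50 dBm means the rogue is within a few metres of that AP, -75 dBm is the thread's "worth looking at" cut-off, and -85 dBm or weaker is near the edge of what an AP can decode at all. In the constructed data the unclassified rogue heard at -57 dBm by AP-Floor2-4 is the one to walk toward, while the one heard only at -80/-88 dBm is dropped by the floor; lowering the floor (the `rssi_floor` argument) brings it back.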

I will have to look into RSSI and how to read it properly and what are "good" values..

Thanks for the help

Saravanan Lakshmanan, Cisco Employee

It should be noted that a rogue detector AP is not successful at identifying rogue clients behind a device using NAT.

Well, it should be noted that only "rogue clients" behind a NAT can't be identified as 'rogue client'; the "Rogue on Wire" part, to identify 'Rogue on Wire', will still work, since it is a passive feature and depends only on broadcast packets received from the wired MAC on the wired side.
