
WLSE not locating rogue AP.

johnlitter
Level 1

Hi, not sure if anyone is facing this problem. I have purchased a WLSE recently for the purpose of detecting rogue APs. I felt that WLSE did not perform to the standard I want. I have found a long list of rogues, but only 3 out of 100 show the location with switch port information. The rest were only with BSSID information. Location Manager does not show me a reasonable location for the rogue APs found. I also notice that the WLSE collects the MAC address of the rogue wireless adapter and does the calculation for the Ethernet adapter address by +/- 1 of the wireless MAC address. This can be a problem, as there are many APs whose Ethernet adapter address is not +/- of the wireless adapter address. This can be seen from the AP1200. I really need to know how to locate these rogue devices in our network.

WLSE 1130 rel 2.9

APs are a combination of 350 (12.2(13)JA1) and 1200 (12.3(2)JA2)

Please advise. Thanks

Accepted Solutions

stschmidt
Level 1

Firstly, you need to understand that switch port tracing is not 100% guaranteed and is a best-effort feature.

There are assumptions that are made now that should be resolved and refined in later releases of WLSE.

I would also recommend that you upgrade to the latest version of WLSE software, which may help your detection.

For detecting rogues, have you followed these tips:

To detect rogue APs, Radio Monitoring must be running.

• Although you might be tempted to disable Radio Monitoring and detect rogue APs only during AP Radio Scans, this approach is not recommended. AP Radio Scan jobs can detect rogues, but only during the scan (approximately 3 to 4 minutes); any rogues that show up after the scan are not detected. In addition, because the scan is so short, it is possible that some rogues will not be detected because they do not respond with a Probe Request during the active scan. When Radio Monitoring is enabled, the rogue will eventually be detected by the beacon frame; it is statistically possible that a beacon will not be seen during an AP scan.

Note: If you disable Radio Monitoring and do not run AP Radio Scan, no unknown radios (rogue or friendly) will be detected. If you run AP Radio Scan but disable Radio Monitoring, some unknown radios will be detected, but not as many as would be detected if Radio Monitoring was running.

• An 11a-capable client that is associated with an 11g network cannot detect 11a rogues. No matter what the client is capable of supporting, it only searches for rogues that match the band of the AP. Therefore, when a client is associated to a 2.4 GHz AP (b or g), it only detects 2.4 GHz rogues (b or g). When it is associated to a 5 GHz (11a) AP, it only detects 5 GHz (11a) rogues.

• To detect all rogue APs in a network in which several hundred 11g APs have been deployed, you must also deploy 11a APs. Depending on the deployment, however, you might not have to deploy one 11a for each 11g radio. Using scanning-only APs, it is possible to completely cover the area for 11a rogue AP detection using fewer APs.

• A scanning-only AP that has a dual radio (both a and g) can detect all types of rogues (a, b, and g).

• If several rogue APs with similar MAC addresses appear in exactly the same location, there might be only one physical AP.

• If you disable the rogue AP fault detection, only the notification is removed; the rogue AP detection still occurs. The Location Manager still displays all the rogues in the system regardless of the fault detection setting.

• If you delete a rogue and the rogue still exists in the network, WLSE will detect it the next time AP Radio Scan or Radio Monitoring runs. Deleting the rogue will not mark it to be ignored; it is removed from the syst

Hi stschmidt,

Yes, I can detect many rogue APs now. I had enabled the radio scan previously, but not all APs were selected in the Filter AP. Now it is fine after I selected all APs in my organisation to participate in the detection. You have hit the right nail.

Since switch port tracing is not 100% guaranteed and is a best-effort feature, I think I have to depend on the Location Manager in the meantime.

Thanks once again.
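The +/- 1 wired-MAC heuristic described in the original question, written out as an added example (it is not part of the thread and not WLSE's own code) so the "BSSID only" result can be reproduced by hand against a switch MAC address table. The table rows, BSSIDs, function names and the optional wider `max_delta` window are all assumptions made for illustration.

```python
import re

# Constructed sample: rows shaped like a switch MAC address table
# (VLAN, MAC, type, port). All values are made up for illustration.
CAM_TABLE = """\
  10    0200.5e3a.9c40    DYNAMIC     Fa0/12
  10    0200.5e3a.1111    DYNAMIC     Fa0/13
  20    0200.aaa1.0005    DYNAMIC     Fa0/20
  20    0200.bb00.77f0    DYNAMIC     Gi0/1
"""

def mac_to_int(mac):
    """Accept 0200.5e3a.9c41, 02:00:5e:3a:9c:41 or 02-00-...; return a 48-bit int."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return int(digits, 16)

def parse_cam(text):
    """Yield (mac_int, port) for every table row that contains a dotted MAC."""
    row = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b.*\s(\S+)$", re.I)
    for line in text.splitlines():
        m = row.search(line)
        if m:
            yield mac_to_int(m.group(1)), m.group(2)

def candidate_ports(bssid, cam_text, max_delta=1):
    """Ports whose learned MAC is within +/- max_delta of the BSSID and shares
    its OUI (top 24 bits). Sorted closest first; a delta of 0 means the radio
    MAC itself was learned on the wire."""
    target = mac_to_int(bssid)
    hits = []
    for mac, port in parse_cam(cam_text):
        delta = mac - target
        if abs(delta) <= max_delta and mac >> 24 == target >> 24:
            hits.append((port, f"{mac:012x}", delta))
    return sorted(hits, key=lambda h: abs(h[2]))

def trace(bssids, cam_text, max_delta=1):
    """Map each rogue BSSID to its candidate ports; an empty list is a
    'BSSID only' rogue for which the heuristic found no switch port."""
    return {b: candidate_ports(b, cam_text, max_delta) for b in bssids}
```

A wider `max_delta` turns a miss into a candidate port, but the match is weaker evidence and should be confirmed on the switch before acting on it.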
