"On wired Rogue" not on wire

krauskopf.p · ‎11-04-2007

Actually I have the following X-File: Since several firmware releases our 4404 WLCs report two Rogue APs as on our network. But they are definetively not on our LAN. They are in neighbour buildings but they belong not to our university. The buildings are not LAN connected.

Has anyone an possible explanation/theory for this?

p.k.

dennischolmes · ‎11-05-2007

If RLDP is showing them as on your LAN then some way or another they are on your LAN is my suspicion. They may be bridged in someway but the methodolgy for locating on wire rogues is for a good AP on your network to send a ping to itself through the airwaves to the rogue AP. If the good AP recieves the ping back on its cable ethernet port then it assumes the rogue is physically connected to your network. If the APs are bridging traffic I could see where the ping could make it back but I would ask the owner of the AP to let you know how it is being used. Remember, ask nicely. LOL

krauskopf.p · ‎11-05-2007

There is a street and respectively a railway track between our buildings and the other two.

I thought maybe the users of the other APs are connected to our LAN via VPN but that is also not the case.

dennischolmes · ‎11-05-2007

If you are absolutely sure there is no physical connection or wireless bridging taking place, I would call TAC.

johnruffing · ‎12-24-2007

Keep in mind that the way that the controller detects if a rogue AP is on the network is that it pings its own IP address. It may be that, by coincidence, there is a device with the same IP address as the controller on the neighboring network.

I do not believe that the controller is able to tell if it sent the response to this ping or not.

Hope this helps,

- John

(Please remember to rate helpful posts)

scottmac · ‎12-25-2007

Is there any possibility that someone has an unknown bridge connecting the two locations?

If the WLC saw traffic on the wire from a source it doesn't know about (like through a back-door bridge) it assumes it is a wired peer.

It might be worth a walkabout with a laptop running NetStumbler or other analyzer to see it you are "sharing" your LAN ... it is not out of the realm of possibility that they are stealing your signal (or someone is intentionally allowing them access).

I'd pay close attention to rooms with windows facing the other buildings, and the roofline.

Good Luck

Scott

johnruffing · ‎12-26-2007

Scott raises an interesting point.

It is possible for Windows-based laptops to permit their wireless connection to be shared with other users. This can result in a layer 2 bridging by the laptop itself between your wired and wireless networks. This is often the result of a misconfigured NIC on the access point. If you can narrow down which machine has this MAC, it could get you a lot farther.

Alternately, if you are hunting an adhoc rogue, in theory, if you could connect to it with a wireless laptop you could perform a network discovery to see what is out there.

Of course, you will want to consider any legal ramifications prior to attempting to do this if it turns out that this rogue equipment is not on your network.

- John

(Please remember to rate helpful posts)