I'm really battling to make sense of the available deployment advice for selecting between local, monitor, rogue (and to some degree also sniffer) modes as they relate to security functionality. Can anyone provide guidance or experiences?
Local vs. Monitor mode:
In the WLC Configuration Guide's section entitled "Enabling Rogue Access Point Detection" it specifies that Local or Monitor mode should be selected and ap-authentication enabled in order to achieve rogue access point detection. That's all good if you're using AP auth, but...
This means that MFP can't be used as they're mutually exclusive features (for some unknown reason). So in an MFP-enabled environment there would seem to be little point to Monitor mode, since Local mode APs can do pretty much the same thing (plus also do RLDP, which monitor mode APs can't do).
What else can Monitor mode do that might make it worthwhile to invest in additional monitor-only APs? Is it possibly...
- because they're less susceptible to DoS attacks?
- for performance gain (they can scan through the channels quicker, for example)?
- to extend your rogue detection range without extending your WLAN coverage area?
Rogue Detector mode:
The Configuration Guide says:
"In this mode, the access point radio is turned off, and the access point listens to wired traffic only. The controllers that operate in this mode monitor the rogue access points. The controller sends all the rogue access point and client MAC address lists to the rogue detector, and the rogue detector forwards this information to the WLC. The MAC address list is compared to what the WLC access points heard over the network. If the MAC addresses match, you can determine which rogue access points are connected on the wired network."
Now maybe it's just me, but the above paragraph makes absolutely no sense!!! I think they mean that the WLC sends MAC lists to the rogue detector AP, which sniffs for those MACs in order to figure out which are also being seen on the wired network. That's also a bit weird for 2 reasons:
1) A rogue AP wouldn't spill its wireless NIC's MAC address onto the wired network, as far as I can imagine. The addresses of clients connected via the rogue AP might make their way onto the wired network, and the rogue detector might be able to infer from the wireless communication that the AP is therefore also connected to the wired network. If this is the case, then how does the CUWN solution notify differently from the case when a rogue is detected only wirelessly?
2) If the rogue AP is connected to a switched network, where on the network would one place the rogue detector, since the rogues' MAC addresses wouldn't make it beyond the access switch?
Can anyone clarify, or has anyone successfully deployed rogue detector APs?
And then there's Sniffer mode. It forwards packets to Airopeek - makes sense, and I suppose that could be useful if you couldn't afford to buy an antenna for your Airopeek or if the problem is occurring at a location across town. Has anyone found use in running APs in this mode? How does it differ from enabling Mirroring on an AP or client?
Does anyone have any insights on the AP modes or know of any *decent* documentation regarding deployment recommendations for the 6 AP modes? Even something like a simple comparison table of the functional differences would be great. I have honestly searched cisco.com and the product documentation without finding anything terribly useful.
Also, a question that has been raised before on this forum without any satisfactory response: When is it appropriate to use AP Auth vs. using MFP?
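As an added illustration (not part of the post, and not Cisco's implementation) of the wired/wireless MAC correlation the quoted Configuration Guide paragraph describes, including the poster's point 1 that a rogue is more likely to betray itself on the wire through its bridged clients than through its own BSSID. It assumes the rogue detector reports source MACs it sees on its wired port (ARP broadcasts here) and that the WLC supplies each rogue BSSID with the client MACs heard associating to it; all sample data is constructed.

```python
# Added example, not Cisco code: correlate rogue BSSIDs/clients heard over the
# air with MACs a rogue-detector port sees on the wire. Assumes the detector
# reports wired source MACs and the WLC reports rogue BSSIDs plus their clients.
from dataclasses import dataclass, field

@dataclass
class RogueAp:
    bssid: str                                   # MAC advertised over the air
    clients: set = field(default_factory=set)    # client MACs heard wirelessly

def norm(mac: str) -> str:
    """Normalise a MAC to aa:bb:cc:dd:ee:ff (accepts Cisco aaaa.bbbb.cccc too)."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def wired_macs_from_arp(lines):
    """Source MACs from constructed 'src -> dst ARP ...' lines seen on the wire."""
    return {norm(line.split()[0]) for line in lines if " ARP " in line}

def classify_rogues(rogues, wired_macs):
    """Map each rogue BSSID to a verdict: on the wire if its BSSID appears there,
    or if a client that associated to it later shows up on the wire (bridging)."""
    wired = {norm(m) for m in wired_macs}
    verdicts = {}
    for ap in rogues:
        bssid = norm(ap.bssid)
        if bssid in wired:
            verdicts[bssid] = "on-wire:bssid"
        elif {norm(c) for c in ap.clients} & wired:
            verdicts[bssid] = "on-wire:client"
        else:
            verdicts[bssid] = "wireless-only"   # only ever heard over the air
    return verdicts

# Constructed sample input: what the detector port and the WLC might report.
ARP_LOG = [
    "aa:bb:cc:dd:ee:01 -> ff:ff:ff:ff:ff:ff ARP who-has 10.0.0.5 tell 10.0.0.21",
    "0013.3710.abcd -> ff:ff:ff:ff:ff:ff ARP who-has 10.0.0.1 tell 10.0.0.77",
    "00:50:56:aa:bb:cc -> 00:50:56:11:22:33 IP 10.0.0.9 > 10.0.0.10",
]
ROGUES = [
    RogueAp("00:1a:2b:3c:4d:5e", {"aa:bb:cc:dd:ee:01"}),   # client leaks onto wire
    RogueAp("0013.3710.ABCD"),                             # BSSID itself on wire
    RogueAp("66:77:88:99:aa:bb", {"aa:bb:cc:dd:ee:02"}),   # heard over the air only
]

print(classify_rogues(ROGUES, wired_macs_from_arp(ARP_LOG)))
```

The detector only learns MACs that reach its own port, which is the poster's point 2: on a switched network it sees broadcasts such as ARP from its VLAN, not unicast traffic behind another access switch.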