Rogue Detector Access Point

Answered Question
Mar 10th, 2009

If you deploy a Cisco 1242 a/b/g access point as a rogue detector, can this be used for 802.11n wired detection as well?

i.e. will the controller send the MAC addresses of the 802.11n clients and APs?

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml

Correct Answer by Leo Laohoo, Thu, 03/12/2009 - 16:48

The 1250 will "listen" for Rogue APs on both Wired and Air.

I have over 175 APs in four sites. Not one of them is configured as a Rogue detector. But daily, if a new Rogue AP appeared, the WLC/WCS would let me know.

WLC/WCS would also inform me if (and only if) a particular Rogue AP/Client/Ad-Hoc was also plugged into the LAN.

Does this answer your query?

Leo Laohoo Tue, 03/10/2009 - 14:50

Hi Mark,

You mean Rogue on Wire? If so, by default, this option is turned off.

Go to Security -> Wireless Protection Policies -> General

mark.cronin Wed, 03/11/2009 - 04:40

OK Rogue on Wire.

Can the Cisco 1242 be used as a Rogue detector for 802.11n rogue APs and clients?

Will the controller be able to use 1250s in local mode and 1242s in rogue detector mode to detect rogue-on-wire 802.11n clients/APs?

Mark

Leo Laohoo Wed, 03/11/2009 - 14:34

Mark,

You don't need to do this (enable Rogue Detector). By default, all APs will detect rogue APs automatically.

APs by default "can" contain a rogue AP, client or ad-hoc rogue.

Because a 1242 is an A/B/G only, it won't be able to detect any Draft N 2.0 signal.

Is this what you are looking for?

mark.cronin Thu, 03/12/2009 - 02:07

Not exactly.

The question:

If the Cisco 1242 A/B/G access point is connected to the network and configured as a Rogue detector (radio switched off, just listening to layer 2 traffic on the wired network), can it be used with 1250s in local mode to detect 802.11n greenfield rogue APs connected to the wired network?

1242 listening on the wired network

1250 listening over the Air

Controller looking at the ARP tables of both and working out if rogues are connected to the network.

Mark


mark.cronin Fri, 03/13/2009 - 02:18

OK.

To confirm: LWAPs configured in Local mode monitor the wired network?

Mark

Amjad Abdullah Wed, 03/21/2012 - 04:14

Mark and Leo:

AFAIK the idea behind the rogue detector APs is to be connected to a trunk so it catches all VLANs' data and detects an AP connected to whatever VLAN is allowed on the detector AP's trunk.

If an AP is not a rogue detector (Local, HREAP or even bridge mode) it will not be able to detect rogue APs on the wired side on the same VLAN. It only detects the rogue over wireless (the wireless signal that it listens to).

As in Mark's scenario: the rogue detector is a 1242 and the local AP is a 1252. The rogue detector does not care about wireless. The BRAIN of the process is the WLC. The WLC has a list of all rogue APs detected (by normal APs [local, HREAP, etc.]). Then the WLC instructs the rogue detector AP to try to find the MAC addresses of the rogue APs on the wired side. The rogue detector AP gets the order and tries to do ARP requests on all VLANs for the MAC addresses provided by the WLC, to see if those are on the wired network or not. If they are found on the wired network, an alarm will be sent to the WLC about this.

'''snip'''

Passive Operation:

This approach is used when rogue AP has some form of authentication, either WEP or WPA. When a form of authentication is configured on rogue AP, the Lightweight AP cannot associate because it does not know the key configured on the rogue AP. The process begins with the controller when it passes on the list of rogue client MAC addresses to an AP that is configured as a rogue detector. The rogue detector scans all connected and configured subnets for ARP requests, and ARP searches for a matching Layer 2 address. If a match is discovered, the controller notifies the network administrator that a rogue is detected on the wired subnet.

'''snip'''

Reference:

http://tiny.cc/repibw

So I would answer Mark's question with "Yes". Your 1242 rogue detector APs will be able to detect 802.11n rogues on the WIRED side if those rogues are reported to the WLC by some other APs that have 802.11n capability.

HTH

Amjad
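The correlation Amjad describes (monitoring APs report rogue BSSIDs over the air, the WLC hands that list to the rogue detector AP, the detector checks ARP traffic on every VLAN of its trunk for those MACs) can be modelled as a small simulation. The code below is an added example written for this thread, not Cisco WLC code: the log-line formats, AP names, VLANs and MAC addresses are all constructed, and the optional `tolerance` window (matching wired MACs numerically close to a BSSID) is an assumption about how a real detector might widen the match, not something the thread states; the default of 0 reproduces the exact-match behaviour quoted from the Cisco document.

```python
"""Constructed simulation of WLC-driven rogue-on-wire detection (added example).

A radio-less detector never needs 802.11n capability: it only searches the wire
for MAC addresses that some other AP already reported over the air.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed: rogue BSSIDs reported over the air by monitoring (local-mode) APs.
AIR_REPORTS = [
    "ap=AP1250-lobby bssid=00:1a:2b:3c:4d:5e mode=802.11n band=5GHz",
    "ap=AP1250-lobby bssid=00:1A:2B:3C:4D:70 mode=802.11n band=2.4GHz",
    "ap=AP1242-floor2 bssid=000c.41aa.bbcc mode=802.11g band=2.4GHz",
]

# Constructed: ARP traffic the rogue detector AP sees on its trunk, per VLAN.
ARP_SEEN = [
    "vlan=10 ip=10.0.10.55 mac=00:1a:2b:3c:4d:5e",  # exact match for an 802.11n rogue
    "vlan=20 ip=10.0.20.9 mac=00:1a:2b:3c:4d:71",   # one higher than the second rogue's BSSID
    "vlan=10 ip=10.0.10.1 mac=00:00:0c:07:ac:0a",   # legitimate gateway, never on the rogue list
]


def normalize_mac(mac: str) -> str:
    """Accept colon, dash or Cisco dotted notation; return lower-case colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_to_int(mac: str) -> int:
    return int(normalize_mac(mac).replace(":", ""), 16)


def parse_kv(line: str) -> Dict[str, str]:
    """Parse 'key=value key=value' lines (constructed log format)."""
    return dict(tok.split("=", 1) for tok in line.split())


@dataclass(frozen=True)
class Rogue:
    bssid: str        # normalized
    mode: str
    band: str
    reported_by: str  # AP that heard it over the air


def rogues_from_air(lines: List[str]) -> List[Rogue]:
    """Build the WLC's rogue list from over-the-air reports."""
    rogues = []
    for line in lines:
        kv = parse_kv(line)
        rogues.append(Rogue(normalize_mac(kv["bssid"]), kv["mode"], kv["band"], kv["ap"]))
    return rogues


def wired_table(lines: List[str]) -> Dict[str, Set[int]]:
    """Map each MAC seen in ARP traffic on the detector's trunk to the VLANs it appeared on."""
    table: Dict[str, Set[int]] = {}
    for line in lines:
        kv = parse_kv(line)
        table.setdefault(normalize_mac(kv["mac"]), set()).add(int(kv["vlan"]))
    return table


def rogue_on_wire(rogues: List[Rogue], wired: Dict[str, Set[int]],
                  tolerance: int = 0) -> List[Tuple[str, str, int]]:
    """Return (bssid, wired_mac, vlan) for every WLC-listed rogue found on the wire.

    tolerance=0 is the exact Layer 2 match described in the thread; a larger
    value (assumption, not from the thread) also matches numerically nearby MACs.
    """
    hits = []
    for rogue in rogues:
        base = mac_to_int(rogue.bssid)
        for mac, vlans in wired.items():
            if abs(mac_to_int(mac) - base) <= tolerance:
                for vlan in sorted(vlans):
                    hits.append((rogue.bssid, mac, vlan))
    return hits


if __name__ == "__main__":
    rogue_list = rogues_from_air(AIR_REPORTS)
    for bssid, mac, vlan in rogue_on_wire(rogue_list, wired_table(ARP_SEEN)):
        who = next(r.reported_by for r in rogue_list if r.bssid == bssid)
        print(f"ROGUE ON WIRE: {bssid} ({who} heard it) seen as {mac} on VLAN {vlan}")
```

With exact matching only the first rogue is flagged, and it is flagged even though the detector itself has no 802.11n radio, because the 1250 supplied the BSSID. The gateway MAC on VLAN 10 is never examined: the detector only looks for what the WLC told it to look for, which is why rogues nobody hears over the air are invisible to this mechanism.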
