Rogue Detector Access Point

Mar 10th, 2009

If you deploy a Cisco 1242 a/b/g access point as a rogue detector, can this be used for 802.11n wired detection as well?

i.e. Will the controller send the MAC addresses of the 802.11n clients and APs?


http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml




Leo Laohoo Tue, 03/10/2009 - 14:50

Hi Mark,

You mean Rogue on Wire? If so, by default, this option is turned off.


Go to Security -> Wireless Protection Policies -> General

mark.cronin Wed, 03/11/2009 - 04:40

OK, Rogue on Wire.

Can the Cisco 1242 be used as a rogue detector for 802.11n rogue APs and clients?

Will the controller be able to use 1250s in local mode and 1242s in rogue detector mode to detect rogue-on-wire 802.11n clients/APs?


Mark

Leo Laohoo Wed, 03/11/2009 - 14:34

Mark,

You don't need to do this (enable Rogue Detector). By default, all APs will detect rogue APs automatically.

APs by default "can" contain a rogue AP, client or ad-hoc rogue.

Because a 1242 is A/B/G only, it won't be able to detect any Draft N 2.0 signal.


Is this what you are looking for?

mark.cronin Thu, 03/12/2009 - 02:07

Not exactly.

The question:

If the Cisco 1242 A/B/G access point is connected to the network and configured as a rogue detector (radio switched off, just listening to Layer 2 traffic on the wired network), can it be used with 1250s in local mode to detect 802.11n greenfield rogue APs connected to the wired network?


1242 listening on the wired network


1250 listening over the Air


Controller looking at the ARP tables of both and working out if rogues are connected to the network.


Mark

Correct Answer
Leo Laohoo Thu, 03/12/2009 - 16:48

The 1250 will "listen" for Rogue AP on both Wired and Air.


I have over 175 APs in four sites. Not one of them is configured as a rogue detector. But daily, if a new rogue AP appears, the WLC/WCS lets me know.


WLC/WCS would also inform me if (and only if), a particular Rogue AP/Client/Ad-Hoc was also plugged into the LAN.


Does this answer your query?

mark.cronin Fri, 03/13/2009 - 02:18

OK.

To confirm: LWAPs configured in Local mode monitor the wired network?


Mark

Leo Laohoo Sun, 03/15/2009 - 14:19

Thanks for the ratings Mark.

Amjad Abdullah Wed, 03/21/2012 - 04:14

Mark and Leo:


AFAIK the idea behind the rogue detector APs is to be connected to a trunk so it catches all VLANs' data and detects an AP connected to whatever VLAN is allowed on the detector AP's trunk.

If an AP is not a rogue detector (Local, HREAP or even bridge mode) it will not be able to detect rogue APs on the wired side on the same VLAN. It only detects the rogue over wireless (the wireless signal that it listens to).

As in Mark's scenario: the rogue detector is a 1242 and the local AP is a 1252. The rogue detector does not care about wireless; the BRAIN of the process is the WLC. The WLC has a list of all rogue APs detected (by normal APs [local, HREAP, etc.]). Then the WLC instructs the rogue detector AP to try to find the MAC addresses of the rogue APs on the wired side. The rogue-detector AP gets the order and tries to do ARP requests on all VLANs for the MAC addresses provided by the WLC, to see if those are on the wired network or not. If they are found on the wired network an alarm will be sent to the WLC about this.



'''snip'''

Passive Operation:

This approach is used when rogue AP has some form of authentication, either WEP or WPA. When a form of authentication is configured on rogue AP, the Lightweight AP cannot associate because it does not know the key configured on the rogue AP. The process begins with the controller when it passes on the list of rogue client MAC addresses to an AP that is configured as a rogue detector. The rogue detector scans all connected and configured subnets for ARP requests, and ARP searches for a matching Layer 2 address. If a match is discovered, the controller notifies the network administrator that a rogue is detected on the wired subnet.


'''snip'''


Reference:

http://tiny.cc/repibw


So I would answer Mark's question with "Yes": your 1242 rogue detector APs will be able to detect 802.11n rogues on the WIRED side if those rogues are reported to the WLC by some other APs that have 802.11n capability.


HTH


Amjad
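The two-stage process Amjad describes above (air-side rogue list built by local-mode APs, handed by the WLC to a radio-off rogue detector that ARPs for each MAC on every trunked VLAN) modelled as a small simulation. This is an added example, not Cisco code or anything from the thread; the AP names, MACs and VLAN numbers are constructed, and a table of ARP replies stands in for the live ARP requests the detector would send.

```python
"""Model of the rogue-on-wire correlation the thread describes: local-mode APs
report rogue MACs heard over the air, the WLC hands that list to the
rogue-detector AP, which ARPs for each MAC on every trunked VLAN and reports
Layer 2 matches. Constructed example, not Cisco code; ARP replies are a table."""
from dataclasses import dataclass

@dataclass
class RogueReport:
    mac: str      # BSSID or client MAC heard over the air
    kind: str     # "ap", "client" or "adhoc"
    seen_by: str  # reporting AP (assumed label)
    radio: str    # what it was heard as, e.g. "802.11n"

def normalise(mac: str) -> str:
    """Accept aa:bb:..., aa-bb-..., aabb.ccdd.eeff; return lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def wlc_rogue_list(reports):
    """WLC side: dedupe air-detected rogues by MAC, keeping every report."""
    rogues = {}
    for r in reports:
        rogues.setdefault(normalise(r.mac), []).append(r)
    return rogues

def detector_arp_scan(rogue_macs, arp_replies_by_vlan):
    """Detector side: exact Layer 2 match of each handed-over MAC, per VLAN."""
    on_wire = {}
    for vlan, replies in arp_replies_by_vlan.items():
        wired = {normalise(m) for m in replies}
        for mac in rogue_macs:
            if mac in wired:
                on_wire.setdefault(mac, set()).add(vlan)
    return on_wire

def rogue_on_wire_alarms(reports, arp_replies_by_vlan):
    """(mac, vlans, kind) for every air-detected rogue also seen on the wire."""
    rogues = wlc_rogue_list(reports)
    found = detector_arp_scan(rogues, arp_replies_by_vlan)
    return sorted((m, sorted(v), rogues[m][0].kind) for m, v in found.items())

# Constructed data: 1250s in local mode heard an 802.11n rogue AP (reported twice)
# and a client; the 1242 rogue detector's ARP sweep of its trunk VLANs saw these.
REPORTS = [RogueReport("001A.2B3C.4D5E", "ap", "AP1250-lobby", "802.11n"),
           RogueReport("00:1a:2b:3c:4d:5e", "ap", "AP1250-floor2", "802.11n"),
           RogueReport("00-11-22-33-44-55", "client", "AP1250-lobby", "802.11n")]
ARP_BY_VLAN = {10: ["00:1a:2b:3c:4d:5e", "00:0c:29:aa:bb:cc"], 20: ["00:0c:29:11:22:33"]}
```

Calling `rogue_on_wire_alarms(REPORTS, ARP_BY_VLAN)` flags only the rogue AP (on VLAN 10); the client heard over the air but absent from every VLAN's ARP replies stays an air-only rogue, which is the "if (and only if)" distinction Leo made earlier.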
