How to Prevent or Block Rogue APs from Joining Your Wired or Wireless WLANs

Jul 18th, 2009
Hi all, I deployed a WLAN with 1 WLC 4400 and 5 1252AP. I do not see the way to Block Rogue APs from Joining the Wired or Wireless WLANs.

Roman Rodichev Sat, 07/18/2009 - 08:45
There are three parts to this:

1. detect - automatic

2. classify - by default APs are untrusted/unknown, various methods can be configured to classify them as trusted and threat (connected to wired network).

3. over the air contain (aka mitigate) - in 4.x this is manual, in 5.x you can configure auto-containment

First you need to detect. WLC does this automatically out of the box. It listens to the air for unknown APs, clients and ad-hocs. Are you seeing Rogue APs under Monitor > Rogues > Rogue APs?

Next, you can manually classify rogue APs as "known" (internal or external). Starting with 5.0 you can also build rogue rules based on RSSI, SSID, Clients, etc. If an AP is classified as "known" (internal or external), WCS stops alerting you.

Another key classification piece is to detect whether or not the rogue AP is physically connected to your network, which is a high security risk. There are three ways WLC can detect it and none of them is automatic. You must configure these methods manually.

1. Rogue AP Detector, aka ARP sniffing. You have to dedicate one AP as "Rogue Detector" (change AP mode from local to rogue detector). Configure the port the AP is connected to as switchport mode trunk (normally it's switchport mode access). Rogue Detector AP turns off and doesn't use its radios. When WLC detects rogue APs it can also detect the MAC addresses of any clients associated to those rogue APs, and the rogue detector AP simply watches each hardwire trunked VLAN for ARP requests coming from those rogue AP clients. If it sees one, WLC automatically classifies the rogue AP as "threat" indicating that the rogue AP is physically connected to your network. It doesn't actually do anything with the rogue AP, it simply classifies it and alerts you. Also, keep in mind that this method doesn't work if the rogue AP is a Wireless Router, because Wireless Routers NAT and ARP requests don't propagate to the wire.

2. RLDP. Rogue Location Discovery Protocol. This feature is by default turned off and can be enabled under Security > Wireless Protection Policies > Rogue Policies. This feature works only when the rogue SSID is open, meaning that it's not using WEP/WPA/802.1x. When you enable RLDP, your WLC will pick some AP (you can't pick manually) which hears Rogue AP traffic, it will temporarily shut off its radio, turn it into a client, and instruct it to associate to the Rogue AP as client (this is where the requirement comes in for the Rogue SSID to be open authentication). Once associated, AP gets a DHCP IP through Rogue AP, it then sends a special small UDP port 6352 RLDP packet to every possible WLC's IP address (mgmt ip, ap manager ip, dynamic int IPs). If WLC gets one of those packets, it means that rogue AP is physically connected to your network. This method will work when Rogue AP is a Wireless Router. But this method is not recommended. It has an adverse effect on your wireless clients because RLDP AP goes offline for a period of time disconnecting your clients and forcing them to associate to another AP. Also, keep in mind that WLC runs this RLDP process *once* per detected rogue AP. It doesn't periodically do this, it only does it once. In some later WLC versions, you can configure RLDP to run only on "monitor mode" APs, eliminating impact on your clients. Also, you can manually trigger RLDP for a rogue AP from CLI "config rogue ap rldp initiate ". You can "debug dot11 rldp" to see the process.

3. Switchport Tracing (need WCS, and WLC 5.1). This is a later feature that requires WCS. You can add your Catalyst switches to WCS, and WCS will look at CDP information and MAC tables on your switches to detect whether or not Rogue AP is connected to your network. This works with secured and NAT rogues. You can also *manually* instruct WCS to shut down the switchport that Rogue AP is connected to.
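The ARP correlation behind the Rogue Detector method described in the post above, including the NAT blind spot, as an added sketch that is not part of the thread and is not Cisco's implementation. All MAC addresses, VLAN numbers and function names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class RogueAP:
    bssid: str
    ssid: str
    client_macs: set = field(default_factory=set)  # rogue clients heard over the air
    classification: str = "unclassified"

def norm(mac):
    """Normalise MAC notation so over-the-air and wired sightings compare equal."""
    return mac.lower().replace("-", ":")

def classify_by_wired_arp(rogues, wired_arp_requests):
    """Mark a rogue AP as 'threat' when one of its wireless clients is the
    sender of an ARP request seen on a trunked wired VLAN.
    wired_arp_requests: iterable of (vlan, sender_mac).
    Returns {bssid: [(vlan, client_mac), ...]} as evidence for the alert."""
    owner = {norm(m): ap for ap in rogues for m in ap.client_macs}
    evidence = {}
    for vlan, sender in wired_arp_requests:
        ap = owner.get(norm(sender))
        if ap is None:
            continue  # sender is not a known rogue client
        ap.classification = "threat"
        evidence.setdefault(ap.bssid, []).append((vlan, norm(sender)))
    return evidence

def demo():
    # Constructed sample: one bridging rogue AP and one NATing wireless router,
    # both plugged into the wired network.
    bridge = RogueAP("02:00:00:aa:00:01", "bridge-ap", {"02:00:00:cc:00:01"})
    router = RogueAP("02:00:00:aa:00:02", "nat-router", {"02:00:00:cc:00:02"})
    wired_arp = [
        (10, "02-00-00-CC-00-01"),  # bridged client: its own MAC reaches the wire
        (20, "02:00:00:aa:00:03"),  # NAT router: only its WAN MAC ARPs on the wire
        (10, "02:00:00:dd:00:09"),  # unrelated wired host
    ]
    rogues = [bridge, router]
    return rogues, classify_by_wired_arp(rogues, wired_arp)

if __name__ == "__main__":
    rogues, evidence = demo()
    for ap in rogues:
        print(ap.ssid, ap.classification, evidence.get(ap.bssid, []))
```

The NAT router stays "unclassified" even though it is wired in, which is why the post pairs this method with RLDP or switchport tracing.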

afernandez0226 Sat, 07/18/2009 - 09:24
Thanks a lot for this valuable info.

Yes, I see these Rogue APs:

under Unclassified APs:

00:10:7f:13:15:06 ssid Crestron-131506

00:21:29:87:6c:d6 ssid Linksys

under Adhoc Rogues:

00:02:6f:50:7a:4b ssid BSSID 02:06:69:3b:2d:ca

and they are wirelessly connected. On my Catalyst 3560 I do not have any rogue AP connected, just my 5 1252AP

Thanks again for this valuable info. I am really new to WLC 4400 but am hungry to learn.

Roman Rodichev Sat, 07/18/2009 - 08:45
You can also use WCS to show you approximately where the Rogue AP is located on your floor map. You don't need Location or MSE appliance to do this.

There are also a couple of other features to be aware of:

1. WPS > Trusted AP policies. Once the Rogue AP is detected and manually classified as "known" (trusted), you can configure a "Trusted AP policy" forcing WLC to continuously monitor the state of that Rogue AP making sure that it conforms with your policy. For example, you can configure a policy that requires the "known" Rogue APs to have WPA security. If someone changes Rogue AP's SSID security from WPA to open, WLC will detect this change and alert you. You can also configure a policy to make sure that Rogue AP doesn't use your valid WLC's SSIDs. Or you can have it alert you if your trusted Rogue AP suddenly disappears from the network.

2. WPS > Rogue Policies > "Validate rogue clients against AAA". WLC will authenticate rogue client's MAC address against AAA. Basically, you are trying to detect if one of your internal wireless clients (known MAC address) suddenly associates to a rogue AP. I believe that in WLC 4.x this was only for alerting purposes, but in later WLC code you can also force WLC to send a Deauth packet (aka auto-containment) to your valid client, forcing it to disconnect from the Rogue AP.

The final piece to this puzzle is "containment". This is what you were asking about "I do not see the way to Block Rogue APs from joining the wired or wireless WLANs". None of the methods described above automatically shut down the wired port that Rogue AP is connected to. If you use the "switchport tracing" method, WCS will tell you which switch port the Rogue AP is connected to, and you can manually shut it from WCS.

You can also use wireless containment, where up to 4 of your valid nearby APs will send Deauth packets to clients connected to Rogue AP and/or to the Rogue AP itself. In WLC 4.x this is not automatic and must be manually initiated from WLC (Monitor > Rogues > Rogue APs / Clients) or from WCS. You have to consider possible legal issues you could face if you start auto-containing your neighbor's APs/clients. Also you should know that over the air containment carries an adverse effect for client performance on managed APs, because APs are busy sending Deauth packets during auto containment.

In WLC 5.x versions, auto-containment is available. You can configure specific rules on when to auto-contain:

1. You can auto-contain when Rogue AP is detected to be connected to the wired network (through Rogue Detector AP, RLDP, switch port tracing)

2. You can auto-contain when Rogue AP is using your valid SSID. Make sure you are using unique SSIDs that your neighbors wouldn't use

3. You can auto-contain your valid clients connected to Rogue APs. I mentioned this earlier. You will need to have all your valid clients' MAC addresses added to your RADIUS/ACS database.

I haven't been using 5.x as much as 4.x, so if I'm inaccurate on some facts, please correct me.

Leo Laohoo Sun, 07/19/2009 - 01:22
Do you mean "Contain" a Rogue AP/Ad Hoc Rogue or do you want to "Auto Contain"?

By default, Auto Contain is disabled (for legal reasons); however, manual Contain of a rogue wireless appliance can be enabled.

Highlight each of the items you want to Contain. Choose "Malicious" in the first drop-down box and "Contain" in the second box. A third box appears where you specify the maximum number of APs that will perform a round-robin DDOS (aka Contain) of the AP. Maximum is 4 APs.

This process is valid for firmwares before 6.X.

Hope this helps.

