Rogue AP: Question

Answered Question
Dec 30th, 2009

I need a bit of info with the below topics.


Q1. What is a Rogue AP?


Q2. WLC 4400 is detecting a number of rogue access points from neighboring buildings. How should the WLC 4400 deal with these rogue access points?


Q3. Can the WLC 4400 block these access points from broadcasting their SSIDs into our air space?


Regards,

Colm

Stephen Rodriguez Wed, 12/30/2009 - 11:05

Q1. What is a Rogue AP?


     A Rogue is an AP that we can hear, that is not part of the RF Group.  Rogue on the Wire is an AP that is not part of our RF Group, and is found in ARP on the LAN.


Q2. WLC 4400 is detecting a number of rogue access points from neighboring buildings. How should the WLC 4400 deal with these rogue access points?


     WLC should alert you that there are other APs out there that can be heard, by default.


Q3. Can the WLC 4400 block these access points from broadcasting their SSIDs into our air space?


     Yes, BUT!  There can be legal repercussions from "containing" these rogues. Best bet is to find out who owns them and work with them to get the power lowered.

colmgrier Wed, 12/30/2009 - 12:18

Thanks Steve for great feedback.


How does the WLC 4400 block or contain these rogue access points? Can you explain the below options?


Class Type:


unclassified

friendly

malicious


Update Status:


Contain

Alert




Q3. Can the WLC 4400 block these access points from broadcasting their SSIDs into our air space?


     Yes, BUT!  There can be legal repercussions from "containing" these rogues. Best bet is to find out who owns them and work with them to get the power lowered.


Regards,

Colm

Correct Answer
Stephen Rodriguez Wed, 12/30/2009 - 12:25

For the Classes, you have the ability to define what criteria must be met for a rogue to be called friendly or malicious.  Under the Security tab > Wireless Protection Policy, Rogue Policies, Rogue Rules.



Class Type:


unclassified  <---  AP detected but not matching any policy

friendly  <---  AP matches the criteria of a friendly AP

malicious <--- AP matches the criteria of a malicious AP


Update Status:


Contain  <---  Contain the AP, uses our own AP to spoof the AP to get the clients to join "us" instead of "them". Once again, you need to be real careful with this, as if you are containing your neighbors, there can be repercussions

Alert  <-- Just a message saying there is a rogue

colmgrier Wed, 12/30/2009 - 12:31

Thanks Steve.


If you contain a rogue access point, what happens to this access point?

colmgrier Wed, 12/30/2009 - 12:55

If you contain an AP, does this disable the AP for all clients in the shared airspace or all airspace?

George Stefanick Wed, 12/30/2009 - 14:14

Only clients that are within range of your access point that is containing the rogue will be deauthenticated.

Leo Laohoo Wed, 12/30/2009 - 14:32

I'd be very careful trying to contain Rogue APs/Clients because you and/or your company can be brought to court.


I have, on several occasions, successfully done so because I made sure the Rogue AP and/or clients were physically found INSIDE our company's premises.  When the offenders raised a trouble ticket (after buying three APs) we confronted them (with cricket bat!). They initially denied it, but I gave them the facts:  AP's manufacturer, the SSID, no encryption (duh!), the clients associated to the AP. They meekly admitted it and pulled down their "cowboy" network lest I report them to the CIO.


Otherwise, if the signals are coming from OUTSIDE the premises, I have little choice but to ignore them.
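
The classification and status options discussed in this thread, sketched as an added example that is not part of the original posts and is not Cisco's code. The rule criteria, rule names, SSIDs and BSSIDs are hypothetical and constructed for illustration. The sketch proposes Contain only for a rogue that is also seen on the wired LAN, mirroring the caution voiced in the replies.

```python
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Rogue:
    bssid: str
    ssid: str
    rssi_dbm: int    # signal strength heard by our nearest AP
    encrypted: bool
    on_wire: bool    # found in ARP on our LAN ("Rogue on the Wire")

@dataclass(frozen=True)
class Rule:
    name: str
    class_type: str  # "friendly" or "malicious"
    matches: Callable[[Rogue], bool]

NEIGHBOUR_BSSIDS = {"02:00:00:aa:bb:01"}  # constructed: owner next door identified
OUR_SSIDS = {"corp-wlan"}                 # constructed

# Hypothetical rule set, evaluated top-down; the first matching rule wins.
RULES = [
    Rule("known-neighbour", "friendly", lambda r: r.bssid in NEIGHBOUR_BSSIDS),
    Rule("on-our-lan", "malicious", lambda r: r.on_wire),
    Rule("uses-our-ssid", "malicious", lambda r: r.ssid in OUR_SSIDS),
    Rule("strong-and-open", "malicious",
         lambda r: r.rssi_dbm >= -60 and not r.encrypted),
]

def classify(rogue: Rogue) -> tuple[str, Optional[str]]:
    """Return (class type, matching rule name); no match means unclassified."""
    for rule in RULES:
        if rule.matches(rogue):
            return rule.class_type, rule.name
    return "unclassified", None

def update_status(rogue: Rogue) -> str:
    """Propose Contain only for a malicious rogue on our own wire; else Alert."""
    class_type, _ = classify(rogue)
    if class_type == "malicious" and rogue.on_wire:
        return "Contain"  # a proposal for a person to confirm, not an action
    return "Alert"

SAMPLE = [  # constructed detections
    Rogue("02:00:00:aa:bb:01", "cafe-guest", -78, True, False),
    Rogue("02:00:00:aa:bb:02", "linksys", -48, False, True),
    Rogue("02:00:00:aa:bb:03", "corp-wlan", -70, True, False),
    Rogue("02:00:00:aa:bb:04", "printer-setup", -85, False, False),
]

def triage(rogues):
    return [(r.bssid, classify(r)[0], update_status(r)) for r in rogues]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row)
```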
