cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
26187
Views
5
Helpful
9
Replies

Rogue AP: Question

colmgrier
Level 1
Level 1

I need a bit of info with the below topics.

Q1. What is a Rogue AP?

Q2. WLC 4400 is detecting a number of rogue access points from neighboring buildings. How should the WLC 4400 deal with these rogue access points?

Q3. Can the WLC 4400 block these accees points from broadcasting their SSID's into our air space?

Regards,

Colm

1 Accepted Solution

Accepted Solutions

For the Clases, you have the ability to define what criteria must be met for a roge to be called friendly or malicious.  Under the Security tab > Wireless Protection Policy, Rogue Policies, Rogue Rules.

Class Type:

unclassified  <---  AP detected but not matching any policy

friendly  <---  AP matches the criteria of a friendly AP

malicious <--- AP matches the criteria of a malicious AP

Update Status:

Contain <--Contain the AP, uses our own AP to spoof the AP to get the clients to join "us" instead of "them" , once again, you need to be real careful with this, as if you are containing your neighbors, there can be reprocussions

Alert  <-- Just a message saying there is a rogue

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

9 Replies 9

Stephen Rodriguez
Cisco Employee
Cisco Employee

Q1. What is a Rogue AP?

     A Rogue is an AP that we can hear, that is not part of the RF Group.  Rogue on the Wire is an AP that is not part of our RF Group, and is found in ARP on the LAN.

Q2. WLC 4400 is detecting a number of rogue access points from neighboring buildings. How should the WLC 4400 deal with these rogue access points?

     WLC should alert you that there are other AP's out there that can be heard, by default.

Q3. Can the WLC 4400 block these accees points from broadcasting their SSID's into our air space?

     Yes, BUT!  There can be legal reprocutions from "containing" these rogues. Best bet, is to find out who owns them and work with them to get the power lowered.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Thanks Steve for great feedback.

How do the WLC 4400 block or contain these rougue access points. Can you explain the below options.

Class Type:

unclassified

friendly

malicious

Update Status:

Contain

Alert

Q3. Can the WLC 4400 block these accees points from broadcasting their SSID's into our air space?

     Yes, BUT!  There can be legal reprocutions from "containing" these rogues. Best bet, is to find out who owns them and work with them to get the power lowered.

Regards,

Colm

For the Clases, you have the ability to define what criteria must be met for a roge to be called friendly or malicious.  Under the Security tab > Wireless Protection Policy, Rogue Policies, Rogue Rules.

Class Type:

unclassified  <---  AP detected but not matching any policy

friendly  <---  AP matches the criteria of a friendly AP

malicious <--- AP matches the criteria of a malicious AP

Update Status:

Contain <--Contain the AP, uses our own AP to spoof the AP to get the clients to join "us" instead of "them" , once again, you need to be real careful with this, as if you are containing your neighbors, there can be reprocussions

Alert  <-- Just a message saying there is a rogue

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Thanks Steve.

If you contain a rougue access point. That happens this access point?

yes.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

If you contain an AP, does this disable the AP for all clients in the shared airspace or all airspace?

Only clients that are within range of your access point that is containing the rogue will be deauthenicated.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Leo Laohoo
Hall of Fame
Hall of Fame

I'd be very careful trying to contain Rogue APs/Clients because you and/or your company can be brought to court.

I have, in several occasions, successfully done so because I made sure the Rogue AP and/or clients were physically found INSIDE our company's premises.  When the offenders raised a trouble ticket (after buying three APs) we confronted them (with cricket bat!) they initially denied but I gave them the facts:  AP's manufacturer, the SSID, no encryption (duh!), the clients associated to the AP, they meekly admitted and pulled down their "cowboy" network lest I report them to the CIO.

Otherwise, if the signals are coming from OUTSIDE the premises, I have little choice but ignore them.

lesboyce911
Level 1
Level 1

Can you please let us know how it was resolved? When implementing policy do the Rogues disappear? Will it help performance of legitimate AP's? 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: