Alerting of "Malicious" Rogue APs

Unanswered Question
Sep 29th, 2010

Hi,


In WCS, I see that we can set a severity level for rogue APs, which is minor by default.  What I'd like to do is set APs classified as Malicious Rogues (based on the rogue policies) to have a different severity -- critical to be specific.  The goal here is to have an email trigger based on rogue AP detection, but only for those classified as malicious.  How do I accomplish this?


I'm running WCS 7.0, w/ a WLC 4404 on 6.0 code.


Thanks,

David Swafford, Network Engineer, CareSource

Cisco Certified Network Professional  |  Cisco NAC Specialist  |  EC-Council Certified Ethical Hacker

bbxie Thu, 09/30/2010 - 22:26

In WCS7.0.98, under Administration-->Setting-->Severity Configuration, only 3 Alarm conditions had been listed under Rogue AP Alarm Category:

1. Rogue detected on the network

2. Rogue detected

3. Rogue detected contained

There's no Alarm condition for malicious rogue AP, so you can't use malicious Rogue AP as a condition of the Rogue AP Alarm Category and change its severity level to critical. While you configure Email Notification under Monitoring-->Alarm, you can only select Rogue AP as Alarm Category and critical as Severity Level. So based on that, I don't think it can be achieved in the current version; you probably need to open a TAC case and will probably be told to contact Cisco's account team to go through the Product Enhancement Request process.

petersene1 Tue, 11/16/2010 - 09:42

Sounds like we have the exact same issue.  We can create rules/policies that will put the alarms in the Malicious category, but not send emails on just those.


Emails get sent out on all rogues though but can select just Critical and Major, excluding minor.  So since we are not receiving any Critical or Major alarms, I tried to find a change in Severity Configuration for these alarms but was unable.

For now it looks like we're going to have to manually check the alarms in the Malicious category.  But this raises concerns such as rogues that are not detected immediately while users attempt to connect to a malicious AP with our SSID, and also ones that aren't up when we check, so they are cleared and not showing in the list when we look.

I'll be putting in a TAC case as well.

rsreeves1 Thu, 11/18/2010 - 10:53

A possible alternative solution would be to have WCS send SNMP traps to a 3rd-party monitoring system, which could be configured to trigger an alert if it receives a notification indicating a new rogue AP has been detected and classified as malicious.  This is from the WCS MIB file:



cWNotificationSpecialAttributes OBJECT-TYPE
    SYNTAX          OCTET STRING (SIZE  (1..1024))
    MAX-ACCESS      read-only
    STATUS          current
    DESCRIPTION
        "This object represents the specialized attributes required
        to describe the network condition identified by
        cWNotificationType. These include SNR, RSSI, channel information
        etc. This value is formatted as 'name=value' pairs in CSV
        format. For example, rogueAP Alert's special attributes are sent
        as 'detectingAPRadioType=a0,YCoordinate=0, state=11,
        rogueApType=0, spt Status=0, ssId=wpspsk, on80211A=0,
        numOfDetectingAps=0, on80211B=1, XCoordinate=0,
        classificationType=3, channelNumber=6, containmentLevel=0,
        rssi=-51, rogueApMacAddr=00:1b:2b:35:6a:f3, onNetwork=0, total
        RogueClients=0'. This string can be parsed to get different
        name-value pairs."
    ::= { cwNotificationHistoryEntry 12 }


I haven't actually gotten around to trying this yet.  Hopefully I'll have time during the holiday season.  If anyone else gets it to work in the meantime, let me know!

bbxie Thu, 11/18/2010 - 14:42

Hi rsreeves1,

I have read this MIB previously, however I couldn't find the attribute for Malicious and Friendly rogue under rogue alert. Do you know where we can find the detailed definition of rogueAP Alert under cWNotificationSpecialAttributes? I noticed in the example it says "classificationType=3"; is it only used to identify rogue, or is there another classificationType value that can represent Malicious rogue and Friendly rogue?

Actually I had opened TAC case for it, and yesterday TAC just gave me a confirmation that:

1.       It is not possible to define alarm condition for friendly and malicious in WCS, so can’t filter it in the packets sent from WCS to HPOVO(configured as the notification receiver in WCS)

2.       In the trap alarms packets sent from WCS to HPOVO, there’s no varbind defining malicious rogue and friendly rogue, so can’t use it as a condition to filter in the HPOVO


And TAC will inform Cisco WNBU about future changes in this context.
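The two posts above hinge on whether a receiver can pick the classification out of the trap. The following added example (written for this thread, not code from Cisco, WCS, or any poster) shows the parsing half of rsreeves1's idea: it splits the cWNotificationSpecialAttributes 'name=value' CSV string into a dictionary and routes the notification on the raw classificationType value. Because the thread does not establish which classificationType values, if any, mean Malicious or Friendly, the set of values that should alert is a parameter the operator supplies after confirming the encoding; the `{"3"}` used in the demo is a placeholder, not a documented meaning. The sample string is the one quoted in the MIB DESCRIPTION, with the line wrap removed.

```python
"""Parse WCS cWNotificationSpecialAttributes strings and route on classification.

Added example for the thread above; not part of WCS or any poster's code.
"""

# Constructed sample: the example string quoted in the MIB DESCRIPTION,
# with the 'total RogueClients' line wrap joined back into one key.
SAMPLE_ATTRS = (
    "detectingAPRadioType=a0,YCoordinate=0, state=11, rogueApType=0, "
    "spt Status=0, ssId=wpspsk, on80211A=0, numOfDetectingAps=0, on80211B=1, "
    "XCoordinate=0, classificationType=3, channelNumber=6, containmentLevel=0, "
    "rssi=-51, rogueApMacAddr=00:1b:2b:35:6a:f3, onNetwork=0, totalRogueClients=0"
)


def parse_special_attributes(raw: str) -> dict:
    """Split the 'name=value' CSV string into a dict of string values.

    Tolerates the inconsistent spacing after commas seen in the MIB example
    and keys containing a space ('spt Status'). Tokens without '=' are kept
    under '_unparsed' so malformed input is visible instead of silently lost.
    """
    attrs = {}
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")
        if not sep:
            attrs.setdefault("_unparsed", []).append(token)
            continue
        attrs[name.strip()] = value.strip()
    return attrs


def _to_int(value):
    """Convert a numeric attribute such as rssi to int; None if absent/garbled."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def classify_notification(raw: str, alert_values: set) -> dict:
    """Decide what a receiver should do with one rogueAP Alert string.

    alert_values: classificationType values the operator has confirmed
    should page (ASSUMPTION: the thread does not document these values).
    A missing classificationType is routed to manual review rather than
    dropped, so an unclassifiable rogue is never silently ignored.
    """
    attrs = parse_special_attributes(raw)
    ctype = attrs.get("classificationType")
    if ctype is None:
        action = "review"
    elif ctype in alert_values:
        action = "alert"
    else:
        action = "ignore"
    return {
        "action": action,
        "classificationType": ctype,
        "mac": attrs.get("rogueApMacAddr"),
        "ssid": attrs.get("ssId"),
        "rssi": _to_int(attrs.get("rssi")),
        "channel": _to_int(attrs.get("channelNumber")),
    }


if __name__ == "__main__":
    # Placeholder value set for demonstration only; confirm the real
    # encoding from vendor documentation or a captured trap before use.
    print(classify_notification(SAMPLE_ATTRS, alert_values={"3"}))
```

In a real receiver this function would run on the varbind value of each incoming trap, and the `review` path would feed the manual check petersene1 describes so that short-lived rogues are still recorded even if they have cleared by the time someone looks at the WCS alarm list.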

rsreeves1 Thu, 11/18/2010 - 15:05

No, I'm afraid I hadn't actually dug deep enough to confirm whether or not the method I proposed was viable.  I suppose it truly just can't be done...
