Unable to detect wired rogue AP

Unanswered Question
Feb 17th, 2012

This is my scenario:

1x WLC 2500, software version 7.0.116.0. In the Wireless Protection Policies section I enabled "Rogue on Wire", "Using our SSID" and "Valid client on Rogue AP".

Auto Containment Level is set to 3.

The WLC correctly detects rogue APs in the air and auto-contains rogue APs using the same SSID. I can also contain rogue APs manually with no problem.

10x LAP 1141, software version 7.0.116.0, in Local mode.

1x LAP 1141, software version 7.0.116.0, in Rogue Detector mode, connected to a trunk port on the distribution switch with all VLANs permitted so that the AP can see traffic from all segments.

I ran this command on the Rogue Detector AP and verified the existence of the rogue AP's MAC address:

AP7081.05b0.e127#show capwap rm rogue detector | include 0021.29e8.8f39

Rogue hindex = 94: MAC 0021.29e8.8f39, flag = 0, unusedCount = 1

According to Cisco Document ID 112045 the flag must be 1 for a wired rogue AP, but for me this is not happening.

In the WLC GUI the rogue TEST AP never shows as wired.

I use a test rogue AP connected to the wired LAN and a laptop associated to this AP, and the WLC never does its job of containing that AP.

Am I missing something?

Experts, please help?

Sorry for my bad English …

Stephen Rodriguez Fri, 02/17/2012 - 10:58

Can you show the rules you have for the rogues? I'd also like to see your SSID.

Steve

aguia05 Fri, 02/17/2012 - 11:16

I have not set any rogue rules. Is this necessary for detecting a wired rogue AP?

I selected the option "Rogue on Wire" in SECURITY / WIRELESS PROTECTION POLICIES / ROGUE POLICIES / GENERAL.

Thanks for the help and the fast answer.

Stephen Rodriguez Fri, 02/17/2012 - 12:11

No, I just wanted to see everything that was there to make sure nothing conflicted.

For your 'rogue AP', you are using an unsecured, broadcast SSID, correct?

Steve

Stephen Rodriguez Fri, 02/17/2012 - 13:44

No, it won't be detected as on the wire.

RLDP only works with open rogue APs broadcasting their SSID with authentication and encryption disabled.

So if you make that SSID open, it should detect it.

Steve

Stephen Rodriguez Fri, 02/17/2012 - 14:40

It's a mix, actually.

A rogue detector AP aims to correlate rogue information heard over the air with ARP information obtained from the wired network. If a MAC address is heard over the air as a rogue AP or client and is also heard on the wired network, then the rogue is determined to be on the wired network. If the rogue is detected to be on the wired network, then the alarm severity for that rogue AP is raised to critical. It should be noted that a rogue detector AP is not successful at identifying rogue clients behind a device using NAT.

Rogue Detector: This mode monitors the rogue APs on the wire. It does not transmit or receive frames over the air or contain rogue APs.

So you still need to be able to detect that MAC address in the air (RLDP) as well as hearing the ARP.

Test it out. Change the SSID to be open and see if it gets detected.

Steve

aguia05 Fri, 02/17/2012 - 14:48

But referring to the picture, why does the column "What it Detects" for Rogue Detector say:

  • Open APs
  • Secured APs
  • NAT APs

However, for RLDP it only says:

  • Open APs
  • NAT APs

According to Cisco, RLDP detects wired APs as follows:

The RLDP algorithm is:

  1. Identify the closest Unified AP to the rogue using signal strength values.
  2. The AP then connects to the rogue as a WLAN client, attempting three associations before timing out.
  3. If association is successful, the AP then uses DHCP to obtain an IP address.
  4. If an IP address was obtained, the AP (acting as a WLAN client) sends a UDP packet to each of the controller's IP addresses.
  5. If the controller receives even one of the RLDP packets from the client, that rogue is marked as on-wire with a severity of critical.

So RLDP doesn't need an AP in Rogue Detector mode to do its job.

Thanks Adel
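The two on-wire checks described in this thread, the rogue detector's MAC/ARP correlation from Steve's reply and the five-step RLDP probe quoted above, as a constructed Python model. This is an added illustration, not Cisco WLC or AP code; the only values taken from the page are the rogue MAC 0021.29e8.8f39 and the quoted `show capwap rm rogue detector` line, and every other MAC, IP, SSID and LAN name is made up. The model reproduces the table the questioner asks about: a secured rogue is only reachable by the detector, an open NAT rogue only by RLDP, and the questioner's secured TEST AP by neither.

```python
"""Constructed model of the two wired-rogue checks discussed in this thread.

Added illustration, not Cisco WLC or AP code. The only values taken from the
thread are the rogue MAC 0021.29e8.8f39 and the detector output line; every
other MAC, IP, SSID and LAN name is made up for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Line format of "show capwap rm rogue detector" as quoted in the question.
ROGUE_LINE = re.compile(
    r"Rogue hindex = (?P<hindex>\d+): MAC (?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}), "
    r"flag = (?P<flag>\d+), unusedCount = (?P<unused>\d+)"
)


def parse_rogue_detector(output: str) -> Dict[str, int]:
    """Return {mac: flag} for every rogue entry the detector AP printed."""
    entries: Dict[str, int] = {}
    for line in output.splitlines():
        m = ROGUE_LINE.search(line)
        if m:
            entries[m.group("mac")] = int(m.group("flag"))
    return entries


@dataclass
class Rogue:
    bssid: str                        # MAC heard over the air
    ssid: str
    ssid_broadcast: bool
    open_auth: bool                   # no authentication and no encryption
    nat: bool                         # rogue hides its clients behind NAT
    client_macs: List[str] = field(default_factory=list)
    uplink_lan: Optional[str] = None  # constructed: LAN its Ethernet port is on


def rogue_detector_flag(rogue: Rogue, wired_macs: Set[str]) -> int:
    """Rogue detector correlation: a MAC heard over the air as the rogue AP or
    one of its clients that also shows up in wired ARP traffic means on-wire
    (flag = 1). Clients behind a NATing rogue never put their own MAC on the
    wire, so only the AP's MAC can match in that case."""
    air_macs = {rogue.bssid}
    if not rogue.nat:
        air_macs.update(rogue.client_macs)
    return 1 if air_macs & wired_macs else 0


def rldp_probe(rogue: Rogue, controller_ips: Set[str],
               lans: Dict[str, Set[str]]) -> bool:
    """The five RLDP steps on a constructed topology; `lans` maps a LAN name
    to the IP addresses reachable from it."""
    # Step 1 (closest AP by RSSI) is skipped: one local-mode AP is assumed.
    # Step 2: associate as a client; only works against an open, broadcast SSID.
    if not (rogue.ssid_broadcast and rogue.open_auth):
        return False
    # Step 3: DHCP; assumed to succeed whenever the rogue has a wired uplink.
    if rogue.uplink_lan is None or rogue.uplink_lan not in lans:
        return False
    reachable = lans[rogue.uplink_lan]
    # Steps 4 and 5: UDP to every controller address; one arrival marks on-wire.
    return any(ip in reachable for ip in controller_ips)


def classify(rogue: Rogue, wired_macs: Set[str], controller_ips: Set[str],
             lans: Dict[str, Set[str]]) -> Dict[str, bool]:
    """Combine both paths: either one succeeding marks the rogue on-wire."""
    by_detector = rogue_detector_flag(rogue, wired_macs) == 1
    by_rldp = rldp_probe(rogue, controller_ips, lans)
    return {"rogue_detector": by_detector, "rldp": by_rldp,
            "on_wire": by_detector or by_rldp}


# --- constructed sample data ---
DETECTOR_OUTPUT = "Rogue hindex = 94: MAC 0021.29e8.8f39, flag = 0, unusedCount = 1\n"
WIRED_MACS = {"0011.2233.4455", "0011.2233.4466"}   # seen on the detector's trunk
CONTROLLER_IPS = {"10.0.0.10"}
LANS = {"corporate": {"10.0.0.10", "10.0.0.20"}, "isp": {"198.51.100.1"}}

# The questioner's setup: TEST SSID broadcast but secured, AP plugged into the LAN.
TEST_AP_SECURED = Rogue("0021.29e8.8f39", "TEST", True, False, False,
                        ["aabb.ccdd.ee01"], "corporate")
# Same AP after Steve's suggestion to make the SSID open.
TEST_AP_OPEN = Rogue("0021.29e8.8f39", "TEST", True, True, False,
                     ["aabb.ccdd.ee01"], "corporate")
# An open rogue that NATs its clients (RLDP row of the table: NAT APs).
NAT_AP_OPEN = Rogue("0011.2233.4477", "free-wifi", True, True, True,
                    ["aabb.ccdd.ee02"], "corporate")
# A secured rogue whose own MAC is in wired ARP (detector row: Secured APs).
SECURED_AP_IN_ARP = Rogue("0011.2233.4455", "corp-clone", True, False, False,
                          ["aabb.ccdd.ee03"], "corporate")

if __name__ == "__main__":
    print(parse_rogue_detector(DETECTOR_OUTPUT))
    for r in (TEST_AP_SECURED, TEST_AP_OPEN, NAT_AP_OPEN, SECURED_AP_IN_ARP):
        print(r.ssid, classify(r, WIRED_MACS, CONTROLLER_IPS, LANS))
```

Running it prints the parsed detector entry with flag 0 and then one classification per scenario. The questioner's secured TEST AP comes out as not on-wire by either path, which matches the thread: the detector needs the same MAC on both sides of the correlation, and RLDP never gets past step 2 against a secured SSID.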
