Unable to detect wired rogue AP

Unanswered Question
Feb 17th, 2012

This is my scenario

1: WLC 2500 software version

In the Wireless Protection Policies section I enabled "Rogue on Wire", "Using our SSID" and "Valid client on Rogue AP".

Auto Containment Level is set to 3

The WLC correctly detects rogue APs in the air and auto-contains rogue APs using the same SSID. I can also contain a rogue AP manually with no problem.

10: LAP 1141 software version in Local mode

1: LAP 1141 software version in Rogue Detector mode, connected to a trunk port on the distribution switch with all VLANs permitted so that the AP can see traffic from all segments.

I ran this command on the Rogue Detector AP and verified the existence of the rogue AP's MAC address:

AP7081.05b0.e127#show capwap rm rogue detector | include 0021.29e8.8f39

Rogue hindex = 94: MAC 0021.29e8.8f39, flag = 0, unusedCount = 1

According to Cisco Document ID 112045, the flag must be 1 for a wired rogue AP; for me this is not happening.

In the WLC GUI the test rogue AP never shows as wired.

I am using a test rogue AP connected to the wired LAN, with a laptop associated to this AP; the WLC never does its job of containing that AP.

Am I missing something?

Experts, please help?

Sorry for my bad English...

Stephen Rodriguez Fri, 02/17/2012 - 10:58

Can you show the rules you have for the rogues? I'd also like to see your SSID.


aguia05 Fri, 02/17/2012 - 11:16

I have not set any rogue rules. Is this necessary for detecting a wired rogue AP?


Thanks for the help and the fast answer

Stephen Rodriguez Fri, 02/17/2012 - 12:11

No, I just wanted to see what all was there to make sure nothing conflicted.

For your 'Rogue AP', you are using an unsecured, broadcast SSID, correct?


Stephen Rodriguez Fri, 02/17/2012 - 13:44

No, it won't be detected as on the wire.

RLDP only works with open rogue APs that broadcast their SSID with authentication and encryption disabled.

So if you make that SSID open it should detect it.


Stephen Rodriguez Fri, 02/17/2012 - 14:40

It's a mix actually.

A rogue detector AP aims to correlate rogue information heard over the air with ARP information obtained from the wired network. If a MAC address is heard over the air as a rogue AP or client and is also heard on the wired network, then the rogue is determined to be on the wired network. If the rogue is detected to be on the wired network, then the alarm severity for that rogue AP is raised to Critical. It should be noted that a rogue detector AP is not successful at identifying rogue clients behind a device using NAT.

Rogue Detector: This mode monitors the rogue APs on the wire. It does not transmit or receive frames over the air or contain rogue APs.

So you still need to be able to detect the MAC address in the air (RLDP) as well as hearing the ARP.

Test it out. Change the SSID to be open and see if it gets detected.
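
The correlation the quoted Cisco text describes, as an added example that is not part of the original post and not Cisco's code: a parser for the `show capwap rm rogue detector` lines from the question, and the rogue-detector logic that marks a rogue on-wire when its BSSID or one of its client MACs also shows up in ARP on the trunk. Only the first detector line is the one from the question; the other detector lines, the rogue list, the client MACs and the ARP entries are constructed, and the NAT router entry is included to show the caveat that clients behind NAT are never seen on the wire.

```python
import re
from dataclasses import dataclass, field

# Constructed `show capwap rm rogue detector` output. The first line is the one
# quoted in the question; the other two are made up for this example.
DETECTOR_OUTPUT = """\
Rogue hindex = 94: MAC 0021.29e8.8f39, flag = 0, unusedCount = 1
Rogue hindex = 12: MAC 0024.1d3a.77c0, flag = 1, unusedCount = 0
Rogue hindex = 57: MAC 001b.2f10.aa01, flag = 0, unusedCount = 3
"""

ROGUE_LINE = re.compile(
    r"MAC\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}),\s*flag\s*=\s*(?P<flag>\d+)",
    re.IGNORECASE,
)


def parse_detector_output(text):
    """Return {mac: flag} from the detector's rogue table (flag 1 = seen on the wire)."""
    table = {}
    for line in text.splitlines():
        m = ROGUE_LINE.search(line)
        if m:
            table[m.group("mac").lower()] = int(m.group("flag"))
    return table


@dataclass
class RogueAP:
    bssid: str                                  # MAC heard over the air as the rogue's BSSID
    ssid: str
    clients: set = field(default_factory=set)   # client MACs seen associated to it


# Constructed rogues heard over the air by the local-mode APs.
ROGUES = [
    RogueAP("0021.29e8.8f39", "TEST", {"0016.6f12.3456"}),  # bridged AP; client MAC not seen in ARP
    RogueAP("0024.1d3a.77c0", "CORP", set()),               # bridged AP whose BSSID is also its LAN MAC
    RogueAP("001b.2f10.aa01", "HOME", {"0050.56aa.bbcc"}),  # NAT router; its clients are hidden
]

# Constructed ARP entries the detector AP sees on the trunk.
WIRED_ARP_MACS = {
    "0024.1d3a.77c0",   # the CORP rogue's own MAC, bridged straight onto the LAN
    "001b.2f10.aa02",   # WAN-side MAC of the NAT router; its wireless clients never appear
    "0000.0c9f.f001",   # HSRP gateway, unrelated
}


def correlate(rogues, wired_macs):
    """Rogue-detector logic: a rogue is on-wire when its BSSID or any associated
    client MAC is also seen in ARP on the wired side; otherwise it stays air-only."""
    wired = {m.lower() for m in wired_macs}
    verdict = {}
    for ap in rogues:
        heard = {ap.bssid.lower()} | {c.lower() for c in ap.clients}
        verdict[ap.bssid.lower()] = "on-wire" if heard & wired else "air-only"
    return verdict


def disagreements(verdict, detector_table):
    """BSSIDs where the detector's flag disagrees with the correlation result."""
    expected = {"on-wire": 1, "air-only": 0}
    return sorted(
        mac for mac, state in verdict.items()
        if mac in detector_table and detector_table[mac] != expected[state]
    )


if __name__ == "__main__":
    table = parse_detector_output(DETECTOR_OUTPUT)
    verdict = correlate(ROGUES, WIRED_ARP_MACS)
    for mac, state in verdict.items():
        print(f"{mac}  {state:9s}  detector flag = {table.get(mac)}")
    print("disagreements:", disagreements(verdict, table))
```

With these inputs the TEST rogue stays air-only (flag 0) because neither its BSSID nor its client's MAC was seen in ARP, which is exactly the situation in the question: for the detector to flip the flag to 1, the laptop's MAC (or the AP's own wired-side MAC) has to be observed in ARP on a VLAN the detector's trunk carries. The NAT router shows the documented blind spot: the wire only ever sees the router's WAN MAC, never the client behind it.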


aguia05 Fri, 02/17/2012 - 14:48

But referring to the picture, why does the column "What it Detects" for Rogue Detector say:

  • Open APs
  • Secured APs
  • NAT APs

However, for RLDP it only says:

  • Open AP
  • NAT APs

According to Cisco, RLDP detects wired APs as follows:

The algorithm of RLDP is listed here:

  1. Identify the closest Unified AP to the rogue using signal strength values.
  2. The AP then connects to the rogue as a WLAN client, attempting three associations before timing out.
  3. If association is successful, the AP then uses DHCP to obtain an IP address.
  4. If an IP address was obtained, the AP (acting as a WLAN client) sends a UDP packet to each of the controller's IP addresses.
  5. If the controller receives even one of the RLDP packets from the client, that rogue is marked as on-wire with a severity of critical.

So RLDP doesn't need an AP in Rogue Detector mode to do its job.

Thanks Adel
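
The five RLDP steps quoted above, as an added example that is not part of the original thread and not Cisco's implementation: the probing AP is chosen by RSSI, the simulated association succeeds only against an open SSID (which is why a WPA rogue is never marked on-wire by RLDP), and the AP acting as a client then sends a UDP datagram to every controller address. A UDP listener on 127.0.0.1 stands in for the WLC and marks the rogue on-wire with severity critical when the datagram arrives. The RSSI values, BSSIDs, the datagram payload and the assumption that the DHCP step succeeds are all constructed for the example; the real RLDP packet format is not shown on the page.

```python
import socket

# Constructed: RSSI (dBm) at which each managed AP hears the rogue.
RSSI_BY_AP = {"AP-lobby": -71, "AP-floor2": -58, "AP-warehouse": -83}

# Constructed rogues: only the open one can be associated to.
OPEN_ROGUE = {"bssid": "0021.29e8.8f39", "ssid": "TEST", "open": True}
SECURED_ROGUE = {"bssid": "001b.2f10.aa01", "ssid": "HOME", "open": False}


def closest_ap(rssi_by_ap):
    """Step 1: the AP hearing the rogue loudest runs the probe."""
    return max(rssi_by_ap, key=rssi_by_ap.get)


def associate(rogue, attempts=3):
    """Step 2 (simulated): up to three association attempts. RLDP can only
    complete this against an open SSID; a secured rogue fails every attempt."""
    for _ in range(attempts):
        if rogue["open"]:
            return True
    return False


def send_rldp(bssid, controllers):
    """Step 4: as a client of the rogue, send one datagram to every controller
    address. The payload layout is constructed for this example."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for addr in controllers:
            s.sendto(b"RLDP " + bssid.encode(), addr)


def controller_receive(listener):
    """Step 5: a controller receiving even one RLDP datagram marks that BSSID
    on-wire with severity critical."""
    try:
        data, _ = listener.recvfrom(1024)
    except socket.timeout:
        return None
    if not data.startswith(b"RLDP "):
        return None
    return {"bssid": data[5:].decode(), "on_wire": True, "severity": "critical"}


def run_rldp(rogue, rssi_by_ap):
    """Drive all five steps against a local UDP listener standing in for the WLC."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))      # the OS assigns a free port
        listener.settimeout(2.0)
        result = {"prober": closest_ap(rssi_by_ap), "bssid": rogue["bssid"], "on_wire": False}
        if not associate(rogue):
            result["reason"] = "association failed (secured SSID)"
            return result
        # Step 3 (DHCP) is assumed to succeed here; on a real network a rogue that
        # hands out no address ends the probe at this point.
        send_rldp(rogue["bssid"], [listener.getsockname()])
        verdict = controller_receive(listener)
        if verdict is None:
            result["reason"] = "no controller received the RLDP packet"
            return result
        result.update(verdict)
        return result


if __name__ == "__main__":
    print(run_rldp(OPEN_ROGUE, RSSI_BY_AP))
    print(run_rldp(SECURED_ROGUE, RSSI_BY_AP))
```

The two runs show the practical difference between the mechanisms in this thread: RLDP needs no rogue-detector AP at all, but it can only reach step 4 when the rogue is open and hands out an address, whereas the detector-mode correlation works on secured rogues too but needs the rogue's or a client's MAC to show up in ARP on the trunk.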

