I have a question regarding rogue detection configuration on WLC.
We know that rogue detection can be enabled on a per-AP basis under the Advanced tab of each AP, starting from code 6.0, and it also supports rogue detection in RF groups when we configure the protection type as "AP Authentication" under the WLC Security tab, which makes APs authenticate frames based on the RF group name; if the name is different, then the AP is considered a rogue.
So the question is: if we only enable rogue detection at the AP level but leave AP authentication set to "none", how does the AP detect rogues? Does that mean that if any signal detected is not from the APs connected to the WLC, it will be considered a rogue?
Also, in the configuration guide, under the section "Enable rogue access point detection in RF groups", it says rogue detection requires the AP to be configured in either local or monitor mode when we also have AP authentication enabled. However, if an AP is in H-REAP mode, we are still able to enable/disable rogue detection under the Advanced tab, so how do H-REAP mode APs detect rogues? Is that the same method as when AP authentication is set to "none"?
Thanks in advance for your help.
It is applicable not only for AP Authentication but also for AP infrastructure MFP.
"Does that mean that if any signal detected is not from the APs connected to the WLC, it will be considered a rogue?"
Yes, APs outside the Cisco WLC and APs that are not in the same RF group will be rogues.
"If an AP is in H-REAP mode, we are still able to enable/disable rogue detection under the Advanced tab, so how do H-REAP mode APs detect rogues? Is that the same method as when AP authentication is set to "none"?"
If the H-REAP AP is in connected mode to the WLC then yes, it detects rogues and reports them to the WLC; in standalone mode it doesn't work.
If APs joined to a Cisco WLC detect WIRELESS 802.11 FRAMES being sent that do not belong to the WLC to which the AP belongs, or to any WLC in its mobility group, then the source of those frames (source MAC address) is considered a rogue AP that has that MAC address as its source.
If the detected signal is not a wireless 802.11 frame (just noise, Bluetooth, etc.) then it is not detected as a rogue, because the AP is not able to analyze that signal as an 802.11 frame and hence does not know the source MAC of the sender.
Thank you both for the reply. Can you please confirm the below scenario as well:
With rogue detection enabled at the AP level, what is the difference between AP authentication configured as "none" and "AP Authentication"? My understanding is that with AP Authentication or MFP enabled under the "AP Authentication" field, rogue detection will be verified based on the RF group name, so a signal from another RF domain or not from the WLC will be considered a rogue. But what if we select AP authentication as "none"? Are we still using the RF group name to authenticate frames from other APs, or is there another method? If not, does that mean rogue detection is DISABLED in this case even when we have it enabled under the Advanced tab of the APs?
Thanks for taking the time to clarify this.
If rogue detection under the AP Advanced tab is:
- Enabled: the AP will report rogues it finds to the WLC.
- Disabled: the AP will not report any rogues to the WLC, regardless of what AP authentication is.
If rogue detection is enabled and AP authentication is:
- None: the AP reports rogues it finds to the controller. APs in the same mobility group are not reported even if they are in different RF groups.
- AP authentication: the AP reports the rogues to the WLC. APs in the same mobility group but with different RF groups are also reported as rogues.
OK, thanks for your reply. So if AP authentication is "none", then even if the RF group name is different, the AP will NOT report rogues from other WLCs, and WLCs being in the same mobility group is the condition for this? Because it seems the AP still reports rogues, and it should report rogue APs from other WLCs which have no relation to the current one (not in the mobility group/list, different RF group), so in this case the RF group name is not something that the WLC uses to determine the rogue?
"OK, thanks for your reply. So if AP authentication is "none", then even if the RF group name is different, the AP will NOT report rogues from other WLCs, and WLCs being in the same mobility group is the condition for this?"
The WLC mobility group is always a condition to decide whether a rogue should be reported or not. If in the same mobility group then it is not a rogue; if in a different mobility group then it is a rogue.
The RF group is not always there. You can enable or disable checking it by selecting "none" or "AP authentication". If none, then the RF group should be similar or else it is reported as a rogue.
If the mobility group is different then we do not look at the RF group and the AP is reported as a rogue.
If the mobility group is similar then:
- If "none", we do not look at the RF group and the AP is considered not a rogue.
- If "AP authentication", then we look at the RF group. If similar then not a rogue; if different then rogue.
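As an added example (not Cisco code and not part of the original thread), the Python below models the decision order the reply above describes: mobility group first, then RF group only when AP authentication is enabled, with non-802.11 signals never classified because they carry no source MAC. The BSSIDs, group names and sample detections are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KnownAp:
    """Group membership of the WLC that owns a known AP (constructed model)."""
    mobility_group: str
    rf_group: str

# Constructed inventory: BSSID -> owning WLC's mobility group and RF group.
OUR_MOBILITY_GROUP = "MG-HQ"
OUR_RF_GROUP = "RF-HQ"
KNOWN_APS = {
    "00:11:22:33:44:01": KnownAp("MG-HQ", "RF-HQ"),      # same mobility and RF group
    "00:11:22:33:44:02": KnownAp("MG-HQ", "RF-BRANCH"),  # same mobility group, other RF group
    "00:11:22:33:44:03": KnownAp("MG-OTHER", "RF-HQ"),   # different mobility group
}

def classify_frame(frame, ap_auth_mode):
    """Return 'ignored', 'rogue' or 'not-rogue' for one detected signal.

    frame: dict with 'is_80211' (bool) and 'src_mac' (str or None).
    ap_auth_mode: 'none' or 'ap-authentication' (the WLC Security tab setting).
    """
    if not frame["is_80211"] or frame["src_mac"] is None:
        return "ignored"      # noise/Bluetooth: no parsable 802.11 frame, no source MAC
    known = KNOWN_APS.get(frame["src_mac"])
    if known is None:
        return "rogue"        # not an AP of any WLC we know about
    if known.mobility_group != OUR_MOBILITY_GROUP:
        return "rogue"        # different mobility group: RF group is not consulted
    if ap_auth_mode == "none":
        return "not-rogue"    # same mobility group, RF group not checked
    if ap_auth_mode == "ap-authentication":
        return "not-rogue" if known.rf_group == OUR_RF_GROUP else "rogue"
    raise ValueError(f"unknown ap_auth_mode: {ap_auth_mode!r}")

# Constructed sample detections, in a fixed order.
FRAMES = [
    {"is_80211": False, "src_mac": None},                 # Bluetooth / noise
    {"is_80211": True, "src_mac": "00:11:22:33:44:01"},
    {"is_80211": True, "src_mac": "00:11:22:33:44:02"},
    {"is_80211": True, "src_mac": "00:11:22:33:44:03"},
    {"is_80211": True, "src_mac": "de:ad:be:ef:00:01"},   # unknown AP
]

def classify_all(ap_auth_mode):
    """Classify every sample detection under the given AP authentication mode."""
    return [classify_frame(f, ap_auth_mode) for f in FRAMES]

if __name__ == "__main__":
    for mode in ("none", "ap-authentication"):
        print(mode, classify_all(mode))
```

The only verdict that changes between the two modes is the AP in the same mobility group but a different RF group.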
I don't think the Mobility group will be a prime factor; it is always the RF group, since configuring a Mobility group is optional while an RF group is mandatory for a WLC. Also, rogue detection happens over wireless; whether or not to show it as a rogue is decided by other configuration parameters, e.g. rogue rules, AP auth type, whether it is in the friendly list, .... The only exception is a different RF group with the same Mobility group, which may still be detected as a rogue but won't be shown, because the mobility group is a subset of the RF group, just like the other filter parameters.
It is recommended to keep the RF group name, Mobility group name and AP auth type the same across all WLCs whose APs have overlapping RF. The same RF group name with a different AP auth type will be flagged as a rogue.
OK, if the mobility group/list configuration is not considered a factor for rogue detection, can you please help to explain what the difference is between "none" and "AP Authentication" under the AP Authentication configuration?
When we have rogue detection enabled at the AP level, does that mean rogues will always be detected, even if AP authentication is set to "none"?