Rogue AP Detection on WLC. What actions should I take?

Hello,

I have a 5508 controller with 70 AP's (a mix of 1131 and 1142). On the Monitor tab I can see under the Rogue Summary numerous "Rogue AP's" as well as the clients associated to these AP's. There are no Rogue AP's on my wired network according to the report. My question is this: What actions should I take regarding these "Rogue AP's"? Many of them appear to be just other AP's in the residential area nearby. I know I can take action to classify them as Friendly or Malicious as well as Internal or External, but what benefit is there to doing this? Will taking these actions keep my AP's from scanning off channel for Rogues? I read that if a "Rogue AP" is not on the wired network that it really is not considered a threat. Any advice on the Cisco best practices regarding how to handle detected Rogue AP's would be beneficial and much appreciated. Thank you!

Chris.

4 REPLIES

If you know that the SSID belongs to another entity, classifying it as "Friendly" should stop you from getting alerts on it.

But no, if you classify rogues, it doesn't stop the AP from scanning for other rogues.

Steve

HTH, Steve

Please remember to rate useful posts, and mark questions as answered
Stephen,

Once again I thank you for responding to my post. In your opinion, how should I go about deciding whether or not an AP is Friendly or Malicious? There are many AP's that are on the Rogue List that I see on a daily basis, and are stationary because it is consistently being detected by the same AP(s) on my network as well, should I mark these as Friendly/External and be done with it? I know there are Rogue Rules that can be created, but in the simplest terms, how should I go about making the distinction between "Malicious" or "Friendly"? And what benefits are gained by classifying all the Rogues one way or the other? 

Thanks.

You can classify them based on the RSSI, if you set it low enough, that you know it can't be in your facility that could work. Alternately, you could go around with a spectrum card and try to pinpoint where the AP is to verify.

Malicious would tend to be more, your SSID but not your AP, an RSSI value that should be in your building, and of course anything on the wire.

Friendly, would be the ones from the residential area you are hearing, or from another business nearby.

As always, be careful with Malicious, especially if you opt to contain those APs.

Steve

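Added example, not part of the original thread and not Cisco code: one way to apply the indicators from the reply above (on the wire, your SSID on an AP that is not yours, RSSI) as a triage pass over rogue records. The record fields, the `corp-wifi` SSID and the -70 dBm cut-off are assumptions, and treating a strong RSSI on its own as "locate and verify" is one reading of the advice.

```python
from dataclasses import dataclass

# Assumed values, not from the thread: the SSID name and the -70 dBm cut-off
# are placeholders; calibrate the RSSI threshold against a site survey.
MANAGED_SSIDS = {"corp-wifi"}
IN_BUILDING_RSSI_DBM = -70

@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi_dbm: int   # strongest RSSI any managed AP reported for this rogue
    on_wire: bool   # controller reports the rogue on the wired network

def classify(r):
    """Return (label, reasons) following the indicators listed in the reply."""
    reasons = []
    if r.on_wire:
        reasons.append("on the wired network")
    if r.ssid in MANAGED_SSIDS:
        reasons.append("advertises our SSID but is not one of our APs")
    if reasons:
        return "malicious", reasons
    if r.rssi_dbm >= IN_BUILDING_RSSI_DBM:
        # Strong signal alone is not proof: locate the AP physically first.
        return "locate-and-verify", ["RSSI %d dBm could be inside the facility" % r.rssi_dbm]
    return "friendly-external", ["weak signal, foreign SSID, not on the wire"]

def triage(rogues):
    """Map BSSID -> label. Classification only; containment stays a manual decision."""
    return {r.bssid: classify(r)[0] for r in rogues}

# Constructed sample records (hypothetical BSSIDs and SSIDs).
SAMPLE = [
    Rogue("02:00:00:00:00:01", "NeighborHome", -88, False),
    Rogue("02:00:00:00:00:02", "corp-wifi", -61, False),
    Rogue("02:00:00:00:00:03", "linksys", -55, False),
    Rogue("02:00:00:00:00:04", "lab-test", -79, True),
]

if __name__ == "__main__":
    for r in SAMPLE:
        label, why = classify(r)
        print(r.bssid, r.ssid, label, "; ".join(why))
```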
Stephen,

Those are some very good suggestions. I have been reading a lot about the effects of the Containment option and will exercise extreme caution and only use it in the most necessary of cases. Thanks again!

Chris.
