Cisco Support Community
New Member

Rogue AP Detection

Can anyone point me to more detail on the Rogue AP detection than in the release notes? Granted this may not be robust, but it does offer some interesting possibilities.

1. We haven't been able to make this work...or at least can't find any log entries for it. We have a wide open SMC and an AP350 in close proximity with the correct versions in the 350 and the 350 client. Both the AP and client are running LEAP with all possible security extensions enabled.

2. Which AP MAC address does the client report to the LEAP AP? Radio or Ethernet? Is said MAC detectable in a cat6000 switch so that we could do some scripting from syslog to automatically disable the port when a rogue is detected in the log?

3. How is the Rogue AP timeout used, in detail? How often does the log entry fire until the timeout is reached?

New Member

Re: Rogue AP Detection

In a LEAP authentication setup, when a client fails to get authenticated, it possibly reports a rogue AP in the network.

1) APs do not automatically look for rogue APs in the wireless LAN. They depend on clients to report rogue APs.

2) It requires functionality on both the AP and the client. It is supported in the 12.01T VxWorks release for APs.

The following are the possible procedures for failed authentication:

The client requests LEAP authentication; if the AP responds with an unsupported authentication method, the client will mark the AP as rogue.

Now, regarding the Rogue AP time out:


When the client initiates EAP authentication with the AP, a timer is started. If the timer expires before the authentication is complete, this can be due to the following reasons:

a) The AP did not support the LEAP authentication method and did not respond back (rogue AP).

b) The AP relays the LEAP request to the RADIUS server and did not receive a response. This could be due to a network issue or the RADIUS server is not up.

When an access point detects a rogue access point, it sends an alert message to the system log. This setting specifies the amount of time in minutes the access point transmits the alert message. When the timeout is reached, the access point stops sending the alert message. This is how the timeout works.

When LEAP authentication fails due to the above-mentioned scenarios, the client records the Ethernet MAC address, failure code and the rogue AP name, and forwards this information on to a valid AP after successful logon.

To confirm a rogue AP in network, you can do the following:


1) Check the MAC address of the rogue AP, as reported by the client. If the MAC address is that of an AP in the network, it implies that it was because of one of the above-mentioned reasons.

2) If the MAC address does not belong to a valid AP in the network, then you may use a wireless sniffer to detect this invalid MAC in the surroundings.
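Added example, not part of the original thread and not Cisco code: a Python sketch of the two confirmation steps in the reply above, which compares each client-reported MAC against an inventory of sanctioned APs and collapses alerts repeated during the timeout. The record layout, the failure-code strings, all MAC addresses and the 15-minute `window_min` are constructed assumptions; the real alert format has to be taken from the AP's own log.

```python
import re

# Constructed inventory of sanctioned APs (Ethernet MACs), not from the thread.
KNOWN_AP_MACS = {"00:40:96:aa:bb:01", "00:40:96:aa:bb:02"}

# Constructed reports: (minute received, reported MAC, failure code, AP name).
# The field set follows the reply; layout and values are assumptions.
SAMPLE_REPORTS = [
    (0, "0040.96aa.bb01", "auth-timeout", "AP350-lobby"),
    (1, "00-0D-28-11-22-33", "unsupported-method", "linksys"),
    (2, "000d.2811.2233", "unsupported-method", "linksys"),
    (30, "00:0d:28:11:22:33", "unsupported-method", "linksys"),
    (31, "not-a-mac", "auth-timeout", "?"),
]

def normalize_mac(raw):
    """Return a MAC as lower-case aa:bb:cc:dd:ee:ff, or None if malformed."""
    digits = re.sub(r"[.:\-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def triage(reports, known_macs, window_min=15):
    """Classify reported APs; collapse repeats inside window_min minutes."""
    known = {normalize_mac(m) for m in known_macs}
    last_raised, findings = {}, []
    for minute, raw_mac, _code, _name in sorted(reports):
        mac = normalize_mac(raw_mac)
        if mac is None:
            # Keep malformed reports visible instead of silently dropping them.
            findings.append((minute, raw_mac, "malformed-report"))
            continue
        prev = last_raised.get(mac)
        if prev is not None and minute - prev < window_min:
            continue  # repeat of an alert that was already raised
        last_raised[mac] = minute
        # Step 1: MAC of a sanctioned AP -> look at the AP/RADIUS path.
        # Step 2: unknown MAC -> candidate for a wireless sniffer survey.
        verdict = "known-ap-check-auth-path" if mac in known else "unknown-mac-survey"
        findings.append((minute, mac, verdict))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORTS, KNOWN_AP_MACS):
        print(finding)
```
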
