Can anyone point me to more detail on the Rogue AP detection than in the release notes? Granted this may not be robust, but it does offer some interesting possibilities.
1. We haven't been able to make this work...or at least can't find any log entries for it. We have a wide open SMC and an AP350 in close proximity with the correct versions in the 350 and the 350 client. Both the AP and client are running LEAP with all possible security extensions enabled.
2. Which AP MAC address does the client report to the LEAP AP? Radio or Ethernet? Is said MAC detectable in a cat6000 switch so that we could do some scripting from syslog to automatically disable the port when a rogue is detected in the log?
3. How is the Rogue AP timeout used, in detail? How often does the log entry fire until the timeout is reached?
In a LEAP authentication setup, when a client fails to get authenticated, it possibly reports a rogue AP in the network.
1) APs do not automatically look for rogue APs in the wireless LAN. They depend on clients to report rogue APs.
2) It requires functionality on both the AP and the client. It is supported in the 12.01T VxWorks release for APs.
The following are the possible procedures for failed authentication:
The client requests LEAP authentication; if the AP responds with an unsupported authentication method, the client will mark the AP as rogue.
Now, regarding the Rogue AP time out:
When the client initiates EAP authentication with the AP, a timer is started. If the timer expires before the authentication is complete, this can be due to the following reasons:
a) The AP did not support the LEAP authentication method and did not respond back (rogue AP).
b) The AP relayed the LEAP request to the RADIUS server and did not receive a response. This could be due to a network issue or the RADIUS server not being up.
When an access point detects a rogue access point, it sends an alert message to the system log. This setting specifies the amount of time in minutes the access point transmits the alert message. When the timeout is reached, the access point stops sending the alert message. This is how the timeout works.
When LEAP authentication fails due to the above-mentioned scenarios, the client records the Ethernet MAC address, failure code and the rogue AP name, and forwards this information on to a valid AP after successful logon.
To confirm a rogue AP in network, you can do the following: