This is my scenario
1: WLC 2500 software version 184.108.40.206. In the Wireless Protection Policies section I enabled “Rogue on Wire”, “Using our SSID” and “Valid client on Rogue AP”.
Auto Containment Level is set to 3.
The WLC correctly detects Rogue APs in the air and auto-contains Rogue APs using the same SSID. Also I can contain a rogue AP manually with no problem.
10: LAP 1141 Software version 220.127.116.11 in Local Mode
1: LAP 1141 Software version 18.104.22.168 in ROGUE DETECTOR mode connected to a trunk port in the distribution Switch, all VLANs permitted so that the AP can see traffic from all segments.
I ran this command on the Rogue Detector AP and verified the existence of the Rogue AP MAC address:
AP7081.05b0.e127#show capwap rm rogue detector | include 0021.29e8.8f39
Rogue hindex = 94: MAC 0021.29e8.8f39, flag = 0, unusedCount = 1
According to Cisco Document ID 112045 the flag must be 1 for a wired rogue AP; for me this is not happening.
In the GUI of the WLC the Rogue TEST AP never shows as wired.
I use a TEST Rogue AP that connects to the wired LAN and a Laptop associated to this AP; the WLC never does its job of containing that AP.
Am I missing something?
Experts, please help?
Sorry for my bad English …
Can you show the rules you have for the rogues? I'd also like to see your SSID as well.
No, I just wanted to see what all was there to make sure nothing conflicted.
For your 'Rogue AP', you are using an unsecured, broadcasted SSID, correct?
For the Wired Rogue AP (SSID: ROGUE-TEST) I'm using WPA-PSK; according to CISCO an unsecured SSID is a condition for the WLC to use RLDP to detect a Rogue AP.
In my test the WLC must contain the Wired Rogue AP although the SSID is WPA-PSK, is that correct?
No, it won't be detected as on the wire.
RLDP only works with open rogue APs broadcasting their SSID with authentication and encryption disabled.
So if you put that SSID as open it should detect it.
Mmmm I disagree
I think that the RLDP protocol and the use of an Access Point in Rogue Detector mode are two different ways to find wired rogue APs.
Check this Cisco document:
It's a mix actually.
A rogue detector AP aims to correlate rogue information heard over the air with ARP information obtained from the wired network. If a MAC address is heard over the air as a rogue AP or client and is also heard on the wired network, then the rogue is determined to be on the wired network. If the rogue is detected to be on the wired network, then the alarm severity for that rogue AP is raised to
. It should be noted that a rogue detector AP is not successful at identifying rogue clients behind a device using NAT.
This mode monitors the rogue APs on wire. It does not transmit or receive frames over the air or contain rogue APs.
So you still need to be able to detect the MAC address in the air (RLDP) as well as hearing the ARP.
Test it out. Change the SSID to be open, and see if it gets detected.
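Added example, not code from this thread or from Cisco: it puts the two checks discussed above (the `show capwap rm rogue detector | include <mac>` line the original poster ran, and the quoted description of a rogue detector correlating MACs heard over the air with ARP seen on the wire) into a small offline script. The detector output format is assumed from the single line pasted in the thread; the extra detector entries and the wired ARP snapshot are constructed sample data, and "flag = 1 means marked on wire" is the thread's reading of the Cisco document, not something this code verifies against a controller.

```python
import re
from dataclasses import dataclass

# Constructed sample output. The first line is the one the original poster
# pasted; the other two entries are made up for illustration.
ROGUE_DETECTOR_OUTPUT = """\
Rogue hindex = 94: MAC 0021.29e8.8f39, flag = 0, unusedCount = 1
Rogue hindex = 17: MAC 0011.2233.4455, flag = 1, unusedCount = 0
Rogue hindex = 42: MAC 00aa.bbcc.ddee, flag = 0, unusedCount = 3
"""

# Constructed wired ARP snapshot (IP -> MAC), standing in for what a rogue
# detector on an all-VLAN trunk would hear. Hypothetical values.
WIRED_ARP_TABLE = {
    "192.0.2.10": "00:11:22:33:44:55",
    "192.0.2.11": "00:21:29:E8:8F:39",
    "192.0.2.12": "00:de:ad:be:ef:00",
}

# Assumed line format, derived from the one line shown on the page.
ROGUE_LINE = re.compile(
    r"Rogue hindex = (?P<hindex>\d+): MAC (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}), "
    r"flag = (?P<flag>\d+), unusedCount = (?P<unused>\d+)"
)


@dataclass(frozen=True)
class RogueEntry:
    hindex: int
    mac: str
    flag: int
    unused_count: int

    @property
    def marked_on_wire(self) -> bool:
        # Thread's reading of Cisco Doc 112045: flag = 1 means the detector
        # already classified this rogue as seen on the wired network.
        return self.flag == 1


def normalize_mac(mac: str) -> str:
    """Canonicalise any common MAC notation to Cisco dotted hex (0021.29e8.8f39)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def parse_rogue_detector(output: str) -> list:
    """Parse 'show capwap rm rogue detector' style lines into RogueEntry objects."""
    entries = []
    for line in output.splitlines():
        m = ROGUE_LINE.search(line)
        if m:
            entries.append(RogueEntry(int(m["hindex"]), normalize_mac(m["mac"]),
                                      int(m["flag"]), int(m["unused"])))
    return entries


def find_rogue(output: str, mac: str):
    """Structured equivalent of the '| include <mac>' pipe; None if absent."""
    target = normalize_mac(mac)
    return next((e for e in parse_rogue_detector(output) if e.mac == target), None)


def correlate_with_wire(entries: list, arp_table: dict) -> dict:
    """Classify each over-the-air rogue against the wired ARP snapshot.

    on-wire-flagged   : detector already has flag = 1
    on-wire-unflagged : MAC is present in wired ARP but the detector still
                        shows flag = 0 (the situation the original poster hit)
    air-only          : MAC never seen on the wire
    """
    wired_macs = {normalize_mac(m) for m in arp_table.values()}
    status = {}
    for e in entries:
        if e.marked_on_wire:
            status[e.mac] = "on-wire-flagged"
        elif e.mac in wired_macs:
            status[e.mac] = "on-wire-unflagged"
        else:
            status[e.mac] = "air-only"
    return status


if __name__ == "__main__":
    parsed = parse_rogue_detector(ROGUE_DETECTOR_OUTPUT)
    for mac, state in correlate_with_wire(parsed, WIRED_ARP_TABLE).items():
        print(f"{mac}  {state}")
```

The "on-wire-unflagged" bucket is the one worth watching: it is exactly the original poster's case (the MAC is present on the wire but the detector's flag stays 0). As the quoted Cisco text notes, a rogue behind a NAT device is one situation where the detector cannot make the ARP match on its own.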
But referring to the picture, why does the column “What it Detects” for Rogue Detector say:
However, for RLDP it only says:
According to CISCO, the RLDP protocol detects wired APs as follows:
The algorithm of RLDP is listed here:
So RLDP doesn't need an AP in Rogue Detector mode to do its job.