Rogue AP detection: what it is
Configure rogue AP detection on EAP/Omada Controller
Suitable for: EAP/Omada Controller 2.0.3 or higher and all EAPs
A rogue AP is an access point that has been installed in a local network without explicit authorization from a network administrator.
The EAP device can scan all channels to detect all APs in the vicinity of the network. By default, all APs seen by the EAP are shown on the Untrusted Rogue APs page. The network administrator can take further action based on this list, for instance removing the rogue AP from the local network.
This article gives instructions on how to configure the Rogue AP Detection function on the EAP/Omada Controller.
Step 1 Enable Rogue AP Detection
Go to Access Points. Choose the EAP on which you want to enable rogue AP detection. Then select Configuration -> Rogue AP Detection configuration -> Enable Rogue Status and click Apply.
Step 2 Add the Trusted Rogue APs
Go to Insight. Select Untrusted Rogue APs and it shows all APs in the vicinity of the network. You can click “” to add a known AP to the Trusted AP list.
Notes:
WLC and jamming neighbours' APs

I heard in passing that if access points work paired with a WLC, there is a way to jam access points that are within your range. 1) Myth or truth?

And what's the point of finding them: OK, it found them... and then what? What use is that information?

I don't quite understand what is meant by "jamming"?

Maybe I'm being inattentive and I'm wrong. In that case I'd appreciate proof.

Pasha, I'm just passing on what I was told.

I don't remember the name. I only used it in a course, but the principle is simple.

WiFi-Pumpkin: rogue wireless access point (Rogue Wi-Fi Access Point Attack)
Among the huge variety of cyber attacks on networks, attacks using a rogue access point, also called a Rogue Wi-Fi Access Point Attack, occupy a special place. They aim to intercept the victim's important credentials. Their effectiveness is quite high, and setting up a Rogue Access Point somewhat resembles the process of sharing wireless internet from a Linux computer. Today I suggest taking a closer look at this type of attack and at the features of the WiFi-Pumpkin program. The goal of rogue access point attacks (Rogue Wi-Fi Access Point Attack) is not the Wi-Fi network password but the data transmitted through that access point. In the transmitted data one can capture credentials (logins and passwords) for websites, find out which sites were visited, what data the user entered, and more.
Installing WiFi-Pumpkin
WiFi-Pumpkin is another program for setting up a rogue wireless access point. Its distinctive feature is a graphical interface, which further simplifies the Rogue Access Point attack. Plugins (other programs) that collect data and perform various attacks are built into the platform.
To install WiFi-Pumpkin in Kali Linux, enter:
Launching and configuring WiFi-Pumpkin
The program is launched with the command:
Note that when you try to run it as a regular user (not root), the program does not work. After launch, this interface opens: Go to the settings and change the access point name (I chose WiFi-Home): In the Activity Monitor settings I tick HTTP-Requests (web requests), HTTP-Authentication (credentials from websites) and Pumpkin-Proxy. In the Plugins tab, choose what matters more to you. Pumpkin-Proxy allows you to use various ready-made solutions (keyloggers, BeEF, code injection, etc.). SSLStrip+ together with dns2proxy, on the other hand, allow bypassing HTTPS and intercepting many more credentials. The Plugins tab has a brief description of each plugin. When the configuration is complete, click Start. You can see the intercepted credentials for the sites vk.com and mail.ru:
Pumpkin-Proxy plugins
The Pumpkin-Proxy tab has the following plugins: Some of them have options. To change a plugin's options, click Settings next to the plugin name. All these plugins only work on websites without HTTPS. Let's look at how these plugins work using keylogger as an example, i.e. we will intercept keystrokes. Stop the AP if it is running, go to the Plugins tab, and select Pumpkin-Proxy there: Now tick the Pumpkin-Proxy plugins we want to use: Start the access point. Go to the Activity-Monitor tab and click PumpkinProxy there: This window shows data on the plugin's operation and the intercepted information.
Additional WiFi-Pumpkin tools
Besides its main purpose, a fake access point, WiFi-Pumpkin can perform other functions thanks to built-in modules. These modules include: Thanks to its graphical interface, WiFi-Pumpkin further simplifies popular rogue access point attacks. The framework implements a comprehensive approach to the Rogue AP attack, which simplifies the work of an advanced hacker.

Rogue Management in a Unified Wireless Network
Introduction
This document provides information on Rogue Detection and Mitigation on Cisco Wireless Networks. Wireless networks extend wired networks and increase worker productivity and access to information. However, an unauthorized wireless network presents an additional layer of security concern. Less thought is put into port security on wired networks, and wireless networks are an easy extension to wired networks. Therefore, an employee who brings his or her own Access Point (Cisco or non-Cisco) into a well-secured wireless or wired infrastructure and allows unauthorized users access to this otherwise secured network can easily compromise a secure network.
Rogue detection allows the network administrator to monitor and eliminate this security concern. Cisco Unified Network Architecture provides methods for rogue detection that enable a complete rogue identification and containment solution without the need for expensive and hard-to-justify overlay networks and tools.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
Components Used
The information in this document is based on these software and hardware versions:
Cisco Unified Wireless LAN Controllers (5520, 8540 and 3504 Series) that run version 8.8.120.0.
Wave 2 APs 1832, 1852, 2802 and 3802 series.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Rogue Overview
Any device that shares your spectrum and is not managed by you can be considered a rogue. A rogue becomes dangerous in these scenarios:
When it is set up to use the same Service Set Identifier (SSID) as your network (honeypot).
When it is detected on the wired network.
When it is set up by an outsider, most times with malicious intent.
The best practice is to use rogue detection to minimize security risks, for example in a corporate environment. However, there are certain scenarios in which rogue detection is not needed, for example in Office Extend Access Point (OEAP) deployments, citywide, and outdoors. Using outdoor mesh APs to detect rogues would provide little value while consuming resources for analysis. Finally, it is critical to evaluate (or avoid altogether) rogue auto-containment, as there are potential legal issues and liabilities if it is left to operate automatically.
There are three main phases of rogue device management in the Cisco Unified Wireless Network (UWN) solution:
Rogue Detection
A rogue is essentially any device that shares your spectrum but is not in your control. This includes rogue access points, wireless routers, rogue clients, and rogue ad-hoc networks. The Cisco UWN uses a number of methods to detect Wi-Fi-based rogue devices, such as off-channel scanning and dedicated monitor mode capabilities. Cisco Spectrum Expert can also be used to identify rogue devices not based on the 802.11 protocol, such as Bluetooth bridges.
Off-Channel Scanning
This operation is performed by Local and Flex-Connect (in connected mode) APs and utilizes a time-slicing technique which allows client service and channel scanning with the same radio. By going off channel for a period of 50ms every 16 seconds, the AP by default spends only a small percentage of its time not serving clients. Also note that a 10ms channel change interval occurs. In the default scan interval of 180 seconds, each 2.4GHz FCC channel (1-11) is scanned at least once. For other regulatory domains, such as ETSI, the AP is off channel for a slightly higher percentage of time. Both the list of channels and the scan interval can be adjusted in the RRM configuration. This limits the performance impact to a maximum of 1.5%, and intelligence is built into the algorithm to suspend scanning when high-priority QoS frames, such as voice, need to be delivered. This graphic depicts the off-channel scanning algorithm for a local mode AP in the 2.4GHz frequency band. A similar operation is done in parallel on the 5GHz radio if the AP has one. Each red square represents time spent on the AP's home channel, whereas each blue square represents time spent on adjacent channels for scanning purposes.
Monitor Mode Scanning
This operation is performed by Monitor Mode and Adaptive wIPS monitor mode APs, which use 100% of the radio's time to scan all channels in each respective frequency band. This allows faster detection and enables more time to be spent on each individual channel. Monitor mode APs are also far superior at detecting rogue clients, as they have a more comprehensive view of the activity that occurs on each channel. This graphic depicts the off-channel scanning algorithm for a monitor mode AP in the 2.4GHz frequency band. A similar operation is done in parallel on the 5GHz radio if the AP has one.
Local Mode and Monitor Mode Comparison
A local mode AP splits its cycles between serving WLAN clients and scanning channels for threats. As a result, it takes a local mode AP longer to cycle through all the channels, and it spends less time collecting data on any particular channel so that client operations are not disrupted. Consequently, rogue and attack detection times are longer (3 to 60 minutes) and a smaller range of over-the-air attacks can be detected than with a monitor mode AP. Furthermore, detection of bursty traffic, such as rogue clients, is much less deterministic because the AP has to be on the channel of the traffic at the same time the traffic is transmitted or received. This becomes an exercise in probabilities. A monitor mode AP spends all of its cycles scanning channels for rogues and over-the-air attacks. A monitor mode AP can simultaneously be used for Adaptive wIPS, location (context-aware) services, and other monitor mode services. When monitor mode APs are deployed, the benefit is a lower time-to-detection. When monitor mode APs are additionally configured with Adaptive wIPS, a broader range of over-the-air threats and attacks can be detected.
Local Mode APs:
Serves clients with time-slicing off-channel scanning
Listens for 50ms on each channel
Configurable to scan:
Monitor Mode APs:
Listens for 1.2s on each channel
Scans all channels
Rogue Identification
If probe responses or beacons from a rogue device are heard by local, flex-connect or monitor mode APs, this information is communicated via CAPWAP to the Wireless LAN Controller (WLC) for processing. In order to prevent false positives, a number of methods are used to ensure that other managed Cisco-based APs are not identified as rogue devices. These methods include mobility group updates, RF neighbor packets, and allowed-list friendly APs via Prime Infrastructure (PI).
Rogue Records
While the controller's database of rogue devices contains only the current set of detected rogues, the PI also includes an event history and logs rogues that are no longer seen.
Rogue Details
A CAPWAP AP goes off-channel for 50ms in order to listen for rogue clients and to monitor for noise and channel interference. Any detected rogue clients or APs are sent to the controller, which gathers this information:
The rogue AP's MAC address
Name of the AP that detected the rogue
The rogue's connected client(s) MAC address
The Signal-to-Noise Ratio (SNR)
The Received Signal Strength Indicator (RSSI)
Channel of rogue detection
Radio on which the rogue is detected
Rogue SSID (if the rogue SSID is broadcast)
First and last time the rogue is reported
To Export Rogue Events
In order to export rogue events to a third-party Network Management System (NMS) for archival, the WLC permits additional SNMP trap receivers to be added. When a rogue is detected or cleared by the controller, a trap that contains this information is communicated to all SNMP trap receivers. One caveat with the export of events via SNMP is that if multiple controllers detect the same rogue, duplicate events are seen by the NMS, as correlation is only done at PI.
Rogue Record Timeout
Once a rogue AP has been added to the WLC's records, it remains there until it is no longer seen. After a user-configurable timeout (1200 seconds by default), a rogue in the unclassified category is aged out. Rogues in other states, such as Contained and Friendly, persist so that the appropriate classification is applied to them if they reappear. There is a maximum database size for rogue records that varies across controller platforms:
Rogue Detector AP
A rogue detector AP aims to correlate rogue information heard over the air with ARP information obtained from the wired network. If a MAC address is heard over the air as a rogue AP or client and is also heard on the wired network, the rogue is determined to be on the wired network. If the rogue is detected to be on the wired network, the alarm severity for that rogue AP is raised to critical. It should be noted that a rogue detector AP is not successful at identifying rogue clients behind a device that uses NAT. This approach is used when the rogue AP has some form of authentication, either WEP or WPA. When a form of authentication is configured on the rogue AP, the Lightweight AP cannot associate because it does not know the authentication method and credentials configured on the rogue AP.
Note: Only Wave 1 APs can be configured as Rogue Detectors.
Scalability Considerations
A rogue detector AP can detect up to 500 rogues and 500 rogue clients. If the rogue detector is placed on a trunk with too many rogue devices, these limits might be exceeded, which causes issues. In order to prevent this, keep rogue detector APs at the distribution or access layer of your network.
RLDP
The aim of RLDP is to identify whether a specific rogue AP is connected to the wired infrastructure. This feature essentially uses the closest AP to connect to the rogue device as a wireless client.
After connecting as a client, a packet is sent with the destination address of the WLC to assess whether the AP is connected to the wired network. If the rogue is detected to be on the wired network, the alarm severity for that rogue AP is raised to critical. The RLDP algorithm is:
Identify the closest Unified AP to the rogue using signal strength values.
The AP then connects to the rogue as a WLAN client, attempting three associations before it times out.
If association is successful, the AP then uses DHCP to obtain an IP address.
If an IP address was obtained, the AP (acting as a WLAN client) sends a UDP packet to each of the controller's IP addresses.
If the controller receives even one of the RLDP packets from the client, that rogue is marked as on-wire with a severity of critical.
Note: The RLDP packets are unable to reach the controller if filter rules are in place between the controller's network and the network where the rogue device is located.
Caveats of RLDP
RLDP only works with open rogue APs that broadcast their SSID with authentication and encryption disabled.
RLDP requires that the managed AP acting as a client is able to obtain an IP address via DHCP on the rogue network.
Manual RLDP can be used to attempt an RLDP trace on a rogue multiple times.
During the RLDP process, the AP is unable to serve clients. This negatively impacts performance and connectivity for local mode APs.
RLDP does not attempt to connect to a rogue AP that operates on a 5GHz DFS channel.
Switch Port Tracing
Switch port tracing is a rogue AP mitigation technique. Although switch port tracing is initiated at the PI, it utilizes both CDP and SNMP information to track a rogue down to a specific port in the network. In order for switch port tracing to run, all switches in the network must be added to the PI with SNMP credentials.
Although read-only credentials work to identify the port the rogue is on, read-write credentials allow the PI to also shut the port down, thus containing the threat. At this time, this feature works only with Cisco switches that run IOS with CDP enabled, and CDP must also be enabled on the managed APs. The switch port tracing algorithm is:
The PI finds the closest AP, which detects the rogue AP over the air, and retrieves its CDP neighbors.
The PI then uses SNMP to examine the CAM table within the neighbor switch, looking for a positive match to identify the rogue's location.
A positive match is based on the exact rogue MAC address, +1/-1 the rogue MAC address, any rogue client MAC addresses, or an OUI match based on the vendor information inherent in a MAC address.
If a positive match is not found on the closest switch, the PI continues the search in neighbor switches up to two hops away (by default).
Rogue Classification
By default, all rogues detected by the Cisco UWN are considered Unclassified. As shown in this graphic, rogues can be classified on a number of criteria that include RSSI, SSID, security type, on/off network, and number of clients:
Rogue Classification Rules
Rogue classification rules allow you to define a set of conditions that mark a rogue as either malicious or friendly. These rules are configured at the PI or the WLC, but they are always evaluated on the controller as new rogues are discovered.
HA Facts
If you manually move any rogue device to the contained state (any class) or the friendly state, this information is stored in the standby Cisco WLC flash memory; however, the database is not updated. When an HA switchover occurs, the rogue list from the previously standby Cisco WLC flash memory is loaded.
In a High Availability scenario, if the rogue detection security level is set to either High or Critical, the rogue timer on the standby controller starts only after the rogue detection pending stabilization time, which is 300 seconds. Therefore, the active configurations on the standby controller are reflected only after 300 seconds.
Flex-Connect Facts
A FlexConnect AP (with rogue detection enabled) in connected mode takes the containment list from the controller. If auto-contain SSID and auto-contain ad-hoc are set in the controller, these configurations are pushed to all FlexConnect APs in connected mode and the AP stores them in its memory. When the FlexConnect AP moves to standalone mode, the following tasks are performed:
The containment set by the controller continues.
If the FlexConnect AP detects any rogue AP that has the same SSID as the infra SSID (the SSID configured in the controller that the FlexConnect AP is connected to), containment starts if auto-contain SSID was enabled from the controller before it moved to standalone mode.
If the FlexConnect AP detects any ad-hoc rogue, containment starts if auto-contain ad-hoc was enabled from the controller when it was in connected mode.
When the standalone FlexConnect AP moves back to connected mode, the following tasks are performed:
All containment is cleared.
Containment initiated from the controller takes over.
Rogue Mitigation
Rogue Containment
Containment is a method that uses over-the-air packets to temporarily interrupt service on a rogue device until it can physically be removed. Containment works by spoofing de-authentication packets with the spoofed source address of the rogue AP so that any associated clients are kicked off.
Rogue Containment Details
A containment initiated on a rogue AP with no clients only uses de-authentication frames sent to the broadcast address:
A containment initiated on a rogue AP with client(s) uses de-authentication frames sent to the broadcast address and to the client(s) address:
Containment packets are sent at the power level of the managed AP and at the lowest enabled data rate. Containment sends a minimum of 2 packets every 100ms:
Note: A containment performed by non-monitor mode APs is sent at an interval of 500ms instead of the 100ms interval used by monitor mode APs.
An individual rogue device can be contained by 1 to 4 managed APs, which work in conjunction to mitigate the threat temporarily. Containment can be performed by local mode, monitor mode and flex-connect (connected) mode APs. For local mode or flex-connect APs, a maximum of three rogue devices per radio can be contained. For monitor mode APs, a maximum of six rogue devices per radio can be contained.
Auto-Containment
In addition to manually initiating containment on a rogue device via PI or the WLC GUI, there is also the ability to automatically launch containment under certain scenarios. This configuration is found under General in the Rogue Policies section of the PI or controller interface. Each of these features is disabled by default and should only be enabled to nullify the threats that might cause the most damage.
Rogue Containment Caveats
Because containment uses a portion of the managed AP's radio time to send the de-authentication frames, performance for both data and voice clients is negatively impacted by up to 20%. For data clients, the impact is reduced throughput. For voice clients, containment can cause interruptions in conversations and reduced voice quality. Containment can have legal implications when launched against neighbor networks. Ensure that the rogue device is within your network and poses a security risk before you launch containment.
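The Rogue Details, Rogue Record Timeout and Rogue Classification Rules sections above describe a record per rogue, rules that move it to Friendly or Malicious, and an ageing policy that only expires Unclassified entries. The following is an added example of that bookkeeping, not code from the Cisco document: reports from several APs and controllers are merged into one record per rogue BSSID (the correlation the text says is done at PI), rules on the criteria the text names (friendly list, on/off wire, SSID, RSSI, client count) set the state, and a 1200s timeout ages out Unclassified records while manual states persist. The record fields, rule thresholds and sample reports are constructed for this example.

```python
# Added example (not Cisco's code): a minimal rogue record store with merging,
# rule-based classification and record ageing. Rule thresholds (for example
# -70 dBm) and all sample data are constructed for the example.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

DEFAULT_TIMEOUT_S = 1200  # default unclassified rogue timeout stated in the text

@dataclass
class Detection:
    """One CAPWAP rogue report with the fields the controller gathers."""
    rogue_mac: str
    detecting_ap: str
    controller: str
    client_macs: Set[str]
    snr: int
    rssi: int            # dBm
    channel: int
    radio: str           # "2.4GHz" or "5GHz"
    ssid: Optional[str]  # None when the rogue does not broadcast its SSID
    seen_at: float       # epoch seconds

@dataclass
class RogueRecord:
    rogue_mac: str
    state: str = "Unclassified"  # Unclassified / Friendly / Malicious / Contained
    manual: bool = False         # state set by an operator; rules never override it
    detectors: Set[str] = field(default_factory=set)
    controllers: Set[str] = field(default_factory=set)
    client_macs: Set[str] = field(default_factory=set)
    best_rssi: int = -127
    ssid: Optional[str] = None
    on_wire: bool = False
    first_seen: float = 0.0
    last_seen: float = 0.0

Rule = Tuple[str, Callable[[RogueRecord], bool]]  # (target state, condition)

def default_rules(our_ssids: Set[str], friendly_macs: Set[str]) -> List[Rule]:
    """Rules on the criteria the text names; first matching rule wins."""
    return [
        ("Friendly", lambda r: r.rogue_mac in friendly_macs),
        ("Malicious", lambda r: r.on_wire),
        ("Malicious", lambda r: r.ssid in our_ssids),  # honeypot using our SSID
        ("Malicious", lambda r: r.best_rssi >= -70 and len(r.client_macs) > 0),
    ]

class RogueStore:
    def __init__(self, rules: List[Rule], timeout_s: int = DEFAULT_TIMEOUT_S):
        self.rules, self.timeout_s = rules, timeout_s
        self.records: Dict[str, RogueRecord] = {}

    def ingest(self, d: Detection) -> RogueRecord:
        """Merge a report into the record for its BSSID, so one rogue seen by
        several APs or controllers yields one record, not duplicate events."""
        r = self.records.get(d.rogue_mac)
        if r is None:
            r = RogueRecord(d.rogue_mac, first_seen=d.seen_at, last_seen=d.seen_at)
            self.records[d.rogue_mac] = r
        r.detectors.add(d.detecting_ap)
        r.controllers.add(d.controller)
        r.client_macs |= d.client_macs
        r.best_rssi = max(r.best_rssi, d.rssi)
        r.ssid = r.ssid or d.ssid
        r.first_seen = min(r.first_seen, d.seen_at)
        r.last_seen = max(r.last_seen, d.seen_at)
        self.classify(r)
        return r

    def mark_on_wire(self, mac: str) -> None:
        """Outcome of a rogue detector AP or RLDP finding the rogue on the wire."""
        self.records[mac].on_wire = True
        self.classify(self.records[mac])

    def set_manual_state(self, mac: str, state: str) -> None:
        self.records[mac].state, self.records[mac].manual = state, True

    def classify(self, r: RogueRecord) -> str:
        if not r.manual:
            r.state = next((s for s, cond in self.rules if cond(r)), "Unclassified")
        return r.state

    def age_out(self, now: float) -> List[str]:
        """Drop Unclassified records not seen for timeout_s; other states persist."""
        expired = [m for m, r in self.records.items()
                   if r.state == "Unclassified" and now - r.last_seen > self.timeout_s]
        for m in expired:
            del self.records[m]
        return expired

def demo() -> Tuple[RogueStore, List[str]]:
    """Constructed sample reports; returns the store and the aged-out MACs."""
    store = RogueStore(default_rules({"CORP-WIFI"}, {"00:11:22:33:44:55"}))
    t = 1_700_000_000.0
    reports = [
        # the same rogue heard by two APs on two controllers -> one record
        Detection("aa:bb:cc:00:00:01", "AP-Floor1", "WLC-A", {"de:ad:be:ef:00:01"}, 30, -62, 6, "2.4GHz", "FreeWifi", t),
        Detection("aa:bb:cc:00:00:01", "AP-Floor2", "WLC-B", set(), 20, -75, 6, "2.4GHz", "FreeWifi", t + 5),
        # a rogue advertising our SSID (honeypot), weak and without clients
        Detection("aa:bb:cc:00:00:02", "AP-Floor1", "WLC-A", set(), 10, -88, 11, "2.4GHz", "CORP-WIFI", t),
        # weak, hidden SSID, no clients: stays Unclassified and ages out
        Detection("aa:bb:cc:00:00:03", "AP-Floor1", "WLC-A", set(), 8, -90, 36, "5GHz", None, t),
        # a known neighbour on the friendly list
        Detection("00:11:22:33:44:55", "AP-Floor2", "WLC-B", set(), 25, -65, 1, "2.4GHz", "Cafe", t),
    ]
    for d in reports:
        store.ingest(d)
    expired = store.age_out(now=t + DEFAULT_TIMEOUT_S + 1)
    return store, expired
```

Two design points match the text: a manually set state (Contained, Friendly) is never overridden by rules, which is why ageing leaves those records alone, and on-wire evidence from a rogue detector AP or RLDP is fed in as a separate flag rather than inferred from RSSI.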
Switch Port Shut
Once a switch port is traced using SPT, there is an option to disable that port in PI. The administrator has to do this manually. An option is available to enable the switch port through PI once the rogue is physically removed from the network.
Configure
Configure Rogue Detection
Rogue detection is enabled in the controller by default. In order to configure various options, navigate to Security > Wireless Protection Policies > Rogue Policies > General. As an example:
Step 1. Change the timeout for rogue APs.
Step 2. Enable the detection of ad-hoc rogue networks.
From the CLI:
Configure Channel Scanning for Rogue Detection
For a local/Flex-Connect/Monitor mode AP there is an option under the RRM configuration which allows the user to choose which channels are scanned for rogues. Depending on the configuration, the AP scans all channels, country channels, or DCA channels for rogues. In order to configure this from the GUI, navigate to Wireless > 802.11a/802.11b > RRM > General, as shown in the image.
From the CLI:
Configure Rogue Classification
Manually Classify a Rogue AP
In order to classify a rogue AP as friendly, malicious, or unclassified, navigate to Monitor > Rogue > Unclassified APs, and click the particular rogue AP name. Choose the option from the drop-down list, as shown in the image.
From the CLI:
In order to remove a rogue entry manually from the rogue list, navigate to Monitor > Rogue > Unclassified APs, and click Remove, as shown in the image.
In order to configure a rogue AP as a friendly AP, navigate to Security > Wireless Protection Policies > Rogue Policies > Friendly Rogues and add the rogue MAC address. The added friendly rogue entries can be verified from the Monitor > Rogues > Friendly Rogue page, as shown in the image.
Configure a Rogue Detector AP
In order to configure the AP as a rogue detector through the GUI, navigate to Wireless > All APs. Choose the AP name and change the AP mode as shown in the image.
From the CLI:
Configure Switchport for a Rogue Detector AP
Note: The native VLAN in this configuration is one that has IP connectivity to the WLC.
Configure RLDP
In order to configure RLDP in the controller's GUI, navigate to Security > Wireless Protection Policies > Rogue Policies > General.
Monitor Mode APs: Allows only APs in monitor mode to participate in RLDP.
All APs: Local/Flex-Connect/Monitor mode APs participate in the RLDP process.
Disabled: RLDP is not triggered automatically. However, the user can trigger RLDP manually for a particular MAC address through the CLI.
From the CLI:
The RLDP schedule and manual trigger are configurable only through the command prompt.
To initiate RLDP manually:
To schedule RLDP:
RLDP retries can be configured with the command:
Configure Rogue Mitigation
Configure Manual Containment
In order to contain a rogue AP manually, navigate to Monitor > Rogues > Unclassified, as shown in the image.
From the CLI:
Note: A particular rogue can be contained with 1-4 APs. By default, the controller uses one AP to contain a client. If two APs are able to detect a particular rogue, the AP with the highest RSSI contains the client regardless of the AP mode.
Auto Containment
To configure auto containment, go to Security > Wireless Protection Policies > Rogue Policies > General, and enable all applicable options for your network. If you want the Cisco WLC to automatically contain certain rogue devices, check the check boxes below. Otherwise, leave the check boxes unselected, which is the default.
Warning: When you enable any of these parameters, this message appears: “Using this feature may have legal consequences. Do you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, the containment of devices on another party's network could have legal consequences.
These are the Auto Contain Parameters:
Auto Containment Level: Drop-down list from which you choose the rogue auto containment level from 1 to 4. You can choose up to four APs for auto containment when a rogue is moved to a contained state through any of the auto containment policies. You can also choose Auto for automatic selection of the number of APs used for auto containment. The Cisco WLC chooses the required number of APs based on the RSSI for effective containment. The RSSI value associated with each containment level is as follows:
4: Less than -85 dBm
Auto Containment only for Monitor mode APs: Check box that you select to enable monitor mode APs for auto containment. The default is disabled.
Auto Containment on FlexConnect Standalone: Check box that you select to enable auto containment on FlexConnect APs in standalone mode. The default is disabled. When the FlexConnect APs are in standalone mode, you can enable only the Using our SSID or AdHoc Rogue AP auto containment policies. The containment stops after the standalone AP connects back to the Cisco WLC.
Check box that you enable to automatically contain the rogues that are detected on the wired network. The default is disabled.
Check box that you enable to automatically contain those rogues that advertise your network's SSID. If you leave this parameter unselected, the Cisco WLC only generates an alarm when such a rogue is detected. The default is disabled.
Valid client on Rogue AP: Check box that you enable to automatically contain a rogue access point to which trusted clients are associated. If you leave this parameter unselected, the Cisco WLC only generates an alarm when such a rogue is detected. The default is disabled.
Check box that you enable to automatically contain ad-hoc networks that are detected by the Cisco WLC. If you leave this parameter unselected, the Cisco WLC only generates an alarm when such a network is detected. The default is disabled.
Click Apply to send the data to the Cisco WLC, but the data is not preserved across a power cycle; these parameters are stored temporarily in volatile RAM.
From the CLI:
With Prime Infrastructure
Cisco Prime Infrastructure can be used to configure and monitor one or more controllers and associated APs. Cisco PI has tools to facilitate large-system monitoring and control. When you use Cisco PI in your Cisco wireless solution, controllers periodically determine the client, rogue access point, rogue access point client, and radio frequency ID (RFID) tag locations and store the locations in the Cisco PI database. Cisco Prime Infrastructure supports rule-based classification and uses the classification rules configured on the controller. The controller sends traps to Cisco Prime Infrastructure after these events:
If an unknown access point moves to the Friendly state for the first time, the controller sends a trap to Cisco Prime Infrastructure only if the rogue state is Alert. It does not send a trap if the rogue state is Internal or External.
If a rogue entry is removed after the timeout expires, the controller sends a trap to Cisco Prime Infrastructure for rogue access points that are categorized as Malicious (Alert, Threat) or Unclassified (Alert). The controller does not remove rogue entries with these rogue states: Contained, Contained Pending, Internal, and External.
Verify
In order to find rogue details in the controller's graphical interface, navigate to Monitor > Rogues, as shown in the image. On this page, different classifications for rogues are available:
Friendly APs: APs which are marked as friendly by the administrator.
Malicious APs: APs which are identified as malicious via RLDP or a rogue detector AP.
Unclassified APs: By default, rogue APs are shown in the unclassified list in the controller.
Rogue Clients: Clients connected to rogue APs.
Adhoc Rogues: Ad-hoc rogue clients.
Rogue AP ignore list: As listed through PI.
Note: If a WLC and an autonomous AP are managed by the same PI, the WLC automatically lists this autonomous AP in the Rogue AP ignore list. No additional configuration is required in the WLC to enable this feature.
Click a particular rogue entry in order to get the details of that rogue. Here is an example of a rogue detected on the wired network:
From the CLI:
Troubleshoot
If the Rogue Is Not Detected
Verify that rogue detection is enabled on the AP. On the GUI:
Rogue detection can be enabled on an AP with this command:
A local mode AP scans only country channels/DCA channels, depending on the configuration. If the rogue is on any other channel, the controller is not able to identify the rogue if you do not have monitor mode APs in the network. Issue this command in order to verify:
The rogue AP may not broadcast its SSID.
Ensure the rogue AP's MAC address is not added to the friendly rogue list or allow-listed through PI.
Beacons from the rogue AP may not reach the AP that detects rogues. This can be verified by capturing packets with a sniffer close to the rogue-detector AP.
A local mode AP may take up to 9 minutes to detect a rogue (3 cycles, 180×3).
Cisco APs are not able to detect rogues on frequencies like the public safety channel (4.9 GHz).
Cisco APs are not able to detect rogues that use FHSS (Frequency Hopping Spread Spectrum).
Useful Debugs
Expected Trap Logs
Once a rogue is detected/removed from the rogue list:
Recommendations
Configure the channel scan to all channels if you suspect potential rogues in your network.
The number and location of rogue detector APs can vary from one per floor to one per building and depends on the layout of the wired network. It is advisable to have at least one rogue detector AP on each floor of a building. Because a rogue detector AP requires a trunk to all layer 2 network broadcast domains that should be monitored, placement depends on the logical layout of the network.
If the Rogue Is Not Classified
Verify the rogue rules are configured properly.
Useful Debugs
Recommendations
If you have known rogue entries, add them to the friendly list or enable validation with AAA and ensure known client entries are in the Authentication, Authorization and Accounting (AAA) database.
RLDP Does Not Locate Rogues
Useful Debugs
Recommendations
Initiate RLDP manually on suspicious rogue entries.
Schedule RLDP periodically.
Rogue Detector AP
A rogue entry in a rogue detector can be seen with this command in the AP console. For wired rogues, the flag moves to set status.
Useful Debug Commands in an AP Console
Rogue Containment
Expected Debugs
Recommendations
The local/Flex-Connect mode AP can contain 3 devices at a time per radio, and the monitor mode AP can contain 6 devices per radio. As a result, ensure the AP is not already containing the maximum number of devices permitted. In this scenario, the client is in a containment pending state.
Verify auto containment rules.
Conclusion
Rogue detection and containment within the Cisco centralized controller solution is the most effective and least intrusive method in the industry. The flexibility provided to the network administrator allows for a more customized fit that can accommodate any network requirements.
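The Switch Port Tracing section earlier in this document lists the match types PI applies to a switch CAM table (exact rogue MAC, rogue MAC +1/-1, any rogue client MAC, OUI match) and the two-hop neighbour walk; the Rogue Detector AP section relies on the exact-MAC case against the wired ARP table. The following is an added example of that matching, not Cisco PI's code, run over constructed CAM tables and a constructed CDP topology. All switch names, ports and MAC addresses are made up for the example.

```python
# Added example (not Cisco PI's code): switch port tracing match logic over
# constructed CAM tables. Ranks follow the order the text lists: exact MAC,
# MAC +/-1, rogue client MAC, OUI. Search walks CDP neighbours up to two hops.
from typing import Dict, List, Optional, Set, Tuple

CamTable = Dict[str, str]        # MAC address -> switch port
Topology = Dict[str, List[str]]  # switch -> CDP neighbour switches


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def int_to_mac(value: int) -> str:
    value &= (1 << 48) - 1  # wrap so ff:ff:ff:ff:ff:ff + 1 stays a 48-bit MAC
    return ":".join(f"{(value >> (8 * i)) & 0xff:02x}" for i in reversed(range(6)))


def oui(mac: str) -> str:
    """Vendor prefix (first three octets) of a colon-separated MAC."""
    return mac.lower()[:8]


def match_rank(entry_mac: str, rogue_mac: str, client_macs: Set[str]) -> Optional[Tuple[int, str]]:
    """(rank, reason) for one CAM entry, lower rank = stronger evidence; None if no match."""
    e, r = entry_mac.lower(), rogue_mac.lower()
    if e == r:
        return (0, "exact rogue MAC")
    if mac_to_int(e) in (mac_to_int(r) + 1, mac_to_int(r) - 1):
        return (1, "rogue MAC +/-1")
    if e in {c.lower() for c in client_macs}:
        return (2, "rogue client MAC")
    if oui(e) == oui(r):
        return (3, "OUI match")
    return None


def best_match_on_switch(cam: CamTable, rogue_mac: str, client_macs: Set[str]):
    """Strongest match in one switch's CAM table as (rank, reason, mac, port), or None."""
    best = None
    for mac, port in cam.items():
        m = match_rank(mac, rogue_mac, client_macs)
        if m and (best is None or m[0] < best[0]):
            best = (m[0], m[1], mac, port)
    return best


def trace(topology: Topology, cams: Dict[str, CamTable], start_switch: str,
          rogue_mac: str, client_macs: Set[str], max_hops: int = 2) -> Optional[dict]:
    """Breadth-first from the switch nearest the detecting AP; the first switch
    (by hop count) with any positive match wins, as the text describes."""
    seen, frontier = {start_switch}, [(start_switch, 0)]
    while frontier:
        sw, hops = frontier.pop(0)
        m = best_match_on_switch(cams.get(sw, {}), rogue_mac, client_macs)
        if m:
            return {"switch": sw, "port": m[3], "matched_mac": m[2], "reason": m[1], "hops": hops}
        if hops < max_hops:
            for n in topology.get(sw, []):
                if n not in seen:
                    seen.add(n)
                    frontier.append((n, hops + 1))
    return None


def demo() -> Optional[dict]:
    """Constructed lab: the rogue's wired MAC is its radio MAC + 1, learned on dist-1."""
    topology = {"access-1": ["dist-1"], "dist-1": ["access-1", "access-2"], "access-2": ["dist-1"]}
    cams = {
        "access-1": {"00:50:56:01:02:03": "Gi1/0/1", "3c:5a:b4:10:20:30": "Gi1/0/2"},
        "dist-1":   {"f4:5c:89:aa:bb:11": "Gi1/0/24", "00:50:56:01:02:04": "Gi1/0/3"},
        "access-2": {"de:ad:be:ef:00:01": "Gi1/0/5"},
    }
    return trace(topology, cams, "access-1", "f4:5c:89:aa:bb:10", {"de:ad:be:ef:00:01"})
```

An OUI-only match is the weakest rank and can point at any device from the same vendor, so a port found that way deserves confirmation (for example, a later exact or +/-1 match) before the Switch Port Shut option in PI is used on it.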