Guest

Cisco 4400 Series Wireless LAN Controllers

Rogue Management in a Unified Wireless Network

Cisco - Rogue Management in a Unified Wireless Network

Introduction

Wireless networks extend wired networks and increase worker productivity and access to information. However, an unauthorized wireless network presents an additional layer of security concern. Less thought is put into port security on wired networks, and wireless networks are an easy extension to wired networks. Therefore, an employee who brings his or her own Access Point (Cisco or Non Cisco) into a well-secured wireless or wired infrastructure and allows unauthorized users access to this otherwise secured network, can easily compromise a secure network.

Rogue detection allows the network administrator to monitor and eliminate this security concern. Cisco Unified Network Architecture provides methods for rogue detection that enable a complete rogue identification and containment solution without the need for expensive and hard-to-justify overlay networks and tools.

Prerequisites

Requirements

This document assumes you are familiar with basic controller configurations.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document is based on these software and hardware versions:

  • Cisco Unified Controllers (2100, 5500, 4400,WiSM, and NM-WLC Series) running version 7.0

  • Control and Provisioning of Wireless Access Point Protocol (CAPWAP)-based LAPs - 1130AG, 1140, 3500, 1200, 1230AG, 1240AG, 1250, and 1260 Series LAPs

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Rogue Overview

Any device that shares your spectrum and is not managed by you can be considered a rogue. A rogue becomes dangerous in these scenarios:

  • When setup to use the same SSID as your network (honeypot).

  • When it is detected on the wired network also.

  • Ad-hoc rogues are also a big threat.

  • Setup by an outsider, most times, with malicious intent.

There are three main phases of rogue device management in the Cisco Unified Wireless Network (UWN) solution:

  • Detection – Radio Resource Management (RRM) scanning is used to detect the presence of rogue devices.

  • Classification – Rogue Location Discovery Protocol (RLDP), Rogue Detectors and switch port tracing are used to identify if the rogue device is connected to the wired network. Rogue classification rules also assist in filtering rogues into specific categories based on their characteristics.

  • Mitigation – Switch port shutting, rogue location, and rogue containment are used in tracking down its physical location and to nullify the threat of the rogue device.

handling-rogue-cuwn-01.gif

Rogue Management Theory of Operation

Rogue Detection

A rogue is essentially any device that is sharing your spectrum, but is not in your control. This includes rogue Access Points (APs), wireless router, rogue clients, and rogue ad-hoc networks. The Cisco UWN uses a number of methods to detect Wi-Fi-based rogue devices including off-channel scanning and dedicated monitor mode capabilities. Cisco Spectrum Expert can also be used to identify rogue devices not based on the 802.11 protocol, such as Bluetooth bridges.

Off-Channel Scanning

This operation is performed by Local mode and H−REAP (in connected mode) APs and utilizes a time-slicing technique which allows client service and channel scanning using the same radio. By going off channel for a period of 50ms every 16 seconds, the AP, by default, only spends a small percentage of its time not serving clients. Also, note there is a 10ms channel change interval that will occur. In the default scan interval of 180 seconds, each 2.4Ghz FCC channel (1−11) is scanned at least once. For other regulatory domains, such as ETSI, the AP will be off channel for a slightly higher percentage of time. Both the list of channels and scan interval can be adjusted in the RRM configuration. This limits the performance impact to a maximum of 1.5% and intelligence is built into the algorithm to suspend scanning when high-priority QoS frames, such as voice, need to be delivered.

handling-rogue-cuwn-03.gif

This graphic is a depiction of the off-channel scanning algorithm for a local mode AP in the 2.4GHz frequency band. A similar operation is being performed in parallel on the 5GHz radio if the AP has one present. Each red square represents the time spent on the APs home channel, whereas each blue square represents time spent on adjacent channels for scanning purposes.

Monitor Mode Scanning

This operation is performed by Monitor Mode and Adaptive wIPS monitor mode APs which utilizes 100% of the radio's time for scanning all channels in each respective frequency band. This allows a greater speed of detection and enables more time to be spent on each individual channel. Monitor mode APs are also far superior at detecting rogue clients as they have a more comprehensive view of the activity occurring in each channel.

handling-rogue-cuwn-04.gif

This graphic is a depiction of the off-channel scanning algorithm for a monitor mode AP in the 2.4GHz frequency band. A similar operation is being performed in parallel on the 5GHz radio if the AP has one present.

Local Mode and Monitor Mode Comparison

A local mode AP splits its cycles between serving WLAN clients and scanning channels for threats. As a result, it takes a local mode AP longer to cycle through all the channels, and it spends less time collecting data on any particular channel so that client operations are not disrupted. Consequently, rogue and attack detection times are longer (3 to 60 minutes) and a smaller range of over-the-air attacks can be detected than with a monitor mode AP. Furthermore, detection for bursty traffic, such as rogue clients, is much less deterministic because the AP has to be on the channel of the traffic at the same time the traffic is being transmitted or received. This becomes an exercise in probabilities. A monitor mode AP spends all of its cycles scanning channels looking for rogues and over-the-air attacks. A monitor mode AP can simultaneously be used for Adaptive wIPS, location (context-aware) services, and other monitor mode services. When monitor mode APs are deployed, the benefits are lower time-to-detection. When monitor mode APs are additionally configured with Adaptive wIPS, a broader range of over-the-air threats and attacks can be detected.

handling-rogue-cuwn-05.gif

Rogue Identification

If probe response or beacons from a rogue device are heard by either local mode, H-REAP mode, or monitor mode APs, then this information is communicated via CAPWAP to the Wireless LAN controller (WLC) for processing. In order to prevent false positives, a number of methods are used to ensure other managed Cisco-based APs are not identified as a rogue device. These methods include mobility group updates, RF neighbor packets, and white listing autonomous APs via Wireless Control System (WCS).

Rogue Records

While the controller’s database of rogue devices contains only the current set of detected rogues, the WCS also includes an event history and logs rogues that are no longer seen.

Rogue Details

A CAPWAP AP goes off-channel for 50ms in order to listen for rogue clients, monitor for noise, and channel interference. Any detected rogue clients or APs are sent to the controller, which gathers this information:

  • The rogue AP's MAC address

  • Name of the AP detected rogue

  • The rogue connected client(s) MAC address

  • Whether the frames are protected with WPA or WEP

  • The preamble

  • The Signal-to-Noise Ratio (SNR)

  • The Receiver Signal Strength Indicator (RSSI)

  • Channel of Rogue detection

  • Radio in which rogue is detected

  • Rogue SSID (if the rogue SSID is broadcasted)

  • Rogue IP address

  • First and last time the rogue is reported

  • Channel width

Exporting Rogue Events

In order to export rogue events to a third-party Network Management System (NMS) for archival, the WLC permits additional SNMP trap receivers to be added. When a rogue is detected or cleared by the controller, a trap containing this information is communicated to all SNMP trap receivers. One caveat with exporting events via SNMP is that if multiple controllers detect the same rogue, duplicate events are seen by the NMS as correlation is only done at WCS.

Rogue Record Timeout

Once a rogue AP has been added to the WLC's records, it will remain there until it is no longer seen. After a user configurable timeout (1200 seconds default), a rogue in the _unclassified_ category is aged out. Rogues in other states such as _Contained_ and _Friendly_ will persist so that the appropriate classification is applied to them if they reappear.

There is a maximum database size for rogue records that is variable across controller platforms:

  • 21XX and WLCM - 125 rogues

  • 44XX - 625 rogues

  • WiSM - 1250 rogues

  • 5508 - 2000 rogues

Rogue Classification

By default, all rogues that are detected by the Cisco UWN are considered Unclassified. As depicted in this graphic, rogues can be classified on a number of criteria including RSSI, SSID, Security type, on/off network, and number of clients:

handling-rogue-cuwn-06.gif

Rogue Detector AP

A rogue detector AP aims to correlate rogue information heard over the air with ARP information obtained from the wired network. If a MAC address is heard over the air as a rogue AP or client and is also heard on the wired network, then the rogue is determined to be on the wired network. If the rogue is detected to be on the wired network, then the alarm severity for that rogue AP is raised to _critical_. It should be noted that a rogue detector AP is not successful at identifying rogue clients behind a device using NAT.

handling-rogue-cuwn-07.gif

Scalability Considerations

A rogue detector AP can detect up to 500 rogues and 500 rogue clients. If the rogue detector is placed on a trunk with too many rogue devices, then these limits might be exceeded, which causes issues. In order to prevent this from occurring, keep rogue detector APs at the distribution or access layer of your network.

RLDP

The aim of RLDP is to identify if a specific rogue AP is connected to the wired infrastructure. This feature essentially uses the closest Unified AP to connect to the rogue device as a wireless client. After connecting as a client, a packet is sent with the destination address of the WLC to assess if the AP is connected to the wired network. If the rogue is detected to be on the wired network, then the alarm severity for that rogue AP is raised to critical.

handling-rogue-cuwn-08.gif

The algorithm of RLDP is listed here:

  1. Identify the closest Unified AP to the rogue using signal strength values.

  2. The AP then connects to the rogue as a WLAN client, attempting three associations before timing out.

  3. If association is successful, the AP then uses DHCP to obtain an IP address.

  4. If an IP address was obtained, the AP (acting as a WLAN client) sends a UDP packet to each of the controller's IP addresses.

  5. If the controller receives even one of the RLDP packets from the client, that rogue is marked as on-wire with a severity of critical.

Note: The RLDP packets are unable to reach the controller if filtering rules are in place between the controller's network and the network where the rogue device is located.

Caveats of RLDP

  • RLDP only works with open rogue APs broadcasting their SSID with authentication and encryption disabled.

  • RLDP requires that the Managed AP acting as a client is able to obtain an IP address via DHCP on the rogue network

  • Manual RLDP can be used to attempt and RLDP trace on a rogue multiple times.

  • During the RLDP process, the AP is unable to serve clients. This will negatively impact performance and connectivity for local mode APs.

  • RLDP does not attempt to connect to a rogue AP operating in a 5GHz DFS channel.

Switch Port Tracing

Switch port tracing is a rogue AP mitigation technique first implemented in the 5.1 release. Although switch port tracing is initiated at the WCS, it utilizes both CDP and SNMP information to track a rogue down to a specific port in the network. In order for switch port tracing to run, all switches in the network must be added to the WCS with SNMP credentials. Although read-only credentials work for identifying the port the rogue is on, read-write credentials allow the WCS to also shut the port down, thus containing the threat. At this time, this feature works only with Cisco switches that run IOS with CDP enabled, and CDP must also be enabled on the Managed APs.

handling-rogue-cuwn-09.gif

The algorithm for switch port tracing is listed here:

  • The WCS finds the closest AP, which detects the rogue AP over-the-air, and retrieves its CDP neighbors.

  • The WCS then uses SNMP to examine the CAM table within the neighboring switch, looking for a positive match to identify the rogues location.

  • A positive match is based on the exact rogue MAC address, +1/−1 the rogue MAC address, any rogue client MAC addresses, or an OUI match based on the vendor information inherent in a MAC address.

  • If a positive match is not found on the closest switch, the WCS continues searching neighboring switches up to two hops away (by default).

handling-rogue-cuwn-10.gif

Rogue Classification Rules

Rogue classification rules, introduced in the 5.0 release, allow you to define a set of conditions that mark a rogue as either malicious or friendly. These rules are configured at the WCS or the WLC, but they are always performed on the controller as new rogues are discovered.

Read the document Rule Based Rogue Classification in Wireless LAN Controllers (WLC) and Wireless Control System (WCS) for more information on rogue rules in the WLCs.

Rogue Mitigation

Rogue Containment

Containment is a method of using over-the-air packets to temporarily interrupt service on a rogue device until it can physically be removed. Containment works by spoofing de-authentication packets with the spoofed source address of the rogue AP so that any clients associated are kicked off.

handling-rogue-cuwn-11.gif

Rogue Containment Details

A containment initiated on a rogue AP with no clients will only use de-authentication frames sent to the broadcast address:

handling-rogue-cuwn-12.gif

A containment initiated on a rogue AP with client(s) will use de-authentication frames sent to the broadcast address and to the client(s) address:

handling-rogue-cuwn-13.gif

Containment packets are sent at the power level of the managed AP and at the lowest enabled data rate.

Containment sends a minimum of 2 packets every 100ms:

handling-rogue-cuwn-14.gif

Note: From 6.0 release, a containment performed by non-monitor mode APs is sent at an interval of 500ms instead of the 100ms interval used by monitor mode APs.

  • An individual rogue device can be contained by 1 to 4 managed APs which work in conjunction to mitigate the threat temporarily.

  • Containment can be performed using local mode, monitor mode and H-REAP (Connected) mode APs. For local mode of H-REAP APs, a maximum of three rogue devices per radio can be contained. For monitor mode APs, a maximum of six rogue devices per radio can be contained.

Auto-Containment

In addition to manually initiating containment on a rogue device via WCS or the WLC GUI, there is also the ability to automatically launch containment under certain scenarios. This configuration is found under General in the Rogue Policies section of the WCS or controller interface. Each of these features is disabled by default and should only be enabled to nullify the most damaging threats.

  • Rogue on Wire - If a rogue device is identified to be attached to the wired network, then it is automatically placed under containment.

  • Using our SSID - If a rogue device is using an SSID which is the same as that configured on the controller, it is automatically contained. This feature aims to address a honey-pot attack before it causes damage.

  • Valid client on Rogue AP - If a client listed in ACS is found to be associated with a rogue device, containment is launched against that client only, preventing it from associating to any non-managed AP.

  • AdHoc Rogue AP - If an ad-hoc network is discovered, it is automatically contained.

Rogue Containment Caveats

  • Because containment uses a portion of the managed AP's radio time to send the de-authentication frames, the performance to both data and voice clients is negatively impacted by up to 20%. For data clients, the impact is reduced throughput. For voice clients, containment can cause interruptions in conversations and reduced voice quality.

  • Containment can have legal implications when launched against neighboring networks. Ensure that the rogue device is within your network and poses a security risk before you launch the containment.

Switch Port Shutting

Once a switch port is traced using SPT, there is an option to disable that port in WCS. Administrator has to do this exercise manually. An option is available to enable the switch port through WCS if rogue is physically removed from the network.

Configure Rogue Management

Configure Rogue Detection

Rogue detection is enabled in the controller by default.

To find rogue details in a controller using the graphical interface, go to Monitor > Rogues.

handling-rogue-cuwn-15.gif

In this page, different classification for rogues are available:

  • Friendly APs – Aps which are marked as friendly by administrator.

  • Malicious APs – Aps which are identified as malicious using RLDP or Rogue detector AP.

  • Unclassified APs – By default rogue APs will be shown as unclassified list in controller.

  • Rogue Clients – Clients connected to Rogue APs.

  • Adhoc Rogues – Adhoc rogue clients.

  • Rogue AP ignore list – Aps listed through WCS.

Note: If WLC and autonomous AP is managed by the same WCS, WLC will be automatically listing this autonomous AP in Rogue AP ignore list. There is no additional configuration required in WLC to enable this feature.

From the CLI:

(Cisco Controller) >show rogue ap summary

Rogue on wire Auto-Contain....................... Disabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200

MAC Address        Classification     # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------
00:14:1b:5b:1f:90  Unclassified       1     0         Thu Jun 10 19:04:51 2010
00:14:1b:5b:1f:91  Unclassified       1     0         Thu Jun 10 18:58:51 2010
00:14:1b:5b:1f:92  Unclassified       1     0         Thu Jun 10 18:49:50 2010
00:14:1b:5b:1f:93  Unclassified       1     0         Thu Jun 10 18:55:51 2010
00:14:1b:5b:1f:96  Unclassified       1     0         Thu Jun 10 18:58:51 2010
00:17:df:a9:08:00  Unclassified       1     0         Thu Jun 10 18:49:50 2010
00:17:df:a9:08:10  Unclassified       1     0         Thu Jun 10 18:55:51 2010
00:17:df:a9:08:11  Unclassified       1     0         Thu Jun 10 19:04:51 2010
00:17:df:a9:08:12  Unclassified       1     0         Thu Jun 10 18:49:50 2010
00:17:df:a9:08:16  Unclassified       1     0         Thu Jun 10 19:04:51 2010



Click a particular rogue entry in order to get the details of that rogue.

handling-rogue-cuwn-16.gif

From the CLI:

(Cisco Controller) >show rogue ap detailed 00:14:1b:5b:1f:90

Rogue BSSID...................................... 00:14:1b:5b:1f:90
Is Rogue on Wired Network........................ No
Classification................................... Unclassified
Manual Contained................................. No
State............................................ Alert
First Time Rogue was Reported.................... Thu Jun 10 18:37:50 2010
Last Time Rogue was Reported..................... Thu Jun 10 19:04:51 2010
Reported By
    AP 1
        MAC Address.............................. 00:24:97:8a:09:30
        Name..................................... AP_5500
        Radio Type............................... 802.11g
        SSID..................................... doob
        Channel.................................. 6
        RSSI..................................... -51 dBm
        SNR...................................... 27 dB
        Encryption............................... Disabled
        ShortPreamble............................ Enabled
        WPA Support.............................. Disabled
        Last reported by this AP................. Thu Jun 10 19:04:51 2010

Configure Channel Scanning for Rogue Detection

For a local/Hreap mode/Monitor mode AP there is an option under RRM configuration which allows the user to choose which channel is scanned for rogues. Depending on the config, the AP scans all channel/country channel/DCA channel for rogues.

To configure this from the GUI, go to Wireless > 802.11a/802.11b > RRM > General.

handling-rogue-cuwn-17.gif

From the CLI:

(Cisco Controller) >config  advanced 802.11a monitor channel-list ?

all            Monitor all channels
country        Monitor channels used in configured country code
dca            Monitor channels used by automatic channel assignment

To configure these options, go to Security > Wireless Protection Policies > Rogue Policies > General.

  1. Change the timeout for rogue APs.

  2. Enable the detection of ad-hoc rogue networks.

handling-rogue-cuwn-18.gif

From the CLI:

(Cisco Controller) >config rogue ap timeout ?

<seconds>      The number of seconds<240 - 3600> before rogue entries are flushed

(Cisco Controller) >config rogue adhoc enable/disable

Configure Rogue Classification

Manually Classify a Rogue AP

To classify a rogue AP as friendly, malicious, or unclassified, go to Monitor > Rogue > Unclassified APs, and click the particular rogue AP name. Choose the option from the drop-down list.

handling-rogue-cuwn-19.gif

From the CLI:

(Cisco Controller) >config rogue ap ?

classify       Configures rogue access points classification.
friendly       Configures friendly AP devices.
rldp           Configures Rogue Location Discovery Protocol.
ssid           Configures policy for rogue APs advertsing our SSID.
timeout        Configures the expiration time for rogue entries, in seconds.
valid-client   Configures policy for valid clients using rogue APs.

To remove a rogue entry manually from the rogue list, go to Monitor > Rogue > Unclassified APs, and click Remove.

handling-rogue-cuwn-20.gif

To configure a Rogue AP as a friendly AP, go to Security > Wireless Protection Policies > Rogue Policies > Friendly Rogues and add the rogue MAC address.

The added friendly rogue entries can be verified from Monitor > Rogues > Friendly Rogue page.

handling-rogue-cuwn-21.gif

handling-rogue-cuwn-22.gif

Configure a Rogue Detector AP

To configure the AP as a rogue detector using the GUI, go to Wireless > All APs. Choose the AP name and change the AP mode.

handling-rogue-cuwn-23.gif

From the CLI:

(Cisco Controller) >config ap mode rogue AP_Managed

Changing the AP's mode will cause the AP to reboot.
Are you sure you want to continue? (y/n) y

Configure Switchport for a Rogue Detector AP


interface GigabitEthernet1/0/5
description Rogue Detector
switchport trunk encapsulation dot1q
switchport trunk native vlan 113
switchport mode trunk
spanning−tree portfast trunk

Note: The native VLAN in this configuration is one that has IP connectivity to the WLC.

Configure RLDP

To configure RLDP in the controller's GUI, go to Security > Wireless Protection Policies > Rogue Policies > General.

handling-rogue-cuwn-24.gif

Monitor Mode APs – Allows only APs in monitor mode to participate in RLDP.

All APs – Local/Hreap/Monitor mode APs participate in the RLDP process.

Disabled – RLDP is not triggered automatically. However, the user can trigger RLDP manually for a particular MAC address through the CLI.

Note: Monitor mode AP will get preference over local/Hreap AP for performing RLDP if both of them are detecting a particular rogue above -85dbm RSSI.

From the CLI:

(Cisco Controller) >config rogue ap rldp enable ?

alarm-only     Enables RLDP and alarm if rogue is detected
auto-contain   Enables RLDP, alarm and auto-contain if rogue is detected.

(Cisco Controller) >config rogue ap rldp enable alarm-only ?

monitor-ap-only Perform RLDP only on monitor AP

RLDP scheduling and triggering manually is configurable only through Command 
    prompt

To Initiate RLDP manually:

(Cisco Controller) >config rogue ap rldp initiate ?

<MAC addr>     Enter the MAC address of the rogue AP (e.g. 01:01:01:01:01:01).
For Scheduling RLDP

Note: RLDP scheduling and option to configure RLDP retries are two options 
    introduced in 7.0 through CLI

RLDP Scheduling :

(Cisco Controller) >config rogue ap rldp schedule ?

add            Enter the days when RLDP scheduling to be done.
delete         Enter the days when RLDP scheduling needs to be deleted.
enable         Configure to enable RLDP scheduling.
disable        Configure to disable RLDP scheduling.


(Cisco Controller) >config rogue ap rldp schedule add ?

mon            Configure Monday for RLDP scheduling.
tue            Configure Tuesday for RLDP scheduling.
wed            Configure Wednesday for RLDP scheduling.
thu            Configure Thursday for RLDP scheduling.
fri            Configure Friday for RLDP scheduling.
sat            Configure Saturday for RLDP scheduling.
sun            Configure Sunday for RLDP scheduling.



RLDP retries can be configured using the command 

(Cisco Controller) >config rogue ap rldp retries ?

<count>        Enter the no.of times(1 - 5) RLDP to be tried per Rogue AP.

To configure AAA validation for rogue clients, go to Security > Wireless Protection Policies > Rogue Policies > General.

Enabling this option makes sure the rogue client/AP address is verified with the AAA server before classifying it as malicious.

handling-rogue-cuwn-25.gif

From the CLI:

(Cisco Controller) >config rogue client aaa ?

disable        Disables use of AAA/local database to detect valid mac addresses.
enable         Enables use of AAA/local database to detect valid mac addresses.

To validate a particular rogue client is a wired rogue, there is an option to check the reachability of that particular rogue from the controller (if the controller is able to detect the rogue client IP address). This option can be accessed in the rogue client's detail page and is available only through the graphical interface.

handling-rogue-cuwn-26.gif

To configure switch port tracing, refer to the document Rogue Management White Paper (registered customers only) .

Configure Rogue Mitigation

Configure Manual Containment:

In order to contain a rogue AP manually, go to Monitor > Rogues > Unclassified.

handling-rogue-cuwn-27.gif

From the CLI:

(Cisco Controller) >config rogue client ?

aaa            Configures to validate if a rogue client is a valid client using
                   AAA/local database.
alert          Configure the rogue client to the alarm state.
contain        Start containing a rogue client.

(Cisco Controller) >config rogue client contain 01:22:33:44:55:66 ?

<num of APs>   Enter the maximum number of Cisco APs to actively contain the
                   rogue client [1-4].

Note: A particular rogue can be contained using 1-4 APs. By default, the controller uses one AP for containing a client. If two APs are able to detect a particular rogue, the AP with the highest RSSI contains the client regardless of the AP mode.

To configure auto containment, go to Security > Wireless Protection Policies > Rogue Policies > General, and enable all applicable options for your network.

handling-rogue-cuwn-28.gif

From the CLI:

(Cisco Controller) >config rogue adhoc ?

alert          Stop Auto-Containment, generate a trap upon detection of the
                   adhoc rogue.
auto-contain   Automatically containing adhoc rogue.
contain        Start containing adhoc rogue.
disable        Disable detection and reporting of Ad-Hoc rogues.
enable         Enable detection and reporting of Ad-Hoc rogues.
external       Acknowledge presence of a adhoc rogue.

(Cisco Controller) >config rogue adhoc auto-contain ?
(Cisco Controller) >config rogue adhoc auto-contain
 Warning! Using this feature may have legal consequences
         Do you want to continue(y/n) :y

Troubleshoot

If the rogue is not detected:

  • Verify that rogue detection is enabled on the AP using this command. By default, rogue detection is enabled on the AP.

    (Cisco_Controller) >show ap config general Managed_AP
    
    Cisco AP Identifier.............................. 2
    Cisco AP Name.................................... Managed_AP
    Country code..................................... US  - United States
    Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
    AP Country code.................................. US  - United States
    AP Regulatory Domain............................. 802.11bg:-A    802.11a:-A
    Switch Port Number .............................. 2
    MAC Address...................................... 00:1d:a1:cc:0e:9e
    IP Address Configuration......................... DHCP
    IP Address....................................... 10.8.99.104
    IP NetMask....................................... 255.255.255.0
    Gateway IP Addr.................................. 10.8.99.1
    CAPWAP Path MTU.................................. 1485
    Telnet State..................................... Enabled
    Ssh State........................................ Disabled
    Cisco AP Location................................ india-banaglore
    Cisco AP Group Name.............................. default-group
    Primary Cisco Switch Name........................ Cisco_e9:d9:23
    Primary Cisco Switch IP Address.................. 10.44.81.20
    Secondary Cisco Switch Name......................
    Secondary Cisco Switch IP Address................ Not Configured
    Tertiary Cisco Switch Name.......................
    Tertiary Cisco Switch IP Address................. Not Configured
    Administrative State ............................ ADMIN_ENABLED
    Operation State ................................. REGISTERED
    Mirroring Mode .................................. Disabled
    AP Mode ......................................... Local
    Public Safety ................................... Disabled
    AP SubMode ...................................... Not Configured
    Remote AP Debug ................................. Disabled
    Logging trap severity level ..................... informational
    Logging syslog facility ......................... kern
    S/W  Version .................................... 7.0.98.0
    Boot  Version ................................... 12.3.7.1
    Mini IOS Version ................................ 3.0.51.0
    Stats Reporting Period .......................... 209
    LED State........................................ Enabled
    PoE Pre-Standard Switch.......................... Enabled
    PoE Power Injector MAC Addr...................... Override
    Power Type/Mode.................................. Power injector / Normal mode
    Number Of Slots.................................. 2
    AP Model......................................... AIR-LAP1242AG-A-K9
    AP Image......................................... C1240-K9W8-M
    IOS Version...................................... 12.4(23c)JA
    Reset Button..................................... Enabled
    AP Serial Number................................. FTX1137B22V
    AP Certificate Type.............................. Manufacture Installed
    AP User Mode..................................... AUTOMATIC
    AP User Name..................................... Not Configured
    AP Dot1x User Mode............................... GLOBAL
    AP Dot1x User Name............................... Cisco12
    Cisco AP system logging host..................... 255.255.255.255
    AP Up Time....................................... 13 days, 15 h 01 m 33 s
    AP LWAPP Up Time................................. 13 days, 15 h 00 m 40 s
    Join Date and Time............................... Tue Jun  1 10:36:38 2010
    
    Join Taken Time.................................. 0 days, 00 h 00 m 52 s
    Ethernet Port Duplex............................. Auto
    Ethernet Port Speed.............................. Auto
    AP Link Latency.................................. Enabled
     Current Delay................................... 0 ms
     Maximum Delay................................... 56 ms
     Minimum Delay................................... 2 ms
     Last updated (based on AP Up Time).............. 13 days, 15 h 00 m 44 s
    Rogue Detection.................................. Enabled
    AP TCP MSS Adjust................................ Disabled
    

    Rogue detection can be enabled on an AP using this command:

    (Cisco Controller) >config rogue detection enable ?
    all                    Applies the configuration to all connected APs.
    <Cisco AP>     Enter the name of the Cisco AP.
    
  • A local mode AP scans only country channels/DCA channels depending on the configuration. If the rogue is in any other channel, the controller is not able to identify the rogue if you do not have monitor mode APs in the network. Issue this command in order to verify:

    (Cisco Controller) >show advanced 802.11a monitor
    
    Default 802.11a AP monitoring
      802.11a Monitor Mode........................... enable
      802.11a Monitor Mode for Mesh AP Backhaul...... disable
      802.11a Monitor Channels....................... Country channels
      802.11a AP Coverage Interval................... 180 seconds
      802.11a AP Load Interval....................... 60 seconds
      802.11a AP Noise Interval...................... 180 seconds
      802.11a AP Signal Strength Interval............ 60 seconds
    
  • Rogue AP may not be broadcasting the SSID.

  • Make sure the rogue AP's MAC address is not added in the friendly rogue list or white listed through WCS.

  • Beacons from the rogue AP may not be reachable to the AP detecting rogues. This can be verified by capturing the packet using a sniffer close to the AP-detecting rogue.

  • A local mode AP may take up to 9 minutes to detect a rogue (3 cycles 180x3).

  • Cisco APs are not able to detect rogues on frequencies like the public safety channel (4.9 Ghz).

  • Cisco APs are not able to detect rogues working on FHSS (Frequency Hopping Spread Spectrum).

Useful debugs

debug client < mac> (If rogue mac is known)

debug dot11 rogue enable

(Cisco_Controller) >*apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 
    Looking for Rogue 00:27:0d:8d:14:12 in known AP table
*apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 Rogue AP 00:27:0d:8d:14:12
    is not found either in AP list or neighbor, known or Mobility group AP lists
*apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 Change state from 0 to 1 
    for rogue AP 00:27:0d:8d:14:12
*apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 rg change state Rogue AP: 
    00:27:0d:8d:14:12

*apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 New RSSI report from AP 
    00:1b:0d:d4:54:20  rssi -74, snr -9 wepMode 129
*apfRogueTask: Jun 15 01:45:09.010: 00:27:0d:8d:14:12 rg send new rssi -74 
*apfRogueTask: Jun 15 01:45:09.010: 00:27:0d:8d:14:12 Updated AP report 
    00:1b:0d:d4:54:20  rssi -74, snr -9 
*apfRogueTask: Jun 15 01:45:09.010: 00:27:0d:8d:14:12 Manual Contained Flag = 0

*apfRogueTask: Jun 15 01:45:09.010: 00:27:0d:8d:14:12 rg new Rogue AP: 
    00:27:0d:8d:14:12

*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Found Rogue AP: 
    00:24:97:2d:bf:90 on slot 0

*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Added Rogue AP: 
    00:24:97:2d:bf:90

*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Looking for Rogue 
    00:24:97:2d:bf:90 in known AP table
*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Rogue AP 00:24:97:2d:bf:90
    is not found either in AP list or neighbor, known or Mobility group AP lists
*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Change state from 0 to 1 
    for rogue AP 00:24:97:2d:bf:90
*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 rg change state Rogue AP: 
    00:24:97:2d:bf:90

*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 New RSSI report from AP 
    00:1b:0d:d4:54:20  rssi -56, snr 34 wepMode 129
*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 rg send new rssi -56 
*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Updated AP report 
    00:1b:0d:d4:54:20  rssi -56, snr 34 
*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Manual Contained Flag = 0

*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 rg new Rogue AP: 
    00:24:97:2d:bf:90

*apfRogueTask: Jun 15 01:45:09.010: 9c:af:ca:0f:bd:40 Found Rogue AP: 
    9c:af:ca:0f:bd:40 on slot 0

*apfRogueTask: Jun 15 01:45:09.010: 9c:af:ca:0f:bd:40 Added Rogue AP: 
    9c:af:ca:0f:bd:40 

*apfRogueTask: Jun 15 01:45:09.010: 9c:af:ca:0f:bd:40 Looking for Rogue 
    9c:af:ca:0f:bd:40 in known AP table
*apfRogueTask: Jun 15 01:45:09.010: 9c:af:ca:0f:bd:40 Rogue AP 9c:af:ca:0f:bd:40
    is not found eithe*apfRogueTask: Jun 15 01:45:09.011: 00:25:45:a2:e1:62 
    Updated AP report 00:1b:0d:d4:54:20  rssi -73, snr 24 
*apfRogueTask: Jun 15 01:45:09.012: 00:25:45:a2:e1:62 Manual Contained Flag = 0

*apfRogueTask: Jun 15 01:45:09.012: 00:25:45:a2:e1:62 rg new Rogue AP: 
    00:25:45:a2:e1:62

*apfRogueTask: Jun 15 01:45:09.012: 00:24:c4:ad:c0:40 Found Rogue AP: 
    00:24:c4:ad:c0:40 on slot 0

*apfRogueTask: Jun 15 01:45:09.012: 00:24:c4:ad:c0:40 Added Rogue AP: 
    00:24:c4:ad:c0:40

Expected Trap Logs

Once a Rogue Is Detected


9Fri Jun 18 06:40:06 2010 Rogue AP : 00:1e:f7:74:f3:50 detected on Base Radio
MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g) with RSSI: -97 and SNR:
1 and Classification: unclassified 

10Fri Jun 18 06:40:06 2010 Rogue AP : 00:22:0c:97:af:83 detected on Base Radio
MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g) with RSSI: -81 and SNR: 18
and Classification: unclassified 
	
11Fri Jun 18 06:40:06 2010 Rogue AP : 00:26:cb:9f:8a:21 detected on Base Radio
MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g) with RSSI: -82 and SNR: 20
and Classification: unclassified 

12Fri Jun 18 06:40:06 2010 Rogue AP : 00:26:cb:82:5d:c0 detected on Base Radio
MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g) with RSSI: -98 and SNR: -2
and Classification: unclassified

Once a Rogue Entry Is Removed from the Rogue List

50Fri Jun 18 06:36:06 2010 Rogue AP : 00:1c:57:42:53:40 removed from Base Radio 
MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g)

51Fri Jun 18 06:36:06 2010 Rogue AP : 00:3a:98:5c:57:a0 removed from Base Radio
MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g)

Recommendations

  1. Configure the channel scanning to all channels if you suspect potential rogues in your network

  2. Depending on the layout of the wired network, the number and location of rogue detector APs can vary from one per floor to one per building. It is advisable to have at least one rogue detector AP in each floor of a building. Because a rogue detector AP requires a trunk to all layer 2 network broadcast domains that should be monitored, placement is dependent on the logical layout of the network.

If the Rogue Is Not Getting Classified

  • Verify the rogue rules are configured properly.

  • If the rogue is in the DFS channel, RLDP does not work.

  • RLDP works only if the rogue's WLAN is open and DHCP is available.

  • If the local mode AP is serving the client in the DFS channel, it will not participate in RLDP process.

Useful debugs

(Cisco Controller) > debug dot11 rogue rule enable
(Cisco Controller) > debug dot11 rldp enable

Received Request to detect rogue: 00:1A:1E:85:21:B0
00:1a:1e:85:21:b0 found closest monitor AP 00:17:df:a7:20:d0slot =1 channel = 44
Found RAD: 0x158f1ea0, slotId = 1
rldp started association, attempt 1
Successfully associated with rogue: 00:1A:1E:85:21:B0 


!--- ASSOCIATING TO ROGUE AP


Starting dhcp
00:1a:1e:85:21:b0 RLDP DHCP SELECTING for rogue 00:1a:1e:85:21:b0
00:1a:1e:85:21:b0 Initializing RLDP DHCP for rogue 00:1a:1e:85:21:b0
.00:1a:1e:85:21:b0 RLDP DHCPSTATE_INIT for rogue 00:1a:1e:85:21:b0
00:1a:1e:85:21:b0 RLDP DHCPSTATE_REQUESTING sending for rogue 00:1a:1e:85:21:b0
00:1a:1e:85:21:b0 Sending DHCP packet through rogue AP 00:1a:1e:85:21:b0
00:1a:1e:85:21:b0 RLDP DHCP REQUEST RECV for rogue 00:1a:1e:85:21:b0
00:1a:1e:85:21:b0 RLDP DHCP REQUEST received for rogue 00:1a:1e:85:21:b0
00:1a:1e:85:21:b0 RLDP DHCP BOUND state for rogue 00:1a:1e:85:21:b0
Returning IP 172.20.226.246, netmask 255.255.255.192, gw 172.20.226.193 


!--- GETTING IP FROM ROGUE


Found Gateway MacAddr: 00:1D:70:F0:D4:C1
Send ARLDP to 172.20.226.198 (00:1D:70:F0:D4:C1) (gateway)
Sending ARLDP packet to 00:1d:70:f0:d4:c1 from 00:17:df:a7:20:de
Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
Sending ARLDP packet to 00:1f:9e:9b:29:80 from 00:17:df:a7:20:de
Send ARLDP to 0.0.0.0 (00:1D:70:F0:D4:C1) (gateway)
Sending ARLDP packet to 00:1d:70:f0:d4:c1 from 00:17:df:a7:20:de  


!--- SENDING ARLDP PACKET


Received 32 byte ARLDP message from: 172.20.226.24642
Packet Dump:
sourceIp: 172.20.226.246
destIp: 172.20.226.197
Rogue Mac: 00:1A:1E:85:21:B0 


!--- RECEIVING ARLDP PACKET


security: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Recommendations

  1. Initiate RLDP manually on suspicious rogue entries.

  2. Schedule RLDP periodically.

  3. If you have known rogue entries, add them in the friendly list or enable validation with AAA and make sure known client entries are there in the AAA database.

  4. RLDP can be deployed on local or monitor mode APs. For most scalable deployments, and to eliminate any impact on client service, RLDP should be deployed on monitor mode APs when possible. However, this recommendation requires that a monitor mode AP overlay be deployed with a typical ratio as 1 monitor mode AP for every 5 local mode APs. APs in Adaptive wIPS monitor mode can also be leveraged for this task.

Rogue Detector AP

Rogue entry in a rogue detector can be seen using this command in the AP console. For wired rogues, the flag will be set.

Rogue_Detector_5500#show capwap rm rogue detector
 CAPWAP Rogue Detector Mode
  Current Rogue Table:
  Rogue hindex = 0: MAC 0023.ebdc.1ac6, flag = 0, unusedCount = 1
  Rogue hindex = 2: MAC 0023.04c9.72b9, flag = 1, unusedCount = 1


!--- once the flag is set, rogue is detected on wire


  Rogue hindex = 2: MAC 0023.ebdc.1ac4, flag = 0, unusedCount = 1
  Rogue hindex = 3: MAC 0026.cb4d.6e20, flag = 0, unusedCount = 1
  Rogue hindex = 4: MAC 0026.cb9f.841f, flag = 0, unusedCount = 1
  Rogue hindex = 4: MAC 0023.04c9.72bf, flag = 0, unusedCount = 1
  Rogue hindex = 4: MAC 0023.ebdc.1ac2, flag = 0, unusedCount = 1
  Rogue hindex = 4: MAC 001c.0f80.d450, flag = 0, unusedCount = 1
  Rogue hindex = 6: MAC 0023.04c9.72bd, flag = 0, unusedCount = 1

Useful debug Commands in an AP Console

Rogue_Detector#debug capwap rm rogue detector

*Jun 18 08:37:59.747: ROGUE_DET: Received a rogue table update of length 170
*Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1ac4
*Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1ac5
*Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1aca
*Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1acb
*Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1acc
*Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1acd
*Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1acf
*Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0024.1431.e9ef
*Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0024.148a.ca2b
*Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.148a.ca2d
*Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.148a.ca2f
*Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.14e8.3570
*Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.14e8.3574
*Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.14e8.357b
*Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.14e8.357c
*Jun 18 08:37:59.749: ROGUE_DET: Got wired mac 0024.14e8.357d
*Jun 18 08:37:59.749: ROGUE_DET: Got wired mac 0024.14e8.357f
*Jun 18 08:37:59.749: ROGUE_DET: Got wired mac 0024.14e8.3dcd
*Jun 18 08:37:59.749: ROGUE_DET: Got wired mac 0024.14e8.3ff0
*Jun 18 08:37:59.749: ROGUE_DET: Got wired mac 0024.14e8.3ff2
*Jun 18 08:37:59.774: ROGUE_DET: Got wired mac 0040.96b9.4aec
*Jun 18 08:37:59.774: ROGUE_DET: Got wired mac 0040.96b9.4b77
*Jun 18 08:37:59.774: ROGUE_DET: Flushing rogue entry 0040.96b9.4794
*Jun 18 08:37:59.774: ROGUE_DET: Flushing rogue entry 0022.0c97.af80
*Jun 18 08:37:59.775: ROGUE_DET: Flushing rogue entry 0024.9789.5710
*Jun 18 08:38:19.325: ROGUE_DET: Got ARP src 001d.a1cc.0e9e
*Jun 18 08:38:19.325: ROGUE_DET: Got wired mac 001d.a1cc.0e9e
*Jun 18 08:39:19.323: ROGUE_DET: Got ARP src 001d.a1cc.0e9e
*Jun 18 08:39:19.324: ROGUE_DET: Got wired mac 001d.a1cc.0e9e

If Rogue Containment Does Not Occur:

  1. The local/Hreap mode AP can contain 3 devices at a time per radio, and the monitor mode AP can contain 6 devices per radio. As a result, make sure the AP is already containing the maximum number of devices permitted. In this scenario, the client is in a containment pending state.

  2. Verify auto containment rules.

Expected Trap Logs

Fri Jul 23 12:49:10 2010Rogue AP: Rogue with MAC Address: 00:17:0f:34:48:a1
    has been contained manually by 2 APs 8

Fri Jul 23 12:49:10 2010 Rogue AP : 00:17:0f:34:48:a1 with Contained mode added 
    to the Classified AP List.

Conclusion

Rogue detection and containment within the Cisco centralized controller solution is the most effective and least intrusive method in the industry. The flexibility provided to the network administrator allows for a more customized fit that can accommodate any network requirements.

Related Information

Updated: Aug 10, 2010
Document ID: 112045