The containment frames are
sent immediately after the authorization and associations are detected. The
enhanced containment algorithm provides more effective containment of ad hoc
In a dense RF environment,
where a large number of rogue access points is suspected, the chances that a
local mode or FlexConnect mode access point detects rogue access points on
channel 157 or channel 161 are lower than on other channels. To
mitigate this problem, we recommend that you use dedicated monitor mode access
local and FlexConnect mode
access points are designed to serve associated clients. These access
points spend relatively little time performing off-channel scanning: about 50
milliseconds on each channel. If you need a high rate of rogue detection, use a
monitor mode access point. Alternatively, you can reduce the scan
interval from 180 seconds to a lower value, for example, 120 or 60 seconds, so
that the radio goes off-channel more frequently, which improves the
chances of rogue detection. However, the access point still spends only about 50
milliseconds on each channel.
Rogue detection is disabled
by default for OfficeExtend access points because these access points, which
are deployed in a home environment, are likely to detect a large number of
implementations might mitigate the effectiveness of ad hoc containment.
It is possible to classify
and report rogue access points through the use of rogue states and user-defined
classification rules that enable rogues to automatically move between states.
Each controller limits the
number of rogue containments to three per radio (or six per radio for access
points in monitor mode).
Discovery Protocol (RLDP) detects rogue access points that are configured for
rogue access points that use a broadcast Basic Service Set Identifier (BSSID),
that is, the access point broadcasts its Service Set Identifier in beacons.
RLDP detects only
those rogue access points that are on the same network. If an access list in
the network prevents the sending of RLDP traffic from the rogue access point to
the controller, RLDP does not work.
RLDP does not
work on 5-GHz dynamic frequency selection (DFS) channels. However, RLDP works
when the managed access point is in the monitor mode on a DFS channel.
If RLDP is enabled
on mesh APs, and the APs perform RLDP tasks, the mesh APs are dissociated from
the controller. The workaround is to disable RLDP on mesh APs.
If RLDP is enabled
on nonmonitor APs, client connectivity outages occur when RLDP is in process.
If the rogue is
manually contained, the rogue entry is retained even after the rogue expires.
If the rogue is
contained by any other means, such as auto, rule, or aWIPS prevention, the
rogue entry is deleted when it expires.
sends a request to the AAA server for rogue client validation only once. As a result,
if rogue client validation fails on the first attempt, the rogue client
is no longer detected as a threat. To avoid this, add the valid client
entries to the authentication server before enabling
Rogue Clients Against AAA.
In the 7.4 and
earlier releases, a rogue that was already classified by a rule was not
reclassified. In the 7.5 release, this behavior is enhanced to allow
reclassification of rogues based on the priority of the rogue rule. The
priority is determined by using the rogue report that is received by the
- The rogue detector AP fails
to correlate and contain the wired rogue AP on a 5Mhz channel because the MAC
addresses of the rogue AP for the WLAN, LAN, 11a radio, and 11bg radio differ
from the rogue BSSID by +/-1. In the 8.0 release, this behavior
is enhanced by widening the range of MAC addresses within which the rogue detector AP
correlates the wired ARP MAC with the rogue BSSID to +/-3.
Rogue access
points with open authentication can be detected on the wire. NAT wired or rogue
wired detection is not supported by the WLC (neither by RLDP nor by the rogue detector AP).
The non-adjacent MAC address is supported by the rogue detector mode of the AP and not
In a High
Availability scenario, if the rogue detection security level is set to either
High or Critical, the rogue timer on the standby Cisco WLC starts only after
the rogue detection pending stabilization time, which is 300 seconds.
Therefore, the active configurations on the standby Cisco WLC are reflected
only after 300 seconds.