Rogue AP Containment on Wired and Wireless Networks

Rogue AP Containment Overview

The Catalyst Center Rogue AP Containment feature contains both wired and wireless rogue APs. For wired rogue AP containment, Catalyst Center brings the ACCESS mode switchport interface to which the rogue AP is attached to the DOWN state. For wireless rogue AP containment, Catalyst Center instructs the strongest detecting wireless controller to initiate containment on the rogue BSSIDs. The wireless controller, in turn, instructs the strongest detecting APs for those BSSIDs to stream deauthentication frames, disrupting the communication between the rogue AP and its wireless clients.

Rogue AP containment is further classified as:

  • Wired Rogue AP Containment: The rogue AP MAC addresses classified as Rogue on Wire on the Catalyst Center rogue threat dashboard.

  • Wireless Rogue AP Containment: The rogue AP MAC addresses classified as Honeypot, Interferer, or Neighbor on the Catalyst Center rogue threat dashboard.

Rogue AP containment is supported on Cisco AireOS Controllers and Cisco Catalyst 9800 Series Wireless Controllers.


Note


Containment is not supported on aWIPS threats.


Wired Rogue AP Containment

The Wired Rogue AP Containment feature allows Catalyst Center to shut down the ACCESS mode interface on the switch to which a rogue AP is physically attached. Catalyst Center performs wired rogue AP containment only on ACCESS mode interfaces, because shutting down any other mode might bring the network down.

If the rogue AP is attached to non-ACCESS mode interfaces, the network admin must contain the interface either manually or through a CLI command.
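The following Python script is an added example, not Catalyst Center code, that applies the rule above: it parses a constructed sample of IOS "show interfaces switchport" output, keeps only the ports whose administrative mode is static access and that are not already operationally down, renders the shutdown configuration for those ports, and returns every other port (trunk, dynamic, or unknown) for manual handling. The interface names, modes, and the mapping from the rogue AP to the ports it was seen on are constructed inputs.

```python
"""Plan wired rogue AP containment: shut down only ACCESS mode switchports.

Added example, not Catalyst Center code. Ports in any mode other than static
access are never shut down automatically; they are returned for manual action,
matching the rule that shutting down a trunk might bring the network down.
The 'show interfaces switchport' text and the rogue-to-port mapping below are
constructed sample inputs.
"""
import re

# Constructed sample in the style of IOS 'show interfaces switchport'.
SHOW_SWITCHPORT = """\
Name: Gi1/0/5
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access

Name: Gi1/0/24
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk

Name: Gi1/0/7
Switchport: Enabled
Administrative Mode: static access
Operational Mode: down
"""


def parse_switchport_modes(text):
    """Return {interface: {"admin": ..., "oper": ...}} from the show output."""
    modes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Name:\s+(\S+)", line)
        if m:
            current = m.group(1)
            modes[current] = {"admin": None, "oper": None}
            continue
        m = re.match(r"(Administrative|Operational) Mode:\s+(.+)", line)
        if m and current:
            key = "admin" if m.group(1) == "Administrative" else "oper"
            modes[current][key] = m.group(2).strip()
    return modes


def plan_shutdown(rogue_ports, modes):
    """Sort the ports a Rogue on Wire was seen on into three buckets."""
    plan = {"shutdown": [], "already_down": [], "manual": []}
    for port in rogue_ports:
        info = modes.get(port, {})
        if info.get("admin") != "static access":
            # Trunk, dynamic, or unknown: Catalyst Center leaves these alone.
            plan["manual"].append((port, info.get("admin") or "unknown"))
        elif info.get("oper") == "down":
            # Nothing to contain; mirrors the disabled Shutdown Switchport option.
            plan["already_down"].append(port)
        else:
            plan["shutdown"].append(port)
    return plan


def render_cli(ports, restore=False):
    """IOS configuration lines to shut the ports down, or to bring them back up.

    Catalyst Center does not reverse the shutdown for you, so the restore form
    is what an administrator pushes by hand afterwards.
    """
    action = " no shutdown" if restore else " shutdown"
    lines = ["configure terminal"]
    for port in ports:
        lines += [f"interface {port}", action, " exit"]
    lines.append("end")
    return lines


if __name__ == "__main__":
    seen_on = ["Gi1/0/5", "Gi1/0/24", "Gi1/0/7"]  # constructed rogue-to-port mapping
    plan = plan_shutdown(seen_on, parse_switchport_modes(SHOW_SWITCHPORT))
    print("\n".join(render_cli(plan["shutdown"])))
    for port, mode in plan["manual"]:
        print(f"# {port} is {mode}; contain manually")
```

Running the script prints the shutdown configuration for Gi1/0/5 only; Gi1/0/24 is reported as a trunk for manual containment, and Gi1/0/7 is skipped because it is already down.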

This procedure describes how to perform wired rogue AP containment on an ACCESS mode interface classified as Rogue on Wire in Catalyst Center.

Before you begin

Download and install the Rogue and aWIPS application package. For more information, see Download and Install the Rogue Management and aWIPS Application Package.

Ensure that you have write permission for the provision API, the scheduler API, and the rogue side to perform this procedure.

Procedure


Step 1

From the main menu, choose Assurance > Rogue and aWIPS > Threats.

Step 2

In the Threat MAC address column, click a rogue AP MAC address that is classified as Rogue on Wire.

The Threat 360 window appears.

Step 3

From the Action drop-down list, choose Shutdown Switchport.

A warning dialog box displays the list of ACCESS mode interfaces to be shut down on the corresponding device, and Configuration Preview information.

Note

The Shutdown Switchport option appears in the Action drop-down list only when the rogue AP MAC address is marked as Rogue on Wire. For more information, see the Cisco Rogue AP Containment Actions Compatibility Matrix.

Catalyst Center does not reverse the Shutdown Switchport action. After the rogue AP has been removed, you must bring the switchport back up manually (for example, with no shutdown on the interface).

Step 4

In the Configuration Preview tab, review the configurations and click Yes.

Note

The Configuration Preview tab appears only when Configuration Preview is enabled. For information on how to enable Configuration Preview, see the "Enable Visibility and Control of Configurations" topic in the Cisco Catalyst Center Administrator Guide.

Step 5

The Threat 360 window displays the wired rogue AP containment status:

  • A banner with a blue check mark indicates that the wired rogue AP containment request is in progress.

  • A banner with a green check mark indicates that the wired rogue AP containment is initiated successfully on the corresponding interface.

  • A banner with a red check mark indicates that the wired rogue AP containment request failed.

Note

  • After containment is initiated, it takes some time for the threat classification of the rogue AP to be updated from Rogue on Wire to another classification type.

  • The Rogue on Wire classification type changes to another classification type upon the arrival of the next wireless rogue message for the same rogue AP.

If a rogue AP MAC address is classified as Rogue on Wire, but no ACCESS mode interfaces are up to initiate the containment, Catalyst Center disables the Shutdown Switchport option in the Action drop-down list.

Note

You cannot initiate wireless rogue AP containment on a rogue AP as long as it remains in the Rogue on Wire classification type. For more information, see Wireless Rogue AP Containment.


Wireless Rogue AP Containment

The Wireless Rogue AP Containment feature allows Catalyst Center to contain a wireless rogue AP by disrupting the wireless clients connected to it.

Containment is illegal in some countries because it disrupts the communication between a rogue AP and the clients attached to it. Catalyst Center warns you about the legal consequences when you initiate wireless rogue AP containment.

This procedure describes how to start and stop wireless rogue AP containment on wireless clients connected to a rogue AP.

Before you begin

Download and install the Rogue and aWIPS application package. For more information, see Download and Install the Rogue Management and aWIPS Application Package.

Ensure that you have write permission for the provision API and the scheduler API to perform this procedure.

Procedure


Step 1

From the main menu, choose Assurance > Rogue and aWIPS > Threats.

Step 2

To perform wireless rogue AP containment, click a rogue AP MAC address listed under the Threat MAC address column that is classified as Honeypot, Interferer, or Neighbor.

Note

A Cisco Catalyst 9800 Series Wireless Controller supports at most 625 rogue containment configurations at a time. Once that limit is reached, containment does not work for any new rogues on that controller.

The Threat 360 window is displayed.

Note

A single rogue AP MAC address can comprise multiple rogue BSSIDs.

Step 3

From the Action drop-down list, choose Start Containment.

A warning dialog box displays information about the legal consequences, the list of rogue BSSIDs to be contained on the wireless controller, and the Configuration Preview.

Note

The Start Containment option appears in the Action drop-down list only when the rogue AP MAC address is marked as the Honeypot, Interferer, or Neighbor classification type. For more information, see the Cisco Rogue AP Containment Actions Compatibility Matrix.

Step 4

By default, the Rogue BSSID list is displayed.

In the Configuration Preview tab, review the configurations and click Yes.

Note

The Configuration Preview tab is displayed only when Configuration Preview is enabled. For information on how to enable Configuration Preview, see the "Enable Visibility and Control of Configurations" topic in the Cisco Catalyst Center Administrator Guide.

Step 5

The Threat 360 window displays the wireless rogue AP containment status as follows:

  • A banner with a blue check mark indicates that the wireless rogue AP containment request is in progress.

  • A banner with a green check mark indicates that the wireless rogue AP containment request was submitted successfully to the strongest detecting AP. A red vertical line appears next to the strongest detecting AP, which is chosen by RSSI value.

  • A banner with a red check mark indicates that the wireless rogue AP containment request has failed.

Note

After containment is initiated, it takes some time for the Containment Status column to be updated with the new wireless containment status.

In the Threat 360 window, hover your cursor over the i icon next to the Containment column. A tooltip stating This always shows current Wireless Containment Status is displayed.

Step 6

Catalyst Center allows you to monitor the Containment Status of a wireless rogue AP in the Rogue and aWIPS dashboard threat table within Assurance.

Hover your cursor over the i icon adjacent to the Containment Status column to view the following possible values.

Table 1. Wireless Containment Status Possible Values

  Wireless Containment Status   Meaning
  Contained                     The rogue AP is actively contained by the wireless controller.
  Pending                       The wireless controller has kept this rogue AP in the containment Pending state.
  Open                          The rogue AP is not contained.
  Partial                       Some of the rogue BSSIDs are in the Open state and the rest are in either the Contained or the Pending state.

Note

For a rogue AP whose wireless containment status is Partial, an i icon appears next to the Partial state under the Containment column in the Threat 360 window. Hover your cursor over the i icon to view the current wireless containment status of each rogue BSSID.

The wireless controller can keep a wireless rogue AP containment in the Pending state for the following reasons:

  • Resource outage: Each radio can contain a limited number of rogue BSSIDs: three per client-serving radio and six per monitor mode radio. After a rogue BSSID containment request is submitted, the wireless controller places the rogue BSSID in the Contained state if the radio has a free slot. When the radio is at its limit, the next rogue BSSID submitted for containment stays in the Pending state until one of that radio's rogue BSSIDs leaves the Contained state.

  • Protected Management Frames (PMF): As long as PMF is enabled on a rogue BSSID, the wireless controller does not initiate containment and keeps the status in the Pending state, because clients that negotiate PMF discard the unprotected deauthentication frames that containment relies on. When PMF is disabled, the wireless controller initiates the containment.

  • Dynamic Frequency Selection (DFS): The wireless controller keeps the containment status in the Pending state and does not attempt to contain a rogue BSSID while it broadcasts on a DFS channel. After the rogue BSSID moves off the DFS channel, the wireless controller initiates the containment.
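The following Python model is an added example, not wireless controller or Catalyst Center code. It applies the Pending rules listed above (per-radio slot limits, PMF, DFS) to a constructed set of rogue BSSIDs, then rolls the per-BSSID states up to the Open, Contained, Pending, or Partial status described in Table 1, and shows Stop Containment returning everything to Open. The radio, the rogue records, and the choice to report a Contained/Pending mix with no Open BSSID as Pending are assumptions; the page does not define that last case.

```python
"""Model of the wireless controller's containment decisions described above.

Added example, not controller or Catalyst Center code. It applies the rules
the page states: three rogue BSSIDs per client-serving radio and six per
monitor-mode radio, no containment while PMF is enabled, no containment on a
DFS channel, and a rogue AP status of Open, Contained, Pending or Partial
rolled up from its BSSIDs. The rogue records and radios are constructed, and
the roll-up of a Contained/Pending mix with no Open BSSID is an assumption.
"""
from dataclasses import dataclass, field

# 5 GHz DFS channels: UNII-2 (52-64) and UNII-2 Extended (100-144).
DFS_CHANNELS = set(range(52, 65, 4)) | set(range(100, 145, 4))

# Containment slots per radio, as stated on the page.
RADIO_LIMIT = {"local": 3, "monitor": 6}


@dataclass
class Radio:
    name: str
    mode: str  # "local" (client-serving) or "monitor"
    contained: list = field(default_factory=list)  # BSSIDs this radio is containing

    def has_capacity(self):
        return len(self.contained) < RADIO_LIMIT[self.mode]


@dataclass
class RogueBssid:
    bssid: str
    channel: int
    pmf: bool


def decide(radio, rogue):
    """Per-BSSID outcome ('Contained' or 'Pending') and the reason for it."""
    if rogue.pmf:
        # 802.11w clients discard unprotected deauth frames, so containment waits.
        return "Pending", "PMF enabled on rogue BSSID"
    if rogue.channel in DFS_CHANNELS:
        return "Pending", f"channel {rogue.channel} is a DFS channel"
    if not radio.has_capacity():
        return "Pending", f"{radio.name} is at its {RADIO_LIMIT[radio.mode]}-BSSID limit"
    radio.contained.append(rogue.bssid)
    return "Contained", "deauthentication stream started"


def start_containment(radio, rogues):
    """Submit every BSSID of one rogue AP and record the resulting states."""
    states, reasons = {}, {}
    for rogue in rogues:
        states[rogue.bssid], reasons[rogue.bssid] = decide(radio, rogue)
    return states, reasons


def stop_containment(radio, states):
    """Stop Containment returns every BSSID to Open and frees the radio's slots."""
    radio.contained.clear()
    return {bssid: "Open" for bssid in states}


def ap_status(states):
    """Roll per-BSSID states up to the Containment Status shown for the rogue AP."""
    distinct = set(states.values())
    if distinct == {"Open"}:
        return "Open"
    if distinct == {"Contained"}:
        return "Contained"
    if "Open" in distinct:
        return "Partial"  # some Open, the rest Contained or Pending
    return "Pending"  # assumption: Contained/Pending mix with no Open BSSID


def demo():
    """Constructed scenario: one client-serving radio, six BSSIDs under one rogue MAC."""
    radio = Radio("AP1 slot 1", "local")
    rogues = [
        RogueBssid("aa:bb:cc:dd:ee:01", 6, pmf=False),
        RogueBssid("aa:bb:cc:dd:ee:02", 36, pmf=True),
        RogueBssid("aa:bb:cc:dd:ee:03", 52, pmf=False),
        RogueBssid("aa:bb:cc:dd:ee:04", 11, pmf=False),
        RogueBssid("aa:bb:cc:dd:ee:05", 1, pmf=False),
        RogueBssid("aa:bb:cc:dd:ee:06", 44, pmf=False),
    ]
    states, reasons = start_containment(radio, rogues)
    return radio, states, reasons


if __name__ == "__main__":
    radio, states, reasons = demo()
    for bssid in states:
        print(f"{bssid}: {states[bssid]} ({reasons[bssid]})")
    print("rogue AP status:", ap_status(states))
    print("after Stop Containment:", ap_status(stop_containment(radio, states)))
```

In the constructed scenario the radio fills its three slots with the BSSIDs on channels 6, 11, and 1; the PMF-enabled BSSID, the one on DFS channel 52, and the sixth BSSID that arrives after the limit is reached all stay Pending, which is why a single rogue AP can show a mixed result even though only one Start Containment request was submitted.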

Step 7

To bring back all the rogue BSSIDs of the wireless rogue AP marked in Contained, Pending or Partial state to Open state, click the corresponding rogue AP MAC address listed under the Threat MAC address column.

The Threat 360 window appears.

Step 8

From the Action drop-down list, choose Stop Containment.

Note

The Stop Containment option appears in the Action drop-down list only when the wireless rogue AP is in the Contained, Pending, or Partial state. For more information, see the Cisco Rogue AP Containment Actions Compatibility Matrix.

  • A banner with a blue check mark on the Threat 360 window indicates that the Stop Containment request for the wireless rogue AP is in progress.

  • A banner with a green check mark on the Threat 360 window indicates that the Stop Containment request was submitted successfully; the rogue BSSIDs return to the Open state once the wireless controller processes it.


Cisco Rogue AP Containment Actions Compatibility Matrix

The following table shows the behavior of rogue AP containment actions for the current state of rogue APs on the Threat 360 window.

Table 2. Rogue AP Containment Actions Compatibility Matrix

  Rogue AP Threat Type            Rogue AP Current Containment State   Start Containment Option   Stop Containment Option
  Beacon Wrong Channel            Open                                 Disabled                   Disabled
                                  Contained/Pending/Partial            Disabled                   Enabled
  Beacon DS Attack                Open                                 Disabled                   Disabled
                                  Contained/Pending/Partial            Disabled                   Enabled
  AP Impersonation                Open                                 Disabled                   Disabled
                                  Contained/Pending/Partial            Disabled                   Enabled
  Rogue on Wire                   Open/Contained/Pending/Partial       Not visible                Not visible
                                  (Shutdown Switchport is shown in the Action drop-down list instead)
  Allowed List                    Open                                 Disabled                   Disabled
                                  Contained/Pending/Partial            Disabled                   Enabled
  Honeypot                        Open                                 Enabled                    Disabled
                                  Contained/Pending/Partial            Disabled                   Enabled
  Interferer                      Open                                 Enabled                    Disabled
                                  Contained/Pending/Partial            Disabled                   Enabled
  Friendly                        Open                                 Disabled                   Disabled
                                  Contained/Pending/Partial            Disabled                   Enabled
  Neighbor                        Open                                 Enabled                    Disabled
                                  Contained/Pending/Partial            Disabled                   Enabled
  Custom Rule (High, Potential)   Open                                 Enabled                    Disabled
                                  Contained/Pending/Partial            Disabled                   Enabled
  Custom Rule (Informational)     Open                                 Disabled                   Disabled
                                  Contained/Pending/Partial            Disabled                   Enabled

View Tasks and Audit Logs of Rogue AP Containment Type

In case of containment failure, Catalyst Center allows you to view the tasks and audit logs of submitted requests of wired and wireless rogue AP containment.

Procedure


Step 1

From the main menu, choose Activities > Tasks.

Step 2

In the left pane, under Type, click Task to view only tasks.

Step 3

In the left pane, do the following to view only wired and wireless rogue AP containment tasks:

  1. Expand Categories.

  2. Click Show all.

  3. In the Search field, enter ROGUE.

  4. Check the ROGUE check box.

Step 4

Click the task name to open a slide-in pane with more information, such as the rogue AP containment operation details, status, date, and time.

Step 5

To view the audit logs with the rogue AP containment type and corresponding device IP address information, click the menu icon and choose Activities > Audit Logs.

Note

  • For Cisco AireOS controllers, the containment request audit logs show the CLI commands.

  • For Cisco Catalyst 9800 Series Wireless Controllers, the containment request audit logs show the NETCONF requests.

  • For Wired Rogue AP containment, the audit logs show the CLI commands executed on the switch to bring the switchport down.