Cisco DNA Center Rogue Management and aWIPS Application

Introduction to Rogue Management and aWIPS Application

The Rogue Management application is an optional package that you can install on Cisco Digital Network Architecture (DNA) Center. Operating within Cisco DNA Center, the Rogue Management application helps you monitor threats from unauthorized access points (APs). You can access the Rogue Management functionality as a dashboard within Cisco DNA Assurance in the Cisco DNA Center GUI.

Because the Cisco Adaptive Wireless Intrusion Prevention System (aWIPS) is integrated with Cisco DNA Center, you can monitor the aWIPS signatures within the Rogue and aWIPS dashboard.

This guide describes how to activate the Rogue and aWIPS application package on Cisco DNA Center. This guide also explains prerequisites and configurations, describes how to monitor the Rogue and aWIPS dashboard, and offers important notes and limitations.

The Rogue Management application supports the following Cisco AireOS Controller models running Cisco AireOS Release 8.8.111.0 or later.

  • Cisco 3504 Wireless Controller

  • Cisco 5520 Wireless Controller

  • Cisco 8540 Wireless Controller

  • Cisco Mobility Express

The following Cisco Catalyst 9800 Series Wireless Controller models support the Rogue Management application:

  • Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9300 Series Switches

  • Cisco Catalyst 9800-40 Wireless Controller

  • Cisco Catalyst 9800-80 Wireless Controller

  • Cisco Catalyst 9800-CL Cloud Wireless Controller

  • Cisco Catalyst 9800-L Wireless Controller

  • Cisco Embedded Wireless Controller on Catalyst Access Points

aWIPS is supported on Cisco Catalyst 9800 Series Wireless Controller Releases 17.1.x, 17.2.x, and 17.3.x, on Cisco Catalyst 9100 Series Access Points, and on Cisco 802.11ac Wave 2 Aironet Access Points.

The following Cisco Catalyst 9800 Series Wireless Controller models support the aWIPS application:

  • Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9300 Series Switches

  • Cisco Catalyst 9800-40 Wireless Controller

  • Cisco Catalyst 9800-80 Wireless Controller

  • Cisco Catalyst 9800-CL Cloud Wireless Controller

  • Cisco Catalyst 9800-L Wireless Controller

  • Cisco Embedded Wireless Controller on Catalyst Access Points

About Rogue Management

The Rogue Management application in Cisco DNA Center detects and classifies threats and enables network administrators, network operators, and security operators to monitor network threats. Cisco DNA Center helps in quickly identifying the highest-priority threats and allows you to monitor these threats in the Rogue and aWIPS dashboard within Cisco DNA Assurance.

A rogue device is an unknown AP or client that is detected by the managed APs in your network. A rogue AP can disrupt wireless LAN operations by hijacking legitimate clients. A hacker can use a rogue AP to capture sensitive information, such as usernames and passwords. The hacker can then transmit a series of clear-to-send (CTS) frames. This action mimics an AP informing a particular client to transmit, while instructing all the others to wait. This results in legitimate clients not being able to access network resources. Therefore, wireless LAN service providers have a strong interest in banning rogue APs from air space.

Because rogue APs are inexpensive and readily available, employees sometimes plug unauthorized rogue APs into the existing LANs and build ad hoc wireless networks without the knowledge or consent of the IT department. These rogue APs can be a serious breach of network security when they are plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on a rogue AP, it is easy for unauthorized users to use the AP to intercept network traffic and hijack client sessions. Even more alarming is that wireless users frequently publish insecure AP locations, which increases the odds of having enterprise security breaches.

Cisco DNA Center constantly monitors all the nearby APs and automatically discovers and collects information about rogue APs.

When Cisco DNA Center receives a rogue event from a managed AP, it responds as follows:

  • If the unknown AP is not managed by Cisco DNA Center, Cisco DNA Center applies the rogue classification rules.

  • If the unknown AP is not using the same SSID as your network, Cisco DNA Center verifies whether the AP is connected to the corporate wired network and is extending that wired network over the air. If the rogue AP is physically connected to a switch port of the corporate network, Cisco DNA Center classifies the AP as Rogue on wire.

    Cisco switches managed by Cisco DNA Center are required for rogue on wire to work.


    Note

    There is a scenario in which an AP that is not rogue on wire may incorrectly get classified as rogue on wire by Cisco DNA Center. This incorrect classification happens when a rogue client roams from a rogue-on-wire AP to a nonrogue-on-wire AP. A new rogue client report with the new rogue AP information is received and a host entry for the client is available on Cisco DNA Center before the deletion of the rogue client information. This happens because it takes some time for the rogue client switch port details to get deleted on the switch and synchronized with Cisco DNA Center. Therefore, the new rogue AP that the client roamed to is classified as rogue on wire before the synchronization happens.


  • If the AP is unknown to Cisco DNA Center, and is using the same SSID as your network, Cisco DNA Center classifies the AP as Honeypot.


    Note

    • The detected SSID that was earlier classified as Honeypot is not retained in the backup. Therefore, after a restore operation, the SSID is not classified as Honeypot.

    • Even if the SSID is deleted from the wireless controller, the SSID is still classified as Honeypot on Cisco DNA Center. However, if the detected SSID is not restored on Cisco DNA Center when a Cisco DNA Center backup is restored, the Honeypot classification is not applied.


  • If the unknown AP is not using the same SSID as your network and is not connected to the corporate network, Cisco DNA Center verifies whether it is causing any interference. If it is, Cisco DNA Center classifies the AP as Interferer and marks the rogue state as Potential Threat. An unknown AP is classified as an interferer when its detected signal strength is greater than -75 dBm.

  • If the unknown AP is not using the same SSID as your network and is not connected to the corporate network, Cisco DNA Center verifies whether it is a neighbor. If it is a neighbor, Cisco DNA Center classifies the AP as Neighbor and marks the rogue state as Informational. An unknown AP is classified as a neighbor when its detected signal strength is less than or equal to -75 dBm.
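The decision order in the list above, written out as a small classifier. This is an added illustration, not Cisco DNA Center code: the record fields, function names, and sample data are assumptions chosen for the example, while the classification names, their order, and the -75 dBm threshold are taken from the guide.

```python
"""Added illustration of the rogue classification order this guide describes.

This is not Cisco DNA Center code. The record fields, function names, and
sample data are assumptions chosen for the illustration; the classification
names, their order, and the -75 dBm threshold are taken from the guide.
"""
from dataclasses import dataclass

# From the guide: stronger than -75 dBm is an Interferer, -75 dBm or weaker is a Neighbor.
INTERFERER_THRESHOLD_DBM = -75

# Rogue states the guide attaches to a classification (it states none for the others).
ROGUE_STATE = {"Interferer": "Potential Threat", "Neighbor": "Informational"}


@dataclass
class RogueReport:
    """One rogue event as reported by a managed AP (fields are assumptions)."""
    bssid: str
    ssid: str
    rssi_dbm: int                         # strongest RSSI at which a managed AP hears the rogue
    on_managed_switch_port: bool = False  # rogue (or its client) seen on a managed switch port


def classify(report, managed_bssids, own_ssids):
    """Apply the guide's rules in order; return (classification, rogue_state).

    rogue_state is None where the guide does not state one. "Managed" is a
    label used only by this example for APs the rogue rules do not apply to.
    """
    # Rule 1: rogue rules apply only to APs that Cisco DNA Center does not manage.
    if report.bssid in managed_bssids:
        return ("Managed", None)

    # Rule 2: a different SSID that is wired into the corporate network is Rogue on wire.
    #         (Needs managed Cisco switches so the switch-port host entry is known.)
    if report.ssid not in own_ssids and report.on_managed_switch_port:
        return ("Rogue on wire", None)

    # Rule 3: an unknown AP advertising one of your own SSIDs is a Honeypot.
    if report.ssid in own_ssids:
        return ("Honeypot", None)

    # Rules 4 and 5: not your SSID and not on the wire; decide by signal strength.
    if report.rssi_dbm > INTERFERER_THRESHOLD_DBM:
        return ("Interferer", ROGUE_STATE["Interferer"])
    return ("Neighbor", ROGUE_STATE["Neighbor"])


def classify_all(reports, managed_bssids, own_ssids):
    """Classify a batch of reports; returns {bssid: (classification, rogue_state)}."""
    return {r.bssid: classify(r, managed_bssids, own_ssids) for r in reports}


# Constructed sample data (not from any real network).
MANAGED_BSSIDS = {"00:aa:00:00:00:01"}
OWN_SSIDS = {"corp-wifi"}
SAMPLE_REPORTS = [
    RogueReport("00:aa:00:00:00:01", "corp-wifi", -40),                  # one of our own APs
    RogueReport("02:bb:00:00:00:02", "corp-wifi", -55),                  # impersonates our SSID
    RogueReport("02:cc:00:00:00:03", "guest-net", -60, on_managed_switch_port=True),
    RogueReport("02:dd:00:00:00:04", "coffee-shop", -62),                # strong, not on the wire
    RogueReport("02:ee:00:00:00:05", "next-door", -81),                  # weak, not on the wire
]

if __name__ == "__main__":
    for bssid, result in classify_all(SAMPLE_REPORTS, MANAGED_BSSIDS, OWN_SSIDS).items():
        print(bssid, result)
```

The order of the checks matters: a rogue that both advertises your SSID and sits on a managed switch port is reported as Honeypot here because the guide applies the wired check only to APs that do not use your SSID. The boundary case of exactly -75 dBm lands on Neighbor, matching the "less than or equal to" wording above.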

About Adaptive Wireless Intrusion Prevention System

The Cisco Adaptive Wireless Intrusion Prevention System (aWIPS) is a wireless intrusion threat detection and mitigation mechanism. aWIPS uses an advanced approach to wireless threat detection and performance management. An AP detects threats and generates alarms. It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly detection to deliver highly accurate and complete wireless threat prevention.

With a fully infrastructure-integrated solution, you can continually monitor traffic on both the wired and wireless networks and use that network intelligence to analyze and accurately pinpoint attacks from many sources, and to prevent them proactively rather than wait until damage or exposure has occurred.

Because aWIPS is integrated into Cisco DNA Center, you can configure and monitor WIPS policies and alarms, and report threats, from Cisco DNA Center.

aWIPS supports the following capabilities:

  • Static signatures

  • Standalone signature detection

  • Alarms

  • Static signature file packaged with controller and AP image

Cisco DNA Center supports the following ten standard signatures that detect various denial of service (DoS) attacks:

  • Authentication flood: A form of denial of service (DoS) attack that floods an AP's client-state table (association table) by imitating many client stations (MAC address spoofing) and sending authentication requests to the AP. Upon reception of each individual authentication request, the target AP creates a client entry in State 1 of the association table. If open system authentication is used for the AP, the AP returns an authentication success frame and moves the client to State 2. If Shared Key Authentication (SHA) is used for the AP, the AP sends an authentication challenge to the attacker's imitated client, which does not respond, and the AP keeps the client in State 1. In either of these scenarios, the AP contains multiple clients hanging in either State 1 or State 2, which fills up the AP association table. When the table reaches its limit, legitimate clients are not able to authenticate and associate with this AP.

  • Association flood: A form of DoS attack that aims to exhaust an AP's resources, particularly the client association table, by flooding the AP with many spoofed client associations. An attacker emulates many clients to fill a target AP's client association table. When the client association table overflows, legitimate clients cannot associate.

  • CTS Flood: A form of DoS attack in which a specific device sends CTS control frames in bulk to wireless devices sharing the same RF medium, which blocks those devices from using the RF medium until the CTS flood stops.

  • RTS Flood: A form of DoS attack in which a specific device sends RTS control frames in bulk to an AP to block wireless bandwidth, which degrades performance for the clients on that AP.

  • Broadcast Probe: A form of DoS attack in which a specific device tries to flood a managed AP with broadcast probe requests.

  • Disassociation Flood: A form of DoS attack that aims to send an AP to the unassociated or unauthenticated State 2 by spoofing disassociation frames from the AP to a client. With client adapter implementations, this form of attack is effective and immediate for disrupting wireless services against this client. Typically, client stations reassociate to regain service until the attacker sends another disassociation frame. An attacker repeatedly spoofs the disassociation frames to keep the client out of service.

  • Disassociation Broadcast: A form of DoS attack in which a specific device sends a disassociation broadcast to disconnect all clients.

    This attack aims to send an AP's client to the unassociated or unauthenticated State 2 by spoofing disassociation frames from the AP to the broadcast address of all the clients. With current client adapter implementations, this form of attack immediately disrupts wireless services against multiple clients. Typically, client stations reassociate to regain service until the attacker sends another disassociation frame. An attacker repeatedly spoofs the disassociation frames to keep all the clients out of service.

  • Deauthentication flood: A form of DoS attack that aims to send an AP's client to the unassociated or unauthenticated State 1 by spoofing deauthentication frames from the AP to the client unicast address. With the current client-adapter implementations, this form of attack immediately disrupts wireless services against the client. Typically, client stations reassociate and reauthenticate to regain service until the attacker sends another deauthentication frame. An attacker repeatedly spoofs the deauthentication frames to keep all the clients out of service.

  • Deauthentication broadcast: A form of DoS attack that sends all the clients of an AP to the unassociated or unauthenticated State 1 by spoofing deauthentication frames from the AP to the broadcast address. With client adapter implementation, this form of attack immediately disrupts wireless services against multiple clients. Typically, client stations reassociate and reauthenticate to regain service until the attacker sends another deauthentication frame.

  • EAPOL logoff flood: A form of DoS attack in which a specific device sends Extensible Authentication Protocol over LAN (EAPOL) logoff packets, which are used in WPA and WPA2 authentication, to cause a DoS.

    Because the EAPOL logoff frame is not authenticated, an attacker can potentially spoof this frame and log out a user from an AP, thus committing a DoS attack. The fact that the client is logged out from the AP is not obvious until the client attempts communication through the WLAN. Typically, the disruption is discovered and the client reassociates and authenticates automatically to regain the wireless connection. Note that the attacker can continuously transmit the spoofed EAPOL-logoff frames.
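Every signature in the list above is a rate anomaly: too many frames of one kind, from one apparent source, in too short a time. The detector below shows that idea run over a constructed frame capture. It is an added example, not aWIPS code: aWIPS performs this detection on the AP from the static signature file shipped with the controller and AP image, and the record format, per-signature thresholds, and one-second window used here are assumptions for the illustration.

```python
"""Added illustration: threshold-based detection of the flood signatures listed above.

This is not aWIPS code. The frame-record format, the per-signature thresholds,
and the one-second window are assumptions for the illustration; aWIPS detects
these signatures on the AP from a static signature file, as the guide states.
"""
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
WINDOW_SECONDS = 1.0

# Hypothetical thresholds: this many frames of one kind from one apparent source
# (the attacker spoofs the AP or client address) within WINDOW_SECONDS raise an alarm.
THRESHOLDS = {
    "auth": 50,          # Authentication flood
    "assoc": 50,         # Association flood
    "cts": 100,          # CTS Flood
    "rts": 100,          # RTS Flood
    "probe_req": 100,    # Broadcast Probe
    "disassoc": 20,      # Disassociation Flood / Disassociation Broadcast
    "deauth": 20,        # Deauthentication flood / Deauthentication broadcast
    "eapol_logoff": 10,  # EAPOL logoff flood
}

# Signature names from the guide, keyed by (frame kind, destination is broadcast).
SIGNATURES = {
    ("auth", False): "Authentication flood",
    ("assoc", False): "Association flood",
    ("cts", False): "CTS Flood",
    ("rts", False): "RTS Flood",
    ("probe_req", True): "Broadcast Probe",
    ("disassoc", False): "Disassociation Flood",
    ("disassoc", True): "Disassociation Broadcast",
    ("deauth", False): "Deauthentication flood",
    ("deauth", True): "Deauthentication broadcast",
    ("eapol_logoff", False): "EAPOL logoff flood",
}


def detect_floods(frames):
    """Scan (timestamp, kind, src, dst) records in time order; return one alarm per flooding source.

    Each alarm is a dict with the signature name, the apparent source address,
    the frame count that crossed the threshold, and the timestamp it did so.
    """
    recent = defaultdict(deque)   # (kind, src, is_broadcast) -> timestamps inside the window
    alarmed = set()               # keys already reported, so one alarm per flood
    alarms = []
    for ts, kind, src, dst in frames:
        if kind not in THRESHOLDS:
            continue
        key = (kind, src, dst == BROADCAST)
        window = recent[key]
        window.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= THRESHOLDS[kind] and key not in alarmed:
            alarmed.add(key)
            alarms.append({
                "signature": SIGNATURES.get((kind, key[2]), f"{kind} flood"),
                "source": src,
                "count": len(window),
                "at": ts,
            })
    return alarms


def sample_frames():
    """Constructed capture: a little normal client traffic, then a burst of spoofed broadcast deauths."""
    ap = "00:aa:00:00:00:01"
    frames = [
        (100.00, "auth", "02:c1:00:00:00:01", ap),
        (100.05, "assoc", "02:c1:00:00:00:01", ap),
        (100.40, "auth", "02:c2:00:00:00:02", ap),
    ]
    # 30 deauthentication frames carrying the AP's address as the spoofed source, 10 ms apart.
    frames += [(101.0 + i * 0.01, "deauth", ap, BROADCAST) for i in range(30)]
    return frames


if __name__ == "__main__":
    for alarm in detect_floods(sample_frames()):
        print(alarm)
```

Keying on the apparent source is deliberate: the spoofed deauthentication and disassociation frames carry the AP's own address, so an alarm whose source is one of your managed BSSIDs is the signal that someone is impersonating that AP, not that the AP itself misbehaves. The same thirty frames spread over thirty seconds never fill the window and raise no alarm, which is what keeps ordinary reconnects and roams below the threshold.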

Scale Information

This table shows the number of rogue APs and rogue clients supported on the different Cisco DNA Center appliance models.

Table 1. Number of Rogue APs and Rogue Clients Supported

Cisco DNA Center Appliance              No. of Rogue APs Supported   No. of Rogue Clients Supported
44-core Cisco DNA Center appliance      24,000                       32,000
56-core Cisco DNA Center appliance      24,000                       32,000
112-core Cisco DNA Center appliance     96,000                       128,000

This table shows the scale information for aWIPS in Cisco DNA Center.

Table 2. Scale Information for aWIPS

Cisco DNA Center Appliance              No. of APs Supported   No. of Clients Supported   No. of Devices Supported   No. of Events per Day
44-core Cisco DNA Center appliance      4000                   25,000                     1000                       20,000
56-core Cisco DNA Center appliance      6000                   40,000                     2000                       30,000
112-core Cisco DNA Center appliance     13,000                 100,000                    6000                       65,000

Basic Setup Workflow

Procedure


Step 1

Install Cisco DNA Center.

For more information, see the Cisco Digital Network Architecture Center Installation Guide.

Step 2

Download and install the Rogue and aWIPS application package.

For more information, see Download and Install the Rogue and aWIPS Application Package on Cisco DNA Center.

Step 3

Verify that the Rogue and aWIPS application is in Deployed state.

To verify, from the Cisco DNA Center home page, click the Gear icon, and then choose System > Settings > Installed Apps.

Step 4

From this release onwards, you must enable the Rogue and aWIPS application in the Assurance > Rogue and aWIPS window.

This enables rogue detection on the Cisco Wireless Controller and Cisco Catalyst 9800 Series Wireless Controllers.

To access the Rogue and aWIPS application, log in to Cisco DNA Center. In the Cisco DNA Center GUI, click the Menu icon and choose Assurance > Rogue and aWIPS.

Step 5

Discover devices such as Cisco Wireless Controller and APs using the Discovery feature.

Discover Cisco Wireless Controllers using the management IP address instead of the service port IP address.

Step 6

Make sure that the discovered devices are listed in the Device Inventory window.

The devices should be reachable and in Managed state in the Device Inventory window.

Step 7

Design your network hierarchy by adding sites, buildings, and floors so that you can later identify easily where to apply design settings or configurations.

You can either create a new network hierarchy, or, if you have an existing network hierarchy in Cisco Prime Infrastructure, import it into Cisco DNA Center.

Step 8

Add the location information of APs and position the APs on the floor map to get a coverage heatmap visualization.

Step 9

(Optional) If your network uses Cisco Identity Services Engine (ISE) for user authentication, you can configure Cisco DNA Assurance for Cisco Identity Services Engine integration. This enables you to see more information about wired clients, such as the username and operating system, in Cisco DNA Assurance.

Step 10

(Optional) Configure syslog, SNMP traps, and NetFlow Collector servers using Telemetry.

Step 11

Start using the Cisco DNA Assurance application.

Step 12

(Optional) Integrate and synchronize Cisco Connected Mobile Experiences (CMX) with Cisco DNA Center.

You can get the precise location of a specific rogue AP on the floor map, based either on the detecting AP with the strongest signal strength or on the x and y coordinates from Cisco CMX.

Note 

If you do not have Cisco CMX integrated with Cisco DNA Center, the rogue AP will be displayed in the sitemap around the detecting AP with the strongest RSSI.