Overview
About Rogue Management
The Rogue Management application in Catalyst Center detects and classifies threats and enables network administrators, network operators, and security operators to monitor network threats. Catalyst Center helps you quickly identify the highest-priority threats and allows you to monitor these threats in the Rogue and aWIPS dashboard within Cisco Catalyst Assurance.
A rogue device is an unknown AP or client that is detected by the managed APs in your network. A rogue AP can disrupt wireless LAN operations by hijacking legitimate clients. A hacker can use a rogue AP to capture sensitive information such as usernames and passwords. The hacker can then transmit a series of clear-to-send (CTS) frames. This action mimics an AP informing a particular client to transmit, while instructing all the others to wait. This results in legitimate clients not being able to access network resources. Therefore, wireless LAN service providers have a strong interest in banning rogue APs from air space.
Because rogue APs are inexpensive and readily available, employees sometimes plug unauthorized rogue APs into existing LANs and build ad hoc wireless networks without the consent of the IT department. These rogue APs can be a serious breach of network security when they are plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on a rogue AP, unauthorized users can easily use the AP to intercept network traffic and hijack client sessions. Even more alarming, wireless users frequently publish insecure AP locations, which increases the odds of enterprise security breaches.
Catalyst Center constantly monitors all the nearby APs and automatically discovers and collects information about rogue APs.
When Catalyst Center receives a rogue event from a managed AP, it responds as follows:
- If the unknown AP is not managed by Catalyst Center, Catalyst Center applies the rogue classification rules.
- If the unknown AP is not using the same SSID as your network, Catalyst Center verifies whether the AP is connected to the corporate wired network and extends to the wired network. If the rogue AP is physically connected to a switch port of the corporate network, Catalyst Center classifies the AP as Rogue on wire.

  Cisco switches managed by Catalyst Center are required for rogue on wire to work.

  There is a scenario in which an AP that is not rogue on wire may be incorrectly classified as rogue on wire by Catalyst Center. This happens when a rogue client roams from a rogue-on-wire AP to an AP that is not rogue on wire: a new rogue client report carrying the new rogue AP information is received while a host entry for the client still exists on Catalyst Center, because the rogue client's switch port details take some time to be deleted on the switch and synchronized with Catalyst Center. As a result, the new rogue AP that the client roamed to is classified as rogue on wire before the synchronization completes.
- If the AP is unknown to Catalyst Center and is using the same SSID as your network, Catalyst Center classifies the AP as a Honeypot.
  - A detected SSID that was previously classified as Honeypot is not retained in a backup. Therefore, after a restore operation, that SSID is no longer classified as Honeypot.
  - Even if the SSID is deleted from the wireless controller, the SSID remains classified as Honeypot on Catalyst Center. The Honeypot classification is not applied, however, when the detected SSID is not restored on Catalyst Center as part of restoring a Catalyst Center backup.
- If the unknown AP is not using the same SSID as your network and is not connected to the corporate network, Catalyst Center verifies whether it is causing any interference. If it is, Catalyst Center classifies the AP as Interferer and marks the rogue state as Potential Threat. An AP is classified as an interferer when its detected signal level is greater than -75 dBm.
- If the unknown AP is not using the same SSID as your network and is not connected to the corporate network, Catalyst Center verifies whether it is a neighbor. If it is, Catalyst Center classifies the AP as Neighbor and marks the rogue state as Informational. A rogue AP is classified as a neighbor AP when its detected signal level is less than or equal to -75 dBm.
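The classification order described above, written out as an added example (this is not Catalyst Center code; the RogueEvent fields, the BSSIDs and the assumption that "causing interference" means a detected signal stronger than -75 dBm are constructed for illustration):

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set, Tuple

# Threshold stated above: stronger than -75 dBm is an Interferer,
# -75 dBm or weaker is a Neighbor.
INTERFERER_THRESHOLD_DBM = -75


@dataclass
class RogueEvent:
    """A rogue report from a managed AP (fields constructed for this example)."""
    bssid: str
    ssid: str
    rssi_dbm: int
    managed: bool = False             # True if Catalyst Center manages this AP
    wired_port: Optional[str] = None  # corporate switch port the AP extends to, if any


def classify(event: RogueEvent, corporate_ssids: Set[str]) -> Tuple[str, Optional[str]]:
    """Return (classification, rogue_state); rogue_state is None where none is stated."""
    if event.managed:
        # Managed APs never enter the rogue classification rules.
        return ("Managed", None)
    if event.ssid in corporate_ssids:
        # Unknown AP advertising one of our own SSIDs.
        return ("Honeypot", None)
    if event.wired_port is not None:
        # Unknown AP reachable through a managed switch port. Caveat from the
        # text: a stale port entry left by a roaming rogue client can briefly
        # make an AP that is not on the wire look like Rogue on wire.
        return ("Rogue on wire", None)
    if event.rssi_dbm > INTERFERER_THRESHOLD_DBM:
        return ("Interferer", "Potential Threat")
    return ("Neighbor", "Informational")


def classify_all(events: Iterable[RogueEvent], corporate_ssids: Set[str]) -> Dict[str, Tuple[str, Optional[str]]]:
    return {e.bssid: classify(e, corporate_ssids) for e in events}


# Constructed sample reports with placeholder BSSIDs.
SAMPLE_EVENTS = [
    RogueEvent("00:00:00:00:00:01", "corp-wifi", -60),
    RogueEvent("00:00:00:00:00:02", "guest-net", -50, wired_port="Gi1/0/7"),
    RogueEvent("00:00:00:00:00:03", "cafe-open", -70),
    RogueEvent("00:00:00:00:00:04", "cafe-open", -80),
    RogueEvent("00:00:00:00:00:05", "corp-wifi", -60, managed=True),
]

if __name__ == "__main__":
    for bssid, result in classify_all(SAMPLE_EVENTS, {"corp-wifi"}).items():
        print(bssid, result)
```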