Classifying Rogue Access Points

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Classifying Rogue Access Points

The controller software enables you to create rules that can organize and display rogue access points as Friendly, Malicious, or Unclassified.

By default, none of the classification rules are used. You need to enable them. Therefore, all unknown access points are categorized as Unclassified. When you create or change a rule, configure conditions, and enable it, all rogue access points are then reclassified. Whenever you change a rule, it is applied to all the access points (friendly, malicious, and unclassified) in the Alert state only.

If you move any rogue or ad hoc rogue manually to unclassified and Alert state, it means that the rogue is moved to the default state. Rogue rules apply to all the rogues that are manually moved to unclassified and Alert state.

Note

Rule-based rogue classification does not apply to ad hoc rogues and rogue clients.
You can configure up to 64 rogue classification rules per controller.

When the controller receives a rogue report from one of its managed access points, it responds as follows:

If the unknown access point is in the friendly MAC address list, the controller classifies the access point as Friendly.
If the unknown access point is not in the friendly MAC address list, the controller starts applying the rogue classification rules to the access point.
If the rogue is already classified as Malicious, Alert or Friendly, Internal or External, the controller does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically only if the rogue is in the Alert state.
If the rogue access point matches the configured rules criteria, the controller classifies the rogue based on the classification type configured for that rule.
If the rogue access point does not match any of the configured rules, the rogue remains unclassified.

The controller repeats the previous steps for all the rogue access points.
If the rogue access point is detected on the same wired network, the controller marks the rogue state as Threat and classifies it as Malicious automatically, even if there are no configured rules. You can then manually contain the rogue to change the rogue state to Contained. If the rogue access point is not available on the network, the controller marks the rogue state as Alert. You can then manually contain the rogue.
If desired, you can manually move the access point to a different classification type and rogue state.

Table 1. Classification Mapping
Rule-Based Classification Type	Rogue State
Friendly	Internal—If the unknown access point is inside the network and poses no threat to WLAN security, you can manually configure it as Friendly, Internal. An example of this would be the access points in your lab network. External—If the unknown access point is outside the network and poses no threat to WLAN security, you can manually configure it as Friendly, External. An example of this would be the access point in your neighboring coffee shop. Alert—The unknown access point is moved to Alert if it is not in the neighbor list or in the user-configured friendly MAC list.
Malicious	Alert—The unknown access point is moved to Alert if it is not in the neighbor list or in the user-configured friendly MAC list. Threat—The unknown access point is found to be on the network and poses a threat to WLAN security. Contained—The unknown access point is contained. Contained Pending—The unknown access point is marked Contained, but the action is delayed due to unavailable resources.
Unclassified	Pending—On first detection, the unknown access point is put in the Pending state for 3 minutes. During this time, the managed access points determine if the unknown access point is a neighbor access point. Alert—The unknown access point is moved to Alert if it is not in the neighbor list or in the user-configured friendly MAC list. Contained—The unknown access point is contained. Contained Pending—The unknown access point is marked Contained, but the action is delayed due to unavailable resources.

The classification and state of the rogue access points are configured as follows:

From Known to Friendly, Internal
From Acknowledged to Friendly, External
From Contained to Malicious, Contained

As mentioned earlier, the controller can automatically change the classification type and rogue state of an unknown access point based on user-defined rules. Alternatively, you can manually move the unknown access point to a different classification type and rogue state.

Table 2. Allowable Classification Type and Rogue State Transitions
From	To
Friendly (Internal, External, Alert)	Malicious (Alert)
Friendly (Internal, External, Alert)	Unclassified (Alert)
Friendly (Alert)	Friendly (Internal, External)
Malicious (Alert, Threat)	Friendly (Internal, External)
Malicious (Contained, Contained Pending)	Malicious (Alert)
Unclassified (Alert, Threat)	Friendly (Internal, External)
Unclassified (Contained, Contained Pending)	Unclassified (Alert)
Unclassified (Alert)	Malicious (Alert)

If the rogue state is Contained, you have to uncontain the rogue access point before you can change the classification type. If you want to move a rogue access point from Malicious to Unclassified, you must delete the access point and allow the controller to reclassify it.

Restrictions on Classifying Rogue Access Points

Classifying Custom type rogues is tied to rogue rules. Therefore, it is not possible to manually classify a rogue as Custom. Custom class change can occur only when rogue rules are used.
Some are sent for containment by rule and every 30 minutes for rogue classification change. For custom classification, the first trap does not contain the severity score because the trap has existed before the custom classification. The severity score is obtained from the subsequent trap that is generated after 30 minutes if the rogue is classified.
Rogue rules are applied on every incoming new rogue report in the controller in the order of their priority.
After a rogue satisfies a higher priority rule and is classified, it does not move down the priority list for the same report.
Previously classified rogue gets re-classified on every new rogue report with the following restrictions:
- Rogues which are classified as friendly by rule and whose state is set to ALERT, go through re-classification on receiving the new rogue report.
- If a rogue is classified as friendly by the administrator manually, then the state is INTERNAL and it does not get re-classified on successive rogue reports.
- If rogue is classified as malicious, irrespective of the state it does not get re-classified on subsequent rogue reports.
Transition of the rogue's state from friendly to malicious is possible by multiple rogue rules if some attribute is missing in new rogue report.
Transition of the rogue's state from malicious to any other classification is not possible by any rogue rule.
If a rogue AP is classified as friendly, it means that the rogue AP exists in the vicinity, is a known AP, and need not be tracked. Therefore, all the rogue clients are either deleted or not tracked if they are associated with the friendly rogue AP.

When service set identifiers (SSIDs) are defined as part of a rogue rule, and details of the rogue rule are displayed using the show wireless wps rogue rule detailed command, the output differs in Cisco IOS XE Release 3.7E and prior releases and Cisco IOS XE Denali 16.1.1 and later releases.

The following is sample output from the show wireless wps rogue rule detailed command in Cisco IOS XE Release 3.6E and prior releases:

Switch# show wireless wps rogue rule detailed test

Priority                                    : 1
Rule Name                                   : wpstest
State                                       : Disabled
Type                                        : Pending
Match Operation                             : Any
Hit Count                                   : 0
Total Conditions                            : 1
Condition :
  type                                      : Ssid
  SSID Count                                : 2 
  SSID 1                                    : ssid1
  SSID 2                                    : ssid2

The following is sample output from the show wireless wps rogue rule detailed command in Cisco IOS XE Denali 16.1.1 and later releases:

Switch# show wireless wps rogue rule detailed test

Priority                                    : 1
Rule Name                                   : wpstest
State                                       : Disabled
Type                                        : Pending
Match Operation                             : Any
Hit Count                                   : 0
Total Conditions                            : 1
Condition :
  type                                      : Ssid
  SSID Count                                : 2 
  SSID                                      : ssid1
  SSID                                      : ssid2

How to Classify Rogue Access Points

Configuring Rogue Classification Rules (CLI)

SUMMARY STEPS

configure terminal
wireless wps rogue rule rule-name priority priority
classify {friendly | malicious}
condition {client-count condition_value| duration | encryption | infrastructure | rssi | ssid}
match {all | any}
default
exit
shutdown
end
configure terminal
wireless wps rogue rule shutdown
end

DETAILED STEPS

Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless wps rogue rule rule-name priority priority

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3

Creates or enables a rule. While creating a rule, you must enter the priority for the rule.

Note

After creating a rule, you can edit the rule and change the priority only for the rogue rules that are disabled. You cannot change the priority for the rogue rules that are enabled. While editing, changing the priority for a rogue rule is optional.

Step 3

classify {friendly | malicious}

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3

Device(config-rule)# classify friendly

Classifies a rule.

Step 4

condition {client-count condition_value| duration | encryption | infrastructure | rssi | ssid}

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3

Device(config-rule)# condition client-count 5

Adds the following conditions to a rule, which the rogue access point must meet:

client-count —Requires that a minimum number of clients be associated to the rogue access point. For example, if the number of clients associated to the rogue access point is greater than or equal to the configured value, the access point could be classified as Malicious. If you choose this option, enter the minimum number of clients to be associated to the rogue access point for the condition_value parameter. The valid range is from 1 to 10 (inclusive), and the default value is 0.
duration —Requires that the rogue access point be detected for a minimum period of time. If you choose this option, enter a value for the minimum detection period for the condition_value parameter. The valid range is from 0 to 3600 seconds (inclusive), and the default value is 0 seconds.
encryption —Requires that the advertised WLAN does not have encryption enabled.
infrastructure —Requires the SSID to be known to the controller.
rssi —Requires that the rogue access point have a minimum RSSI value. For example, if the rogue access point has an RSSI that is greater than the configured value, then the access point could be classified as malicious. If you choose this option, enter the minimum RSSI value for the condition_value parameter . The valid range is from –95 to –50 dBm (inclusive), and the default value is 0 dBm.
ssid —Requires the rogue access point to have a specific SSID. You should an SSID that is not managed by the controller. If you choose this option, enter the SSID for the condition_value parameter. The SSID is added to the user-configured SSID list.

Step 5

match {all | any}

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3

Device(config-rule)# match all

Specifies whether a detected rogue access point must meet all or any of the conditions specified by the rule for the rule to be matched and the rogue access point to adopt the classification type of the rule.

Step 6

default

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3

Device(config-rule)# default

Sets a command to its default.

Step 7

exit

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3

Device(config-rule)# exit

Device(config)#

Exits the sub-mode.

Step 8

shutdown

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3

Device(config-rule)# shutdown

Disables a particular rogue rule. In this example, the rule rule_3 is disabled.

Step 9

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 10

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 11

wireless wps rogue rule shutdown

Example:

Device(config)# wireless wps rogue rule shutdown

Disables all the rogue rules.

Step 12

end

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Examples: Classifying Rogue Access Points

This example shows how to create a rule that can organize and display rogue access points as Friendly:


Device# configure terminal
Device(config)# wireless wps rogue rule ap1 priority 1
Device(config-rule)# classify friendly
Device(config-rule)# end

This example shows how to apply a condition that a rogue access point must meet:


Device# configure terminal
Device(config)# wireless wps rogue rule ap1 priority 1
Device(config-rule)# condition client-count 5
Device(config-rule)# condition duration 1000
Device(config-rule)# end

Additional References for Classifying Rogue Access Points

Related Topic	Document Title
Security commands	Security Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

Standards and RFCs


Standard/RFC	Title
None	`—`

MIBs


MIB	MIBs Link
All the supported MIBs for this release.	To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance


Description	Link
The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.	http://www.cisco.com/support

Feature History and Information For Classifying Rogue Access Points


Release	Feature Information
Cisco IOS XE 3.3SE	This feature was introduced.

Software Configuration Guide, Cisco IOS XE Denali 16.3.x (Catalyst 3650 Switches)

Bias-Free Language

Book Title

Software Configuration Guide, Cisco IOS XE Denali 16.3.x (Catalyst 3650 Switches)

Chapter Title