Rogue access points can
disrupt wireless LAN operations by hijacking legitimate clients and using
plain-text or other denial-of-service or man-in-the-middle attacks. That is, a
hacker can use a rogue access point to capture sensitive information, such as
usernames and passwords. The hacker can then transmit a series of Clear to Send
(CTS) frames. This action mimics an access point, informing a particular client
to transmit, and instructing all the other clients to wait, which results in
legitimate clients being unable to access network resources. Wireless LAN
service providers have a strong interest in banning rogue access points from
the air space.
Because rogue access points
are inexpensive and readily available, employees sometimes plug unauthorized
rogue access points into existing LANs and build ad hoc wireless networks
without their IT department's knowledge or consent. These rogue access points
can be a serious breach of network security because they can be plugged into a
network port behind the corporate firewall. Because employees generally do not
enable any security settings on the rogue access point, it is easy for
unauthorized users to use the access point to intercept network traffic and
hijack client sessions. Even more alarming, wireless users frequently publish
unsecure access point locations, increasing the odds of having enterprise
security breached.
The following are some
guidelines to manage rogue devices:
-
The containment frames are
sent immediately after the authorization and associations are detected. The
enhanced containment algorithm provides more effective containment of ad hoc
clients.
-
-
The
are designed to serve associated clients. These access
points spend relatively less time performing off-channel scanning: about 50
milliseconds on each channel. If you want to perform high rogue detection, a
monitor mode access point must be used. Alternatively, you can reduce the scan
intervals from 180 seconds to a lesser value, for example, 120 or 60 seconds,
ensuring that the radio goes off-channel more frequently, which improves the
chances of rogue detection. However, the access point will still spend about 50
milliseconds on each channel.
-
Rogue detection is disabled
by default for OfficeExtend access points because these access points, which
are deployed in a home environment, are likely to detect a large number of
rogue devices.
-
Client card
implementations might mitigate the effectiveness of ad hoc containment.
-
It is possible to classify
and report rogue access points through the use of rogue states and user-defined
classification rules that enable rogues to automatically move between states.
-
Each controller limits the
number of rogue containments to three per radio (or six per radio for access
points in the monitor mode).
-
Rogue Location
Discovery Protocol (RLDP) detects rogue access points that are configured for
open authentication.
-
RLDP detects
rogue access points that use a broadcast Basic Service Set Identifier (BSSID),
that is, the access point broadcasts its Service Set Identifier in beacons.
-
RLDP detects only
those rogue access points that are on the same network. If an access list in
the network prevents the sending of RLDP traffic from the rogue access point to
the controller, RLDP does not work.
-
RLDP does not
work on 5-GHz dynamic frequency selection (DFS) channels. However, RLDP works
when the managed access point is in the monitor mode on a DFS channel.
-
If RLDP is enabled
on mesh APs, and the APs perform RLDP tasks, the mesh APs are dissociated from
the controller. The workaround is to disable RLDP on mesh APs.
-
If RLDP is enabled
on nonmonitor APs, client connectivity outages occur when RLDP is in process.
-
If the rogue is
manually contained, the rogue entry is retained even after the rogue expires.
-
If the rogue is
contained by any other means, such as auto, rule, and AwIPS preventions, the
rogue entry is deleted when it expires.
-
The controller
will request to AAA server for rogue client validation only once. As a result,
if rogue client validation fails on the first attempt then the rogue client
will not be detected as a threat any more. To avoid this, add the valid client
entries in the authentication server before enabling
Validate
Rogue Clients Against AAA.
-
In the 7.4 and
earlier releases, if a rogue that was already classified by a rule was not
reclassified. In the 7.5 release, this behavior is enhanced to allow
reclassification of rogues based on the priority of the rogue rule. The
priority is determined by using the rogue report that is received by the
controller.
- The rogue detector AP fails
to co-relate and contain the wired rogue AP on a 5Mhz channel because the MAC
address of the rogue AP for WLAN, LAN, 11a radio and 11bg radio are configured
with a difference of +/-1 of the rogue BSSID. In the 8.0 release, this behavior
is enhanced by increasing the range of MAC address, that the rogue detector AP
co-relates the wired ARP MAC and rogue BSSID, by +/-3.
Detecting Rogue
Devices
The controller
continuously monitors all the nearby access points and automatically discovers
and collects information on rogue access points and clients. When the
controller discovers a rogue access point, it uses the Rogue Location Discovery
Protocol (RLDP) and the rogue detector mode access point is connected to
determine if the rogue is attached to your network.
Controller
initiates RLDP on rogue devices that have open authenticated and configured. If
RLDP uses Flexconnect or local mode access points, then clients are
disconnected for that moment. After the RLDP cycle, the clients are reconnected
to the access points. As and when rogue access points are seen
(auto-configuration), the RLDP process is initiated.
You can configure the
controller to use RLDP on all the access points or only on the access points
configured for the monitor (listen-only) mode. The latter option facilitates
automated rogue access point detection in a crowded radio frequency (RF) space,
allowing monitoring without creating unnecessary interference and without
affecting the regular data access point functionality. If you configure the
controller to use RLDP on all the access points, the controller always chooses
the monitor access point for RLDP operation if a monitor access point and a
local (data) access point are both nearby. If RLDP determines that the rogue is
on your network, you can choose to contain the detected rogue either manually
or automatically.
RLDP detects on
wire presence of the rogue access points that are configured with open
authentication only once, which is the default retry configuration. Retries can
be configured using the
config rogue ap rldp
retries command.
You can initiate
or trigger RLDP from controller in three ways:
- Enter the RLDP initiation
command manually from the controller CLI. The equivalent GUI option for
initiating RLDP is not supported.
config rogue ap rldp initiate
mac-address
- Schedule RLDP from the
controller CLI. The equivalent GUI option for scheduling RLDP is not supported.
config rogue ap rldp schedule
- Auto RLDP. You can
configure auto RLDP on controller either from controller CLI or GUI but keep in
mind the following guidelines:
- The auto RLDP option can be
configured only when the rogue detection security level is set to custom.
- Either auto RLDP or
schedule of RLDP can be enabled at a time.
A rogue access point is moved
to a contained state either automatically or manually. The controller selects
the best available access point for containment and pushes the information to
the access point. The access point stores the list of containments per radio.
For auto containment, you can configure the controller to use only the monitor
mode access point. The containment operation occurs in the following two ways:
-
The container access point
goes through the list of containments periodically and sends unicast
containment frames. For rogue access point containment, the frames are sent
only if a rogue client is associated.
-
Whenever a contained rogue
activity is detected, containment frames are transmitted.
Individual rogue containment
involves sending a sequence of unicast disassociation and deauthentication
frames.
Cisco Prime
Infrastructure Interaction and Rogue Detection
Cisco Prime
Infrastructure supports rule-based classification and uses the
classification rules configured on the controller. The controller sends traps
to
Cisco Prime
Infrastructure after the following events:
-
If an unknown access point
moves to the Friendly state for the first time, the controller sends a trap to
Cisco Prime
Infrastructure only if the rogue state is Alert. It does not send a trap
if the rogue state is Internal or External.
-
If a rogue entry is removed
after the timeout expires, the controller sends a trap to
Cisco Prime
Infrastructure for rogue access points categorized as Malicious (Alert,
Threat) or Unclassified (Alert). The controller does not remove rogue entries
with the following rogue states: Contained, Contained Pending, Internal, and
External.