Rogue Access Point Classification
Note: Manual classification, and classification that results from auto-containment or rogue-on-wire, overrides the rogue rule. If you have manually changed the class or the state of a rogue AP, you must change it back to Unclassified and the Alert state before rogue rules are applied to it.
Note: If you manually move any rogue device to contained state (any class) or friendly state, this information is stored in the standby Cisco WLC flash memory; however, the database is not updated. When an HA switchover occurs, the rogue list from the previously standby Cisco WLC flash memory is loaded.
By default, none of the classification rules are enabled. Therefore, all unknown access points are categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the unclassified access points are reclassified. Whenever you change a rule, it is applied to all access points (friendly, malicious, custom, and unclassified) in the Alert state only.
You can configure up to 64 rogue classification rules per controller.
You can also apply rogue rules to ad hoc rogues, except for the client count condition.
The number of rogue clients that can be stored in the database table of a rogue access point is 256.
Note: For the RSSI condition of a rogue rule, reclassification occurs only if the RSSI change is more than 2 dBm of the configured RSSI value.

The rogue rule may not work properly if a friendly rogue rule is configured with RSSI as a condition. In that case, modify the rules with the expectation that the friendly rule uses maximum RSSI.
- The controller verifies that the unknown access point is in the friendly MAC address list. If it is, the controller classifies the access point as Friendly.
- If the unknown access point is not in the friendly MAC address list, the controller starts applying rogue classification rules.
- If the rogue is already classified as Malicious, Alert or Friendly, Internal or External, the controller does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically only if the rogue is in the Alert state.
- The controller applies the first rule based on priority. If the rogue access point matches the criteria specified by the rule, the controller classifies the rogue according to the classification type configured for the rule.
- If the rogue access point does not match any of the configured rules, the controller classifies the rogue as Unclassified.
- The controller repeats the previous steps for all rogue access points.
- If RLDP determines that the rogue access point is on the network, the controller marks the rogue state as Threat and classifies it as Malicious automatically, even if no rules are configured. You can then manually contain the rogue (unless you have configured RLDP to automatically contain the rogue), which would change the rogue state to Contained. If the rogue access point is not on the network, the controller marks the rogue state as Alert, and you can manually contain the rogue.
- If desired, you can manually move the access point to a different classification type and rogue state.
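The decision order described in the steps above can be modelled as follows. This is an added example, not Cisco code: the `Rogue` and `Rule` types, the sample rules and MAC addresses are constructed, and it assumes that a lower priority number is evaluated first and that the RLDP on-wire result is checked after the friendly MAC list.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rogue:
    mac: str
    rssi: int = -90              # dBm
    clients: int = 0
    cls: str = "Unclassified"
    state: str = "Alert"
    manual: bool = False         # class/state set by an operator
    on_wire: bool = False        # RLDP found the rogue on the wired network

@dataclass
class Rule:
    name: str
    priority: int                # assumption: lower number is evaluated first
    classify_as: str             # Friendly, Malicious or Custom
    matches: Callable[[Rogue], bool]
    enabled: bool = True

# Class/state pairs the controller does not reclassify automatically.
PINNED = {("Malicious", "Alert"), ("Friendly", "Internal"), ("Friendly", "External")}

def classify(rogue, friendly_macs, rules):
    """Return (class, state) for one rogue report, following the steps above."""
    if rogue.manual:                              # manual choice overrides rules
        return rogue.cls, rogue.state
    if rogue.mac.lower() in friendly_macs:        # friendly MAC list comes first
        return "Friendly", rogue.state
    if rogue.on_wire:                             # RLDP result, no rules needed
        return "Malicious", "Threat"
    if (rogue.cls, rogue.state) in PINNED or rogue.state != "Alert":
        return rogue.cls, rogue.state             # left as already classified
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.enabled and rule.matches(rogue):  # first match wins
            return rule.classify_as, rogue.state
    return "Unclassified", rogue.state

# Constructed sample data, not taken from a real controller.
FRIENDLY_MACS = {"00:11:22:33:44:55"}
RULES = [
    Rule("strong-signal", 1, "Malicious", lambda r: r.rssi >= -60),
    Rule("busy-rogue", 2, "Custom", lambda r: r.clients >= 5),
    Rule("disabled-rule", 0, "Friendly", lambda r: True, enabled=False),
]

if __name__ == "__main__":
    for r in (Rogue("00:11:22:33:44:55", rssi=-40),
              Rogue("aa:bb:cc:00:00:01", rssi=-50, clients=9),
              Rogue("aa:bb:cc:00:00:02", rssi=-80, clients=9),
              Rogue("aa:bb:cc:00:00:03", cls="Custom", state="Contained", rssi=-40)):
        print(r.mac, classify(r, FRIENDLY_MACS, RULES))
```

The Contained rogue in the sample keeps its Custom class even though it matches the first rule, which is why a manually handled rogue has to be returned to Unclassified and Alert before rules take effect again.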
| Rule-Based Classification Type | Rogue States |
|---|---|
| Friendly | |
| Malicious | |
| Custom | |
| Unclassified | |
- From Known to Friendly, Internal
- From Acknowledged to Friendly, External
- From Contained to Malicious, Contained
If the rogue state is Contained, you have to uncontain the rogue access point before you can change the classification type. If you want to move a rogue access point from Malicious to Unclassified, you must delete the access point and allow the controller to reclassify it.