Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using plain-text or other denial-of-service
or man-in-the-middle attacks. That is, a hacker can use a rogue access point to capture sensitive information, such as usernames
and passwords. The hacker can then transmit a series of Clear to Send (CTS) frames. This action mimics an access point, informing
a particular client to transmit, and instructing all the other clients to wait, which results in legitimate clients being
unable to access network resources. Wireless LAN service providers have a strong interest in banning rogue access points from
the air space.
Because rogue access points are inexpensive and readily available, employees sometimes plug unauthorized rogue access points
into existing LANs and build ad hoc wireless networks without their IT department's knowledge or consent. These rogue access
points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall.
Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users
to use the access point to intercept network traffic and hijack client sessions. There is an increased chance of enterprise
security breach when wireless users connect to access points in the enterprise network.
The containment frames are sent immediately after the authorization and associations are detected. The enhanced containment
algorithm provides more effective containment of ad hoc clients.
In a dense RF environment, where maximum rogue access points are suspected, the chances of detecting rogue access points by
a local mode access point and FlexConnect mode access point in channel 157 or channel 161 are less when compared to other
channels. To mitigate this problem, we recommend that you use dedicated monitor mode access points.
local and FlexConnect mode access points
are designed to serve associated clients. These access points spend relatively less time performing off-channel scanning:
about 50 milliseconds on each channel. If you want to perform high rogue detection, a monitor mode access point must be used. Alternatively, you can reduce the scan intervals from 180 seconds to a lesser
value, for example, 120 or 60 seconds, ensuring that the radio goes off-channel more frequently, which improves the chances
of rogue detection. However, the access point continues to spend about 50 milliseconds on each channel.
Rogue detection is disabled by default for OfficeExtend access points because these access points, which are deployed in a
home environment, are likely to detect many rogue devices.
Client card implementations might mitigate the effectiveness of ad hoc containment.
It is possible to classify and report rogue access points by using rogue states and user-defined classification rules that
enable rogues to automatically move between states.
Each controller limits the number of rogue containments to three per radio (or six per radio for access points in the monitor mode).
Rogue Location Discovery Protocol (RLDP) detects rogue access points that are configured for open authentication.
RLDP detects rogue access points that use a broadcast Basic Service Set Identifier (BSSID), that is, the access point broadcasts
its Service Set Identifier in beacons.
RLDP detects only those rogue access points that are on the same network. If an access list in the network prevents the sending
of RLDP traffic from the rogue access point to the controller, RLDP does not work.
RLDP does not work on 5-GHz Dynamic Frequency Selection (DFS) channels. However, RLDP works when the managed access point is in the monitor mode on a DFS channel.
If RLDP is enabled on mesh APs, and the APs perform RLDP tasks, the mesh APs are dissociated from the controller. The workaround
is to disable RLDP on mesh APs.
If RLDP is enabled on non-monitor APs, client connectivity outages occur when RLDP is in process.
If the rogue is manually contained, the rogue entry is retained even after the rogue expires.
If the rogue is contained by any other means, such as auto, rule, and AwIPS preventions, the rogue entry is deleted when it expires.
The controller requests to the AAA server for rogue client validation only once. As a result, if rogue client validation fails
on the first attempt then the rogue client will not be detected as a threat any more. To avoid this, add the valid client
entries in the authentication server before enabling Validate Rogue Clients Against AAA.
The controller has to be added to the AAA server as a AAA client with authentication as RADIUS(CISCO IOS/PIX 6.0). Add the
rogue AP in question to the userdatabase with relevant delimiter, username, and password being the MAC address with relevant
delimiter. You must define the [009\001] cisco-av-pair for this user with the following keywords:
rogue-ap-state=contain—Where, rogue-ap-state can be the following: alert/contain/internal/external/threat
rogue-ap-class=malicious—Where, rogue-ap-class can be following keywords: unclassified/malicious/friendly
The allowed combinations of class/state are:
All the valid client MAC details should be registered in the AAA authentication server with the same MAC delimiter options
as set in the RADIUS configuration on the controller. For more information about configuring MAC delimiter options, see the
Configuring RADIUS (GUI) section.
In the 7.4 and earlier releases, if a rogue that was already classified by a rule was not reclassified. In the 7.5 release,
this behavior is enhanced to allow reclassification of rogues based on the priority of the rogue rule. The priority is determined
by using the rogue report that is received by the controller.
All rogues that are marked as friendly or contained state (due to auto or rule or manual) are stored in the flash memory of
the controller. When you reboot the controller loaded with Release 7.4, these rogues are shown as manually changed. If you
wish to reboot the controller, you need to clear all rogue APs and rogue adhoc from the controller, save the configuration,
and then reboot the controller.
All rogues that are marked as friendly or contained state (only due to manual) are stored in the flash memory of the controller.
If you upgrade the controller from the Release 7.4 to 7.6 or later versions, then all rogues stored in the Release 7.4 are
shown as manually classified (if friendly classified) or manually contained. Hence after upgrading the controller from the
Release 7.4 to 7.6 or later versions, you need to delete all rogue APs and rogue adhoc from the controller and then start
configuring rogue detection.
A FlexConnect AP (with rogue detection enabled) in the connected mode takes the containment list from the controller. If
auto-contain SSID and auto contain adhoc are set in the controller, then these configurations are set to all FlexConnect APs
in the connected mode and the AP stores it in its memory.
When the FlexConnect AP moves to a standalone mode, the following tasks are performed:
The containment set by the controller continues.
If the FlexConnect AP detects any rogue AP that has same SSID as that of infra SSID (SSID configured in the controller that
the FlexConnect AP is connected to), then containment gets started if auto contain SSID was enabled from the controller before
moving to the standalone mode.
If the FlexConnect AP detects any adhoc rogue, containment gets started if auto-contain adhoc was enabled from the controller when it was in the connected mode.
When the standalone FlexConnect AP moves back to the connected mode, then the following tasks are performed:
The rogue detector AP fails to co-relate and contain the wired rogue AP on a 5Mhz channel because the MAC address of the rogue
AP for WLAN, LAN, 11a radio and 11bg radio are configured with a difference of +/-1 of the rogue BSSID. In the 8.0 release,
this behavior is enhanced by increasing the range of MAC address, that the rogue detector AP co-relates the wired ARP MAC
and rogue BSSID, by +/-3.
The rogue access points with open authentication can be detected on wire. The NAT wired or rogue wired detection is not supported
in by WLC (both RLDP and rogue detector AP). The non-adjacent MAC address is supported by rogue detector mode of AP and not
In a High Availability scenario, if the rogue detection security level is set to either High or Critical, the rogue timer
on the standby controller starts only after the rogue detection pending stabilization time, which is 300 seconds. Therefore,
the active configurations on the standby controller are reflected only after 300 seconds.
After an AP is moved from rogue detection mode to any other mode or after an AP is moved from sniffer mode to local or monitor
mode, the rogue detection functionality is not retained on the AP. To enable rogue detection functionality on the AP, you
have to explicitly move the AP to the rogue detection mode.
Some rogue devices exhibit RSSI value of –128 dBm although the minimum RSSI has seen configured to a higher value. In some
scenarios, APs show the RSSI value of 0 for some rogue devices. If the controller receives the RSSI value as 0, the controller
invalidates the value and replaces it with –128 dBm so that rogue rules or policies are not applied to the rogue device.
Rogue Location Discovery Protocol
Rogue Location Discovery Protocol (RLDP) is an active approach, which is used when rogue AP has no authentication (Open Authentication)
configured. This mode, which is disabled by default, instructs an active AP to move to the rogue channel and connect to the
rogue as a client. During this time, the active AP sends de-authentication messages to all connected clients and then shuts
down the radio interface. Then, it associates to the rogue AP as a client. The AP then tries to obtain an IP address from
the rogue AP and forwards a User Datagram Protocol (UDP) packet (port 6352) that contains the local AP and rogue connection
information to the controller through the rogue AP. If the controller receives this packet, the alarm is set to notify the
network administrator that a rogue AP was discovered on the wired network with the RLDP feature.
RLDP has 100 % accuracy in rouge AP detection. It detects Open APs and NAT APs.
Use the debug dot11 rldp enable command in order to check if the Lightweight AP associates and receives a DHCP address from the rogue AP. This command also
displays the UDP packet sent by the Lightweight AP to the controller.
A sample of a UDP (destination port 6352) packet sent by the Lightweight AP is shown here: 0020 0a 01 01 0d 0a 01 .......(.*......
0030 01 1e 00 07 85 92 78 01 00 00 00 00 00 00 00 00 ......x......... 0040 00 00 00 00 00 00 00 00 00 00
The first 5 bytes of the data contain the DHCP address given to the local mode AP by the rogue AP. The next 5 bytes are the
IP address of the controller, followed by 6 bytes that represent the rogue AP MAC address. Then, there are 18 bytes of zeroes.
The following steps describe the functioning of RLDP:
Identify the closest Unified AP to the rogue using signal strength values.
The AP then connects to the rogue as a WLAN client, attempting three associations before timing out.
If association is successful, the AP then uses DHCP to obtain an IP address.
If an IP address was obtained, the AP (acting as a WLAN client) sends a UDP packet to each of the controller's IP addresses.
If the controller receives even one of the RLDP packets from the client, that rogue is marked as on-wire.
The RLDP packets are unable to reach the controller if filtering rules are placed between the controller's network and the
network where the rogue device is located.
Caveats of RLDP:
RLDP only works with open rogue APs broadcasting their SSID with authentication and encryption disabled.
RLDP requires that the Managed AP acting as a client is able to obtain an IP address via DHCP on the rogue network.
Manual RLDP can be used to attempt an RLDP trace on a rogue multiple number of times.
During RLDP process, the AP is unable to serve clients. This negatively impacts performance and connectivity for local mode
APs. To avoid this case, RLDP can be selectively enabled for Monitor Mode AP only.
RLDP does not attempt to connect to a rogue AP operating in a 5GHz DFS channel.
RLDP is not supported for use with Cisco autonomous rogue access points. These access points drop the DHCP Discover request
sent by the RLDP client. Also, RLDP is not supported if the rogue access point channel requires dynamic frequency selection
(DFS). If the automatic RLDP attempt does not detect the rogue (due to a noisy RF environment, for example), the controller does
not retry. However, you can initiate RLDP manually on a rogue device.
Detecting Rogue Devices
The controller continuously monitors all the nearby access points and automatically discovers and collects information on
rogue access points and clients. When the controller discovers a rogue access point, it uses the Rogue Location Discovery
Protocol (RLDP) and the rogue detector mode access point is connected to determine if the rogue is attached to your network.
Controller initiates RLDP on rogue devices that have open authenticated and configured. If RLDP uses FlexConnect or local mode access points, then clients are disconnected for that moment. After the RLDP cycle,
the clients are reconnected to the access points. As and when rogue access points are seen (auto-configuration), the RLDP process is initiated.
You can configure the controller to use RLDP on all the access points or only on the access points configured for the monitor
(listen-only) mode. The latter option facilitates automated rogue access point detection in a crowded radio frequency (RF)
space, allowing monitoring without creating unnecessary interference and without affecting the regular data access point functionality.
If you configure the controller to use RLDP on all the access points, the controller always chooses the monitor access point
for RLDP operation if a monitor access point and a local (data) access point are both nearby. If RLDP determines that the
rogue is on your network, you can choose to contain the detected rogue either manually or automatically.
RLDP detects on wire presence of the rogue access points that are configured with open authentication only once, which is
the default retry configuration. Retries can be configured using the config rogue ap rldp retries
You can initiate or trigger RLDP from controller in three ways:
Enter the RLDP initiation command manually from the controller CLI. The equivalent GUI option for initiating RLDP is not supported.
config rogue ap rldp initiate
Schedule RLDP from the controller CLI. The equivalent GUI option for scheduling RLDP is not supported.
config rogue ap rldp schedule
Auto RLDP. You can configure auto RLDP on controller either from controller CLI or GUI but keep in mind the following guidelines:
A rogue access point is moved to a contained state either automatically or manually. The controller selects the best available
access point for containment and pushes the information to the access point. The access point stores the list of containments
per radio. For auto containment, you can configure the controller to use only the monitor mode access point. The containment
operation occurs in the following two ways:
The container access point goes through the list of containments periodically and sends unicast containment frames. For rogue
access point containment, the frames are sent only if a rogue client is associated.
Whenever a contained rogue activity is detected, containment frames are transmitted.
Individual rogue containment involves sending a sequence of unicast disassociation and deauthentication frames.