Classifying Rogue Access Points

Rogue AP classifications

A rogue AP classification is a wireless security mechanism that
  • enables administrators to group rogue APs as Friendly, Malicious, Custom, or Unclassified,

  • uses configurable rules to automate the categorization and state assignment of unauthorized APs, and

  • allows both automatic and manual reclassification of rogues based on network security requirements.

Additional reference information

  • By default, no classification rules are active, so all unknown access points are assigned the Unclassified state. Administrators must enable classification rules to begin organizing rogue access points.

  • When rules are enabled, all rogue access points in the Alert state are reclassified automatically based on the latest conditions and rule configurations.

  • Changing or adding a rule triggers reclassification of all applicable rogue access points that are in the Alert state.

  • You can manually move any rogue or ad hoc rogue access point to the Unclassified class and Alert state, which is the default. Manually moved rogues are subject to rule-based reclassification.

  • Rule-based classification does not apply to ad hoc rogues and rogue clients.

  • You can configure up to 64 rogue classification rules per controller.

How the controller classifies rogue access points

When the controller software receives a rogue report from one of its managed access points, it follows this process:

  • If the unknown access point is listed in the friendly MAC address list, the controller classifies it as Friendly.

  • If it is not on the friendly MAC list, the controller applies the configured rogue classification rules.

  • Rule-based classification is not applied to rogue access points that were manually classified.

  • If a rogue matches the criteria in a classification rule, the controller assigns the classification type specified in that rule.

  • If a rogue does not match any configured rules, it remains Unclassified.

  • If a rogue access point is detected on the same wired network, the controller marks its state as Threat and classifies it as Malicious automatically (regardless of rules). You can manually contain such rogues, changing their state to Contained. If the rogue becomes unavailable, the controller moves it to the Alert state until you manually contain it.

  • Administrators can always manually change the classification type and state of an access point as needed.

  • Before classification, rogue access points are marked Pending.

Examples: Classification mapping

The following mapping lists, for each rule-based classification type, the rogue states it can be in.

Custom

  • Alert—No action is taken other than notifying the management station. The management station manages the controller and wired networks.

  • Contained—The unknown AP is contained. If none of the managed APs are available for containment, the rogue is in the Contained Pending state.

Delete

  Deletes the rogue AP.

Friendly

  • Internal—If the unknown AP poses no threat to WLAN security, you can manually configure it as Friendly, Internal. An example of this would be the APs in your lab network.

  • External—If the unknown AP is outside the network and poses no threat to WLAN security, you can manually configure it as Friendly, External. An example of this would be the AP in your neighboring coffee shop.

  • Alert—No action is taken other than notifying the management station. The management station manages the controller and wired networks.

Malicious

  • Alert—No action is taken other than notifying the management station. The management station manages the controller and wired networks.

  • Threat—The unknown AP is found to be on the network and poses a threat to WLAN security.

  • Contained—The unknown AP is contained. If none of the managed APs are available for containment, the rogue is in the Contained Pending state.

Unclassified

  • Alert—No action is taken other than notifying the management station. The management station manages the controller and wired networks.

  • Contained—The unknown AP is contained. If none of the managed APs are available for containment, the rogue is in the Contained Pending state.

As mentioned earlier, the controller can automatically change the classification type and rogue state of an unknown AP based on user-defined rules. Alternatively, you can manually move the unknown AP to a different classification type and rogue state.

Allowable classification type and rogue state transitions

Assigning rogue APs classifications is like sorting emails automatically into spam or inbox based on filters (rules), while still allowing the user to manually move an email to a different folder when needed.

Rogue containment methods

A rogue containment method is a wireless security approach that

  • detects unauthorized access points in the network environment,

  • applies different containment strategies including manual, rule-based, and auto-containment, and

  • prioritizes and restricts the actions of access points based on containment configuration and AP operating mode.

Containment methods and priorities

  • Manual rogue containment (Priority 1): Administrators manually designate which rogue APs to contain, offering the highest control and flexibility. The containment level, that is, the number of participating APs, ranges from 1 to 4.

  • Rule-based rogue containment (Priority 2): The controller automatically contains rogue APs based on predefined rules, always using 1 AP for containment.

  • Auto-containment (Priority 3): The controller automatically contains rogue APs, but only when specific options (such as "Using our SSID", "A valid client on the Rogue AP", or "Ad-hoc Rogue AP") are enabled.

Auto-containment for monitor mode APs

  • When you enable 'Auto Containment only for Monitor Mode APs', only monitor mode APs perform auto-containment. Local or FlexConnect mode APs do not.

  • This option applies only to auto-containment. It does not affect your manual or rule-based methods.

  • Other AP modes (local or FlexConnect) still enforce rogue containment actions outside the scope of this auto-containment setting.

Containment prioritization and exceptions

  • Manual containment always takes the highest priority, followed by rule-based containment, with auto-containment last.

  • If a rogue AP is already covered by a manual or rule-based containment configuration, auto-containment does not occur for that AP.

Example

An ad-hoc rogue AP detected with a valid client connected triggers auto-containment by monitor mode APs only if the corresponding option is enabled. If manual containment is also configured for this rogue AP, manual containment takes precedence and disables auto-containment for that case.
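As an added illustration of the precedence just described (not code from the Cisco documentation or from the controller software), the following Python model resolves which containment method applies to a rogue and which detecting APs may take part. The option names, the Rogue fields and the BSSIDs are constructed for the example; the AP count for auto-containment is left as None because the page does not state one.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence, Tuple


class APMode(Enum):
    MONITOR = "monitor"
    LOCAL = "local"
    FLEXCONNECT = "flexconnect"


@dataclass
class AutoContainOptions:
    """The auto-containment triggers named on this page, plus the monitor-mode-only switch."""
    using_our_ssid: bool = False
    valid_client_on_rogue: bool = False
    adhoc_rogue: bool = False
    monitor_mode_only: bool = False


@dataclass
class Rogue:
    bssid: str
    uses_our_ssid: bool = False
    has_valid_client: bool = False
    is_adhoc: bool = False
    manual_containment_level: Optional[int] = None  # 1-4 when an administrator contained it manually
    rule_containment: bool = False                   # a rule with a contain state matched this rogue


@dataclass(frozen=True)
class Decision:
    method: str                      # "manual", "rule", "auto" or "none"
    ap_count: Optional[int]          # manual: 1-4, rule: 1, auto: not stated on the page (None)
    eligible_modes: Tuple[APMode, ...]


def resolve_containment(rogue: Rogue, opts: AutoContainOptions,
                        detecting_ap_modes: Sequence[APMode]) -> Decision:
    """Return which containment method applies to a rogue, in page priority order."""
    modes = tuple(detecting_ap_modes)
    # Priority 1: manual containment, with the administrator-chosen containment level (1-4).
    if rogue.manual_containment_level is not None:
        level = rogue.manual_containment_level
        if not 1 <= level <= 4:
            raise ValueError(f"containment level must be 1-4, got {level}")
        return Decision("manual", level, modes)
    # Priority 2: rule-based containment always uses one AP.
    if rogue.rule_containment:
        return Decision("rule", 1, modes)
    # Priority 3: auto-containment happens only when an enabled option matches the rogue.
    triggered = ((opts.using_our_ssid and rogue.uses_our_ssid)
                 or (opts.valid_client_on_rogue and rogue.has_valid_client)
                 or (opts.adhoc_rogue and rogue.is_adhoc))
    if not triggered:
        return Decision("none", None, ())
    # With the monitor-mode-only option, local/FlexConnect APs do not take part in auto-containment.
    if opts.monitor_mode_only:
        modes = tuple(m for m in modes if m is APMode.MONITOR)
    if not modes:
        return Decision("none", None, ())
    return Decision("auto", None, modes)


def page_example() -> Tuple[Decision, Decision]:
    """The scenario in the 'Example' paragraph above: an ad hoc rogue with a valid client."""
    opts = AutoContainOptions(adhoc_rogue=True, valid_client_on_rogue=True, monitor_mode_only=True)
    detectors = [APMode.MONITOR, APMode.LOCAL, APMode.FLEXCONNECT]
    rogue = Rogue("aaaa.bbbb.0001", has_valid_client=True, is_adhoc=True)  # constructed BSSID
    auto_only = resolve_containment(rogue, opts, detectors)
    rogue.manual_containment_level = 2  # an administrator now contains it manually
    manual_wins = resolve_containment(rogue, opts, detectors)
    return auto_only, manual_wins


if __name__ == "__main__":
    for decision in page_example():
        print(decision)
```

The first decision shows auto-containment restricted to the monitor mode AP; the second shows the manual containment level taking over for the same rogue, with every detecting AP eligible again because the monitor-mode-only option applies to auto-containment alone.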

Guidelines and restrictions for classifying Rogue APs

Classifying Custom type rogues is tied to rogue rules. Therefore, it is not possible to manually classify a rogue as Custom. Custom class change can occur only when rogue rules are used.

Some SNMP traps are sent for rule-based containment and, for rogue classification changes, every 30 minutes.

Rogue rules are applied on every incoming new rogue report in the controller in the order of their priority.

After a rogue satisfies a rule and is classified, it does not move down the priority list for the same report.

A previously classified rogue is re-classified on every new rogue report, with the following restrictions:

  • Rogues that are classified as friendly by rule and whose state is set to ALERT go through re-classification on receiving a new rogue report.

  • If a rogue is classified as friendly manually by the administrator, its state is INTERNAL and it is not re-classified on successive rogue reports.

  • If a rogue is classified as malicious, it is not re-classified on subsequent rogue reports, irrespective of its state.

The rogue classification rules are re-evaluated at every report received by the managed access points. Hence, a rogue access point can move from one state to another, if a different rule matches the last report.

If a rogue AP is classified as friendly or ignored, none of the rogue clients associated with it are tracked.

Until the controller discovers all the APs through neighbor reports from APs, the rogue APs are kept in unconfigured state for three minutes after they are detected. After 3 minutes, the rogue policy is applied on the rogue APs and the APs are moved to unclassified, friendly, malicious, or custom class. Rogue APs kept in unconfigured state means that no rogue policy has yet been applied on them.

When a rogue BSSID is submitted for containment on a Cisco Catalyst 9800 Series Wireless Controller, the controller contains it if it has enough resources. The APs that detect the contained rogue AP start broadcasting DEAUTH packets.

A wireless client connected to the contained rogue BSSID disconnects once it receives the DEAUTH packets. However, because the client still assumes it is in a connected state, it repeatedly tries to reconnect, and the user's browsing experience is badly affected.

Also, in a high-RF environment such as a stadium, the client does not receive all of the broadcast DEAUTH packets because of RF disturbance. In this scenario the client may not be fully disconnected, but it is still badly affected.

The rogue AP manual classification limit has been enhanced from 625 to 10,000 configurations at a time. The rogue client manual classification limit has been enhanced from 625 to 10,000 configurations at a time.

How to Classify Rogue Access Points

Classify a rogue AP manually (GUI)

Set the correct classification for rogue access points to maintain wireless network security and compliance.
Use this task after the system detects unclassified APs and you need to determine their status.

Procedure


Step 1

Choose Monitoring > Wireless > Rogues.

Step 2

In the Unclassified tab, select an AP to view the detail in the lower pane.

Step 3

Use the Class Type drop-down to set the status.

Step 4

Click Apply.


The AP is reclassified and removed from the unclassified list; its status is updated accordingly.

Classify rogue APs and clients manually (CLI)

Classify rogue access points and clients to enhance network security.
This procedure is used in environments where rogue access points and clients need to be identified and managed to prevent unauthorized access to the network.

Before you begin

Ensure you have the necessary permissions to configure the device.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Detect and report the ad hoc rogue.

Example:

Device(config)# wireless wps rogue adhoc alert mac-addr

Enter one of these options after you enter the adhoc keyword:

  • alert—Sets the ad hoc rogue access point to alert mode. If you choose this option, enter the MAC address for the mac-addr parameter.

  • auto-contain—Sets ad hoc rogue access points to auto-contain mode.

  • contain—Sets the ad hoc rogue access point to contain mode. If you choose this option, enter the MAC address for the mac-addr parameter and the containment level for the containment-level parameter. The valid range for containment-level is from 1 to 4.

  • external—Sets the ad hoc rogue access point as external. If you choose this option, enter the MAC address for the mac-addr parameter.

  • internal—Sets the ad hoc rogue access point as internal. If you choose this option, enter the MAC address for the mac-addr parameter.

Step 3

Configure the rogue APs.

Example:

Device(config)# wireless wps rogue ap malicious mac-addr state contain containment-level

Example:

Device(config)# wireless wps rogue ap malicious 74a0.2f45.c520 state contain 3

Enter one of the following options after the ap keyword:

  • friendly—Configures the friendly rogue access points. If you choose this option, enter the MAC address for the mac-addr parameter. After that enter the state keyword followed by either of these options: internal or external.

  • malicious—Configures the malicious rogue access points. If you choose this option, enter the MAC address for the mac-addr parameter. After that enter the state keyword followed by either of these options: alert or contain.

      • alert—Sets the malicious rogue access point to alert mode.

      • contain—Sets the malicious rogue access point to contain mode. If you choose this option, enter the containment level for the containment-level parameter. The valid range is from 1 to 4.

Step 4

Configure the rogue clients.

Example:

Device(config)# wireless wps rogue client contain mac-addr containment-level

Example:

Device(config)# wireless wps rogue client contain 74a0.2f45.c520 2

Enter the following option after you enter the client keyword:

contain—Contains the rogue client. After you choose this option, enter the MAC address for the mac-addr parameter and the containment level for the containment-level parameter. The valid range for containment-level is from 1 to 4.

Step 5

Return to privileged EXEC mode.

Example:

Device(config)# end

Alternatively, you can also press Ctrl-Z to exit global configuration mode.


Configure rogue classification rules (GUI)

Procedure


Step 1

Choose Configuration > Security > Wireless Protection Policies.

Step 2

In the Wireless Protection Policies page, choose Rogue AP Rules tab.

Step 3

On the Rogue AP Rules page, click the name of the Rule or click Add to create a new one.

Step 4

In the Add/Edit Rogue AP Rule window that is displayed, enter the name of the rule in the Rule Name field.

Step 5

Choose the rule type from the following Rule Type drop-down list options:

  • Friendly

  • Malicious

  • Unclassified

  • Custom


Configure rogue classification rules (CLI)

Establish rules for classifying rogue access points to enhance network security.
This configuration is used in environments where rogue access points need to be identified and classified to prevent unauthorized access.

Before you begin

Ensure you have the necessary permissions to configure rogue classification rules on the device.

Procedure


Step 1

Enter global configuration mode.

Example:

Device# configure terminal

Step 2

Create or enable a rule and set its priority.

Example:

Device(config)# wireless wps rogue rule rule-name priority priority

When creating a rule, you must enter the priority for the rule.

Note

After creating a rule, you can edit the rule and change its priority only for rogue rules that are disabled. You cannot change the priority of rogue rules that are enabled. While editing, changing the priority of a rogue rule is optional.

Step 3

Classify a rule.

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3
Device(config-rule)# classify friendly state {alert | external | internal}

Specifies the classification that needs to be applied to the rogue access points matching this rule.

  • friendly—Configures the friendly rogue access points. After that enter the state keyword followed by one of these options: alert, internal, or external. Selecting internal indicates that you trust the foreign access point. Selecting external indicates that you acknowledge the presence of the rogue access point.

  • malicious—Configures the malicious rogue access points. After that enter the state keyword followed by either of these options: alert or contained.

      • alert—Sets the malicious rogue access point to alert mode.

      • contained—Sets the malicious rogue access point to contained mode.

Step 4

Add conditions to a rule.

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3
Device(config-rule)# condition {client-count condition_value | duration duration_value | encryption | infrastructure | rssi | ssid ssid_name | wildcard-ssid}

Adds the following conditions to a rule, which the rogue access point must meet:

  • client-count—Requires that a minimum number of clients be associated to the rogue access point. For example, if the number of clients associated to the rogue access point is greater than or equal to the configured value, the access point could be classified as Malicious. If you choose this option, enter the minimum number of clients to be associated to the rogue access point for the value parameter. The valid range is from 1 to 10 (inclusive), and the default value is 0.

  • duration—Requires that the rogue access point be detected for a minimum period of time. If you choose this option, enter a value for the minimum detection period for the duration_value parameter. The valid range is from 0 to 3600 seconds (inclusive), and the default value is 0 seconds.

  • encryption—Requires that the advertised WLAN does not have encryption enabled. You can choose any for any type of encryption, off for no encryption, wpa1 for WPA encryption, wpa2 for WPA2 encryption, wpa3-owe for WPA3 OWE encryption, or wpa3-sae for WPA3 SAE encryption.

  • infrastructure—Requires the SSID to be known to the controller.

  • rssi—Requires the rogue access point to be detected with a minimum RSSI value. If the classification is Friendly, the condition instead requires the rogue access point to be detected with a maximum RSSI value. The valid range is from –95 to –50 dBm (inclusive).

  • ssid—Requires the rogue access point to have a specific SSID. You can specify up to 25 different SSIDs. You should specify an SSID that is not managed by the controller. If you choose this option, enter the SSID for the ssid_name parameter. The SSID is added to the configured SSID list you just created.

  • wildcard-ssid—Allows you to specify an expression that can match an SSID string. You can specify up to 25 of these SSIDs.

Step 5

Specify matching conditions for the rule.

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3
Device(config-rule)# match {all | any}

Specifies whether a detected rogue access point must meet all or any of the conditions specified by the rule for the rule to be matched and the rogue access point to adopt the classification type of the rule.

Step 6

Set a command to its default.

Example:

Device(config-rule)# default

Step 7

Exit the sub-mode.

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3
Device(config-rule)# exit
Device(config)# 

Step 8

Disable a particular rogue rule.

Example:

Device(config)# wireless wps rogue rule rule_3 priority 3
Device(config-rule)# shutdown

Disables a particular rogue rule. In this example, the rule rule_3 is disabled.

Step 9

Return to privileged EXEC mode.

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Step 10

Enter global configuration mode.

Example:

Device# configure terminal

Step 11

Disable all the rogue rules.

Example:

Device(config)# wireless wps rogue rule shutdown

Step 12

Return to privileged EXEC mode.

Example:

Device(config)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.


You have now configured the rogue classification rules, enabling effective management of rogue access points in the network.

Monitor rogue classification rules

You can monitor the rogue classification rules using these commands.

Table 1. Commands for monitoring rogue classification rules

  Command                                  Purpose
  show wireless wps rogue rule detailed    Displays detailed information about a classification rule.
  show wireless wps rogue rule summary     Displays a summary of the classification rules.

Examples: classifying rogue AP

This example shows how to classify a rogue AP with MAC address 00:11:22:33:44:55 as malicious and mark it for containment by 2 managed APs:

Device# configure terminal
Device(config)# wireless wps rogue ap malicious 0011.2233.4455 state contain 2

This example shows how to create a rule that classifies a rogue AP that is using SSID my-friendly-ssid and has been seen for at least 1000 seconds as friendly internal:

Device# configure terminal
Device(config)# wireless wps rogue rule ap1 priority 1
Device(config-rule)# condition ssid my-friendly-ssid
Device(config-rule)# condition duration 1000
Device(config-rule)# match all
Device(config-rule)# classify friendly state internal
Device(config-rule)# no shutdown

This example shows how to apply conditions that a rogue access point must meet:

Device# configure terminal
Device(config)# wireless wps rogue rule ap1 priority 1
Device(config-rule)# condition client-count 5
Device(config-rule)# condition duration 1000
Device(config-rule)# no shutdown
Device(config-rule)# end

This example shows a rule that classifies rogue devices using the controller's own SSIDs as malicious:

Device# configure terminal
Device(config)# wireless wps rogue rule ap1 priority 1
Device(config-rule)# classify malicious state alert
Device(config-rule)# condition duration 30
Device(config-rule)# condition infrastructure ssid
Device(config-rule)# match all
Device(config-rule)# no shutdown
Device(config-rule)# end
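The following Python model is an added example (not Cisco code) that brings together the classification process described under "How the controller classifies rogue access points", the re-classification restrictions under "Guidelines and restrictions", and the Step 4 condition and Step 5 match semantics of the CLI procedure, using a rule set that mirrors the CLI examples above. The rule names, BSSIDs, SSIDs and the friendly MAC list are constructed; two points the page does not specify, the state given to a rogue matched from the friendly MAC list and whether a manual classification is honoured over the wired-network check, are labelled as assumptions in the code.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:  # one 'wireless wps rogue rule' as configured in the CLI examples above
    name: str
    priority: int
    conditions: Dict[str, Optional[str]]  # condition keyword -> value ('infrastructure' has none)
    classify: str                         # friendly | malicious | unclassified | custom
    state: str                            # internal | external | alert | contained
    match: str = "all"                    # 'match all' or 'match any'
    enabled: bool = True                  # False models 'shutdown'


@dataclass
class RogueReport:  # one report from a managed AP: the fields the page's conditions look at
    bssid: str
    ssid: str
    duration_s: int
    client_count: int
    rssi_dbm: int
    on_wired_network: bool = False


@dataclass
class RogueRecord:  # what the controller currently holds for a rogue
    classification: str = "unclassified"
    state: str = "alert"
    manual: bool = False  # set by an administrator, hence exempt from rule evaluation


# Constructed rule set mirroring the CLI examples on this page (not a captured configuration).
SAMPLE_RULES = [
    Rule("ap1", 1, {"ssid": "my-friendly-ssid", "duration": "1000"}, "friendly", "internal"),
    Rule("infra", 2, {"infrastructure": None, "duration": "30"}, "malicious", "alert"),
    Rule("busy-or-loud", 3, {"client-count": "5", "rssi": "-60"}, "malicious", "contained", match="any"),
]


def condition_met(kind: str, value: Optional[str], rep: RogueReport,
                  rule: Rule, managed_ssids: Set[str]) -> bool:
    if kind == "ssid":
        return rep.ssid == value
    if kind == "duration":
        return rep.duration_s >= int(value)
    if kind == "client-count":
        return rep.client_count >= int(value)
    if kind == "infrastructure":  # the advertised SSID is one the controller manages
        return rep.ssid in managed_ssids
    if kind == "rssi":  # Friendly rules treat the value as a maximum, all others as a minimum
        return rep.rssi_dbm <= int(value) if rule.classify == "friendly" else rep.rssi_dbm >= int(value)
    raise ValueError(f"unsupported condition {kind}")


def classify(rep: RogueReport, rec: RogueRecord, rules: List[Rule],
             friendly_macs: Set[str], managed_ssids: Set[str]) -> RogueRecord:
    """Apply the page's classification order and re-classification restrictions to one report."""
    if rec.manual:  # assumption: an administrator's classification is honoured over everything else
        return rec
    if rep.on_wired_network:  # seen on the wired network: Malicious/Threat regardless of rules
        return RogueRecord("malicious", "threat")
    if rec.classification == "malicious":  # malicious is sticky irrespective of its state
        return rec
    if rec.classification == "friendly" and rec.state != "alert":
        return rec  # the page lists only friendly rogues in the Alert state as re-classifiable
    if rep.bssid.lower() in friendly_macs:  # the friendly MAC list is consulted before any rule
        return RogueRecord("friendly", "alert")  # assumption: listed entries keep the Alert state
    for rule in sorted(rules, key=lambda r: r.priority):  # first matching rule wins for this report
        if not rule.enabled or not rule.conditions:
            continue
        hits = [condition_met(k, v, rep, rule, managed_ssids) for k, v in rule.conditions.items()]
        if all(hits) if rule.match == "all" else any(hits):
            return RogueRecord(rule.classify, rule.state)
    return RogueRecord("unclassified", "alert")  # nothing matched: the default class and state


def demo() -> Dict[str, Tuple[str, str]]:
    """Run constructed reports through the sample rules; returns name -> (class, state)."""
    friendly_macs, managed = {"0011.2233.4455"}, {"corp-wifi"}  # constructed list and managed SSID
    reports = {
        "lab": RogueReport("aaaa.bbbb.0001", "my-friendly-ssid", 1200, 0, -70),
        "infra": RogueReport("aaaa.bbbb.0002", "corp-wifi", 45, 2, -60),
        "loud": RogueReport("aaaa.bbbb.0003", "free-wifi", 10, 1, -55),
        "quiet": RogueReport("aaaa.bbbb.0004", "guest-5g", 5, 0, -85),
        "listed": RogueReport("0011.2233.4455", "anything", 5, 0, -85),
    }
    out = {}
    for name, rep in reports.items():
        rec = classify(rep, RogueRecord(), SAMPLE_RULES, friendly_macs, managed)
        out[name] = (rec.classification, rec.state)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:8s} -> {result}")
```

Running the demo, "lab" lands on rule ap1 (friendly internal), "infra" skips ap1 and matches the infrastructure rule (malicious alert), "loud" matches the match-any rule through its RSSI alone (malicious contained), "quiet" matches nothing and stays unclassified, and "listed" is friendly from the MAC list before any rule is evaluated. Feeding a later report for the same BSSID into classify with the stored RogueRecord reproduces the stickiness rules: a malicious or manually classified record is returned unchanged, while a rule-classified friendly rogue in Alert is re-evaluated.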