Use the Wireless Protection Policies page to configure policies for rogue access points, client exclusion, and radio frequency networks.
Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and by mounting plain-text, denial-of-service, or man-in-the-middle attacks. That is, a hacker can use a rogue access point to capture sensitive information, such as usernames and passwords. The hacker can then transmit a series of Clear to Send (CTS) frames. This action mimics an access point, telling a particular client to transmit and instructing all the other clients to wait, which leaves legitimate clients unable to access network resources. Wireless LAN service providers therefore have a strong interest in banning rogue access points from their air space.
Rogue Location Discovery Protocol (RLDP) is used when a rogue AP has no authentication (Open Authentication) configured. This mode instructs an active AP to move to the rogue channel and connect to the rogue as a client. During this time, the active AP sends de-authentication messages to all connected clients and then shuts down the radio interface. The AP then tries to obtain an IP address from the rogue AP and forwards a User Datagram Protocol (UDP) packet (port 6352) containing the local AP and rogue connection information to the device through the rogue AP. If the device receives this packet, an alarm is set to notify the network administrator that a rogue AP has been discovered on the network.
You can create rules that can organize and display rogue access points as Friendly, Malicious, Custom, or Unclassified.
Manual classification, and any classification that results from auto-containment or rogue-on-wire detection, overrides the rogue rules. If you have manually changed the class and/or the state of a rogue AP, then to have rogue rules apply to that AP again you must set its class back to Unclassified and its state back to Alert.
By default, none of the classification rules are enabled on your device and all unknown access points are categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, unclassified access points are reclassified.
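The following is an added example, not Cisco's code, that models the classification behaviour described above: rules are disabled by default, an enabled rule reclassifies only access points that are still Unclassified and in the Alert state, and a manual classification, auto-containment or rogue-on-wire result takes precedence until the AP is returned to Unclassified/Alert. The RogueAP fields, the condition helpers (ssid_in, rssi_at_least, no_encryption), the state names Alert and Threat, first-match rule ordering, and the sample access points are all assumptions made for illustration; the controller's real rule syntax is not shown on this page.

```python
"""Added example (not Cisco's code): a small model of rogue rules versus
manual classification.  Field names, condition helpers, the Alert/Threat
state names, first-match rule ordering and the sample APs are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Classifications named on the page
FRIENDLY, MALICIOUS, CUSTOM, UNCLASSIFIED = "Friendly", "Malicious", "Custom", "Unclassified"
# Rogue states (assumed names): Alert is the default; Threat is used here for
# a rogue that was also seen on the wired network.
ALERT, THREAT = "Alert", "Threat"

Condition = Callable[["RogueAP"], bool]


@dataclass
class RogueAP:
    bssid: str
    ssid: str
    rssi_dbm: int
    open_auth: bool                     # True when the rogue uses Open Authentication
    classification: str = UNCLASSIFIED  # every unknown AP starts Unclassified
    state: str = ALERT


@dataclass
class RogueRule:
    name: str
    classification: str                 # class assigned when every condition holds
    conditions: List[Condition]
    enabled: bool = False               # rules are disabled by default, as on the page

    def matches(self, ap: RogueAP) -> bool:
        return self.enabled and all(cond(ap) for cond in self.conditions)


# Constructed condition helpers (illustrative, not the controller's syntax)
def ssid_in(ssids: set) -> Condition:
    return lambda ap: ap.ssid in ssids


def rssi_at_least(threshold_dbm: int) -> Condition:
    return lambda ap: ap.rssi_dbm >= threshold_dbm


def no_encryption() -> Condition:
    return lambda ap: ap.open_auth


def rules_apply(ap: RogueAP) -> bool:
    """Rules touch only APs that are Unclassified and in the Alert state; a manual
    class, an auto-containment result or a rogue-on-wire result wins otherwise."""
    return ap.classification == UNCLASSIFIED and ap.state == ALERT


def apply_rules(ap: RogueAP, rules: List[RogueRule]) -> str:
    """Reclassify one AP using the first enabled rule whose conditions all hold
    (first-match ordering is an assumption).  Returns the resulting class."""
    if rules_apply(ap):
        for rule in rules:
            if rule.matches(ap):
                ap.classification = rule.classification
                break
    return ap.classification


def manual_classify(ap: RogueAP, classification: str, state: str = ALERT) -> None:
    """Operator override: rules no longer touch this AP."""
    ap.classification, ap.state = classification, state


def mark_rogue_on_wire(ap: RogueAP) -> None:
    """Rogue-on-wire result: Malicious and no longer eligible for rules."""
    ap.classification, ap.state = MALICIOUS, THREAT


def reset_to_rules(ap: RogueAP) -> None:
    """Undo a manual decision: back to Unclassified/Alert so rules apply again."""
    ap.classification, ap.state = UNCLASSIFIED, ALERT


def classify_all(aps: List[RogueAP], rules: List[RogueRule]) -> Dict[str, str]:
    return {ap.bssid: apply_rules(ap, rules) for ap in aps}


def demo():
    """Constructed rules and access points; returns (aps, rules, result)."""
    rules = [
        RogueRule("corp-ssid-spoof", MALICIOUS, [ssid_in({"CorpWiFi"}), rssi_at_least(-70)], enabled=True),
        RogueRule("open-ap", CUSTOM, [no_encryption()], enabled=True),
        RogueRule("neighbour", FRIENDLY, [ssid_in({"CafeGuest"})]),  # left disabled on purpose
    ]
    aps = [
        RogueAP("00:11:22:33:44:01", "CorpWiFi", -55, open_auth=False),  # spoofs our SSID, strong signal
        RogueAP("00:11:22:33:44:02", "CorpWiFi", -85, open_auth=False),  # too weak for the first rule
        RogueAP("00:11:22:33:44:03", "FreeWiFi", -60, open_auth=True),   # open AP, second rule
        RogueAP("00:11:22:33:44:04", "CafeGuest", -75, open_auth=False), # only a disabled rule matches
        RogueAP("00:11:22:33:44:05", "Printer", -50, open_auth=True),    # admin already reviewed it
    ]
    manual_classify(aps[4], FRIENDLY)
    return aps, rules, classify_all(aps, rules)


if __name__ == "__main__":
    for bssid, cls in demo()[2].items():
        print(bssid, cls)
```

Running demo() classifies the spoofed corporate SSID as Malicious, the open AP as Custom, and leaves the weak CorpWiFi and the CafeGuest APs Unclassified because no enabled rule matches them; the printer stays Friendly regardless of the open-ap rule because it was manually classified. Enabling the neighbour rule afterwards reclassifies only the still-Unclassified CafeGuest AP, which mirrors the page's statement that enabling a rule reclassifies unclassified access points.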
You can exclude clients from being able to connect to the WLAN network when one of the following conditions is observed:
© 2018 Cisco Systems, Inc. All rights reserved.