Rogue Management in a Unified Wireless Network

Introduction

Wireless networks extend wired networks and increase worker productivity and access to information.

However, an unauthorized wireless network presents an additional layer of security concern. Less effort is put into port security on wired networks, and wireless networks are an easy extension to wired networks.

Therefore, an employee who brings his or her own Access Point (Cisco or non-Cisco) into a well-secured wireless or wired infrastructure and allows unauthorized users access to this otherwise secured network can easily compromise a secure network.

Rogue detection allows the network administrator to monitor and eliminate this security concern.

Cisco Unified Network Architecture provides methods for rogue detection that enable a complete rogue identification and containment solution without the need for expensive and hard-to-justify overlay networks and tools.

Prerequisites

Requirements

This document assumes you are familiar with basic controller configurations.

Components Used

This document is not restricted to specific software and hardware versions.

The information in this document is based on these software and hardware versions:

  • Cisco Unified Controllers (2100, 5500, 4400, WiSM, and NM-WLC Series) running version 7.0

  • Control and Provisioning of Wireless Access Point Protocol (CAPWAP)-based LAPs - 1130AG, 1140, 3500, 1200, 1230AG, 1240AG, 1250, and 1260 Series LAPs

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Rogue Overview

Any device that shares your spectrum and is not managed by you can be considered a rogue.

A rogue becomes dangerous in these scenarios:

  • When set up to use the same SSID as your network (honeypot).

  • When it is also detected on the wired network.

  • Ad-hoc rogues are also a big threat, set up by an outsider, most times with malicious intent.

There are three main phases of rogue device management in the Cisco Unified Wireless Network (UWN) solution:

  • Detection – Radio Resource Management (RRM) scanning is used to detect the presence of rogue devices.

  • Classification – Rogue Location Discovery Protocol (RLDP), Rogue Detectors and switch port tracing are used to identify if the rogue device is connected to the wired network.

    Rogue classification rules also assist in filtering rogues into specific categories based on their characteristics.

  • Mitigation – Switch port shutting, rogue location, and rogue containment are used in tracking down its physical location and to nullify the threat of the rogue device.

Rogue Management Theory of Operation

Rogue Detection

A rogue is essentially any device that is sharing your spectrum, but is not in your control.

This includes rogue Access Points (APs), wireless routers, rogue clients, and rogue ad-hoc networks. The Cisco UWN uses a number of methods to detect Wi-Fi-based rogue devices, including off-channel scanning and dedicated monitor mode capabilities. Cisco Spectrum Expert can also be used to identify rogue devices not based on the 802.11 protocol, such as Bluetooth bridges.

Off-Channel Scanning

This operation is performed by Local mode and H-REAP (in connected mode) APs and utilizes a time-slicing technique which allows client service and channel scanning using the same radio.

By going off channel for a period of 50ms every 16 seconds, the AP, by default, only spends a small percentage of its time not serving clients.

Also, note there is a 10ms channel change interval that will occur. In the default scan interval of 180 seconds, each 2.4GHz FCC channel (1-11) is scanned at least once. For other regulatory domains, such as ETSI, the AP will be off channel for a slightly higher percentage of time. Both the list of channels and the scan interval can be adjusted in the RRM configuration. This limits the performance impact to a maximum of 1.5%, and intelligence is built into the algorithm to suspend scanning when high-priority QoS frames, such as voice, need to be delivered.

This graphic is a depiction of the off-channel scanning algorithm for a local mode AP in the 2.4GHz frequency band.

A similar operation is performed in parallel on the 5GHz radio if the AP has one present. Each red square represents the time spent on the AP's home channel, whereas each blue square represents time spent on adjacent channels for scanning purposes.
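The scan budget described above can be put into numbers. The following is an added example (not Cisco code): the 50ms dwell, 10ms channel change, 180-second scan interval, 1.5% cap and the three-cycle worst case are the figures quoted in this document; the assumption that the dwells are spread evenly so that every channel in the list is visited once per scan interval, and that the channel-change cost is paid both leaving and returning, is mine, as is the 13-channel ETSI list.

```python
# Model of the local-mode off-channel scan budget. Added example, not Cisco
# code; see the assumptions stated in the lead-in.
from dataclasses import dataclass

FCC_24GHZ = list(range(1, 12))     # channels 1-11 (from the text)
ETSI_24GHZ = list(range(1, 14))    # channels 1-13 (assumed ETSI list)

DWELL_MS = 50             # listening time on a foreign channel per visit
CHANGE_MS = 10            # retune cost; assumed to be paid out and back
DEFAULT_SCAN_INTERVAL_S = 180
WORST_CASE_CYCLES = 3     # troubleshooting section: 3 x 180 s = 9 minutes
PERFORMANCE_CAP_PCT = 1.5


@dataclass
class ScanBudget:
    channels: int
    visit_every_s: float       # how often the radio leaves its home channel
    off_channel_pct: float     # share of radio time not serving clients
    worst_case_detect_s: int   # upper bound before a beaconing rogue is reported


def scan_budget(channels, scan_interval_s=DEFAULT_SCAN_INTERVAL_S):
    """Off-channel duty cycle for one radio scanning the given channel list."""
    n = len(channels)
    visit_every_s = scan_interval_s / n          # one dwell per channel per interval
    per_visit_ms = DWELL_MS + 2 * CHANGE_MS
    off_pct = per_visit_ms / (visit_every_s * 1000) * 100
    return ScanBudget(n, visit_every_s, off_pct, WORST_CASE_CYCLES * scan_interval_s)


def within_performance_cap(budget):
    """True when the modelled impact stays under the 1.5% the text quotes."""
    return budget.off_channel_pct <= PERFORMANCE_CAP_PCT


if __name__ == "__main__":
    for name, chans in (("FCC", FCC_24GHZ), ("ETSI", ETSI_24GHZ)):
        b = scan_budget(chans)
        print(f"{name}: {b.channels} channels, off-channel every {b.visit_every_s:.1f} s, "
              f"{b.off_channel_pct:.2f}% of radio time, worst case {b.worst_case_detect_s} s")
```

With the defaults the FCC radio leaves its home channel roughly every 16 seconds, which is where the "every 16 seconds" figure comes from, and ETSI's two extra channels push the duty cycle up slightly. Shortening the RRM scan interval reduces the worst-case detection time but raises the duty cycle; the cap check shows where it crosses the 1.5% line.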

Monitor Mode Scanning

This operation is performed by Monitor Mode and Adaptive wIPS monitor mode APs which utilizes 100% of the radio's time for scanning all channels in each respective frequency band.

This allows a greater speed of detection and enables more time to be spent on each individual channel. Monitor mode APs are also far superior at detecting rogue clients, as they have a more comprehensive view of the activity occurring on each channel.

This graphic is a depiction of the off-channel scanning algorithm for a monitor mode AP in the 2.4GHz frequency band.

A similar operation is being performed in parallel on the 5GHz radio if the AP has one present.

Local Mode and Monitor Mode Comparison

A local mode AP splits its cycles between serving WLAN clients and scanning channels for threats.

As a result, it takes a local mode AP longer to cycle through all the channels, and it spends less time collecting data on any particular channel so that client operations are not disrupted.

Consequently, rogue and attack detection times are longer (3 to 60 minutes) and a smaller range of over-the-air attacks can be detected than with a monitor mode AP. Furthermore, detection of bursty traffic, such as rogue clients, is much less deterministic because the AP has to be on the channel of the traffic at the same time the traffic is being transmitted or received.

This becomes an exercise in probabilities. A monitor mode AP spends all of its cycles scanning channels looking for rogues and over-the-air attacks. A monitor mode AP can simultaneously be used for Adaptive wIPS, location (context-aware) services, and other monitor mode services.

When monitor mode APs are deployed, the benefits are lower time-to-detection. When monitor mode APs are additionally configured with Adaptive wIPS, a broader range of over-the-air threats and attacks can be detected.

Rogue Identification

If probe response or beacons from a rogue device are heard by either local mode, H-REAP mode, or monitor mode APs, then this information is communicated via CAPWAP to the Wireless LAN controller (WLC) for processing.

In order to prevent false positives, a number of methods are used to ensure other managed Cisco-based APs are not identified as a rogue device. These methods include mobility group updates, RF neighbor packets, and white listing autonomous APs via Wireless Control System (WCS).

Rogue Records

While the controller’s database of rogue devices contains only the current set of detected rogues, the WCS also includes an event history and logs rogues that are no longer seen.

Rogue Details

A CAPWAP AP goes off-channel for 50ms in order to listen for rogue clients and to monitor for noise and channel interference.

Any detected rogue clients or APs are sent to the controller, which gathers this information:

  • The rogue AP's MAC address

  • Name of the AP that detected the rogue

  • MAC address(es) of the client(s) connected to the rogue

  • Whether the frames are protected with WPA or WEP

  • The preamble

  • The Signal-to-Noise Ratio (SNR)

  • The Receiver Signal Strength Indicator (RSSI)

  • Channel of Rogue detection

  • Radio in which rogue is detected

  • Rogue SSID (if the rogue SSID is broadcasted)

  • Rogue IP address

  • First and last time the rogue is reported

  • Channel width

Exporting Rogue Events

In order to export rogue events to a third-party Network Management System (NMS) for archival, the WLC permits additional SNMP trap receivers to be added.

When a rogue is detected or cleared by the controller, a trap containing this information is communicated to all SNMP trap receivers. One caveat with exporting events via SNMP is that if multiple controllers detect the same rogue, duplicate events are seen by the NMS as correlation is only done at WCS.
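The duplicate-event caveat above is something the NMS side has to handle. The following is an added example, not Cisco code: it merges detected/cleared traps from several controllers into one incident per rogue MAC. The RogueTrap fields are my own simplification, not WLC MIB objects; the sample traps are constructed, with MAC addresses reused from the controller output later in this document.

```python
# NMS-side correlation of rogue traps from several controllers. Added
# example, not Cisco code; the trap layout is a simplification.
from dataclasses import dataclass, field


@dataclass
class RogueTrap:
    controller: str      # management IP of the sending WLC
    rogue_mac: str
    event: str           # "detected" or "cleared"
    ts: int              # epoch seconds


@dataclass
class RogueIncident:
    rogue_mac: str
    first_seen: int
    last_seen: int
    controllers: set = field(default_factory=set)   # WLCs currently reporting it
    trap_count: int = 0                             # raw traps folded into this incident
    active: bool = True


def correlate(traps):
    """Merge traps into one incident per rogue MAC, processed in time order."""
    incidents = {}
    for t in sorted(traps, key=lambda t: t.ts):
        mac = t.rogue_mac.lower()
        inc = incidents.get(mac)
        if t.event == "detected":
            if inc is None:
                inc = incidents[mac] = RogueIncident(mac, t.ts, t.ts)
            inc.controllers.add(t.controller)
            inc.active = True
        elif t.event == "cleared" and inc is not None:
            inc.controllers.discard(t.controller)
            # Gone only once every controller that reported it has cleared it.
            inc.active = bool(inc.controllers)
        else:
            continue             # a clear for an unknown rogue: nothing to update
        inc.trap_count += 1
        inc.last_seen = max(inc.last_seen, t.ts)
    return incidents


SAMPLE_TRAPS = [  # constructed sample traps
    RogueTrap("10.0.0.1", "00:14:1b:5b:1f:90", "detected", 1000),
    RogueTrap("10.0.0.2", "00:14:1b:5b:1f:90", "detected", 1003),  # same rogue, second WLC
    RogueTrap("10.0.0.1", "00:17:df:a9:08:00", "detected", 1010),
    RogueTrap("10.0.0.1", "00:14:1b:5b:1f:90", "cleared", 2200),
    RogueTrap("10.0.0.2", "00:14:1b:5b:1f:90", "cleared", 2260),
]

if __name__ == "__main__":
    for mac, inc in correlate(SAMPLE_TRAPS).items():
        print(mac, "active" if inc.active else "cleared", inc.trap_count, "traps",
              sorted(inc.controllers))
```

The point of keeping the set of reporting controllers is that a "cleared" trap from one WLC does not mean the rogue is gone: the second controller in the sample still hears it until its own clear arrives.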

Rogue Record Timeout

Once a rogue AP has been added to the WLC's records, it will remain there until it is no longer seen.

After a user-configurable timeout (1200 seconds by default), a rogue in the _Unclassified_ category is aged out. Rogues in other states, such as _Contained_ and _Friendly_, persist so that the appropriate classification is applied to them if they reappear.

There is a maximum database size for rogue records that is variable across controller platforms:

  • 21XX and WLCM - 125 rogues

  • 44XX - 625 rogues

  • WiSM - 1250 rogues

  • 5508 - 2000 rogues

Rogue Classification

By default, all rogues that are detected by the Cisco UWN are considered Unclassified.

As depicted in this graphic, rogues can be classified on a number of criteria, including RSSI, SSID, security type, on/off network, and number of clients.

Rogue Detector AP

A rogue detector AP aims to correlate rogue information heard over the air with ARP information obtained from the wired network.

If a MAC address is heard over the air as a rogue AP or client and is also heard on the wired network, then the rogue is determined to be on the wired network. If the rogue is detected to be on the wired network, then the alarm severity for that rogue AP is raised to _critical_.

It should be noted that a rogue detector AP is not successful at identifying rogue clients behind a device using NAT.

Scalability Considerations

A rogue detector AP can detect up to 500 rogues and 500 rogue clients.

If the rogue detector is placed on a trunk with too many rogue devices, then these limits might be exceeded, which causes issues. In order to prevent this from occurring, keep rogue detector APs at the distribution or access layer of your network.

RLDP

The aim of RLDP is to identify if a specific rogue AP is connected to the wired infrastructure. This feature essentially uses the closest Unified AP to connect to the rogue device as a wireless client.

After connecting as a client, a packet is sent with the destination address of the WLC to assess if the AP is connected to the wired network. If the rogue is detected to be on the wired network, then the alarm severity for that rogue AP is raised to _critical_.

The algorithm of RLDP is listed here:

1. Identify the closest Unified AP to the rogue using signal strength values.

2. The AP then connects to the rogue as a WLAN client, attempting three associations before timing out.

3. If association is successful, the AP then uses DHCP to obtain an IP address.

4. If an IP address was obtained, the AP (acting as a WLAN client) sends a UDP packet to each of the controller's IP addresses.

5. If the controller receives even one of the RLDP packets from the client, that rogue is marked as on-wire with a severity of critical.

Note: The RLDP packets are unable to reach the controller if filtering rules are in place between the controller's network and the network where the rogue device is located.

Caveats of RLDP

  • RLDP only works with open rogue APs broadcasting their SSID with authentication and encryption disabled.

  • RLDP requires that the managed AP acting as a client is able to obtain an IP address via DHCP on the rogue network.

  • Manual RLDP can be used to attempt an RLDP trace on a rogue multiple times.

  • During the RLDP process, the AP is unable to serve clients. This will negatively impact performance and connectivity for local mode APs.

  • RLDP does not attempt to connect to a rogue AP operating on a 5GHz DFS channel.
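The algorithm and caveats above can be expressed as a decision model. The following is an added example, not controller code: it performs no network action, it only decides whether an RLDP attempt makes sense for a rogue, which AP should run it, and how the controller-side outcome is read. The -85dBm figure comes from the RLDP configuration note later in this document; the 5GHz DFS channel set (US channels 52-64 and 100-144), the data classes and the tie-breaking rule are my assumptions.

```python
# RLDP candidate selection and verdict. Added example, not Cisco code; the
# DFS channel set and the data classes are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional

DFS_5GHZ = set(range(52, 65, 4)) | set(range(100, 145, 4))   # assumed US DFS list
MAX_ASSOC_ATTEMPTS = 3          # three association attempts before timing out
MIN_RSSI_DBM = -85              # floor quoted in the RLDP configuration note


@dataclass
class RogueAp:
    bssid: str
    ssid: Optional[str]         # None when the rogue does not broadcast it
    channel: int
    band_ghz: float             # 2.4 or 5
    encrypted: bool             # WEP/WPA seen in its frames


@dataclass
class Report:
    ap_name: str
    ap_mode: str                # "monitor", "local" or "hreap"
    rssi_dbm: int


def rldp_eligible(rogue):
    """Apply the RLDP caveats; returns (ok, reason)."""
    if rogue.ssid is None:
        return False, "SSID not broadcast"
    if rogue.encrypted:
        return False, "RLDP only works against open rogues"
    if rogue.band_ghz == 5 and rogue.channel in DFS_5GHZ:
        return False, "rogue is on a 5 GHz DFS channel"
    return True, "ok"


def choose_rldp_ap(reports, monitor_only=False):
    """Closest AP by signal strength. Among APs hearing the rogue above the
    RSSI floor, a monitor mode AP is preferred over local/H-REAP."""
    pool = [r for r in reports if not monitor_only or r.ap_mode == "monitor"]
    if not pool:
        return None
    strong = [r for r in pool if r.rssi_dbm >= MIN_RSSI_DBM]
    if strong:
        return max(strong, key=lambda r: (r.ap_mode == "monitor", r.rssi_dbm))
    return max(pool, key=lambda r: r.rssi_dbm)


def rldp_verdict(assoc_results, got_ip, packets_received_by_wlc):
    """Interpret one attempt: assoc_results are the outcomes of successive
    association tries, got_ip whether DHCP succeeded, and the last argument
    how many of the UDP probes reached any controller address."""
    if not any(assoc_results[:MAX_ASSOC_ATTEMPTS]):
        return "association failed"
    if not got_ip:
        return "no DHCP lease on rogue network"
    if packets_received_by_wlc > 0:
        return "on-wire (critical)"
    return "not confirmed on wire"   # may also mean a filter blocked the probe


if __name__ == "__main__":
    rogue = RogueAp("00:14:1b:5b:1f:90", "doob", 6, 2.4, False)
    heard_by = [Report("ap-local", "local", -60), Report("ap-mon", "monitor", -70)]
    print(rldp_eligible(rogue), choose_rldp_ap(heard_by).ap_name)
    print(rldp_verdict([False, False, True], True, 1))
```

The last return value is deliberately not "off wire": as the note above says, a probe that never reaches the controller may have been filtered, so a negative RLDP result is inconclusive rather than a clean bill of health.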

Switch Port Tracing

Switch port tracing is a rogue AP mitigation technique first implemented in the 5.1 release.

Although switch port tracing is initiated at the WCS, it utilizes both CDP and SNMP information to track a rogue down to a specific port in the network. In order for switch port tracing to run, all switches in the network must be added to the WCS with SNMP credentials. Although read-only credentials work for identifying the port the rogue is on, read-write credentials allow the WCS to also shut the port down, thus containing the threat.

At this time, this feature works only with Cisco switches that run IOS with CDP enabled, and CDP must also be enabled on the managed APs.

The algorithm for switch port tracing is listed here:

  • The WCS finds the closest AP, which detects the rogue AP over the air, and retrieves its CDP neighbors.

  • The WCS then uses SNMP to examine the CAM table within the neighboring switch, looking for a positive match to identify the rogue's location.

  • A positive match is based on the exact rogue MAC address, the rogue MAC address +1/-1, any rogue client MAC addresses, or an OUI match based on the vendor information inherent in a MAC address. If a positive match is not found on the closest switch, the WCS continues searching neighboring switches up to two hops away (by default).
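Both wired-side checks described in this document, the rogue detector AP's correlation of over-the-air MACs with what is seen on the wire and the switch port tracing rules just listed, come down to matching MAC addresses against wired tables. The following is an added example, not Cisco or WCS code, that implements both: the four match kinds (exact BSSID, BSSID +1/-1, rogue client MAC, vendor OUI) ranked in the order the text lists them, and a breadth-first search over CDP neighbors up to two hops. The CAM tables, neighbor graph and MAC addresses are constructed sample data; a real tool would collect them over SNMP.

```python
# Wired-side correlation of a rogue: rogue detector logic plus switch port
# tracing. Added example, not Cisco/WCS code; all tables below are constructed.
from collections import deque

# Evidence strength, strongest first, in the order the text lists the rules.
RANK = {"exact": 0, "adjacent": 1, "client": 2, "oui": 3}


def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)


def match_kind(cam_mac, rogue_bssid, rogue_clients):
    """Return the kind of positive match for one CAM-table MAC, or None."""
    cam, bssid = cam_mac.lower(), rogue_bssid.lower()
    if cam == bssid:
        return "exact"
    if abs(mac_to_int(cam) - mac_to_int(bssid)) == 1:
        return "adjacent"        # wired MAC of many small APs is BSSID +/-1
    if cam in {c.lower() for c in rogue_clients}:
        return "client"
    if cam[:8] == bssid[:8]:
        return "oui"             # same vendor prefix only: weakest evidence
    return None


def rogue_detector_correlate(rogues, wired_macs):
    """Rogue detector AP logic: severity becomes critical when the BSSID or any
    associated client MAC is also seen on the trunk the detector listens to."""
    wired = {m.lower() for m in wired_macs}
    result = {}
    for bssid, clients in rogues.items():
        seen = {bssid.lower(), *(c.lower() for c in clients)} & wired
        result[bssid] = "critical" if seen else "alert"
    return result


def trace_rogue(start_switch, neighbors, cam_tables, rogue_bssid,
                rogue_clients, max_hops=2):
    """Breadth-first switch port trace from the switch the detecting AP is on.
    Returns (switch, port, match_kind, hops) or None. The closest switch is
    searched first; neighbors are visited only when it has no match."""
    visited = {start_switch}
    queue = deque([(start_switch, 0)])
    while queue:
        switch, hops = queue.popleft()
        hits = []
        for port, macs in cam_tables.get(switch, {}).items():
            for mac in macs:
                kind = match_kind(mac, rogue_bssid, rogue_clients)
                if kind:
                    hits.append((switch, port, kind, hops))
        if hits:
            return min(hits, key=lambda h: RANK[h[2]])
        if hops < max_hops:
            for nb in neighbors.get(switch, []):
                if nb not in visited:
                    visited.add(nb)
                    queue.append((nb, hops + 1))
    return None


# Constructed sample data (not from the page).
ROGUE_BSSID = "00:1a:2b:3c:4d:50"
ROGUE_CLIENTS = ["aa:bb:cc:11:22:33"]
NEIGHBORS = {"sw-access-1": ["sw-dist-1"],
             "sw-dist-1": ["sw-access-1", "sw-access-2", "sw-core"],
             "sw-access-2": ["sw-dist-1"],
             "sw-core": ["sw-dist-1", "sw-far"],
             "sw-far": ["sw-core"]}
CAM_TABLES = {
    "sw-access-1": {"Gi1/0/1": ["00:24:97:8a:09:30"]},   # the detecting managed AP
    "sw-dist-1":   {"Te1/1":   ["00:50:56:aa:bb:cc"]},
    "sw-access-2": {"Gi1/0/7": ["00:1a:2b:3c:4d:4f"]},   # BSSID - 1: the rogue's wired port
    "sw-far":      {"Gi1/0/2": ["00:1a:2b:3c:4d:50"]},   # exact match, but three hops away
}

if __name__ == "__main__":
    print(rogue_detector_correlate({ROGUE_BSSID: ROGUE_CLIENTS}, ["AA:BB:CC:11:22:33"]))
    print(trace_rogue("sw-access-1", NEIGHBORS, CAM_TABLES, ROGUE_BSSID, ROGUE_CLIENTS))
```

Two behaviours worth noting: an OUI-only match on the closest switch stops the search, exactly as the text describes, so a wired device from the same vendor can produce a wrong port; and the exact match on `sw-far` is never reached with the default two-hop limit.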

Rogue Classification Rules

Rogue classification rules, introduced in the 5.0 release, allow you to define a set of conditions that mark a rogue as either malicious or friendly.

These rules are configured at the WCS or the WLC, but they are always evaluated on the controller as new rogues are discovered.

Read the document Rule Based Rogue Classification in Wireless LAN Controllers (WLC) and Wireless Control System (WCS) for more information on rogue rules in the WLCs.
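The following added example (not the WLC rule engine) shows what such a rule set looks like when written out: rules on the criteria this document names (RSSI, SSID, security type, on/off network, number of clients), evaluated in priority order, with Unclassified as the default when nothing matches. The Rule layout, the priority scheme, the sample rules and the SSIDs are my own.

```python
# Rule-based rogue classification. Added example, not Cisco code; the rule
# format, priorities and sample policy are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional, Set


@dataclass
class Rogue:
    bssid: str
    ssid: Optional[str]      # None when the rogue hides its SSID
    rssi_dbm: int
    security: str            # "open", "wep" or "wpa"
    on_wire: bool            # result of RLDP / rogue detector / port tracing
    clients: int


@dataclass
class Rule:
    name: str
    verdict: str             # "Friendly" or "Malicious"
    priority: int            # lower number is evaluated first
    match_all: bool = True   # True: every condition must hold; False: any one
    min_rssi_dbm: Optional[int] = None
    ssids: Optional[Set[str]] = None
    security: Optional[Set[str]] = None
    on_wire: Optional[bool] = None
    min_clients: Optional[int] = None

    def conditions(self, r):
        checks = []
        if self.min_rssi_dbm is not None:
            checks.append(r.rssi_dbm >= self.min_rssi_dbm)
        if self.ssids is not None:
            checks.append(r.ssid in self.ssids)
        if self.security is not None:
            checks.append(r.security in self.security)
        if self.on_wire is not None:
            checks.append(r.on_wire == self.on_wire)
        if self.min_clients is not None:
            checks.append(r.clients >= self.min_clients)
        return checks

    def matches(self, r):
        checks = self.conditions(r)
        if not checks:
            return False         # a rule with no conditions never fires
        return all(checks) if self.match_all else any(checks)


def classify(rogue, rules):
    """First matching rule in priority order decides; otherwise Unclassified."""
    for rule in sorted(rules, key=lambda x: x.priority):
        if rule.matches(rogue):
            return rule.verdict
    return "Unclassified"


# Sample policy (constructed): our own SSIDs and one known partner network.
OUR_SSIDS = {"corp-wifi", "corp-guest"}
RULES = [
    Rule("honeypot", "Malicious", 1, ssids=OUR_SSIDS),
    Rule("on-wire", "Malicious", 2, on_wire=True),
    Rule("strong-open-serving", "Malicious", 3,
         min_rssi_dbm=-70, security={"open"}, min_clients=1),
    Rule("partner", "Friendly", 10, ssids={"partner-guest"}, on_wire=False),
]

if __name__ == "__main__":
    for r in (Rogue("b1", "corp-wifi", -80, "wpa", False, 0),
              Rogue("b2", "cafe", -85, "wpa", False, 0),
              Rogue("b3", "partner-guest", -60, "wpa", False, 5)):
        print(r.bssid, r.ssid, "->", classify(r, RULES))
```

Ordering matters: the partner rule carries a low priority so that a device advertising the partner SSID but found on our wire is still marked Malicious by the on-wire rule before the Friendly rule is reached.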

Rogue Mitigation

Rogue Containment

Containment is a method of using over-the-air packets to temporarily interrupt service on a rogue device until it can physically be removed.

Containment works by spoofing de-authentication packets with the spoofed MAC address of the rogue AP so that any clients associated with it are kicked off.

Rogue Containment Details

A containment initiated on a rogue AP with no clients will only use de-authentication frames sent to the broadcast address.

A containment initiated on a rogue AP with client(s) will use de-authentication frames sent to the broadcast address and to the client(s) address.

Containment packets are sent at the power level of the managed AP and at the lowest enabled data rate.

Containment sends a minimum of 2 packets every 100ms.

Note: From the 6.0 release, a containment performed by non-monitor mode APs is sent at an interval of 500ms instead of the 100ms interval used by monitor mode APs.

  • An individual rogue device can be contained by 1 to 4 managed APs, which work in conjunction to mitigate the threat temporarily.

  • Containment can be performed using local mode, monitor mode and H-REAP (connected) mode APs. For local mode or H-REAP APs, a maximum of three rogue devices per radio can be contained. For monitor mode APs, a maximum of six rogue devices per radio can be contained.

Auto-Containment

In addition to manually initiating containment on a rogue device via WCS or the WLC GUI, there is also the ability to automatically launch containment under certain scenarios. This configuration is found under General in the Rogue Policies section of the WCS or controller interface.

Each of these features is disabled by default and should only be enabled to nullify the most damaging threats.

  • Rogue on Wire - If a rogue device is identified to be attached to the wired network, then it is automatically placed under containment.

  • Using our SSID - If a rogue device is using an SSID which is the same as that configured on the controller, it is automatically contained. This feature aims to address a honeypot attack before it causes damage.

  • Valid client on Rogue AP - If a client listed in ACS is found to be associated with a rogue device, containment is launched against that client only, preventing it from associating to any non-managed AP.

  • AdHoc Rogue AP - If an ad-hoc network is discovered, it is automatically contained.

Rogue Containment Caveats

  • Because containment uses a portion of the managed AP's radio time to send the de-authentication frames, the performance to both data and voice clients is negatively impacted by up to 20%. For data clients, the impact is reduced throughput. For voice clients, containment can cause interruptions in conversations and reduced voice quality.

  • Containment can have legal implications when launched against neighboring networks. Ensure that the rogue device is within your network and poses a security risk before you launch the containment.

Switch Port Shutting

Once a switch port is traced using SPT, there is an option to disable that port in WCS.

The administrator has to do this manually. An option is available to re-enable the switch port through WCS once the rogue is physically removed from the network.

Configure Rogue Management

Configure Rogue Detection

Rogue detection is enabled in the controller by default.

To find rogue details in a controller using the graphical interface, go to Monitor > Rogues.

In this page, different classifications for rogues are available:

  • Friendly APs – APs which are marked as friendly by the administrator.

  • Malicious APs – APs which are identified as malicious using RLDP or a rogue detector AP.

  • Unclassified APs – By default, rogue APs are shown in the unclassified list in the controller.

  • Rogue Clients – Clients connected to rogue APs.

  • Adhoc Rogues – Ad-hoc rogue clients.

  • Rogue AP ignore list – APs listed through WCS.

Note: If a WLC and an autonomous AP are managed by the same WCS, the WLC automatically lists this autonomous AP in the Rogue AP ignore list. There is no additional configuration required in the WLC to enable this feature.

From the CLI:

    (Cisco Controller) >show rogue ap summary
    Rogue on wire Auto-Contain....................... Disabled
    Rogue using our SSID Auto-Contain................ Disabled
    Valid client on rogue AP Auto-Contain............ Disabled
    Rogue AP timeout................................. 1200

    MAC Address        Classification     # APs # Clients Last Heard
    -----------------  ------------------ ----- --------- -----------------------
    00:14:1b:5b:1f:90  Unclassified       1     0         Thu Jun 10 19:04:51 2010
    00:14:1b:5b:1f:91  Unclassified       1     0         Thu Jun 10 18:58:51 2010
    00:14:1b:5b:1f:92  Unclassified       1     0         Thu Jun 10 18:49:50 2010
    00:14:1b:5b:1f:93  Unclassified       1     0         Thu Jun 10 18:55:51 2010
    00:14:1b:5b:1f:96  Unclassified       1     0         Thu Jun 10 18:58:51 2010
    00:17:df:a9:08:00  Unclassified       1     0         Thu Jun 10 18:49:50 2010
    00:17:df:a9:08:10  Unclassified       1     0         Thu Jun 10 18:55:51 2010
    00:17:df:a9:08:11  Unclassified       1     0         Thu Jun 10 19:04:51 2010
    00:17:df:a9:08:12  Unclassified       1     0         Thu Jun 10 18:49:50 2010
    00:17:df:a9:08:16  Unclassified       1     0         Thu Jun 10 19:04:51 2010

Click a particular rogue entry in order to get the details of that rogue.

From the CLI:

    (Cisco Controller) >show rogue ap detailed 00:14:1b:5b:1f:90
    Rogue BSSID...................................... 00:14:1b:5b:1f:90
    Is Rogue on Wired Network........................ No
    Classification................................... Unclassified
    Manual Contained................................. No
    State............................................ Alert
    First Time Rogue was Reported.................... Thu Jun 10 18:37:50 2010
    Last Time Rogue was Reported..................... Thu Jun 10 19:04:51 2010

    Reported By
        AP 1
            MAC Address.............................. 00:24:97:8a:09:30
            Name..................................... AP_5500
            Radio Type............................... 802.11g
            SSID..................................... doob
            Channel.................................. 6
            RSSI..................................... -51 dBm
            SNR...................................... 27 dB
            Encryption............................... Disabled
            ShortPreamble............................ Enabled
            WPA Support.............................. Disabled
            Last reported by this AP................. Thu Jun 10 19:04:51 2010
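The summary output above is the obvious thing to feed into a script, for example to find which entries the controller is about to age out under the Rogue Record Timeout rule (Unclassified entries are flushed after the timeout; Friendly, Malicious and Contained entries persist). The following is an added example, not Cisco code: a parser for the summary format and the aging check. SAMPLE_OUTPUT is constructed from the table above, with one row changed to Friendly to show that it is never aged.

```python
# Parser for 'show rogue ap summary' plus the rogue record aging rule.
# Added example, not Cisco code; SAMPLE_OUTPUT is a constructed copy of the
# table shown above.
import re
from datetime import datetime, timedelta

SAMPLE_OUTPUT = """\
Rogue on wire Auto-Contain....................... Disabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200

MAC Address        Classification     # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------
00:14:1b:5b:1f:90  Unclassified       1     0         Thu Jun 10 19:04:51 2010
00:14:1b:5b:1f:91  Unclassified       1     0         Thu Jun 10 18:58:51 2010
00:17:df:a9:08:00  Friendly           1     0         Thu Jun 10 18:49:50 2010
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ROW_RE = re.compile(
    rf"^(?P<mac>{MAC})\s+(?P<cls>\S+)\s+(?P<aps>\d+)\s+(?P<clients>\d+)\s+"
    r"(?P<heard>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*$",
    re.IGNORECASE,
)
SETTING_RE = re.compile(r"^(?P<key>[^.]+?)\.{2,}\s*(?P<val>\S.*)$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"       # the controller's "Last Heard" format


def parse_summary(text):
    """Return (settings dict, list of rogue rows) from the command output."""
    settings, rows = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW_RE.match(line)
        if row:
            rows.append({
                "mac": row["mac"].lower(),
                "classification": row["cls"],
                "aps": int(row["aps"]),
                "clients": int(row["clients"]),
                "last_heard": datetime.strptime(row["heard"], TIME_FMT),
            })
            continue
        setting = SETTING_RE.match(line)
        if setting:
            settings[setting["key"].strip()] = setting["val"].strip()
    return settings, rows


def stale_entries(rows, now, timeout_s):
    """MACs the controller will age out: Unclassified and silent for longer
    than the rogue AP timeout. Other classifications persist."""
    if isinstance(now, str):
        now = datetime.strptime(now, TIME_FMT)
    cutoff = now - timedelta(seconds=timeout_s)
    return [r["mac"] for r in rows
            if r["classification"] == "Unclassified" and r["last_heard"] < cutoff]


if __name__ == "__main__":
    settings, rows = parse_summary(SAMPLE_OUTPUT)
    timeout = int(settings["Rogue AP timeout"])
    stale = stale_entries(rows, "Thu Jun 10 19:20:00 2010", timeout)
    print(f"{len(rows)} rogues, timeout {timeout}s, about to age out: {stale}")
```

The timeout is read from the same output rather than hard-coded, so the check follows whatever value was configured with `config rogue ap timeout`.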

Configure Channel Scanning for Rogue Detection

For a local/H-REAP mode/monitor mode AP, there is an option under the RRM configuration which allows the user to choose which channels are scanned for rogues.

Depending on the configuration, the AP scans all channels, country channels, or DCA channels for rogues.

To configure this from the GUI, go to Wireless > 802.11a/802.11b > RRM > General.

From the CLI:

    (Cisco Controller) >config advanced 802.11a monitor channel-list ?
    all            Monitor all channels
    country        Monitor channels used in configured country code
    dca            Monitor channels used by automatic channel assignment

To configure these options, go to Security > Wireless Protection Policies > Rogue Policies > General:

  • Set the timeout for rogue APs.

  • Enable the detection of ad-hoc rogue networks.

From the CLI:

    (Cisco Controller) >config rogue ap timeout ?
    <seconds>      The number of seconds <240 - 3600> before rogue entries are flushed
    (Cisco Controller) >config rogue adhoc enable/disable

Configure Rogue Classification

Manually Classify a Rogue AP

To classify a rogue AP as friendly, malicious, or unclassified, go to Monitor > Rogue > Unclassified APs, and click the particular rogue AP name.

Choose the option from the drop-down list.

From the CLI:

    (Cisco Controller) >config rogue ap ?
    classify       Configures rogue access points classification.
    friendly       Configures friendly AP devices.
    rldp           Configures Rogue Location Discovery Protocol.
    ssid           Configures policy for rogue APs advertsing our SSID.
    timeout        Configures the expiration time for rogue entries, in seconds.
    valid-client   Configures policy for valid clients using rogue APs.

To remove a rogue entry manually from the rogue list, go to Monitor > Rogue > Unclassified APs, and click Remove.

To configure a rogue AP as a friendly AP, go to Security > Wireless Protection Policies > Rogue Policies > Friendly Rogues and add the rogue MAC address.

The added friendly rogue entries can be verified from the Monitor > Rogues > Friendly Rogue page.

Configure a Rogue Detector AP

To configure the AP as a rogue detector using the GUI, go to Wireless > All APs.

Choose the AP name and change the AP mode.

From the CLI:

    (Cisco Controller) >config ap mode rogue AP_Managed
    Changing the AP's mode will cause the AP to reboot.
    Are you sure you want to continue? (y/n) y

Configure Switchport for a Rogue Detector AP

    interface GigabitEthernet1/0/5
     description Rogue Detector
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 113
     switchport mode trunk
     spanning-tree portfast trunk

Note: The native VLAN in this configuration is one that has IP connectivity to the WLC.

Configure RLDP

To configure RLDP in the controller's GUI, go to Security > Wireless Protection Policies > Rogue Policies > General.

Monitor Mode APs – Allows only APs in monitor mode to participate in RLDP.

All APs – Local/H-REAP/monitor mode APs participate in the RLDP process.

Disabled – RLDP is not triggered automatically. However, the user can trigger RLDP manually for a particular MAC address through the CLI.

Note: A monitor mode AP gets preference over a local/H-REAP AP for performing RLDP if both of them detect a particular rogue above -85dBm RSSI.

From the CLI:

    (Cisco Controller) >config rogue ap rldp enable ?
    alarm-only     Enables RLDP and alarm if rogue is detected
    auto-contain   Enables RLDP, alarm and auto-contain if rogue is detected.

    (Cisco Controller) >config rogue ap rldp enable alarm-only ?
    monitor-ap-only Perform RLDP only on monitor AP

RLDP scheduling and manual triggering are configurable only through the command prompt.

To initiate RLDP manually:

    (Cisco Controller) >config rogue ap rldp initiate ?
    <MAC addr>     Enter the MAC address of the rogue AP (e.g. ...)

Scheduling RLDP

Note: RLDP scheduling and the option to configure RLDP retries are two options introduced in 7.0 through the CLI.

RLDP scheduling:

    (Cisco Controller) >config rogue ap rldp schedule ?
    add            Enter the days when RLDP scheduling to be done.
    delete         Enter the days when RLDP scheduling needs to be deleted.
    enable         Configure to enable RLDP scheduling.
    disable        Configure to disable RLDP scheduling.

    (Cisco Controller) >config rogue ap rldp schedule add ?
    mon            Configure Monday for RLDP scheduling.
    tue            Configure Tuesday for RLDP scheduling.
    wed            Configure Wednesday for RLDP scheduling.
    thu            Configure Thursday for RLDP scheduling.
    fri            Configure Friday for RLDP scheduling.
    sat            Configure Saturday for RLDP scheduling.
    sun            Configure Sunday for RLDP scheduling.

RLDP retries can be configured using this command:

    (Cisco Controller) >config rogue ap rldp retries ?
    <count>        Enter the no.of times(1 - 5) RLDP to be tried per Rogue AP.

To configure AAA validation for rogue clients, go to Security > Wireless Protection Policies > Rogue Policies > General.

Enabling this option makes sure the rogue client/AP address is verified with the AAA server before classifying it as malicious.

From the CLI:

    (Cisco Controller) >config rogue client aaa ?
    disable        Disables use of AAA/local database to detect valid mac addresses.
    enable         Enables use of AAA/local database to detect valid mac addresses.

To validate that a particular rogue client is a wired client, there is an option to check the reachability of that particular rogue from the controller (if the controller is able to detect the rogue client IP address).

This option can be accessed in the rogue client's detail page and is available only through the graphical interface.

To configure switch port tracing, refer to the document Rogue Management White Paper (registered customers only).

Configure Rogue Mitigation

Configure Manual Containment

In order to contain a rogue AP manually, go to Monitor > Rogues > Unclassified.

From the CLI:

    (Cisco Controller) >config rogue client ?
    aaa            Configures to validate if a rogue client is a valid client using AAA/local database.
    alert          Configure the rogue client to the alarm state.
    contain        Start containing a rogue client.

    (Cisco Controller) >config rogue client contain 01:22:33:44:55:66 ?
    <num of APs>   Enter the maximum number of Cisco APs to actively contain the rogue client [1-4].

Note: A particular rogue client can be contained using 1-4 APs. By default, the controller uses one AP for containing a client. If two APs are able to detect a particular rogue, the AP with the highest RSSI contains the client regardless of the AP mode.

To configure auto containment, go to Security > Wireless Protection Policies > Rogue Policies > General, and enable all applicable options for your network.

From the CLI:

    (Cisco Controller) >config rogue adhoc ?
    alert          Stop Auto-Containment, generate a trap upon detection of the adhoc rogue.
    auto-contain   Automatically containing adhoc rogue.
    contain        Start containing adhoc rogue.
    disable        Disable detection and reporting of Ad-Hoc rogues.
    enable         Enable detection and reporting of Ad-Hoc rogues.
    external       Acknowledge presence of a adhoc rogue.

    (Cisco Controller) >config rogue adhoc auto-contain ?
    (Cisco Controller) >config rogue adhoc auto-contain
    Warning! Using this feature may have legal consequences
    Do you want to continue(y/n) :y

Troubleshoot

If the rogue is not detected:

  • Verify that rogue detection is enabled on the AP using this command. By default, rogue detection is enabled on the AP.

    (Cisco_Controller) >show ap config general Managed_AP
    Cisco AP Identifier.............................. 2
    Cisco AP Name.................................... Managed_AP
    Country code..................................... US - United States
    Regulatory Domain allowed by Country............. 802.11bg:-A 802.11a:-A
    AP Country code.................................. US - United States
    AP Regulatory Domain............................. 802.11bg:-A 802.11a:-A
    Switch Port Number .............................. 2
    MAC Address...................................... 00:1d:a1:cc:0e:9e
    IP Address Configuration......................... DHCP
    IP Address....................................... 10.8.99.104
    IP NetMask....................................... 255.255.255.0
    Gateway IP Addr.................................. 10.8.99.1
    CAPWAP Path MTU.................................. 1485
    Telnet State..................................... Enabled
    Ssh State........................................ Disabled
    Cisco AP Location................................ india-banaglore
    Cisco AP Group Name.............................. default-group
    Primary Cisco Switch Name........................ Cisco_e9:d9:23
    Primary Cisco Switch IP Address.................. 10.44.81.20
    Secondary Cisco Switch Name......................
    Secondary Cisco Switch IP Address................ Not Configured
    Tertiary Cisco Switch Name.......................
    Tertiary Cisco Switch IP Address................. Not Configured
    Administrative State ............................ ADMIN_ENABLED
    Operation State ................................. REGISTERED
    Mirroring Mode .................................. Disabled
    AP Mode ......................................... Local
    Public Safety ................................... Disabled
    AP SubMode ...................................... Not Configured
    Remote AP Debug ................................. Disabled
    Logging trap severity level ..................... informational
    Logging syslog facility ......................... kern
    S/W Version ..................................... 7.0.98.0
    Boot Version .................................... 12.3.7.1
    Mini IOS Version ................................ 3.0.51.0
    Stats Reporting Period .......................... 209
    LED State........................................ Enabled
    PoE Pre-Standard Switch.......................... Enabled
    PoE Power Injector MAC Addr...................... Override
    Power Type/Mode.................................. Power injector / Normal mode
    Number Of Slots.................................. 2
    AP Model......................................... AIR-LAP1242AG-A-K9
    AP Image......................................... C1240-K9W8-M
    IOS Version...................................... 12.4(23c)JA
    Reset Button..................................... Enabled
    AP Serial Number................................. FTX1137B22V
    AP Certificate Type.............................. Manufacture Installed
    AP User Mode..................................... AUTOMATIC
    AP User Name..................................... Not Configured
    AP Dot1x User Mode............................... GLOBAL
    AP Dot1x User Name............................... Cisco12
    Cisco AP system logging host..................... 255.255.255.255
    AP Up Time....................................... 13 days, 15 h 01 m 33 s
    AP LWAPP Up Time................................. 13 days, 15 h 00 m 40 s
    Join Date and Time............................... Tue Jun 1 10:36:38 2010
    Join Taken Time.................................. 0 days, 00 h 00 m 52 s
    Ethernet Port Duplex............................. Auto
    Ethernet Port Speed.............................. Auto
    AP Link Latency.................................. Enabled
    Current Delay.................................... 0 ms
    Maximum Delay.................................... 56 ms
    Minimum Delay.................................... 2 ms
    Last updated (based on AP Up Time)............... 13 days, 15 h 00 m 44 s
    Rogue Detection.................................. Enabled
    AP TCP MSS Adjust................................ Disabled

    Rogue detection can be enabled on an AP using this command:

    (Cisco Controller) >config rogue detection enable ?
    all            Applies the configuration to all connected APs.
    <Cisco AP>     Enter the name of the Cisco AP.

  • A local mode AP scans only country channels/DCA channels, depending on the configuration. If the rogue is on any other channel, the controller is not able to identify the rogue if you do not have monitor mode APs in the network. Issue this command in order to verify:

    (Cisco Controller) >show advanced 802.11a monitor
    Default 802.11a AP monitoring
      802.11a Monitor Mode........................... enable
      802.11a Monitor Mode for Mesh AP Backhaul...... disable
      802.11a Monitor Channels....................... Country channels
      802.11a AP Coverage Interval................... 180 seconds
      802.11a AP Load Interval....................... 60 seconds
      802.11a AP Noise Interval...................... 180 seconds
      802.11a AP Signal Strength Interval............ 60 seconds

  • The rogue AP may not be broadcasting the SSID.

  • Make sure the rogue AP's MAC address is not added in the friendly rogue list or white-listed through WCS.

  • Beacons from the rogue AP may not be reachable by the AP detecting rogues. This can be verified by capturing packets with a sniffer close to the rogue-detecting AP.

  • A local mode AP may take up to 9 minutes to detect a rogue (3 cycles, 180x3).

  • Cisco APs are not able to detect rogues on frequencies like the public safety channel (4.9 GHz).

  • Cisco APs are not able to detect rogues working on FHSS (Frequency Hopping Spread Spectrum).

    Useful debugs

    debug client <mac>   (if the rogue MAC is known)
    debug dot11 rogue enable

    (Cisco_Controller) >
    *apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 Looking for Rogue 00:27:0d:8d:14:12 in known AP table
    *apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 Rogue AP 00:27:0d:8d:14:12 is not found either in AP list or neighbor, known or Mobility group AP lists
    *apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 Change state from 0 to 1 for rogue AP 00:27:0d:8d:14:12
    *apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 rg change state Rogue AP: 00:27:0d:8d:14:12
    *apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 New RSSI report from AP 00:1b:0d:d4:54:20 rssi -74, snr -9 wepMode 129
    *apfRogueTask: Jun 15 01:45:09.010: 00:27:0d:8d:14:12 rg send new rssi -74
    *apfRogueTask: Jun 15 01:45:09.010: 00:27:0d:8d:14:12 Updated AP report 00:1b:0d:d4:54:20 rssi -74, snr -9
    *apfRogueTask: Jun 15 01:45:09.010: 00:27:0d:8d:14:12 Manual Contained Flag = 0
    *apfRogueTask: Jun 15 01:45:09.010: 00:27:0d:8d:14:12 rg new Rogue AP: 00:27:0d:8d:14:12
    *apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Found Rogue AP: 00:24:97:2d:bf:90 on slot 0
    *apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Added Rogue AP: 00:24:97:2d:bf:90
    *apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Looking for Rogue 00:24:97:2d:bf:90 in known AP table
    *apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Rogue AP 00:24:97:2d:bf:90 is not found either in AP list or neighbor, known or Mobility group AP lists
    *apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Change state from 0 to 1 for rogue AP 00:24:97:2d:bf:90
    *apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 rg change state Rogue AP: 00:24:97:2d:bf:90
    *apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 New RSSI report from AP 00:1b:0d:d4:54:20 rssi -56, snr 34 wepMode 129
    *apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 rg send new rssi -56
    *apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Updated AP report 00:1b:0d:d4:54:20 rssi -56, snr 34
    *apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Manual Contained Flag = 0
    *apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 rg new Rogue AP: 00:24:97:2d:bf:90
    *apfRogueTask: Jun 15 01:45:09.010: 9c:af:ca:0f:bd:40 Found Rogue AP: 9c:af:ca:0f:bd:40 on slot 0
    *apfRogueTask: Jun 15 01:45:09.010: 9c:af:ca:0f:bd:40 Added Rogue AP: 9c:af:ca:0f:bd:40
    *apfRogueTask: Jun 15 01:45:09.010: 9c:af:ca:0f:bd:40 Looking for Rogue 9c:af:ca:0f:bd:40 in known AP table
    *apfRogueTask: Jun 15 01:45:09.010: 9c:af:ca:0f:bd:40 Rogue AP 9c:af:ca:0f:bd:40 is not found eithe
    *apfRogueTask: Jun 15 01:45:09.011: 00:25:45:a2:e1:62 Updated AP report 00:1b:0d:d4:54:20 rssi -73, snr 24
    *apfRogueTask: Jun 15 01:45:09.012: 00:25:45:a2:e1:62 Manual Contained Flag = 0
    *apfRogueTask: Jun 15 01:45:09.012: 00:25:45:a2:e1:62 rg new Rogue AP: 00:25:45:a2:e1:62
    *apfRogueTask: Jun 15 01:45:09.012: 00:24:c4:ad:c0:40 Found Rogue AP: 00:24:c4:ad:c0:40 on slot 0
    *apfRogueTask: Jun 15 01:45:09.012: 00:24:c4:ad:c0:40 Added Rogue AP: 00:24:c4:ad:c0:40
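    The debug above is noisy, but each rogue goes through the same sequence: lookup in the known/neighbor/mobility-group AP tables, a state change, and one RSSI/SNR report per detecting AP. The following is an added example, not Cisco's code, that rebuilds that per-rogue view from apfRogueTask lines and picks out unknown rogues heard strongly enough to go and find. The input is a constructed sample in the format above (the MACs are taken from the page's excerpt; the second report for 00:24:97:2d:bf:90 from a second AP is added), and the -70 dBm / 10 dB triage thresholds are this example's choice, not a controller setting.

```python
import re
from collections import defaultdict

# Constructed sample in the apfRogueTask format shown above.
ROGUE_DEBUG = """\
*apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 Looking for Rogue 00:27:0d:8d:14:12 in known AP table
*apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 Rogue AP 00:27:0d:8d:14:12 is not found either in AP list or neighbor, known or Mobility group AP lists
*apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 Change state from 0 to 1 for rogue AP 00:27:0d:8d:14:12
*apfRogueTask: Jun 15 01:45:09.009: 00:27:0d:8d:14:12 New RSSI report from AP 00:1b:0d:d4:54:20 rssi -74, snr -9 wepMode 129
*apfRogueTask: Jun 15 01:45:09.010: 00:27:0d:8d:14:12 Manual Contained Flag = 0
*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Found Rogue AP: 00:24:97:2d:bf:90 on slot 0
*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Rogue AP 00:24:97:2d:bf:90 is not found either in AP list or neighbor, known or Mobility group AP lists
*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 Change state from 0 to 1 for rogue AP 00:24:97:2d:bf:90
*apfRogueTask: Jun 15 01:45:09.010: 00:24:97:2d:bf:90 New RSSI report from AP 00:1b:0d:d4:54:20 rssi -56, snr 34 wepMode 129
*apfRogueTask: Jun 15 01:45:09.011: 00:24:97:2d:bf:90 New RSSI report from AP 00:1b:0d:d4:54:30 rssi -61, snr 30 wepMode 129
*apfRogueTask: Jun 15 01:45:09.011: 00:24:97:2d:bf:90 Manual Contained Flag = 0
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE = re.compile(r"^\*apfRogueTask: (?P<ts>\w{3} +\d+ [\d:.]+): (?P<mac>" + MAC + r") (?P<msg>.*)$")
RSSI = re.compile(r"New RSSI report from AP (?P<ap>" + MAC + r") rssi (?P<rssi>-?\d+), snr (?P<snr>-?\d+)")
STATE = re.compile(r"Change state from (\d+) to (\d+)")
CONTAIN = re.compile(r"Manual Contained Flag = (\d)")


def new_entry():
    return {"state": None, "known": True, "reports": {}, "manual_contained": False, "last_seen": None}


def parse_rogue_debug(text):
    """Rebuild the controller's per-rogue view from 'debug dot11 rogue' lines."""
    rogues = defaultdict(new_entry)
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        entry = rogues[m["mac"]]
        entry["last_seen"] = m["ts"]
        msg = m["msg"]
        if "is not found either in AP list" in msg:
            entry["known"] = False      # not ours, not a neighbor, not in the mobility group
        elif (s := STATE.search(msg)):
            entry["state"] = int(s.group(2))
        elif (r := RSSI.search(msg)):
            # keep the latest report from each detecting AP
            entry["reports"][r["ap"]] = (int(r["rssi"]), int(r["snr"]))
        elif (c := CONTAIN.search(msg)):
            entry["manual_contained"] = c.group(1) == "1"
    return dict(rogues)


def strongest_detector(entry):
    """(detecting AP, rssi, snr) for the AP that hears this rogue best, or None."""
    if not entry["reports"]:
        return None
    ap, (rssi, snr) = max(entry["reports"].items(), key=lambda kv: kv[1][0])
    return ap, rssi, snr


def triage(rogues, min_rssi=-70, min_snr=10):
    """Unknown rogues heard well enough to locate; thresholds are this example's choice."""
    hits = []
    for mac, entry in rogues.items():
        best = strongest_detector(entry)
        if entry["known"] or best is None:
            continue
        if best[1] >= min_rssi and best[2] >= min_snr:
            hits.append((mac, best))
    return sorted(hits, key=lambda h: h[1][1], reverse=True)


if __name__ == "__main__":
    for mac, (ap, rssi, snr) in triage(parse_rogue_debug(ROGUE_DEBUG)):
        print(f"rogue {mac}: best heard by AP {ap} at {rssi} dBm / SNR {snr} dB")
```

    The detecting AP with the strongest report is the one to start a physical search from; a rogue heard at -74 dBm with a negative SNR, like 00:27:0d:8d:14:12 in the sample, is more likely a neighbour's AP bleeding through a wall than something on your floor.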

    Expected Trap Logs

    Once a Rogue Is Detected

    9    Fri Jun 18 06:40:06 2010   Rogue AP : 00:1e:f7:74:f3:50 detected on Base Radio MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g) with RSSI: -97 and SNR: 1 and Classification: unclassified
    10   Fri Jun 18 06:40:06 2010   Rogue AP : 00:22:0c:97:af:83 detected on Base Radio MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g) with RSSI: -81 and SNR: 18 and Classification: unclassified
    11   Fri Jun 18 06:40:06 2010   Rogue AP : 00:26:cb:9f:8a:21 detected on Base Radio MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g) with RSSI: -82 and SNR: 20 and Classification: unclassified
    12   Fri Jun 18 06:40:06 2010   Rogue AP : 00:26:cb:82:5d:c0 detected on Base Radio MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g) with RSSI: -98 and SNR: -2 and Classification: unclassified

    Once a Rogue Entry Is Removed from the Rogue List

    50   Fri Jun 18 06:36:06 2010   Rogue AP : 00:1c:57:42:53:40 removed from Base Radio MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g)
    51   Fri Jun 18 06:36:06 2010   Rogue AP : 00:3a:98:5c:57:a0 removed from Base Radio MAC : 00:1d:71:22:f2:c0 Interface no:0(802.11b/g)

    Recommendations

    1. Configure channel scanning to all channels if you suspect potential rogues in your network; with the default country-channel list, a rogue on any other channel is never scanned.

    2. Depending on the layout of the wired network, the number and location of rogue detector APs can vary from one per floor to one per building.

      It is advisable to have at least one rogue detector AP on each floor of a building. Because a rogue detector AP requires a trunk carrying every layer 2 broadcast domain (VLAN) that should be monitored, placement depends on the logical layout of the network rather than on radio coverage.

    If the Rogue Is Not Getting Classified

    • Verify the rogue rules are configured properly.

    • If the rogue is in the DFS channel, RLDP does not work.

    • RLDP works only if the rogue's WLAN is open and DHCP is available.

    • If the local mode AP is serving the client in the DFS channel, it will not participate in RLDP process.

    Useful debugs

    (Cisco Controller) >debug dot11 rogue rule enable
    (Cisco Controller) >debug dot11 rldp enable

    Received Request to detect rogue: 00:1A:1E:85:21:B0
    00:1a:1e:85:21:b0 found closest monitor AP 00:17:df:a7:20:d0 slot =1 channel = 44
    Found RAD: 0x158f1ea0, slotId = 1
    rldp started association, attempt 1
    Successfully associated with rogue: 00:1A:1E:85:21:B0
    !--- Associating to the rogue AP
    Starting dhcp
    00:1a:1e:85:21:b0 RLDP DHCP SELECTING for rogue 00:1a:1e:85:21:b0
    00:1a:1e:85:21:b0 Initializing RLDP DHCP for rogue 00:1a:1e:85:21:b0
    .00:1a:1e:85:21:b0 RLDP DHCPSTATE_INIT for rogue 00:1a:1e:85:21:b0
    00:1a:1e:85:21:b0 RLDP DHCPSTATE_REQUESTING sending for rogue 00:1a:1e:85:21:b0
    00:1a:1e:85:21:b0 Sending DHCP packet through rogue AP 00:1a:1e:85:21:b0
    00:1a:1e:85:21:b0 RLDP DHCP REQUEST RECV for rogue 00:1a:1e:85:21:b0
    00:1a:1e:85:21:b0 RLDP DHCP REQUEST received for rogue 00:1a:1e:85:21:b0
    00:1a:1e:85:21:b0 RLDP DHCP BOUND state for rogue 00:1a:1e:85:21:b0
    Returning IP 172.20.226.246, netmask 255.255.255.192, gw 172.20.226.193
    !--- Getting an IP address through the rogue
    Found Gateway MacAddr: 00:1D:70:F0:D4:C1
    Send ARLDP to 172.20.226.198 (00:1D:70:F0:D4:C1) (gateway)
    Sending ARLDP packet to 00:1d:70:f0:d4:c1 from 00:17:df:a7:20:de
    Send ARLDP to 172.20.226.197 (00:1F:9E:9B:29:80)
    Sending ARLDP packet to 00:1f:9e:9b:29:80 from 00:17:df:a7:20:de
    Send ARLDP to 0.0.0.0 (00:1D:70:F0:D4:C1) (gateway)
    Sending ARLDP packet to 00:1d:70:f0:d4:c1 from 00:17:df:a7:20:de
    !--- Sending the ARLDP packets
    Received 32 byte ARLDP message from: 172.20.226.24642
    !--- Receiving the ARLDP packet back over the wired network
    Packet Dump:
    sourceIp: 172.20.226.246
    destIp: 172.20.226.197
    Rogue Mac: 00:1A:1E:85:21:B0
    security: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
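    The RLDP debug is a chain of milestones (association, DHCP bound, ARLDP sent, ARLDP received back), and the rogue is classified on-wire only when the probe comes back through the wired side. The following is an added example, not Cisco's code, that reads a debug capture and reports which milestone was reached, mapping a missing one to the caveats listed above (open WLAN, DHCP available, no DFS channel). Both inputs are constructed: the first mirrors the successful run shown above, the second is a run where the DHCP exchange never binds. The milestone strings are taken from the output above; the diagnosis text is this example's wording.

```python
import re

# Constructed excerpt in the format of the "debug dot11 rldp enable" output above:
# the rogue accepts the association, DHCP completes, and the ARLDP probe comes back.
RLDP_ON_WIRE = """\
Received Request to detect rogue: 00:1A:1E:85:21:B0
00:1a:1e:85:21:b0 found closest monitor AP 00:17:df:a7:20:d0 slot =1 channel = 44
rldp started association, attempt 1
Successfully associated with rogue: 00:1A:1E:85:21:B0
Starting dhcp
00:1a:1e:85:21:b0 RLDP DHCP BOUND state for rogue 00:1a:1e:85:21:b0
Returning IP 172.20.226.246, netmask 255.255.255.192, gw 172.20.226.193
Found Gateway MacAddr: 00:1D:70:F0:D4:C1
Send ARLDP to 172.20.226.193 (00:1D:70:F0:D4:C1) (gateway)
Sending ARLDP packet to 00:1d:70:f0:d4:c1 from 00:17:df:a7:20:de
Received 32 byte ARLDP message from: 172.20.226.246
Packet Dump:
sourceIp: 172.20.226.246
destIp: 172.20.226.197
Rogue Mac: 00:1A:1E:85:21:B0
"""

# Constructed failure: association works, but no DHCP lease is ever bound.
RLDP_NO_DHCP = """\
Received Request to detect rogue: 00:1A:1E:85:21:B0
rldp started association, attempt 1
Successfully associated with rogue: 00:1A:1E:85:21:B0
Starting dhcp
00:1a:1e:85:21:b0 RLDP DHCPSTATE_REQUESTING sending for rogue 00:1a:1e:85:21:b0
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# RLDP milestones; every line is matched against each one.
STAGES = [
    ("requested",        re.compile(r"Received Request to detect rogue: (?P<mac>[0-9A-Fa-f:]{17})")),
    ("associated",       re.compile(r"Successfully associated with rogue")),
    ("dhcp_bound",       re.compile(r"RLDP DHCP BOUND state")),
    ("ip_assigned",      re.compile(r"Returning IP (?P<ip>" + IPV4 + r"), netmask (?P<mask>\S+), gw (?P<gw>\S+)")),
    ("arldp_sent",       re.compile(r"Send(?:ing)? ARLDP (?:packet )?to")),
    ("arldp_received",   re.compile(r"Received \d+ byte ARLDP message from: (?P<src>" + IPV4 + ")")),
    ("rogue_mac_echoed", re.compile(r"^Rogue Mac: (?P<mac>[0-9A-Fa-f:]{17})")),
]

# What a missing milestone usually means, drawn from the caveats listed above.
DIAGNOSIS = {
    "requested": "no RLDP attempt was started for this rogue",
    "associated": "association failed: RLDP needs an open rogue WLAN and does not run on DFS channels",
    "dhcp_bound": "no DHCP lease through the rogue: RLDP needs DHCP reachable behind the rogue",
    "ip_assigned": "DHCP bound but no address was returned",
    "arldp_sent": "no ARLDP probe was sent toward the gateway",
    "arldp_received": "the ARLDP probe never returned via the wired side: rogue is not on your wire, or the path is filtered",
    "rogue_mac_echoed": "the ARLDP reply did not carry the rogue MAC",
}


def analyse_rldp(text):
    """Classify one RLDP run: on_wire is True only if every milestone was logged
    and the echoed ARLDP carries the rogue MAC that was requested."""
    reached = {}
    for line in text.splitlines():
        for name, pat in STAGES:
            m = pat.search(line)
            if m:
                reached[name] = m.groupdict()
    for name, _ in STAGES:
        if name not in reached:
            return {"on_wire": False, "failed_stage": name, "why": DIAGNOSIS[name], "reached": reached}
    echoed = reached["rogue_mac_echoed"]["mac"].lower()
    requested = reached["requested"]["mac"].lower()
    if echoed != requested:
        return {"on_wire": False, "failed_stage": "rogue_mac_echoed",
                "why": f"ARLDP reply names {echoed}, not the requested rogue {requested}", "reached": reached}
    return {"on_wire": True, "failed_stage": None,
            "why": "ARLDP probe looped back through the wired network", "reached": reached}


if __name__ == "__main__":
    for label, capture in (("good run", RLDP_ON_WIRE), ("no DHCP", RLDP_NO_DHCP)):
        verdict = analyse_rldp(capture)
        print(f"{label}: on_wire={verdict['on_wire']} stage={verdict['failed_stage']} ({verdict['why']})")
```

    A run that stops at "associated" or "dhcp_bound" is the common case on a rogue with WPA or no DHCP behind it; there RLDP cannot answer the on-wire question, and a rogue detector AP on the trunk (next section) is the fallback.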

    Recommendations

    1. Initiate RLDP manually on suspicious rogue entries.

    2. Schedule RLDP periodically.

    3. If you have known rogue entries, add them to the friendly list, or enable validation with AAA and make sure the known client entries are present in the AAA database.

    4. RLDP can be deployed on local or monitor mode APs.

      For most scalable deployments, and to eliminate any impact on client service, RLDP should be deployed on monitor mode APs when possible. However, this recommendation requires that a monitor mode AP overlay be deployed with a typical ratio as 1 monitor mode AP for every 5 local mode APs.

      APs in Adaptive wIPS monitor mode can also be leveraged for this task.

    Rogue Detector AP

    The rogue entries held by a rogue detector can be seen with this command on the AP console. For a rogue that has been seen on the wire, flag is set to 1.

    Rogue_Detector_5500#show capwap rm rogue detector
    CAPWAP Rogue Detector Mode
     Current Rogue Table:
     Rogue hindex = 0: MAC 0023.ebdc.1ac6, flag = 0, unusedCount = 1
     Rogue hindex = 2: MAC 0023.04c9.72b9, flag = 1, unusedCount = 1
     !--- Once the flag is set, the rogue has been detected on the wire
     Rogue hindex = 2: MAC 0023.ebdc.1ac4, flag = 0, unusedCount = 1
     Rogue hindex = 3: MAC 0026.cb4d.6e20, flag = 0, unusedCount = 1
     Rogue hindex = 4: MAC 0026.cb9f.841f, flag = 0, unusedCount = 1
     Rogue hindex = 4: MAC 0023.04c9.72bf, flag = 0, unusedCount = 1
     Rogue hindex = 4: MAC 0023.ebdc.1ac2, flag = 0, unusedCount = 1
     Rogue hindex = 4: MAC 001c.0f80.d450, flag = 0, unusedCount = 1
     Rogue hindex = 6: MAC 0023.04c9.72bd, flag = 0, unusedCount = 1
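    A rogue detector AP works by comparing the rogue MACs the controller pushes to it against source MACs it sees on its trunk, which is what the flag reflects. The following is an added example, not Cisco's code, that parses the table above together with the "Got wired mac" / "Got ARP src" lines of the debug shown under "Useful debug Commands in an AP Console" below, and reports which rogues are confirmed on the wire, which have just been seen on the wire but not yet flagged, and which are wireless-only. It also converts the IOS dotted MAC form to the controller's colon form so the result can be matched against the controller's rogue list and trap logs. Both inputs are constructed in the formats shown on this page; treating "seen on the wire but flag = 0" as a table that has not been updated yet is this example's interpretation.

```python
import re

# Constructed "show capwap rm rogue detector" output in the format shown above.
ROGUE_TABLE = """\
CAPWAP Rogue Detector Mode
 Current Rogue Table:
 Rogue hindex = 0: MAC 0023.ebdc.1ac6, flag = 0, unusedCount = 1
 Rogue hindex = 2: MAC 0023.04c9.72b9, flag = 1, unusedCount = 1
 Rogue hindex = 3: MAC 0026.cb4d.6e20, flag = 0, unusedCount = 1
 Rogue hindex = 4: MAC 001c.0f80.d450, flag = 0, unusedCount = 1
"""

# Constructed lines in the format of "debug capwap rm rogue detector".
DETECTOR_DEBUG = """\
*Jun 18 08:37:59.747: ROGUE_DET: Received a rogue table update of length 170
*Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.04c9.72b9
*Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.14e8.3570
*Jun 18 08:37:59.774: ROGUE_DET: Flushing rogue entry 0040.96b9.4794
*Jun 18 08:38:19.325: ROGUE_DET: Got ARP src 001c.0f80.d450
*Jun 18 08:38:19.325: ROGUE_DET: Got wired mac 001c.0f80.d450
"""

DOTTED = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ROW = re.compile(r"Rogue hindex = (?P<h>\d+): MAC (?P<mac>" + DOTTED +
                 r"), flag = (?P<flag>\d), unusedCount = (?P<unused>\d+)")
WIRED = re.compile(r"ROGUE_DET: Got (?:wired mac|ARP src) (?P<mac>" + DOTTED + ")")
FLUSH = re.compile(r"ROGUE_DET: Flushing rogue entry (?P<mac>" + DOTTED + ")")


def parse_rogue_table(text):
    """{dotted MAC: {hindex, on_wire, unused}} from the detector's current rogue table."""
    rows = {}
    for line in text.splitlines():
        m = ROW.search(line)
        if m:
            rows[m["mac"]] = {"hindex": int(m["h"]),
                              "on_wire": m["flag"] == "1",
                              "unused": int(m["unused"])}
    return rows


def wired_macs(debug_text):
    """Source MACs the detector saw on its trunk (ARP or other wired frames)."""
    return {m["mac"] for line in debug_text.splitlines() if (m := WIRED.search(line))}


def flushed_macs(debug_text):
    """Rogue entries the controller told the detector to drop."""
    return {m["mac"] for line in debug_text.splitlines() if (m := FLUSH.search(line))}


def dotted_to_colon(mac):
    """IOS 0023.04c9.72b9 notation to the controller's 00:23:04:c9:72:b9 form."""
    h = mac.replace(".", "")
    return ":".join(h[i:i + 2] for i in range(0, 12, 2))


def correlate(table, wired):
    """Split the rogue table into confirmed on-wire (flag set), seen on the wire
    but not yet flagged (assumed: table not updated yet), and wireless-only."""
    result = {"confirmed": [], "pending_flag": [], "wireless_only": []}
    for mac, row in sorted(table.items()):
        if row["on_wire"]:
            result["confirmed"].append(dotted_to_colon(mac))
        elif mac in wired:
            result["pending_flag"].append(dotted_to_colon(mac))
        else:
            result["wireless_only"].append(dotted_to_colon(mac))
    return result


if __name__ == "__main__":
    verdict = correlate(parse_rogue_table(ROGUE_TABLE), wired_macs(DETECTOR_DEBUG))
    for bucket, macs in verdict.items():
        print(f"{bucket}: {', '.join(macs) or '-'}")
```

    The "confirmed" bucket is the list to act on first: a rogue whose MAC is on your trunk is plugged into your network, which is the on-wire case the Rogue Overview calls out as dangerous.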

    Useful debug Commands in an AP Console

    Rogue_Detector#debug capwap rm rogue detector
    *Jun 18 08:37:59.747: ROGUE_DET: Received a rogue table update of length 170
    *Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1ac4
    *Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1ac5
    *Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1aca
    *Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1acb
    *Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1acc
    *Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1acd
    *Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0023.ebdc.1acf
    *Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0024.1431.e9ef
    *Jun 18 08:37:59.747: ROGUE_DET: Got wired mac 0024.148a.ca2b
    *Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.148a.ca2d
    *Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.148a.ca2f
    *Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.14e8.3570
    *Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.14e8.3574
    *Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.14e8.357b
    *Jun 18 08:37:59.748: ROGUE_DET: Got wired mac 0024.14e8.357c
    *Jun 18 08:37:59.749: ROGUE_DET: Got wired mac 0024.14e8.357d
    *Jun 18 08:37:59.749: ROGUE_DET: Got wired mac 0024.14e8.357f
    *Jun 18 08:37:59.749: ROGUE_DET: Got wired mac 0024.14e8.3dcd
    *Jun 18 08:37:59.749: ROGUE_DET: Got wired mac 0024.14e8.3ff0
    *Jun 18 08:37:59.749: ROGUE_DET: Got wired mac 0024.14e8.3ff2
    *Jun 18 08:37:59.774: ROGUE_DET: Got wired mac 0040.96b9.4aec
    *Jun 18 08:37:59.774: ROGUE_DET: Got wired mac 0040.96b9.4b77
    *Jun 18 08:37:59.774: ROGUE_DET: Flushing rogue entry 0040.96b9.4794
    *Jun 18 08:37:59.774: ROGUE_DET: Flushing rogue entry 0022.0c97.af80
    *Jun 18 08:37:59.775: ROGUE_DET: Flushing rogue entry 0024.9789.5710
    *Jun 18 08:38:19.325: ROGUE_DET: Got ARP src 001d.a1cc.0e9e
    *Jun 18 08:38:19.325: ROGUE_DET: Got wired mac 001d.a1cc.0e9e
    *Jun 18 08:39:19.323: ROGUE_DET: Got ARP src 001d.a1cc.0e9e
    *Jun 18 08:39:19.324: ROGUE_DET: Got wired mac 001d.a1cc.0e9e

    If Rogue Containment Does Not Occur

    1. A local/H-REAP mode AP can contain 3 devices at a time per radio, and a monitor mode AP can contain 6 devices per radio.

      Therefore, check whether the AP is already containing the maximum number of devices allowed. If it is, the additional rogue stays in a containment pending state.

    2. Verify auto containment rules.

    Expected Trap Logs

        Fri Jul 23 12:49:10 2010   Rogue AP: Rogue with MAC Address: 00:17:0f:34:48:a1 has been contained manually by 2 APs
    8   Fri Jul 23 12:49:10 2010   Rogue AP : 00:17:0f:34:48:a1 with Contained mode added to the Classified AP List.

    Conclusion

    Rogue detection and containment within the Cisco centralized controller solution is the most effective and least intrusive method in the industry. The flexibility provided to the network administrator allows for a more customized fit that can accommodate any network requirements.

    Related Information

Source: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112045-handling-rogue-cuwn-00.html

Copyright © 2018