Rogue detection is enabled by default on a Wireless LAN Controller, and you can view detected rogue APs under “Monitor > Rogue > Unclassified APs”. Here is a screen capture of that section on one of my controllers.
In a typical campus environment there are lots of other APs around. Some of them pose no threat and can be classified as friendly. Most of them belong to third-party shops, other organizations sharing the premises, and so on; these APs you can categorize as “Friendly External”. Another category of friendly APs is “Internal”, meaning APs that belong to your organization but are not managed by your WLCs. You can categorize those as “Friendly Internal”.
Let’s create a rogue rule to classify APs advertising known SSIDs (belonging to another organization on your premises) as Friendly External. You can do this via the GUI under “Security > Wireless Protection Policies > Rogue Rules”. You have to give a Rule Name and set the Rule Type to “Friendly” with State “External”.
Once you create the rule, you can add conditions. In this example we will use SSID as the condition and “match any” as the match operation. If you configure “match all”, every condition has to be met for an AP to be classified as Friendly External. In this example we will classify APs advertising the SSIDs “SuniTAFE-STUDENTS”, “SuniTAFE-STAFF” and “SuniTAFE-Guest” as Friendly External.
Here is the complete list of conditions that can be used for rogue classification.
1. SSID—Requires that the rogue access point have a specific user-configured SSID. If you choose this option, enter the SSID in the User Configured SSID text box, and click Add SSID.
2. RSSI—Requires that the rogue access point have a minimum received signal strength indication (RSSI) value. For example, if the rogue access point has an RSSI that is greater than the configured value, then the access point could be classified as malicious. If you choose this option, enter the minimum RSSI value in the Minimum RSSI text box. The valid range is -95 to -50 dBm (inclusive), and the default value is 0 dBm.
3. Duration—Requires that the rogue access point be detected for a minimum period of time. If you choose this option, enter a value for the minimum detection period in the Time Duration text box. The valid range is 0 to 3600 seconds (inclusive), and the default value is 0 seconds.
4. Client Count—Requires that a minimum number of clients be associated to the rogue access point. For example, if the number of clients associated to the rogue access point is greater than or equal to the configured value, then the access point could be classified as malicious. If you choose this option, enter the minimum number of clients to be associated to the rogue access point in the Minimum Number of Rogue Clients text box. The valid range is 1 to 10 (inclusive), and the default value is 0.
5. No Encryption—Requires that the rogue access point’s advertised WLAN does not have encryption enabled. If a rogue access point has encryption disabled, it is likely that more clients will try to associate to it. No further configuration is required for this option.
6. Managed SSID—Requires that the rogue access point’s managed SSID (the SSID configured for the WLAN) be known to the controller. No further configuration is required for this option.
Note The SSID and Managed SSID conditions cannot be used with the Match All operation because these two SSID lists are mutually exclusive. If you define a rule with Match All and have these two conditions configured, the rogue access points are never classified as friendly or malicious because one of the conditions can never be met.
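To make the rule semantics concrete, here is an added Python model of how these conditions combine. It is example code written for this explanation, not Cisco’s implementation or anything taken from a WLC. It assumes first-match-by-priority evaluation, treats the RSSI, duration and client-count conditions as minimums (a rogue heard at -79 dBm satisfies a -90 dBm condition), and takes the controller’s own SSIDs as a set called managed; the sample rules, the SSID corp-wifi and the rule name OUR-SSID are assumptions for illustration. It also flags the dead-rule case from the note above, and its sample rules reproduce the “SSID plus RSSI under Match All” configuration built later in the post.

```python
"""Model of WLC rogue-rule evaluation (added example; not Cisco's code).

Assumptions:
  - rules are tried in priority order; the first enabled rule that matches
    classifies the AP, and nothing matching leaves it Unclassified
  - 'any' needs one true condition, 'all' needs every configured condition true
  - rssi/duration/client-count are minimums
  - 'managed' is the set of SSIDs this controller itself serves
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Rogue:
    """One detected rogue AP as reported by a detecting AP."""
    bssid: str
    ssid: str
    rssi: int                 # dBm
    duration: int = 0         # seconds since first report
    clients: int = 0          # associated rogue clients
    encrypted: bool = True    # advertised WLAN has encryption enabled


@dataclass
class Rule:
    """A classification rule with the six condition types listed above."""
    name: str
    priority: int
    classify: str                     # 'friendly' or 'malicious'
    match: str = "any"                # 'any' or 'all'
    ssids: List[str] = field(default_factory=list)   # user-configured SSID list
    min_rssi: Optional[int] = None    # dBm
    min_duration: Optional[int] = None
    min_clients: Optional[int] = None
    no_encryption: bool = False
    managed_ssid: bool = False
    enabled: bool = True

    def checks(self, rogue: Rogue, managed: Set[str]) -> List[bool]:
        """Evaluate each configured condition; unconfigured ones are skipped."""
        out = []
        if self.ssids:
            out.append(rogue.ssid in self.ssids)
        if self.min_rssi is not None:
            out.append(rogue.rssi >= self.min_rssi)
        if self.min_duration is not None:
            out.append(rogue.duration >= self.min_duration)
        if self.min_clients is not None:
            out.append(rogue.clients >= self.min_clients)
        if self.no_encryption:
            out.append(not rogue.encrypted)
        if self.managed_ssid:
            out.append(rogue.ssid in managed)
        return out


def validate(rule: Rule, managed: Set[str]) -> List[str]:
    """Catch rules that can never fire: a user-configured SSID must not be one
    the controller serves, and SSID + Managed SSID under Match All can never
    both be true (the note above)."""
    problems = []
    overlap = set(rule.ssids) & managed
    if overlap:
        problems.append(f"{rule.name}: managed SSID(s) in user SSID list: {sorted(overlap)}")
    if rule.match == "all" and rule.ssids and rule.managed_ssid:
        problems.append(f"{rule.name}: SSID and Managed SSID with Match All never match")
    return problems


def classify(rogue: Rogue, rules: List[Rule], managed: Set[str]) -> Tuple[str, Optional[str]]:
    """Return (classification, matching rule name) for one rogue."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.enabled:
            continue
        results = rule.checks(rogue, managed)
        if not results:
            continue                  # a rule with no conditions classifies nothing
        hit = all(results) if rule.match == "all" else any(results)
        if hit:
            return rule.classify, rule.name
    return "unclassified", None


if __name__ == "__main__":
    managed = {"corp-wifi"}                      # assumed: our own WLAN
    rules = [
        Rule("ROGUE-1", 1, "friendly", "all", ssids=["mrn-cciew"], min_rssi=-90),
        Rule("ROGUE-2", 2, "friendly", "all", ssids=["LTUWireless2"], min_rssi=-90),
        Rule("ROGUE-3", 3, "friendly", "all", ssids=["eduroam"], min_rssi=-90),
        Rule("OUR-SSID", 4, "malicious", "any", managed_ssid=True),  # evil twin of our SSID
    ]
    for r in rules:
        print(r.name, validate(r, managed) or "ok")
    print(classify(Rogue("9c:c7:a6:29:e1:99", "mrn-cciew", -25), rules, managed))
    print(classify(Rogue("00:11:22:33:44:55", "corp-wifi", -60), rules, managed))
```

Run validate on every rule before enabling it; a Match All rule that mixes the SSID and Managed SSID conditions will show a hit count of zero forever, which is easy to mistake for “no such rogues seen”.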
You can configure up to 64 rogue classification rules per controller using the controller GUI or CLI. If you look at the controller configuration you will see the following CLI commands related to rogue classification.
config rogue rule add ap priority 1 classify friendly notify all state external SuniTAFE
config rogue rule match any SuniTAFE
config rogue rule condition ap set ssid SuniTAFE-GUEST SuniTAFE
config rogue rule condition ap set ssid SuniTAFE-STAFF SuniTAFE
config rogue rule condition ap set ssid SuniTAFE-STUDENTS SuniTAFE
config rogue rule enable SuniTAFE
The above shows the rogue classification on one of my production WLCs, which runs 7.4.100.6 code.
Now we will see how to configure this on WLC 7.0.116.0, the version used in the CCIEW v2.0 lab exam. Here is how you create a rogue rule under the Security section.
As you can see, in this version you cannot set the State to one of “Internal”, “External” or “Alert” in the rule itself. You can change it to either “Internal” or “External” by clicking each individual AP. By default it is set to “Internal”.
Now if you go to “Monitor > Rogue > Friendly AP” you would see something like this.
You can configure this feature via the CLI as well. Here are the steps to do that via the CLI.
(WLC2) >config rogue ?
adhoc          Configures adhoc rogue (IBSS).
ap             Configures rogue access points.
auto-contain   Configures rogue auto-containment parameters.
client         Configures rogue clients.
detection      Configures APs to detect rogue devices and configure reporting interval for monitor-mode APs
rule           Configures rogue classification rules.

(WLC2) >config rogue rule ?
add            Adds a rule with Match Any criteria. Maximum of 64 rules are allowed.
classify       Classifies a rule.
condition      Configures a condition.
delete         Deletes a rule.
disable        Disables a rule.
enable         Enables a rule.
match          Configures matching criteria for a rule.
priority       Configures rule priority.

(WLC2) >config rogue rule add ?
ap             Configures rules for APs.

(WLC2) >config rogue rule add ap ?
priority       Configures priority for a rule.

(WLC2) >config rogue rule add ap priority 1 ?
classify       Classifies a rule.

(WLC2) >config rogue rule add ap priority 1 classify friendly ?
<rule-name>    Rogue classification rule name.

(WLC2) >config rogue rule add ap priority 1 classify friendly ROGUE-1
Rule 'ROGUE-1' created successfully. Use 'config rogue rule enable ROGUE-1' to activate the rule.

(WLC2) >config rogue rule match any ROGUE-1
Rule is already set to this match operation.

(WLC2) >config rogue rule condition ?
ap             Configures condition for the APs.

(WLC2) >config rogue rule condition ap ?
set            Configures a condition for the rule.
delete         Deletes a condition from the rule.

(WLC2) >config rogue rule condition ap set ?
client-count   Requires a minimum number of clients to be associated with the rogue AP.
duration       Requires that the rogue has been detected for a minimum period of time.
managed-ssid   Requires the SSID to be known to the controller.
no-encryption  Requires that the advertised WLAN does not have encryption enabled.
rssi           Requires a minimum RSSI value.
ssid           Requires a specific SSID.

(WLC2) >config rogue rule condition ap set ssid ?
<ssid>         Enter SSID name.

(WLC2) >config rogue rule condition ap set ssid mrn-cciew ?
<rule-name>    Rogue classification rule name.

(WLC2) >config rogue rule condition ap set ssid mrn-cciew ROGUE-1
(WLC2) >config rogue rule enable ROGUE-1
You can verify using the following CLI commands.
(WLC2) >show rogue rule summary
Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        ROGUE-1                 Enabled  Friendly      Any   1

(WLC2) >show rogue rule detailed ROGUE-1
Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. Any
Hit Count........................................ 1
Total Conditions................................. 1
Condition 1
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... mrn-cciew

(WLC2) >show rogue ap summary
Rogue on wire Auto-Contain....................... Disabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
Monitor Mode Report Interval..................... 10

MAC Address        Classification     # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------
00:26:99:34:20:60  Friendly           1     0         Sat Jun 1 22:48:27 2013
00:26:99:34:20:6e  Unclassified       1     0         Sat Jun 1 22:42:29 2013
00:26:99:34:20:6f  Friendly           1     0         Sat Jun 1 22:48:27 2013
9c:c7:a6:29:e1:99  Friendly           1     0         Sat Jun 1 22:48:27 2013

(WLC2) >show rogue ap detailed 9c:c7:a6:29:e1:99
Rogue BSSID...................................... 9c:c7:a6:29:e1:99
Is Rogue on Wired Network........................ No
Classification................................... Friendly
Manual Contained................................. No
State............................................ External
First Time Rogue was Reported.................... Sat Jun 1 22:29:57 2013
Last Time Rogue was Reported..................... Sat Jun 1 22:48:27 2013

Reported By
    AP 1
        MAC Address.............................. a0:cf:5b:9e:e8:20
        Name..................................... LAP2
        Radio Type............................... 802.11n5G
        SSID..................................... mrn-cciew
        Channel.................................. (44,48)
        RSSI..................................... -25 dBm
        SNR...................................... 71 dB
        Encryption............................... Enabled
        ShortPreamble............................ Not Supported
        WPA Support.............................. Enabled
        Last reported by this AP................. Sat Jun 1 22:48:27 2013

(WLC2) >show rogue ap detailed 00:26:99:34:20:60
Rogue BSSID...................................... 00:26:99:34:20:60
Is Rogue on Wired Network........................ No
Classification................................... Friendly
Manual Contained................................. No
Rule Name........................................ ROGUE-1
State............................................ Alert
First Time Rogue was Reported.................... Sat Jun 1 22:39:30 2013
Last Time Rogue was Reported..................... Sat Jun 1 22:54:25 2013

Reported By
    AP 1
        MAC Address.............................. a0:cf:5b:9e:e8:20
        Name..................................... LAP2
        Radio Type............................... 802.11a
        SSID..................................... mrn-cciew
        Channel.................................. 36
        RSSI..................................... -79 dBm
        SNR...................................... 18 dB
        Encryption............................... Enabled
        ShortPreamble............................ Not Supported
        WPA Support.............................. Enabled
        Last reported by this AP................. Sat Jun 1 22:54:25 2013
You can change a Rogue AP’s state as below.
(WLC2) >config rogue ap classify ?
friendly       Configures rogue access point classification to friendly.
malicious      Configures rogue access point classification to malicious.
unclassified   Configures rogue access point classification to unclassified.

(WLC2) >config rogue ap classify friendly ?
state          Configures rogue access points rogue state.

(WLC2) >config rogue ap classify friendly state ?
external       Acknowledge presence of an access point.
internal       Trust a foreign access point.

(WLC2) >config rogue ap classify friendly state internal ?
<MAC addr>     Enter the MAC address of the rogue AP (e.g. 01:01:01:01:01:01).

(WLC2) >config rogue ap classify friendly state internal 00:26:99:34:20:60
(WLC2) >config rogue ap classify friendly state internal 9c:c7:a6:29:e1:99
Now let’s say you have a few other SSIDs to add to the list of “Friendly APs”; you can do it like this. In my example I will configure APs advertising the “LTUWireless2” and “eduroam” SSIDs as friendly as well. Note in the output below that the rule State shows as Disabled after the change, so re-enable it with “config rogue rule enable ROGUE-1” before relying on it.
(WLC2) >config rogue rule condition ap set ssid LTUWireless2 ROGUE-1
(WLC2) >config rogue rule condition ap set ssid eduroam ROGUE-1

(WLC2) >show rogue rule detailed ROGUE-1
Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Disabled
Type............................................. Friendly
Match Operation.................................. Any
Hit Count........................................ 1
Total Conditions................................. 1
Condition 1
    type......................................... Ssid
    SSID Count................................... 3
    SSID 1....................................... LTUWireless2
    SSID 2....................................... eduroam
    SSID 3....................................... mrn-cciew
Now we will add another condition: only APs advertising these SSIDs and heard at -90 dBm or stronger will be classified as friendly rogues. In this example we will use three rules, one per SSID, each with match operation “all” (both SSID and RSSI). We will delete the existing condition and write the three new rules as below.
(WLC2) >config rogue rule condition ap delete all ROGUE-1
config rogue rule add ap priority 1 classify friendly ROGUE-1
config rogue rule match all ROGUE-1
config rogue rule condition ap set ssid mrn-cciew ROGUE-1
config rogue rule condition ap set rssi -90 ROGUE-1
config rogue rule enable ROGUE-1
config rogue rule add ap priority 2 classify friendly ROGUE-2
config rogue rule match all ROGUE-2
config rogue rule condition ap set ssid LTUWireless2 ROGUE-2
config rogue rule condition ap set rssi -90 ROGUE-2
config rogue rule enable ROGUE-2
config rogue rule add ap priority 3 classify friendly ROGUE-3
config rogue rule match all ROGUE-3
config rogue rule condition ap set ssid eduroam ROGUE-3
config rogue rule condition ap set rssi -90 ROGUE-3
config rogue rule enable ROGUE-3

(WLC2) >show rogue rule summary
Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        ROGUE-1                 Enabled  Friendly      All   1
2        ROGUE-2                 Enabled  Friendly      All   0
3        ROGUE-3                 Enabled  Friendly      All   1

(WLC2) >show rogue rule detailed ROGUE-1
Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 1
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... mrn-cciew

(WLC2) >show rogue rule detailed ROGUE-2
Priority......................................... 2
Rule Name........................................ ROGUE-2
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 0
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... LTUWireless2

(WLC2) >show rogue rule detailed ROGUE-3
Priority......................................... 3
Rule Name........................................ ROGUE-3
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 1
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... eduroam
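As an added check that is not part of the original post, the following Python parses the two kinds of show output used above (a “show rogue rule summary” table and concatenated “show rogue ap detailed” records) and cross-checks the friendly classifications: which were reached by a rule and which were set by hand, whether any friendly rogue is reported on the wired network, and whether a rule’s hit count disagrees with the rogues currently attributed to it. The sample text is constructed in the format shown on this page, not captured from a controller, and one record is deliberately marked as on the wire to exercise the check; the function and key names are my own.

```python
"""Parse WLC 'show rogue rule summary' / 'show rogue ap detailed' text and audit
friendly classifications. Added example, not WLC code; the SAMPLE_* strings
are constructed in the page's output format, not captured from a controller."""
import re
from typing import Dict, List

SAMPLE_RULE_SUMMARY = """\
Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        ROGUE-1                 Enabled  Friendly      All   1
2        ROGUE-2                 Enabled  Friendly      All   0
3        ROGUE-3                 Enabled  Friendly      All   1
"""

# Two 'show rogue ap detailed' records pasted back to back; the second is
# deliberately marked as on the wired network to exercise the audit.
SAMPLE_AP_DETAILED = """\
Rogue BSSID...................................... 00:26:99:34:20:60
Is Rogue on Wired Network........................ No
Classification................................... Friendly
Manual Contained................................. No
Rule Name........................................ ROGUE-1
State............................................ Alert
Reported By
    AP 1
        MAC Address.............................. a0:cf:5b:9e:e8:20
        Name..................................... LAP2
        SSID..................................... mrn-cciew
        RSSI..................................... -79 dBm
        Encryption............................... Enabled
Rogue BSSID...................................... 9c:c7:a6:29:e1:99
Is Rogue on Wired Network........................ Yes
Classification................................... Friendly
Manual Contained................................. No
State............................................ External
Reported By
    AP 1
        MAC Address.............................. a0:cf:5b:9e:e8:20
        Name..................................... LAP2
        SSID..................................... mrn-cciew
        RSSI..................................... -25 dBm
        Encryption............................... Enabled
"""

KV = re.compile(r"^\s*(.+?)\.{2,}\s*(.*)$")   # "Key....... value" lines
AP_HDR = re.compile(r"^\s*AP (\d+)\s*$")      # "    AP 1" under "Reported By"


def parse_rule_summary(text: str) -> Dict[str, dict]:
    """Return {rule_name: {priority, state, type, match, hits}}.
    Assumes rule names contain no spaces (six whitespace-separated columns)."""
    rules = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0].isdigit():
            prio, name, state, rtype, match, hits = parts
            rules[name] = {"priority": int(prio), "state": state, "type": rtype,
                           "match": match, "hits": int(hits)}
    return rules


def parse_ap_detailed(text: str) -> List[dict]:
    """One dict per 'Rogue BSSID' record, detecting APs collected under 'reports'."""
    records, rec, report = [], None, None
    for line in text.splitlines():
        if AP_HDR.match(line) and rec is not None:
            report = {}
            rec["reports"].append(report)
            continue
        m = KV.match(line)
        if not m:
            continue                      # e.g. the bare "Reported By" line
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Rogue BSSID":
            rec, report = {"bssid": value, "reports": []}, None
            records.append(rec)
        elif report is not None:
            report[key] = value
        elif rec is not None:
            rec[key] = value
    return records


def rssi_dbm(report: dict) -> int:
    return int(report["RSSI"].split()[0])   # "-79 dBm" -> -79


def audit(rules: Dict[str, dict], aps: List[dict]) -> dict:
    """Cross-check friendly rogues against how the classification was reached."""
    out = {"by_rule": [], "manual": [], "on_wire": [], "hit_mismatch": []}
    attributed = {}
    for ap in aps:
        rule = ap.get("Rule Name")
        if rule:
            attributed[rule] = attributed.get(rule, 0) + 1
        if ap.get("Classification") != "Friendly":
            continue
        strongest = max((rssi_dbm(r) for r in ap["reports"]), default=None)
        entry = (ap["bssid"], rule, strongest)
        (out["by_rule"] if rule else out["manual"]).append(entry)
        if ap.get("Is Rogue on Wired Network") == "Yes":
            out["on_wire"].append(ap["bssid"])     # friendly but on our LAN: review
    for name, r in rules.items():
        # Hit Count is cumulative, so a difference usually means a matched rogue
        # has since timed out, but it is worth a look when it is unexpected.
        if r["state"] == "Enabled" and r["hits"] != attributed.get(name, 0):
            out["hit_mismatch"].append((name, r["hits"], attributed.get(name, 0)))
    return out


if __name__ == "__main__":
    result = audit(parse_rule_summary(SAMPLE_RULE_SUMMARY),
                   parse_ap_detailed(SAMPLE_AP_DETAILED))
    for k, v in result.items():
        print(f"{k:13} {v}")
```

The point of the split between by_rule and manual is that a manually set friendly state never expires with the rule set: if someone later changes the rules, the hand-classified entries still read Friendly, and a “friendly” rogue that the controller also sees on the wired network is exactly the case a rule should never have been allowed to whitelist.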
In a future post we will look at how to manage these rogue APs (containment).
