Enabling Rogue Access Point Detection | Cisco Systems 3.2 specs

Chapter 9 Configuring Radio Resource Management

Enabling Rogue Access Point Detection

Enabling Rogue Access Point Detection

After you have created an RF group of controllers, you need to configure the access points connected to the controllers to detect rogue access points. The access points will then check the beacon/ probe-response frames in neighboring access point messages to see if they contain an authentication information element (IE) that matches that of the RF group. If the check is successful, the frames are authenticated. Otherwise, the authorized access point reports the neighboring access point as a rogue, records its BSSID in a rogue table, and sends the table to the controller.

Using the GUI to Enable Rogue Access Point Detection

Follow these steps to enable rogue access point detection using the GUI.

Step 1 Make sure that each controller in the RF group has been configured with the same RF group name.

Note The name is used to verify the authentication IE in all beacon frames. If the controllers have different names, false alarms will occur.

Step 2 Click Wireless to access the All APs page (see Figure 9-5).

Figure 9-5 All APs Page

Step 3 Click the Detail link for an access point to access the All APs > Details page (see Figure 9-6).

Cisco Wireless LAN Controller Configuration Guide

9-12	OL-8335-02

Image 168

Cisco Systems 3.2 manual Enabling Rogue Access Point Detection, Using the GUI to Enable Rogue Access Point Detection

Contents

Cisco Wireless LAN Controller Configuration Guide Corporate Headquarters Cisco Wireless LAN Controller Configuration Guide N T E N T S Iii Client Location Enabling Web and Secure Web Modes Configuring Ports Configuring the System for SpectraLink NetLink Telephones Vii QoS-Level5-17 ACL-Name5-17 Interface-Name5-18 VLAN-Tag5-18 Viii Using Dhcp Option 43 Radio Resource Monitoring Prerequisites Series Wireless LAN Controllers B-8 Xii Preface Xiii Audience PurposeOrganization Xiv Conventions Xvi Related Publications Obtaining DocumentationCisco.com Xvii Documentation Feedback Product Documentation DVDOrdering Documentation Xviii Reporting Security Problems in Cisco Products Cisco Product Security OverviewXix Submitting a Service Request Obtaining Technical AssistanceCisco Technical Support & Documentation Website Definitions of Service Request Severity Obtaining Additional Publications and InformationXxi Xxii Overview Cisco Wireless LAN Solution Overview Cisco Wlan Solution Components Single-Controller Deployments Multiple-Controller Deployments Single-Controller Deployment Operating System Software Operating System Security Cisco Wlan Solution Wired Security Cisco Wireless LAN Controllers Configuration RequirementsLayer 2 and Layer 3 Lwapp Operation Operational Requirements Client Roaming Primary, Secondary, and Tertiary ControllersSame-Subnet Layer 2 Roaming Inter-Controller Layer 2 Roaming Inter-Subnet Layer 3 Roaming Client LocationSpecial Case Voice Over IP Telephone Roaming Per-Wireless LAN Assignment External Dhcp ServersPer-Interface Assignment Security Considerations Cisco Wlan Solution Wired Connections Cisco Wlan Solution Wireless LANs Access Control Lists Identity Networking File Transfers Enhanced Integration with Cisco Secure ACS Power over Ethernet Pico Cell Functionality Intrusion Detection Service IDS Wireless LAN Controller Platforms Cisco 2000 Series Wireless LAN Controllers Cisco 4100 Series Wireless LAN Controllers Cisco 4400 Series Wireless LAN Controllers Cisco 2000 Series Wireless LAN Controller Model Numbers Cisco 4100 Series Wireless LAN Controller Model Numbers Cisco 4400 Series Wireless LAN Controller Model Numbers Startup Wizard Cisco Wireless LAN Controller Memory Cisco Wireless LAN Controller Failover Protection Cisco Wireless LAN Controller Automatic Time Setting Network Connections to Cisco Wireless LAN ControllersCisco Wireless LAN Controller Time Zones Cisco 2000 Series Wireless LAN Controllers Cisco 4100 Series Wireless LAN Controllers Cisco 4400 Series Wireless LAN Controllers 6shows connections to the 4100 series controller Rogue Access Points Rogue Access Point Location, Tagging, and Containment Web User Interface and the CLIWeb User Interface Command Line Interface Using the Web-Browser and CLI Interfaces Using the Web-Browser Interface Guidelines for Using the GUIConfiguring the GUI for Https Enabling Web and Secure Web Modes Loading an Externally Generated Https Certificate Show certificate summary Web Administration Certificate file webadmincertname.pem Using the CLI Using Online HelpDisabling the GUI Logging into the CLI Using a Local Serial Connection Using a Remote Ethernet Connection Command Action Logging Out of the CLINavigating the CLI Enter config network mgmt-via-wireless enable Configuring Ports and Interfaces Overview of Ports and Interfaces Ports Distribution System Ports Service Port Interfaces Management Interface AP-Manager Interface Virtual Interface Service-Port Interface Dynamic Interface WLANs Ports, Interfaces, and WLANs Configuring Ports and Interfaces Management Interface Interfaces Service-Port Interface AP-Manager InterfaceVirtual Interface Using the CLI to Configure the Management Interface Using the CLI to Configure the AP-Manager InterfaceConfig interface acl management access-control-list-name Using the CLI to Configure the Virtual Interface Config interface acl ap-manager access-control-list-name Configuring Dynamic Interfaces Using the GUI to Configure Dynamic InterfacesUsing the CLI to Configure the Service-Port Interface Interfaces New Using the CLI to Configure Dynamic Interfaces Configuring Ports Ports Parameter Description Controller Available Data Rates Default Enable Default AutoController Supported Data Rates Configuring Port Mirroring Configuring Spanning Tree Protocol Using the GUI to Configure Spanning Tree Protocol STP State Description Default Off STP Mode DescriptionDefault 10 Controller Spanning Tree Configuration Default Disable Range DefaultRange Using the CLI to Configure Spanning Tree Protocol Default 2 seconds Enabling Link Aggregation 11illustrates LAG 12 Link Aggregation with Catalyst 6500 Neighbor Switch Link Aggregation Guidelines Using the GUI to Enable Link Aggregation 13 General Using the CLI to Enable Link Aggregation Configuring Neighbor Devices to Support LAG Using Link Aggregation Using Multiple AP-Manager Interfaces Examples 14 Two AP-Manager Interfaces 15 Three AP-Manager Interfaces 16 Four AP-Manager Interfaces 17 Interfaces New Connecting Additional Ports Configuring Controller Settings Using the Configuration Wizard Before You Start Resetting the Device to Default Settings Resetting to Default Settings Using the CLIResetting to Default Settings Using the GUI Browse to the Commands/Reset to Factory Defaults Running the Configuration Wizard on the CLI Configuring a Country Code Configuring Time and Date ManuallyConfiguring NTP Managing the System Time and Date Enabling and Disabling 802.11 Bands Country Code Bands Allowed Configuring Administrator Usernames and Passwords Configuring Radius SettingsConfiguring Snmp Settings Enabling Dynamic Transmit Power Control Config 802.11a 802.11bg dtpc enable disableEnabling 802.3x Flow Control Enabling System Logging Configuring Multicast Mode Understanding Multicast ModeGuidelines for Using Multicast Mode Configuring the Supervisor 720 to Support the WiSM Enabling Multicast ModeCommand Multicast Mode Configuring the Supervisor Command PurposeGeneral WiSM Guidelines Switchport mode trunk Channel-group 1 mode on Wism service-vlan vlanInterface GigabitEthernet9/1-4 Interface GigabitEthernet9/5-8 Using the Wireless LAN Controller Network Module Service-module wlan-controller 1/0 reset OL-8335-02 Configuring Security Solutions Cisco Wlan Solution Security Layer 1 SolutionsLayer 2 Solutions Security Overview Layer 3 Solutions Rogue Access Point SolutionsRogue Access Point Challenges Tagging and Containing Rogue Access Points Configuring the System for SpectraLink NetLink Telephones Integrated Security Solutions Using the GUI to Enable Long Preambles Using the CLI to Enable Long Preambles Using Management over Wireless Using the GUI to Enable Management over Wireless Configuring Dhcp Using the CLI to Enable Management over WirelessUsing the GUI to Configure Dhcp Customizing the Web Authentication Login Screen Using the CLI to Configure DhcpConfig wlan disable wlan-id Config wlan enable wlan-id Default Web Authentication Operation Typical Web-Browser Security Alert Typical Web Authentication Login Window Customizing Web Authentication Operation Hiding and Restoring the Cisco Wlan Solution LogoChanging the Web Authentication Login Window Title Config custom-web webmessage message Changing the Web MessageChanging the Logo Clear webmessage Downloading the Logo or Graphic Verifying Web Authentication Changes Config custom-web redirecturl urlCreating a Custom URL Redirect Example Sample Customized Web Authentication Login Window Example of a Customized Web Authentication Login Window Configuring Identity Networking Identity Networking Overview Radius Attributes Used in Identity Networking QoS-LevelACL-Name Interface-Name VLAN-Tag Tunnel Attributes OL-8335-02 Configuring WLANs Wireless LAN Overview Configuring Wireless LANsDisplaying, Creating, Disabling, and Deleting Wireless LANs Activating Wireless LANs Assigning a Wireless LAN to a Dhcp ServerConfiguring MAC Filtering for Wireless LANs Enabling MAC Filtering Assigning Wireless LANs to VLANs Configuring Layer 2 SecurityConfiguring a Timeout for Disabled Clients Dynamic 802.1X Keys and Authorization WEP Keys Dynamic WPA Keys and Encryption Configuring Layer 3 Security Configuring a Wireless LAN for Both Static and Dynamic WEPIPSec Authentication IPSec IKE Authentication IKE Phase 1 Aggressive and Main ModesIKE Lifetime Timeout IKE Diffie-Hellman Group Configuring Quality of Service Web-Based AuthenticationIPSec Passthrough Local Netuser Configuring QoS Enhanced BSS Qbss Config wlan wmm disabled allowed required wlan-idTraffic Type Ieee 802.11e UP Enabling 7920 Support Mode Config wlan 7920-support client-cac-limit enable wlan-id Controlling Lightweight Access Points Lightweight Access Point Overview Cisco 1000 Series Ieee 802.11a/b/g Lightweight Access Points Cisco 1030 Remote Edge Lightweight Access Points Typical 1030 Lightweight Access Point Configuration Cisco 1000 Series Lightweight Access Point Part Numbers Cisco 1000 Series Lightweight Access Point LEDs External Antenna ConnectorsAntenna Sectorization Cisco 1000 Series Lightweight Access Point Connectors Using the DNS for Controller Discovery Cisco 1000 Series Lightweight Access Point Mounting OptionsCisco 1000 Series Lightweight Access Point Monitor Mode Dynamic Frequency Selection Autonomous Access Points Converted to Lightweight Mode Reverting from Lightweight Mode to Autonomous Mode Using a Controller to Return to a Previous Release Using Dhcp Option Access Point VCI String Converted Access Points Send Radio Core Dumps to Controller Enabling Memory Core Dumps from Converted Access PointsDisplay of MAC Addresses for Converted Access Points Config ap get-radio-core-dump slot ap-name Config ap reset-button enable disable ap-nameall Config ap static-ip enable ap-name ip-address mask gateway OL-8335-02 Managing Controller Software Configurations Transferring Files to and from a Controller Upgrading Controller Software Transfer download path absolute-tftp-server-path-to-file Saving Configurations Clearing the Controller ConfigurationErasing the Controller Configuration Resetting the Controller OL-8335-02 Configuring Radio Resource Management Overview of Radio Resource Management Radio Resource Monitoring Dynamic Channel Assignment Dynamic Transmit Power Control Coverage Hole Detection and CorrectionClient and Network Load Balancing Overview of RF Groups RRM BenefitsRF Group Leader Configuring an RF Group RF Group Name Using the GUI to Configure an RF Group General Using the CLI to Configure RF Groups Using the GUI to View RF Group StatusViewing RF Group Status Global Parameters Global Parameters Auto RF Using the CLI to View RF Group Status Auto Enabling Rogue Access Point Detection Using the GUI to Enable Rogue Access Point Detection All APs Details AP Authentication Policy Configuring Dynamic RRM Using the CLI to Enable Rogue Access Point Detection Using the GUI to Configure Dynamic RRM Default EnabledRF Group Default Automatic You click Invoke Channel Update NowRF Channel Assignment Channel Assignment Method Description Default Disabled Tx Power Level Assignment Click Invoke Power Update NowAssignment Method Description Default 10% Default -70 dBmDefault 80% Default 25% Default Noise/Interference/Rogue Monitoring Channels Monitor Intervals Using the CLI to Configure Dynamic RRM Config 802.11a disable Config 802.11b disable Overriding Dynamic RRM Radios Cisco APs Configure Config 802.11a txPower AP1 Config 802.11a disable Config 802.11b disable Viewing Additional RRM Settings Using the CLI Configuring Mobility Groups 10-1 Overview of Mobility 10-2 10-3 Inter-Controller Roaming 10-4 Inter-Subnet Roaming Overview of Mobility Groups 10-5 10-6 Two Mobility Groups Configuring Mobility Groups Determining When to Include Controllers in a Mobility GroupPrerequisites 10-7 Using the GUI to Configure Mobility Groups 10-8 10-9 Mobility Group Member New 10-10 Mobility Group Members Edit All Configuring Auto-Anchor Mobility Using the CLI to Configure Mobility Groups10-11 Guidelines for Using Auto-Anchor Mobility Using the GUI to Configure Auto-Anchor Mobility10-12 10-13 WLANs Using the CLI to Configure Auto-Anchor Mobility 10-14 Safety Considerations Translated Safety Warnings Safety Considerations Bewaar Deze Instructies Warnung Wichtige Sicherheitshinweise Avvertenza Importanti Istruzioni Sulla Sicurezza Aviso Instruções Importantes DE Segurança Guarde Estas Instruções Class 1 Laser Product Warning Aviso Produto a laser de classe Ground Conductor Warning Cisco Wireless LAN Controller Configuration Guide Chassis Warning for Rack-Mounting and Servicing Cisco Wireless LAN Controller Configuration Guide Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Cisco Wireless LAN Controller Configuration Guide Page OL-8335-02 Page OL-8335-02 Page Battery Handling Warning for 4400 Series Controllers Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Equipment Installation Warning Cisco Wireless LAN Controller Configuration Guide OL-8335-02 OL-8335-02 Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Cisco Wireless LAN Controller Configuration Guide Cisco Wireless LAN Controller Configuration Guide OL-8335-02 OL-8335-02 Declarations of Conformity and Regulatory Information Regulatory Information for 1000 Series Access Points ModelFCC Certification number Manufacturer Department of Communications-Canada Canadian Compliance StatementCertification number EMC Declaration of Conformity for RF Exposure 03-5549-6500 Access Points with Ieee 802.11a Radios All Access Points Declaration of Conformity Statements Cisco Wireless LAN Controller Configuration Guide OL-8335-02 OL-8335-02 End User License and Warranty End User License Agreement Cisco Wireless LAN Controller Configuration Guide OL-8335-02 Limited Warranty Appendix C End User License and Warranty Limited Warranty Disclaimer of Warranty Additional Open Source Terms OL-8335-02 System Messages and Access Point LED Patterns Error Message Description System Messages Lradifcurrentchannelchanged Using Client Reason and Status Codes in Trap Logs Client Reason CodesClient Reason Code Description Meaning Client Status Codes Client Status Code Description Meaning Using Lightweight Access Point LEDs LED Conditions Status Numerics IN-1 IN-2 DFS Dhcp IN-3 Help Hold Time parameter IN-4 IN-5 IN-6 IN-7 IN-8