Chapter 1 FAQs and Troubleshooting

Intrusion Detection System FAQs and Troubleshooting

Detecting Rogue APs

Q. How does WLSE detect rogue APs?

A. Here is a brief summary of the rogue AP detection logic:

a. A rogue AP appears and starts sending out beacons and responding to probe requests.

b. A nearby managed, RM-enabled AP or client detects the beacon (same channel or off-channel) or the probe response (off-channel). The AP or client includes a beacon report for the rogue AP in its next scheduled RM report. The scheduled internal RM reporting interval is 90 seconds, so this step can take up to 90 seconds to complete.

c. The WLSE Radio Manager (RM) receives the beacon report, recognizes that this radio is not known to the system (neither a managed AP nor a previously detected radio), and triggers the rogue AP switch-port tracing logic. The WLSE RM does not issue a rogue AP fault at this point.

d. The WLSE RM waits three measurement intervals (3 x 90, or 270 seconds) for other surrounding APs or clients to report the same radio. This delay lets as many APs as possible detect the rogue, which helps pinpoint its location (reported in Step e). Each time another AP or client reports the radio, the reporting AP and the RSSI it observed for the rogue are stored or updated in the WLSE RM database. The delay also gives the switch-port tracing logic, which runs in parallel, time to locate the switch port to which the rogue AP might be connected. Depending on the size of the network, switch-port tracing may or may not finish before the 270-second interval ends.

e. The WLSE RM issues a rogue AP fault. Steps b through e take from 270 to 360 seconds (3 x 90 to 4 x 90) to generate a fault against a particular rogue AP. After the fault has been generated, notification follows the standard WLSE fault notification process (you must set up e-mail notification to receive it). The fault details page is updated so that, when you click the rogue AP's location, the system has enough information (if it is available) to triangulate the location from the RSSI values reported by the different APs.

f. The APs and clients continue to update the rogue AP's RSSI, and the Radio Manager continues to update this information in the WLSE. This keeps the rogue AP's location current rather than fixed at the position where it was first detected.

Q. What is the difference between a rogue and a friendly AP?

A. In WLSE, friendly stations are unknown stations that the administrator has marked as "okay"; all other unknown stations are rogues. Unlike a rogue AP, a friendly AP does not trigger a rogue AP fault (that is, a friendly AP is not reported as a rogue). To change a rogue AP's category to Friendly, select IDS > Manage Rogues.

Q. How does the WLSE distinguish between a rogue device and an ad-hoc device?

A. APs and clients detect beacons in the air and send the beacon information to the WLSE via the WDS. These beacons are standard 802.11 frames. If the beacon information does not match a managed radio in the WLSE (by MAC address), the WLSE identifies the sender as an Unknown Station.

An unknown station is either infrastructure or ad-hoc (IBSS). This determination is made from the beacon report: the Capability Information field of the 802.11 beacon carries an IBSS bit that is set for an ad-hoc (IBSS) network and clear for an infrastructure network. WLSE relies solely on this flag to make the determination. Because the flag is set by the beaconing device itself and is not authenticated, a device that sets it incorrectly is classified according to what it claims; the infrastructure/ad-hoc label is a reported attribute, not a verified one.
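The correlation logic described in Steps a through f, the friendly-station handling from the previous answer, and the IBSS check from this one, as an added worked example in Python. This is not Cisco WLSE code: the beacon-report format, the class and function names, the MAC addresses, reporter names and RSSI values are constructed assumptions. Only the beacon fixed-field layout (Timestamp, Beacon Interval, Capability Information) comes from the 802.11 standard, and the 90-second interval and three-interval wait come from the FAQ above.

```python
# Added example, not Cisco WLSE code: report format, names, MACs and RSSIs are
# constructed. Beacon fixed-field layout is from IEEE 802.11; timing from the FAQ.
import struct
from dataclasses import dataclass, field

RM_INTERVAL = 90            # seconds between scheduled RM reports
FAULT_DELAY_INTERVALS = 3   # intervals to wait for other reporters before a fault

# Bits of the 2-octet Capability Information field in a beacon.
CAP_ESS = 0x0001
CAP_IBSS = 0x0002


def parse_beacon_body(body: bytes) -> dict:
    """Decode the fixed fields that open a beacon frame body: Timestamp (8),
    Beacon Interval (2), Capability Information (2), all little-endian.
    The IBSS bit is the only input WLSE uses to call a station ad-hoc."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than the fixed fields")
    timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    return {"timestamp": timestamp, "beacon_interval_tu": interval,
            "ess": bool(cap & CAP_ESS), "ibss": bool(cap & CAP_IBSS)}


def make_beacon_body(cap_bits: int, interval_tu: int = 100) -> bytes:
    """Minimal beacon body for constructed test input (no IEs)."""
    return struct.pack("<QHH", 0, interval_tu, cap_bits)


@dataclass
class UnknownStation:
    bssid: str
    first_seen: int                 # arrival time of the first beacon report
    ibss: bool                      # copied verbatim from the beacon's IBSS bit
    rssi_by_reporter: dict = field(default_factory=dict)
    fault_raised: bool = False


class RogueCorrelator:
    """Hypothetical stand-in for the Radio Manager's rogue correlation."""

    def __init__(self, managed_radios, friendly=()):
        self.managed = {m.lower() for m in managed_radios}
        self.friendly = {f.lower() for f in friendly}
        self.unknown = {}           # bssid -> UnknownStation
        self.faults = []

    def ingest(self, report):
        """One beacon report: reporter, bssid, rssi, time, beacon_body.
        Returns the tracked station, or None if the BSSID is a managed radio."""
        bssid = report["bssid"].lower()
        if bssid in self.managed:
            return None                         # step c: known radio
        fields = parse_beacon_body(report["beacon_body"])
        station = self.unknown.get(bssid)
        if station is None:
            # First sighting (step c). WLSE also starts switch-port tracing
            # here, in parallel with the wait enforced in tick().
            station = UnknownStation(bssid, report["time"], fields["ibss"])
            self.unknown[bssid] = station
        # Steps d and f: keep per-reporter RSSI current for triangulation.
        station.rssi_by_reporter[report["reporter"]] = report["rssi"]
        return station

    def tick(self, now):
        """Run at each RM interval. Raise a fault for each unknown station whose
        three-interval window has elapsed (step e); friendlies never fault."""
        raised = []
        for station in self.unknown.values():
            if station.fault_raised or station.bssid in self.friendly:
                continue
            if now - station.first_seen >= FAULT_DELAY_INTERVALS * RM_INTERVAL:
                station.fault_raised = True
                self.faults.append({
                    "bssid": station.bssid, "time": now,
                    "category": "ad-hoc (IBSS)" if station.ibss else "rogue AP",
                    "reporters": dict(station.rssi_by_reporter)})
                raised.append(station.bssid)
        return raised


def run_demo() -> RogueCorrelator:
    """Replay a constructed timeline of beacon reports at 90-second ticks."""
    corr = RogueCorrelator(managed_radios=["00:11:22:33:44:01", "00:11:22:33:44:02"],
                           friendly=["de:ad:be:ef:00:03"])
    infra, adhoc = make_beacon_body(CAP_ESS), make_beacon_body(CAP_IBSS)
    timeline = [  # (arrival time, report): constructed input
        (0, dict(reporter="ap1", bssid="de:ad:be:ef:00:01", rssi=-70, beacon_body=infra)),
        (0, dict(reporter="ap1", bssid="de:ad:be:ef:00:03", rssi=-60, beacon_body=infra)),
        (0, dict(reporter="ap2", bssid="00:11:22:33:44:02", rssi=-50, beacon_body=infra)),
        (90, dict(reporter="ap2", bssid="de:ad:be:ef:00:01", rssi=-55, beacon_body=infra)),
        (90, dict(reporter="ap2", bssid="de:ad:be:ef:00:02", rssi=-80, beacon_body=adhoc)),
        (180, dict(reporter="ap1", bssid="de:ad:be:ef:00:01", rssi=-65, beacon_body=infra)),
    ]
    for now in range(0, 4 * RM_INTERVAL + 1, RM_INTERVAL):
        for arrival, report in timeline:
            if arrival == now:
                corr.ingest(dict(report, time=arrival))
        corr.tick(now)
    return corr


if __name__ == "__main__":
    for fault in run_demo().faults:
        print(fault)
```

Running it raises two faults: the infrastructure rogue first reported at t=0 faults at t=270 with two reporters and ap1's RSSI already updated from -70 to -65, and the ad-hoc station first reported at t=90 faults at t=360, matching the 270 to 360 second range in Step e. The friendly station is tracked as an unknown station but never faults, and the managed radio is never tracked at all. Note that the category comes straight from the beacon's IBSS bit, so a device that clears that bit is recorded as a rogue AP rather than as ad-hoc.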

FAQ and Troubleshooting Guide for the CiscoWorks Wireless LAN Solution Engine

1-50

OL-8376-01
