Rogue AP Detection
•RADIUS Authentication enables the access point to discover rogue access points. Enabling RADIUS Authentication causes the access point to check the MAC address/Basic Service Set Identifier (BSSID) of each access point that it finds against a RADIUS server to determine whether the access point is allowed. With RADIUS authentication disabled, the access point can identify its neighboring access points only; it cannot identify whether the access points are allowed or are rogues. If you enable RADIUS authentication, you must configure a RADIUS server for this access point.
•AP Scan Interval specifies the wait‐time between scans. Range: 30 to 10080 minutes. Default: 720 minutes between scans.
•AP Scan Duration sets the length of time for each rogue AP scan. A long scan duration time will detect more access points in the area, but causes more disruption to client access. Range: 100‐ 1000 milliseconds. Default: 350 milliseconds.
•Scan Now button starts an immediate rogue AP scan for the specified radio interface.
•Scan All button scans for all 802.11a and 802.11b/g interfaces.
Note: When the access point scans a channel for neighbor AP’s, wireless clients will not be able to connect to the access point. Frequent scanning, or scans, of a long duration will degrade the access points performance. Therefore, avoid frequent scanning, or scans, of long duration unless there is a reason to believe that more intensive scanning is required to find a rogue AP.
Using the CLI to Configure Rogue AP Detection
Use the rogue‐ap command to detect neighboring access points and access points that are not authorized to participate on the network. Use the interface‐a command to set access point detection parameters for 802.11a interfaces. Use the interface‐g command to set access point detection parameters for 802.11b/g interfaces. Set up the rogue AP feature by specifying the scan duration; interduration (amount of time to make frequency channels active to clients); and the interval between scans. To use rogue AP detection, enable radius authentication using the radius command. To initiate a Rogue AP scan for all interfaces, use the scan command. Use the show rogue‐ap command from the Executive mode to view interface‐a and interface‐g settings and to view scan results for both interfaces.
Example
RoamAbout 4102#configure
Enter configuration commands, one per line. End with CTRL/Z RoamAbout
RoamAbout
configure either syslog or trap or both to receive the rogue APs detected. RoamAbout
RoamAbout
RoamAbout 4102(config)#exit RoamAbout 4102#show
802.11a : Rogue AP Setting
========================================================================
Rogue AP Detection | : | Disabled | |||
Rogue AP Authentication | : | Enabled | |||
Rogue AP Scan | Interval | : | 720 | minutes | |
Rogue AP | Scan | Duration | : | 350 | milliseconds |
Rogue AP | Scan | InterDuration: | 3000 milliseconds | ||
