Rogue detection is enabled by default on a Wireless LAN Controller, and you can view detected rogue APs under “Monitor > Rogue > Unclassified APs”. Here is a screen capture of that section from one of my controllers.
In a typical campus environment there are lots of other APs around. Some of them pose no threat and can be classified as friendly. Most of them belong to third-party shops, other organisations sharing the premises, and so on; these APs you can categorise as “Friendly External”. The other category of friendly APs is “Internal”, meaning APs that belong to your organisation but are not managed by your WLCs. You can categorise those as “Friendly Internal”.
Let’s create a Rogue Rule to classify APs that advertise known SSIDs (belonging to another organisation on your premises) as Friendly External. You can do this via the GUI under “Security > Wireless Protection Policies > Rogue Rules”. You have to give a Rule Name, set the Rule Type to “Friendly” and the State to “External”.
Once you create the rule, you can add conditions. In this example we will use SSID as the condition and “match any” as the match operation. If you configure “match all”, every condition must be met for the AP to be classified as Friendly External. In this example we will classify APs advertising the “SuniTAFE-STUDENTS”, “SuniTAFE-STAFF” and “SuniTAFE-Guest” SSIDs as Friendly External.
Here is the complete list of conditions that can be used for rogue classification.
1. SSID—Requires that the rogue access point have a specific user-configured SSID. If you choose this option, enter the SSID in the User Configured SSID text box, and click Add SSID.
2. RSSI—Requires that the rogue access point have a minimum received signal strength indication (RSSI) value. For example, if the rogue access point has an RSSI that is greater than the configured value, then the access point could be classified as malicious. If you choose this option, enter the minimum RSSI value in the Minimum RSSI text box. The valid range is -95 to -50 dBm (inclusive), and the default value is 0 dBm.
3. Duration—Requires that the rogue access point be detected for a minimum period of time. If you choose this option, enter a value for the minimum detection period in the Time Duration text box. The valid range is 0 to 3600 seconds (inclusive), and the default value is 0 seconds.
4. Client Count—Requires that a minimum number of clients be associated to the rogue access point. For example, if the number of clients associated to the rogue access point is greater than or equal to the configured value, then the access point could be classified as malicious. If you choose this option, enter the minimum number of clients to be associated to the rogue access point in the Minimum Number of Rogue Clients text box. The valid range is 1 to 10 (inclusive), and the default value is 0.
5. No Encryption—Requires that the rogue access point’s advertised WLAN does not have encryption enabled. If a rogue access point has encryption disabled, it is likely that more clients will try to associate to it. No further configuration is required for this option.
6. Managed SSID—Requires that the rogue access point’s managed SSID (the SSID configured for the WLAN) be known to the controller. No further configuration is required for this option.
Note: The SSID and Managed SSID conditions cannot be used with the Match All operation because these two SSID lists are mutually exclusive. If you define a rule with Match All and have these two conditions configured, the rogue access points are never classified as friendly or malicious because one of the conditions can never be met.
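To see how the rule engine described above actually decides, here is a small model of it in Python. This is an added example, not code from the original post or from Cisco: it reproduces the semantics of priority order, Match Any / Match All and the six condition types, including the Match All caveat in the note above and a per-SSID Match All rule with an RSSI floor of the kind configured later in the post. The rules, rogue reports and the managed-SSID set are constructed for this example, and the comparisons follow the wording of the condition list rather than a captured controller test, so confirm boundary behaviour on your own release.

```python
"""Model of Cisco WLC rogue classification rules over constructed rogue reports.

Added example (not the post's or Cisco's code). MANAGED_SSIDS, RULES and ROGUES
are all constructed; BSSIDs are made up.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical WLANs configured on our own controller: what "Managed SSID" checks.
MANAGED_SSIDS = {"ACME-Corp", "ACME-Guest"}


@dataclass
class Rogue:
    bssid: str
    ssid: str
    rssi: int          # dBm from the strongest detecting AP
    duration: int      # seconds since first reported
    clients: int       # clients seen associated to the rogue
    encrypted: bool    # advertised WLAN has encryption enabled


@dataclass
class Rule:
    name: str
    priority: int                # lower number is evaluated first
    classify: str                # "friendly" or "malicious"
    match: str = "any"           # "any" or "all"
    ssids: List[str] = field(default_factory=list)   # user-configured SSID list
    min_rssi: Optional[int] = None
    min_duration: Optional[int] = None
    min_clients: Optional[int] = None
    no_encryption: bool = False
    managed_ssid: bool = False


def validate_rule(rule: Rule) -> List[str]:
    """Problems the controller lets you configure but that leave the rule useless."""
    problems = []
    configured = [bool(rule.ssids), rule.min_rssi is not None,
                  rule.min_duration is not None, rule.min_clients is not None,
                  rule.no_encryption, rule.managed_ssid]
    if not any(configured):
        problems.append(f"{rule.name}: no conditions, so it can never match")
    if rule.match == "all" and rule.ssids and rule.managed_ssid:
        problems.append(f"{rule.name}: Match All with both SSID and Managed SSID "
                        "can never be satisfied")
    return problems


def evaluate_conditions(rule: Rule, rogue: Rogue) -> List[bool]:
    """One boolean per configured condition."""
    results = []
    if rule.ssids:
        # Exact, case-sensitive match. A user-configured SSID cannot also be one
        # of our managed SSIDs, which is why the two lists are mutually exclusive.
        results.append(rogue.ssid in rule.ssids and rogue.ssid not in MANAGED_SSIDS)
    if rule.min_rssi is not None:
        results.append(rogue.rssi >= rule.min_rssi)          # heard at least this strongly
    if rule.min_duration is not None:
        results.append(rogue.duration >= rule.min_duration)
    if rule.min_clients is not None:
        results.append(rogue.clients >= rule.min_clients)
    if rule.no_encryption:
        results.append(not rogue.encrypted)
    if rule.managed_ssid:
        results.append(rogue.ssid in MANAGED_SSIDS)          # someone advertising our SSID
    return results


def rule_matches(rule: Rule, rogue: Rogue) -> bool:
    results = evaluate_conditions(rule, rogue)
    if not results:
        return False
    return all(results) if rule.match == "all" else any(results)


def classify(rogue: Rogue, rules: List[Rule]) -> Tuple[str, Optional[str]]:
    """First matching rule in priority order wins; otherwise the rogue stays Unclassified."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, rogue):
            return rule.classify, rule.name
    return "unclassified", None


# Constructed rule set: the post's Match Any friendly rule, a per-SSID Match All rule
# with an RSSI floor, a malicious rule for open APs with clients, a deliberately broken
# rule (the note's caveat), and a rule catching impersonation of our own SSIDs.
RULES = [
    Rule("SuniTAFE", 1, "friendly", "any",
         ssids=["SuniTAFE-GUEST", "SuniTAFE-STAFF", "SuniTAFE-STUDENTS"]),
    Rule("ROGUE-3", 3, "friendly", "all", ssids=["eduroam"], min_rssi=-90),
    Rule("OPEN-AP", 5, "malicious", "all", no_encryption=True, min_clients=2),
    Rule("BROKEN", 7, "malicious", "all", ssids=["ACME-Corp"], managed_ssid=True),
    Rule("IMPERSONATOR", 8, "malicious", "any", managed_ssid=True),
]

ROGUES = [  # constructed reports
    Rogue("00:11:22:33:44:01", "SuniTAFE-STAFF", -70, 600, 0, True),
    Rogue("00:11:22:33:44:02", "eduroam", -85, 600, 0, True),
    Rogue("00:11:22:33:44:03", "eduroam", -93, 600, 0, True),            # too weak for ROGUE-3
    Rogue("00:11:22:33:44:04", "FreeWiFi", -55, 120, 3, False),
    Rogue("00:11:22:33:44:05", "SuniTAFE-GUEST", -60, 120, 3, False),    # open, but priority 1 wins
    Rogue("00:11:22:33:44:06", "ACME-Corp", -40, 30, 0, True),           # our SSID on a foreign BSSID
]


def run_example():
    """Return {bssid: (classification, rule name)} for the constructed rogues."""
    return {r.bssid: classify(r, RULES) for r in ROGUES}


if __name__ == "__main__":
    for rule in RULES:
        for problem in validate_rule(rule):
            print("WARNING:", problem)
    for bssid, (cls, rule_name) in run_example().items():
        print(f"{bssid}  {cls:12s}  {rule_name or '-'}")
```

Two things the model makes visible that the GUI does not: rule priority decides before the rule type does (an open guest AP with clients is still Friendly because the priority 1 SSID rule fires first), and a Match All rule combining SSID with Managed SSID silently never matches, which is why validate_rule() flags it up front.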
Now if you check “Monitor > Rogues > Friendly APs” you will see all APs advertising these SSIDs classified as “Friendly External”, as per your rogue rule.
You can configure up to 64 rogue classification rules per controller using the controller GUI or CLI. If you look at the controller configuration you will see the following CLI commands related to rogue classification.
config rogue rule add ap priority 1 classify friendly notify all state external SuniTAFE
config rogue rule match any SuniTAFE
config rogue rule condition ap set ssid SuniTAFE-GUEST SuniTAFE
config rogue rule condition ap set ssid SuniTAFE-STAFF SuniTAFE
config rogue rule condition ap set ssid SuniTAFE-STUDENTS SuniTAFE
config rogue rule enable SuniTAFE
The rogue classification shown above is from one of my production WLCs, running 7.4.100.6 code.
Now we will see how to configure this on WLC 7.0.116.0, which is the version in the CCIEW v2.0 lab exam. Here is how you create a Rogue Rule under the Security section.
As you can see, in this version you cannot set the State to one of “Internal”, “External” or “Alert” in the rule itself. You can change it to either “Internal” or “External” by clicking each individual AP. By default it is set to “Internal”.
Now if you go to “Monitor > Rogue > Friendly APs” you will see something like this.
You can configure this feature via the CLI as well. Here are the steps to do that via the CLI.
(WLC2) >config rogue ?
adhoc          Configures adhoc rogue (IBSS).
ap             Configures rogue access points.
auto-contain   Configures rogue auto-containment parameters.
client         Configures rogue clients.
detection      Configures APs to detect rogue devices and configure reporting interval for monitor-mode APs
rule           Configures rogue classification rules.

(WLC2) >config rogue rule ?
add            Adds a rule with Match Any criteria. Maximum of 64 rules are allowed.
classify       Classifies a rule.
condition      Configures a condition.
delete         Deletes a rule.
disable        Disables a rule.
enable         Enables a rule.
match          Configures matching criteria for a rule.
priority       Configures rule priority.

(WLC2) >config rogue rule add ?
ap             Configures rules for APs.

(WLC2) >config rogue rule add ap ?
priority       Configures priority for a rule.

(WLC2) >config rogue rule add ap priority 1 ?
classify       Classifies a rule.

(WLC2) >config rogue rule add ap priority 1 classify friendly ?
<rule-name>    Rogue classification rule name.

(WLC2) >config rogue rule add ap priority 1 classify friendly ROGUE-1
Rule 'ROGUE-1' created successfully. Use 'config rogue rule enable ROGUE-1' to activate the rule.

(WLC2) >config rogue rule match any ROGUE-1
Rule is already set to this match operation.

(WLC2) >config rogue rule condition ?
ap             Configures condition for the APs.

(WLC2) >config rogue rule condition ap ?
set            Configures a condition for the rule.
delete         Deletes a condition from the rule.

(WLC2) >config rogue rule condition ap set ?
client-count   Requires a minimum number of clients to be associated with the rogue AP.
duration       Requires that the rogue has been detected for a minimum period of time.
managed-ssid   Requires the SSID to be known to the controller.
no-encryption  Requires that the advertised WLAN does not have encryption enabled.
rssi           Requires a minimum RSSI value.
ssid           Requires a specific SSID.

(WLC2) >config rogue rule condition ap set ssid ?
<ssid>         Enter SSID name.

(WLC2) >config rogue rule condition ap set ssid mrn-cciew ?
<rule-name>    Rogue classification rule name.

(WLC2) >config rogue rule condition ap set ssid mrn-cciew ROGUE-1
(WLC2) >config rogue rule enable ROGUE-1
You can verify using the following CLI commands.
(WLC2) >show rogue rule summary
Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        ROGUE-1                 Enabled  Friendly      Any   1

Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. Any
Hit Count........................................ 1
Total Conditions................................. 1
Condition 1
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... mrn-cciew

(WLC2) >show rogue ap summary
Rogue on wire Auto-Contain....................... Disabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
Monitor Mode Report Interval..................... 10

MAC Address        Classification     # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------
00:26:99:34:20:60  Friendly           1     0         Sat Jun 1 22:48:27 2013
00:26:99:34:20:6e  Unclassified       1     0         Sat Jun 1 22:42:29 2013
00:26:99:34:20:6f  Friendly           1     0         Sat Jun 1 22:48:27 2013
9c:c7:a6:29:e1:99  Friendly           1     0         Sat Jun 1 22:48:27 2013

(WLC2) >show rogue ap detailed 9c:c7:a6:29:e1:99
Rogue BSSID...................................... 9c:c7:a6:29:e1:99
Is Rogue on Wired Network........................ No
Classification................................... Friendly
Manual Contained................................. No
State............................................ External
First Time Rogue was Reported.................... Sat Jun 1 22:29:57 2013
Last Time Rogue was Reported..................... Sat Jun 1 22:48:27 2013
Reported By
    AP 1
        MAC Address.............................. a0:cf:5b:9e:e8:20
        Name..................................... LAP2
        Radio Type............................... 802.11n5G
        SSID..................................... mrn-cciew
        Channel.................................. (44,48)
        RSSI..................................... -25 dBm
        SNR...................................... 71 dB
        Encryption............................... Enabled
        ShortPreamble............................ Not Supported
        WPA Support.............................. Enabled
        Last reported by this AP................. Sat Jun 1 22:48:27 2013

(WLC2) >show rogue ap detailed 00:26:99:34:20:60
Rogue BSSID...................................... 00:26:99:34:20:60
Is Rogue on Wired Network........................ No
Classification................................... Friendly
Manual Contained................................. No
Rule Name........................................ ROGUE-1
State............................................ Alert
First Time Rogue was Reported.................... Sat Jun 1 22:39:30 2013
Last Time Rogue was Reported..................... Sat Jun 1 22:54:25 2013
Reported By
    AP 1
        MAC Address.............................. a0:cf:5b:9e:e8:20
        Name..................................... LAP2
        Radio Type............................... 802.11a
        SSID..................................... mrn-cciew
        Channel.................................. 36
        RSSI..................................... -79 dBm
        SNR...................................... 18 dB
        Encryption............................... Enabled
        ShortPreamble............................ Not Supported
        WPA Support.............................. Enabled
        Last reported by this AP................. Sat Jun 1 22:54:25 2013
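The `show rogue ap detailed` output above is what you would script against when there are hundreds of rogues rather than four. The following is an added example, not code from the original post or from Cisco: a parser for that dotted-leader layout (top-level fields plus an indented “Reported By” block per detecting AP) and a simple triage pass over the result. The sample text is constructed for this example in the shape of the output shown above; its BSSIDs, AP names, SSIDs and timestamps are made up. In practice you would feed it the output captured over SSH, one `show rogue ap detailed <bssid>` per entry in `show rogue ap summary`.

```python
"""Parse `show rogue ap detailed` output and pick out rogues that need a look.

Added example (not the post's or Cisco's code). SAMPLE_OUTPUT is constructed in
the layout of the controller output; all values in it are made up.
"""
import re
from typing import Dict, List, Optional

SAMPLE_OUTPUT = """\
Rogue BSSID...................................... 00:11:22:33:44:01
Is Rogue on Wired Network........................ No
Classification................................... Friendly
Manual Contained................................. No
Rule Name........................................ ROGUE-1
State............................................ Alert
First Time Rogue was Reported.................... Sat Jun  1 22:39:30 2013
Last Time Rogue was Reported..................... Sat Jun  1 22:54:25 2013
Reported By
    AP 1
        MAC Address.............................. a0:00:00:00:00:01
        Name..................................... LAP1
        SSID..................................... eduroam
        Channel.................................. 36
        RSSI..................................... -79 dBm
        Encryption............................... Enabled
Rogue BSSID...................................... 00:11:22:33:44:02
Is Rogue on Wired Network........................ No
Classification................................... Unclassified
Manual Contained................................. No
State............................................ Alert
Reported By
    AP 1
        MAC Address.............................. a0:00:00:00:00:01
        Name..................................... LAP1
        SSID..................................... FreeWiFi
        Channel.................................. 6
        RSSI..................................... -45 dBm
        Encryption............................... Disabled
    AP 2
        MAC Address.............................. a0:00:00:00:00:02
        Name..................................... LAP2
        SSID..................................... FreeWiFi
        Channel.................................. 6
        RSSI..................................... -62 dBm
        Encryption............................... Disabled
Rogue BSSID...................................... 00:11:22:33:44:03
Is Rogue on Wired Network........................ Yes
Classification................................... Unclassified
Manual Contained................................. No
State............................................ Alert
Reported By
    AP 1
        MAC Address.............................. a0:00:00:00:00:02
        Name..................................... LAP2
        SSID..................................... ACME-Corp
        Channel.................................. 44
        RSSI..................................... -81 dBm
        Encryption............................... Enabled
"""

FIELD = re.compile(r"^(\s*)(.+?)\.{2,}\s*(.*)$")   # "Key....... value"
AP_HEADER = re.compile(r"^\s+AP \d+\s*$")            # starts one detecting-AP block


def parse_rogue_details(text: str) -> List[Dict]:
    """Return one dict per rogue; per-AP fields go under the "reporters" list."""
    rogues: List[Dict] = []
    current: Optional[Dict] = None
    reporter: Optional[Dict] = None
    for line in text.splitlines():
        if AP_HEADER.match(line) and current is not None:
            reporter = {}
            current["reporters"].append(reporter)
            continue
        m = FIELD.match(line)
        if not m:
            continue                      # "Reported By" and blank lines carry no value
        indent, key, value = m.group(1), m.group(2).strip(), m.group(3).strip()
        if key == "Rogue BSSID":
            current = {"Rogue BSSID": value, "reporters": []}
            reporter = None
            rogues.append(current)
        elif indent and reporter is not None:
            reporter[key] = value         # indented field belongs to the current AP
        elif current is not None:
            current[key] = value
    return rogues


def strongest_rssi(rogue: Dict) -> Optional[int]:
    """Best RSSI across detecting APs; the strongest report is the nearest AP."""
    values = [int(r["RSSI"].split()[0]) for r in rogue["reporters"] if "RSSI" in r]
    return max(values) if values else None


def needs_attention(rogue: Dict, rssi_floor: int = -70) -> bool:
    """Wired rogues always; otherwise unclassified rogues heard at or above rssi_floor."""
    if rogue.get("Is Rogue on Wired Network") == "Yes":
        return True
    if rogue.get("Classification") != "Unclassified":
        return False
    rssi = strongest_rssi(rogue)
    return rssi is not None and rssi >= rssi_floor


def triage(text: str, rssi_floor: int = -70) -> List[str]:
    """BSSIDs from the captured output that a rogue rule has not already handled."""
    return [r["Rogue BSSID"] for r in parse_rogue_details(text)
            if needs_attention(r, rssi_floor)]


if __name__ == "__main__":
    for bssid in triage(SAMPLE_OUTPUT):
        print("check:", bssid)
```

The RSSI floor mirrors the RSSI rule condition: a strong signal means the rogue is physically close to one of your APs, which is the case worth walking out to find; the “Is Rogue on Wired Network” flag is taken on its own, since a rogue bridged onto your LAN is a problem regardless of signal.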
You can change a rogue AP’s state as below.
(WLC2) >config rogue ap classify ?
friendly       Configures rogue access point classification to friendly.
malicious      Configures rogue access point classification to malicious.
unclassified   Configures rogue access point classification to unclassified.

(WLC2) >config rogue ap classify friendly ?
state          Configures rogue access points rogue state.

(WLC2) >config rogue ap classify friendly state ?
external       Acknowledge presence of an access point.
internal       Trust a foreign access point.

(WLC2) >config rogue ap classify friendly state internal ?
<MAC addr>     Enter the MAC address of the rogue AP (e.g. 01:01:01:01:01:01).

(WLC2) >config rogue ap classify friendly state internal 00:26:99:34:20:60
(WLC2) >config rogue ap classify friendly state internal 9c:c7:a6:29:e1:99
Now let’s say you have a few other SSIDs to add to the list as “Friendly AP”; you can do it like this. In my example I will configure APs advertising the “LTUWireless2” and “eduroam” SSIDs as friendly as well.
(WLC2) >config rogue rule condition ap set ssid LTUWireless2 ROGUE-1
(WLC2) >config rogue rule condition ap set ssid eduroam ROGUE-1
(WLC2) >show rogue rule detailed ROGUE-1
Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Disabled
Type............................................. Friendly
Match Operation.................................. Any
Hit Count........................................ 1
Total Conditions................................. 1
Condition 1
    type......................................... Ssid
    SSID Count................................... 3
    SSID 1....................................... LTUWireless2
    SSID 2....................................... eduroam
    SSID 3....................................... mrn-cciew
Now we will add another condition so that only beacons of these SSIDs heard above -90 dBm are classified as friendly rogues (the RSSI condition is a minimum, so a weaker signal fails it). For this I use a separate rule per SSID, each with the match operation set to “all” (both the SSID and the RSSI condition must match). Note also that ROGUE-1 showed as Disabled after the extra SSID conditions were added above, so a rule has to be enabled again after you change it. I will delete the existing conditions and write the three new rules as below.
(WLC2) >config rogue rule condition ap delete all ROGUE-1
config rogue rule add ap priority 1 classify friendly ROGUE-1
config rogue rule match all ROGUE-1
config rogue rule condition ap set ssid mrn-cciew ROGUE-1
config rogue rule condition ap set rssi -90 ROGUE-1
config rogue rule enable ROGUE-1
config rogue rule add ap priority 2 classify friendly ROGUE-2
config rogue rule match all ROGUE-2
config rogue rule condition ap set ssid LTUWireless2 ROGUE-2
config rogue rule condition ap set rssi -90 ROGUE-2
config rogue rule enable ROGUE-2
config rogue rule add ap priority 3 classify friendly ROGUE-3
config rogue rule match all ROGUE-3
config rogue rule condition ap set ssid eduroam ROGUE-3
config rogue rule condition ap set rssi -90 ROGUE-3
config rogue rule enable ROGUE-3

(WLC2) >show rogue rule summary
Priority Rule Name               State    Type          Match Hit Count
-------- ----------------------- -------- ------------- ----- ---------
1        ROGUE-1                 Enabled  Friendly      All   1
2        ROGUE-2                 Enabled  Friendly      All   0
3        ROGUE-3                 Enabled  Friendly      All   1

(WLC2) >show rogue rule detailed ROGUE-1
Priority......................................... 1
Rule Name........................................ ROGUE-1
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 1
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... mrn-cciew

(WLC2) >show rogue rule detailed ROGUE-2
Priority......................................... 2
Rule Name........................................ ROGUE-2
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 0
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... LTUWireless2

(WLC2) >show rogue rule detailed ROGUE-3
Priority......................................... 3
Rule Name........................................ ROGUE-3
State............................................ Enabled
Type............................................. Friendly
Match Operation.................................. All
Hit Count........................................ 1
Total Conditions................................. 2
Condition 1
    type......................................... Rssi
    value (dBm).................................. -90
Condition 2
    type......................................... Ssid
    SSID Count................................... 1
    SSID 1....................................... eduroam
In a future post we will look at how to manage these rogue APs (containment).
I have been using WCS Controller Template Rogue AP rules. WCS might be a faster way of pushing rules to multiple WLCs. Not sure if the exam cares since it ends up in the WLC anyway.
Yes, that’s true as long as configs are pushed to the controllers and WCS/WLCs are in sync.
What does Notify mean? What do Global and Local specify under the Notify dropdown?
Hello, I’m very interested in seeing how we can manage Friendly External SSIDs when they are not the same.
I’ve got several providers of Internet outside of my campus and I would like to automatically set them as Friendly External, although the SSID varies, like:
ZON-232452
ZON-231231
ZON-434234
Vodafone-123123
Vodafone-123121
Vodafone-434312
Vodafone-123122
MEO-231413
MEO-879789
MEO-567523
MEO-345343
As far as I know, till version 7.6.120 this is impossible to manage automatically.
You can use wildcard SSID names (e.g. ZON*, Vodafone*, MEO*) from 7.5.x onwards.
HTH
Rasika
Release Notes for Cisco Wireless LAN Controllers and Lightweight Access Points for Release 7.5.102.0
“In the earlier releases, you could create rogue policy rules based on SSID, but the SSID had to be an exact match. In this release, you can create rogue policy rules based on wildcard SSID, where the rule is enforced by any SSID that contains the wildcard SSID string. You can configure up to 25 wildcard rule per rogue rule.”
http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn75.html
thank you very much Rasika
I need to learn about how rogue detection occurs, a packet-level view of the same. Where could I find it?
Hey there Rasika. I followed your recommendation using wildcards (ZON*, Vodafone*, MEO*) but it doesn’t work. I got no hits on those rules! 😦
The rogue SSID wildcard didn’t work for me either. I’m using 8.0.120.
Hi Omar,
Did you see this
https://supportforums.cisco.com/discussion/12434541/wildcard-or-regex-rogue-ap-rules
Let me know if no luck
HTH
Rasika
Thanks for your response. I will check it and inform you if worked
Hi Rasika, it’s working now, but I’m not using Wildcards..
Using “User configured substring-ssid” works very well.
In my case I’ve just used the sub string “ZON” and all the ZON’s were automatically classified correctly.
Hi Rasika
We have a problem with rogue detection on the wired side. Our target is to detect any rogue on the wire and control it by shutting down the port via Prime, but we could not see even the rogue AP on Prime, and sometimes not on the controller either.
PI version 3.0
Controller 8510, IOS 8.0.120
And we have five APs on each floor, including one in (monitor, wIPS) mode.
Also we have MSE.
Can you help me, because I did not find anything in the Cisco docs.
Do you have any working examples of detecting a rogue access point that is connected to your network? I’m tasked with configuring a 5520 WLC running 8.2.110 to actually alert me when there is a rogue AP connected to our network. I have a 1242AG in autonomous mode advertising one of my SSIDs connected to a trunk port on the switch. In the same switch I have configured an AP in rogue detection mode.
Hello,
I just want to know how a rogue AP is detected by SSIS or AP.
Can you please elaborate on this feature? I have searched so much on Google and got nothing beneficial.
Regards
Shekhar Rawat
Hi Shekhar,
Have you seen this document, hope it clarifies some of your doubts
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/70987-rogue-detect.html
HTH
Rasika
How to categorize rogue APs based on auto containment only for monitor mode APs?