FAQ and Troubleshooting Guide for the CiscoWorks Wireless LAN Solution Engine
OL-8376-01
Chapter 1 FAQs and Troubleshooting
Intrusion Detection System FAQs and Troubleshooting
Detecting Rogue APs
Q. How does WLSE detect rogue APs?
A. Here is a brief summary of the rogue AP detection logic:
a. A rogue AP appears and starts sending out beacons and responding to probe-requests.
b. A nearby managed and RM-enabled AP or client detects the beacon (same channel or
off-channel) or probe response (off-channel). The AP or client sends back a beacon report of
the rogue AP in the next scheduled RM report. The scheduled internal RM reporting interval is
90 seconds, so this step can take up to 90 seconds to complete.
c. The WLSE Radio Manager (RM) receives the beacon report, recognizes that this AP is not in
the system (not a managed AP, and not a previously detected radio), and triggers the rogue AP
switch-port tracing logic. The WLSE RM does not issue a rogue AP fault at this time.
d. The WLSE RM waits for 3 measurement intervals (3x90, or 270 seconds) for other surrounding
APs or clients to report the same radio. This delay allows as many APs as possible to detect the
rogue and helps pinpoint the rogue’s location (which is reported in Step e). When other APs or
clients detect this radio, the reporting AP and the reported RSSI of the rogue AP are stored or
updated in the WLSE RM database. This period of time also allows the switch port tracing logic
to try to locate the switch port to which this rogue AP might connect. This logic happens in
parallel. Depending on the size of the network, the switch port tracing logic may or may not
finish before the end of this interval (270 seconds).
e. The WLSE RM issues a rogue AP fault. Together, steps b through e take from 270 to 360
seconds (3x90 to 4x90) to generate a fault against a particular rogue AP. After the fault has been
generated, the fault notifications follow the standard WLSE fault notification process. (You
must set up the e-mail notification to receive it.) The fault details page is updated so that when
you click on the rogue AP’s location, the system will have enough information (if it is available)
to do a location triangulation based on the RSSI from the different reporting APs.
f. The AP or client continues to update the rogue AP’s RSSI, and the Radio Manager continues to
update this information in the WLSE. This allows the WLSE to keep the rogue AP’s location
current and not limited to the position when it was first detected.
Q. What is the difference between a rogue and a friendly AP?
A. In WLSE, friendly stations are unknown stations that the administrator has identified as “okay”; all
others are rogues. Unlike a rogue AP, a friendly AP will not trigger a rogue AP fault (that is, a friendly
AP will not be detected as a rogue). To change the category type of a rogue AP to Friendly, select
IDS > Manage Rogues.
Q. How does the WLSE distinguish between a rogue device and an ad-hoc device?
A. APs and clients detect beacons in the air and send the beacon information to the WLSE via the WDS.
These beacons are standard 802.11 frames. If the beacon information does not match a managed
radio in the WLSE (by MAC address), the WLSE will identify it as an Unknown Station.
An unknown station is either infrastructure or ad-hoc (IBSS). This determination is made from the
beacon report; the 802.11 frame contains a byte indicating whether the beacon is IBSS
(ad-hoc) or infrastructure. WLSE relies solely on this flag in the beacon to make this
determination.
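
The fault timing in steps c through f and the IBSS-flag classification described above, modeled as an added example (not Cisco or WLSE code). The class and function names and the sample reports are constructed; the flag is assumed to be the IBSS bit of the 802.11 Capability Information field, and raising faults for ad-hoc stations on the same timer as infrastructure ones is an assumption.

```python
RM_INTERVAL = 90     # seconds between scheduled RM reports (from the text)
WAIT_INTERVALS = 3   # step d: wait 3 x 90 = 270 s before raising the fault
CAP_IBSS = 0x0002    # IBSS bit of the 802.11 Capability Information field

def station_kind(capability):
    """Classify solely from the IBSS flag, as the FAQ describes."""
    return "ad-hoc" if capability & CAP_IBSS else "infrastructure"

class RadioManagerModel:
    """Toy model of steps c-f (hypothetical names, not WLSE code)."""
    def __init__(self, managed, friendly=()):
        self.managed = {m.lower() for m in managed}
        self.friendly = {m.lower() for m in friendly}
        self.unknown, self.faults = {}, []

    def report(self, t, reporter, bssid, rssi, capability):
        bssid = bssid.lower()
        if bssid in self.managed:          # step c: managed radios are ignored
            return
        st = self.unknown.setdefault(bssid, {"first_seen": t, "rssi": {},
             "kind": station_kind(capability), "faulted": False})
        st["rssi"][reporter] = rssi        # steps d and f: store or update RSSI

    def tick(self, t):
        """Run once per RM interval; raise the faults that are now due."""
        for bssid, st in self.unknown.items():
            due = t - st["first_seen"] >= WAIT_INTERVALS * RM_INTERVAL
            # Assumption: both kinds of unknown station fault on the same timer.
            if due and not st["faulted"] and bssid not in self.friendly:
                st["faulted"] = True
                self.faults.append((t, bssid, st["kind"], dict(st["rssi"])))

# Constructed sample: (time s, reporting AP, BSSID, RSSI dBm, capability field)
REPORTS = [
    (90,  "ap-1", "00:11:22:33:44:55", -48, 0x0421),   # managed AP
    (90,  "ap-1", "02:AA:BB:CC:DD:01", -61, 0x0431),   # unknown, infrastructure
    (180, "ap-2", "02:AA:BB:CC:DD:01", -70, 0x0431),   # second AP hears it
    (180, "ap-2", "02:AA:BB:CC:DD:02", -55, 0x0022),   # unknown, IBSS bit set
    (270, "ap-3", "02:AA:BB:CC:DD:03", -66, 0x0401),   # marked friendly
]

def simulate(until=720):
    rm = RadioManagerModel(managed=["00:11:22:33:44:55"],
                           friendly=["02:aa:bb:cc:dd:03"])
    for t in range(RM_INTERVAL, until + 1, RM_INTERVAL):
        for r in (r for r in REPORTS if r[0] == t):
            rm.report(*r)
        rm.tick(t)
    return rm.faults
```

Each fault record carries the RSSI readings gathered from every reporting AP during the 270-second wait, which is the data the location triangulation in step e depends on.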