Table of Contents
Advertisement
6
System Configuration
Rogue AP – A "rogue AP" is either an access point that is not authorized to
participate in the wireless network, or an access point that does not have the correct
security configuration. Rogue APs can allow unauthorized access to the network, or
fool client stations into mistakenly associating with them and thereby blocking
access to network resources.
The access point can be configured to periodically scan all radio channels and find
other access points within range. A database of nearby access points is maintained
where any rogue APs can be identified. During a scan, Syslog messages (see
"Enabling System Logging" on page 6-32) are sent for each access point detected.
Rogue access points can be identified by unknown BSSID (MAC address) or SSID
configuration.
• AP Detection – Enables the periodic scanning for other access points.
(Default: Disable)
• AP Scan Interval – Sets the time between each rogue AP scan. (Range: 30 -10080
minutes; Default: 720 minutes)
• AP Scan Duration – Sets the length of time for each rogue AP scan. A long scan
duration time will detect more access points in the area, but causes more disruption
to client access. (Range: 100 -1000 milliseconds; Default: 350 milliseconds)
• Rogue AP Authenticate – Enables or disables RADIUS authentication. Enabling
RADIUS Authentication allows the access point to discover rogue access points.
With RADIUS authentication enabled, the access point checks the MAC address/
Basic Service Set Identifier (BSSID) of each access point that it finds against a
RADIUS server to determine whether the access point is allowed. With RADIUS
authentication disabled, the access point can detect its neighboring access points
only; it cannot identify whether the access points are allowed or are rogues. If you
enable RADIUS authentication, you must configure a RADIUS server for this
access point (see "RADIUS" on page 6-7).
• Scan AP Now – Starts an immediate rogue AP scan on the radio interface.
(Default: Disable)
Note: While the access point scans a channel for rogue APs, wireless clients will not be
able to connect to the access point. Therefore, avoid frequent scanning or scans
of a long duration unless there is a reason to believe that more intensive scanning
is required to find a rogue AP.
CLI Commands for Rogue AP Detection – From the global configuration mode,
enter the interface wireless command to access the 802.11g radio interface. From
the wireless interface mode, use the rogue-ap enable command to enable rogue
AP detection. Set the duration and interval times with the rogue-ap duration and
rogue-ap interval commands. If required, start an immediate scan using the
6-56
Advertisement
Table of Contents
