Detecting Rogue Devices; Classifying Rogue Access Points - Cisco 2100 Series Configuration Manual

Chapter 5 Configuring Security Solutions
access point to intercept network traffic and hijack client sessions. Even more alarming, wireless users
frequently publish unsecure access point locations, increasing the odds of having enterprise security
breached.

Detecting Rogue Devices

The controller continuously monitors all nearby access points and automatically discovers and collects
information on rogue access points and clients. When the controller discovers a rogue access point, it
uses the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your
network.
You can configure the controller to use RLDP on all access points or only on access points configured
for monitor (listen-only) mode. The latter option facilitates automated rogue access point detection in a
crowded RF space, allowing monitoring without creating unnecessary interference and without affecting
regular data access point functionality. If you configure the controller to use RLDP on all access points,
the controller always chooses the monitor access point for RLDP operation if a monitor access point and
a local (data) access point are both nearby. If RLDP determines that the rogue is on your network, you
can choose to either manually or automatically contain the detected rogue.

Classifying Rogue Access Points

Controller software release 5.0 or later improves the classification and reporting of rogue access points
through the use of rogue states and user-defined classification rules that enable rogues to automatically
move between states. In previous releases, the controller listed all rogue access points on one page sorted
by MAC address or BSSID. Now you can create rules that enable the controller to organize and display
rogue access points as Friendly, Malicious, or Unclassified.
By default, none of the classification rules are enabled. Therefore, all unknown access points are
categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the
unclassified access points are reclassified. Whenever you change a rule, it is applied to all access points
(friendly, malicious, and unclassified) in the Alert state only.
Rule-based rogue classification does not apply to ad-hoc rogues and rogue clients.
Note
The 4400 series controllers, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller
Note
Switch support up to 625 rogues, and the 2100 series controllers and Controller Network Module for
Integrated Services Routers support up to 125 rogues. Each controller limits the number of rogue
containments to three per radio (or six per radio for access points in monitor mode).
OL-17037-01
Cisco Wireless LAN Controller Configuration Guide
Managing Rogue Devices
5-81