Viewing Ignored Rogue Devices; Using Rapids Workflow To Process Rogue Devices; Score Override - Dell PowerConnect W-Airwave User Manual

W-airwave 7.4 user guide

You can use the global filtering options on the RAPIDS > Setup page to filter rogue devices according to
signal strength, ad-hoc status, and whether they were discovered by remote APs.
VisualRF uses the heard signal information to calculate the physical location of the device.
If the device is seen on the wire, RAPIDS reports the switch and port for easy isolation.
If you find that the rogue belongs to a neighboring business, for example, you can override the classification to
a neighbor and acknowledge the device. Otherwise, it is strongly recommended that you extract the device
from your building and delete the rogue device from your system. If you delete a rogue, you will be notified
the next time it is discovered.
Most columns in the Discovery Events list table on this page can be filtered using the funnel icon.
To update a rogue device:
1. Select the Identify OS for Suspected Rogues option if an IP address is available to obtain operating system
information using an nmap scan. Note that if you are running wireline security software on your network, it
may identify your AMP as a threat, which you can ignore.
2. Select the Ignore button if the rogue device is to be ignored. Ignored devices will not trigger alerts if they are
rediscovered or reclassified.
3. Select the Delete button if the rogue device is to be removed from AirWave processing.

Viewing Ignored Rogue Devices

The RAPIDS > List page allows you to view ignored rogues—devices that have been removed from the rogue
count displayed by AirWave. Such devices do not trigger alerts and do not display on lists of rogue devices. To
display ignored rogue devices, select View Ignored Rogues at the bottom left of the page.
Once a classification that has rogue devices is chosen from the drop-down menu, a detailed table displays all
known information.

Using RAPIDS Workflow to Process Rogue Devices

One suggested workflow for using RAPIDS is as follows:
1. Start from the RAPIDS > List page. Sort the devices on this page based on classification type. Begin with
Rogue APs, working your way through the devices listed.
2. Select Modify Devices, then select all devices that have an IP address and select Identify OS. AirWave
performs a port scan on the device and attempts to determine the operating system (see "Setting Up
RAPIDS" on page 169).
3. You should investigate devices running an embedded Linux OS installation. The OS scan can help identify
false positives and isolate some devices that should receive the most attention.
4. Find the port and switch at which the device is located and shut down the port or follow wiring to the device.
5. To manage the rogue, remove it from the network and acknowledge the rogue record. If you want to allow it
on the network, classify the device as valid and update with notes that describe it.
NOTE: Not all rogue discovery methods will have all information required for resolution. For example, the switch/router
information, port, or IP address are found only through switch or router polling. Furthermore, RSSI, signal, channel, SSID, WEP, or
network type information appears only through wireless scanning. Such information can vary according to the device type that
performs the scan.
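
The workflow and NOTE above as a triage sketch. This is an added example, not part of the user guide and not AirWave code: it orders constructed rogue records with Rogue first and derives each next step from the discovery data the record carries. The record field names, the sample values, and the ranking after Rogue are assumptions.

```python
# Added example. Field names and sample records are constructed for
# illustration; this is not an AirWave export format or AirWave code.
ORDER = ["Rogue", "Suspected Rogue", "Neighbor", "Valid"]  # assumed ranking
WIRED = ("switch", "port")               # learned only by switch/router polling
WIRELESS = ("rssi", "channel", "ssid")   # learned only by wireless scanning

SAMPLE = [  # constructed records
    {"mac": "00:11:22:AA:BB:01", "class": "Suspected Rogue", "ip": "10.0.5.20",
     "switch": "sw-floor2", "port": "Gi0/14", "os": None},
    {"mac": "00:11:22:AA:BB:02", "class": "Rogue", "ip": "10.0.5.31",
     "switch": "sw-floor1", "port": "Gi0/7", "os": "Embedded Linux",
     "rssi": -48, "channel": 6, "ssid": "free-wifi"},
    {"mac": "00:11:22:AA:BB:03", "class": "Rogue",
     "rssi": -71, "channel": 11, "ssid": "linksys"},
    {"mac": "00:11:22:AA:BB:04", "class": "Neighbor", "ignored": True,
     "rssi": -85, "channel": 1, "ssid": "cafe"},
]

def next_steps(rec):
    """Derive follow-up actions from the data a discovery method supplied."""
    steps = []
    if rec.get("ip") and not rec.get("os"):
        steps.append("identify OS")              # the OS scan needs an IP address
    if "embedded linux" in (rec.get("os") or "").lower():
        steps.append("investigate: embedded Linux")
    if all(rec.get(k) for k in WIRED):
        steps.append(f"isolate at {rec['switch']} port {rec['port']}")
    elif any(rec.get(k) is not None for k in WIRELESS):
        steps.append("locate by heard signal (no switch/port known)")
    if not steps:
        steps.append("insufficient data: rescan or poll switches")
    return steps

def triage(records):
    """Drop ignored devices, put Rogue first, attach next steps per device."""
    active = [r for r in records if not r.get("ignored")]
    rank = lambda r: ORDER.index(r["class"]) if r["class"] in ORDER else len(ORDER)
    return [(r["mac"], next_steps(r)) for r in sorted(active, key=rank)]

if __name__ == "__main__":
    for mac, steps in triage(SAMPLE):
        print(mac, "->", "; ".join(steps))
```
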

Score Override

On the RAPIDS > Score Override page, you can change the OUI scores that are given to MAC addresses detected
during scans of bridge forwarding tables on routers or switches. Figure 125, Figure 126, and Table 103 illustrate
and describe RAPIDS Score Override. Perform these steps to create a score override.

180 | Using RAPIDS and Rogue Classification    Dell PowerConnect W-AirWave 7.4 | User Guide
