Let me now show you how to configure the Rogue Management feature on WLC. We’ll take a look at each individual Phase, one by one, starting with Detection.
Detection Configuration
Rogue Detection is enabled by default on every access point joined to the controller, except OfficeExtend access points (OfficeExtend APs are deployed at employees' homes, where they would pick up a large number of neighbouring "rogues" that are of no interest to us):
```
show ap config general LWAP4

Cisco AP Identifier.............................. 0
Cisco AP Name.................................... LWAP4
…
Rogue Detection.................................. Enabled
AP TCP MSS Adjust................................ Disabled
Venue Name....................................... Not configured
Venue Group...................................... Unspecified
Venue Type....................................... Unspecified
Language Code.................................... Not configured
```
The feature is disabled on a per-AP basis: under "Wireless" -> "Access Points" -> "All APs" -> "Advanced", clear the "Rogue Detection" checkbox to turn it off for that AP.
Of course, for this to work, make sure the AP Mode is set to Local, FlexConnect or Monitor (same menu, just switch to the "General" tab).
One more thing you can configure in this phase is the set of channels that are scanned for rogues. By default it is "Country Channels", i.e. the channels legal in the configured country code (in the US that means channels 1 through 11 on 2.4 GHz). This is configured under "Wireless" -> "802.11a/n" or "802.11b/g/n" -> "RRM" -> "General".
The scan period for these channels is configured in the same window, under Monitor Intervals (60 to 3600 seconds). By default the listening interval for off-channel noise and rogues is 180 seconds, which means each channel in the list is visited once every 180 seconds. Lengthening it reduces the time the AP spends off its serving channel, at the cost of slower rogue detection.
Classification Configuration
Before we get to the Classification Rules, let's first look at configuring the RLDP and/or Rogue Detector features, since both feed the classification with the one fact that matters most: whether the rogue is connected to our wired network.
To configure an AP as a Rogue Detector, simply change its mode:
You also need to change the switchport the AP is connected to into a trunk. A Rogue Detector AP does not serve wireless clients; it listens on the wired side, on every VLAN carried by the trunk, for ARP traffic sourced from MAC addresses the controller has already seen as rogue clients or rogue APs. The AP's own management VLAN must be the native VLAN (replace X and the allowed VLAN list with your own values):
```
interface F0/22
 switchport trunk encapsulation dot1q
 switchport trunk native vlan X
 switchport mode trunk
 switchport trunk allowed vlan …
 spanning-tree portfast trunk
```
To configure RLDP, go to "Security" -> "Wireless Protection Policies" -> "Rogue Policies" -> "General". There are a couple of options we can set here:
First, note that RLDP is off by default. You can enable it either for All APs (Local or FlexConnect mode) or only for APs running in Monitor mode. Next is the Expiration Timeout: a rogue whose state is "Alert" or "Threat" is removed from the list once it has not been heard for this long. "Validate Rogue Clients Against AAA" asks ACS/ISE/the local database whether a client seen on a rogue AP is actually one of our valid clients. Ad-hoc networks are detected and reported by default. Finally, one more useful setting here is the Minimum RSSI: a rogue heard weaker than this value is not reported to the WLC at all, which keeps far-away APs out of the list.
So far, so good. Now, before I show you how to add Classification Rules, let's see what rogues have been detected in our network ("Monitor" -> "Rogues" -> "Unclassified APs").
In that list, let's assume that the rogue with SSID GB_Guest (00:17:c5:86:23:e8) is a Friendly AP and we want to add it manually to the Friendly MAC list before we create any Classification Rules. To do this, click the blue box on the far right of the entry and remove the AP. Then navigate to "Security" -> "Wireless Protection Policies" -> "Rogue Policies" -> "Friendly Rogue" and add an entry for this MAC.
OK, great. At this point we can be sure this AP is always going to be treated as Friendly, no matter what our Classification Rules say, because the manual Friendly list is consulted before any rule. Now, to create the rules, go to "Security" -> "Wireless Protection Policies" -> "Rogue Policies" -> "Rogue Rules".
We will create two rules here: one to classify APs as Malicious and one as Friendly. Malicious APs are going to be those that have at least one client associated OR are heard at -70 dBm or stronger (the RSSI value in a rule is a minimum):
Note that "Match Any" is selected as the Match Operation, so either condition on its own is enough to classify an AP as Malicious.
Now one more rule, this time for friends. Let's say that any AP advertising the SSID "HQData1-Pod1" should be treated as Friendly:
How can you verify that the rules are working? Go to "Monitor" -> "Rogues" and look at the Malicious and Friendly lists.
In our case there are a lot of Malicious APs because of the RSSI condition, and just two Friendly APs (one added manually and the other matched by the HQData1-Pod1 SSID).
To see the details, click one of the MACs, for instance the first AP with SSID "Voice-Pod1":
This one matched our Malicious rule. Remember how the RSSI condition works: the value in the rule is a minimum, so any rogue heard at -70 dBm or stronger satisfies it (the closer the RSSI is to zero, the closer the rogue is to our APs), and because the rule uses "Match Any", a single associated client would be enough on its own.
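To make the rule semantics concrete, here is a small simulation of the classification we just configured. This is an added example, not the controller's code or the author's: it encodes the behaviour described above (the manual Friendly list is checked first; rules are evaluated in priority order and the first match wins; RSSI and client-count conditions are minimums; "Match Any" is an OR, "Match All" an AND; anything unmatched stays Unclassified). The rogue records in demo() are constructed, and all MACs other than the GB_Guest one from this post are made up.

```python
"""Simulation of WLC rogue AP classification as configured in this post.
Added example, not Cisco code. Rule semantics: manual Friendly list wins over
every rule; rules run in priority order, first match wins; a rule's RSSI and
client-count values are minimums (a rogue heard at -70 dBm or stronger matches
"rssi -70"); a rogue no rule matches stays Unclassified."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Rogue:
    mac: str
    ssid: str
    rssi: int      # dBm, as reported by the strongest detecting AP
    clients: int   # associated client count


@dataclass
class Rule:
    name: str
    classify: str                       # "Friendly" or "Malicious"
    priority: int                       # lower number is evaluated first
    match: str = "any"                  # "any" (OR) or "all" (AND), as in the GUI
    client_count: Optional[int] = None  # minimum number of rogue clients
    rssi: Optional[int] = None          # minimum RSSI in dBm
    ssid: Optional[str] = None          # exact SSID match

    def checks(self, r: Rogue) -> List[bool]:
        out = []
        if self.client_count is not None:
            out.append(r.clients >= self.client_count)
        if self.rssi is not None:
            out.append(r.rssi >= self.rssi)
        if self.ssid is not None:
            out.append(r.ssid == self.ssid)
        return out

    def matches(self, r: Rogue) -> bool:
        c = self.checks(r)
        if not c:
            return False          # a rule with no conditions matches nothing
        return any(c) if self.match == "any" else all(c)


def classify(rogue: Rogue, rules: List[Rule], friendly_macs: Set[str]) -> str:
    """Classification the controller would assign to one rogue."""
    if rogue.mac.lower() in friendly_macs:
        return "Friendly"          # manual Friendly entry overrides the rules
    for rule in sorted(rules, key=lambda x: x.priority):
        if rule.matches(rogue):
            return rule.classify   # first matching rule wins
    return "Unclassified"


def classify_all(rogues: List[Rogue], rules: List[Rule],
                 friendly_macs: Set[str]) -> Dict[str, str]:
    return {r.mac: classify(r, rules, friendly_macs) for r in rogues}


# The configuration built in this post: Malicious rule first, Friendly rule second
RULES = [
    Rule("Malicious", "Malicious", priority=1, match="any", client_count=1, rssi=-70),
    Rule("Friendly", "Friendly", priority=2, ssid="HQData1-Pod1"),
]
FRIENDLY_MACS = {"00:17:c5:86:23:e8"}   # GB_Guest, added manually above


def demo() -> Dict[str, str]:
    # Constructed rogues; MACs other than the GB_Guest one are made up
    rogues = [
        Rogue("00:17:c5:86:23:e8", "GB_Guest", -45, 3),      # on the list: Friendly despite clients
        Rogue("02:00:00:00:00:01", "Voice-Pod1", -82, 9),    # far away, but has clients
        Rogue("02:00:00:00:00:02", "Open-Net", -66, 0),      # strong signal, no clients
        Rogue("02:00:00:00:00:03", "Open-Net", -75, 0),      # weak and idle: nothing matches
        Rogue("02:00:00:00:00:04", "HQData1-Pod1", -88, 0),  # only the Friendly rule matches
        Rogue("02:00:00:00:00:05", "HQData1-Pod1", -60, 0),  # Malicious rule has higher priority
    ]
    return classify_all(rogues, RULES, FRIENDLY_MACS)


if __name__ == "__main__":
    for mac, cls in demo().items():
        print(f"{mac}  {cls}")
```

The last record is the case worth noticing: with the Malicious rule at priority 1, an HQData1-Pod1 AP that happens to be heard at -60 dBm is classified Malicious, not Friendly, because the first matching rule wins. If you want the SSID to take precedence, give the Friendly rule the higher priority (or put the AP's MAC on the Friendly list, which is checked before any rule).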
There is one more option I have not mentioned yet that is visible under "Monitor" -> "Rogues": the Rogue AP Ignore List. It is populated automatically by WCS (if you use one) to tell the WLC about autonomous APs that were added manually to the WCS maps; the controller ignores these APs during rogue processing.
Containment Configuration
All right, the last thing I want to show you is how to contain an AP. As discussed in the previous post, we can do it either manually or with the Auto-Containment feature. For the manual method, open the rogue AP's details, select "Update Status", change it to "Contain" and pick the maximum number of APs (1 to 4) you want to use for the containment.
Auto-Containment is configured under "Security" -> "Wireless Protection Policies" -> "Rogue Policies" -> "General", on the same page as RLDP. Here we say that the only APs we want to contain automatically are those detected on our wired network; the other two triggers (rogues using our SSID, and valid clients associating to a rogue) stay off, which you can confirm in the first lines of the output below.
```
(Cisco Controller) >show rogue ap summary

Rogue on wire Auto-Contain....................... Enabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
Rogue Detection Report Interval.................. 10
Rogue Detection Min Rssi......................... -128
Rogue Detection Transient Interval............... 0

MAC Address        Classification     # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------
00:13:7f:8c:3b:80  Malicious          1     9         Thu Aug 29 20:07:03 2013
00:17:c5:86:23:e8  Friendly           0     0         Not Heard
00:3a:9a:b1:e5:50  Malicious          1     0         Thu Aug 29 20:07:03 2013
00:3a:9a:b1:e5:51  Malicious          1     0         Thu Aug 29 20:04:03 2013
00:3a:9a:da:fd:f0  Unclassified       1     0         Thu Aug 29 19:58:03 2013
1c:e6:c7:84:3c:10  Malicious          1     0         Thu Aug 29 20:04:03 2013
1c:e6:c7:84:3c:11  Malicious          1     0         Thu Aug 29 20:07:03 2013
1c:e6:c7:84:3c:12  Malicious          1     0         Thu Aug 29 20:07:03 2013
20:3a:07:97:a7:b0  Unclassified       1     0         Thu Aug 29 20:04:03 2013
34:a8:4e:c5:84:80  Malicious          1     0         Thu Aug 29 20:01:03 2013
34:a8:4e:c5:84:81  Malicious          1     0         Thu Aug 29 20:04:03 2013
54:78:1a:73:78:c0  Malicious          1     0         Thu Aug 29 20:04:03 2013
54:78:1a:73:78:c1  Malicious          1     0         Thu Aug 29 20:07:03 2013
54:78:1a:73:78:c2  Malicious          1     0         Thu Aug 29 20:04:03 2013
58:6d:8f:52:1b:10  Unclassified       1     0         Thu Aug 29 20:07:03 2013
b0:77:ac:37:db:00  Unclassified       1     0         Thu Aug 29 19:49:03 2013

(Cisco Controller) >show rogue ap malicious summary

Number of APs.................................... 11

MAC Address        State              # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------
00:13:7f:8c:3b:80  Alert              1     10        Thu Aug 29 20:10:03 2013
00:3a:9a:b1:e5:50  Alert              1     0         Thu Aug 29 20:10:03 2013
00:3a:9a:b1:e5:51  Alert              1     0         Thu Aug 29 20:04:03 2013
1c:e6:c7:84:3c:10  Alert              1     0         Thu Aug 29 20:10:03 2013
1c:e6:c7:84:3c:11  Alert              1     0         Thu Aug 29 20:07:03 2013
1c:e6:c7:84:3c:12  Contained          1     0         Thu Aug 29 20:07:03 2013
34:a8:4e:c5:84:80  Alert              1     0         Thu Aug 29 20:10:03 2013
34:a8:4e:c5:84:81  Alert              1     0         Thu Aug 29 20:04:03 2013
54:78:1a:73:78:c0  Alert              1     0         Thu Aug 29 20:04:03 2013
54:78:1a:73:78:c1  Alert              1     0         Thu Aug 29 20:07:03 2013
54:78:1a:73:78:c2  Alert              1     0         Thu Aug 29 20:04:03 2013
```
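Since the auto-containment switches are visible right in the summary output, it is easy to script a check that tells you, for a given rogue list, which entries the policy would actually contain and why. The following is an added example, not Cisco code or the author's: it parses the setting lines and the rogue table in the format shown above (SAMPLE is a trimmed copy of that output), and applies the three auto-contain triggers. The per-rogue evidence (on the wire, using our SSID, valid client associated) is constructed, because the summary output does not carry it; the on-wire flag for 1c:e6:c7:84:3c:12 is set so the demo reproduces the one Contained entry in the malicious summary. The Alert/Contained state model is deliberately simplified.

```python
"""Parse 'show rogue ap summary' output and apply the auto-containment policy it
reports. Added example, not Cisco code. SAMPLE is a trimmed copy of the output
in this post; EVIDENCE is constructed (the summary does not carry it)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
(Cisco Controller) >show rogue ap summary

Rogue on wire Auto-Contain....................... Enabled
Rogue using our SSID Auto-Contain................ Disabled
Valid client on rogue AP Auto-Contain............ Disabled
Rogue AP timeout................................. 1200
Rogue Detection Report Interval.................. 10
Rogue Detection Min Rssi......................... -128
Rogue Detection Transient Interval............... 0

MAC Address        Classification     # APs # Clients Last Heard
-----------------  ------------------ ----- --------- -----------------------
00:13:7f:8c:3b:80  Malicious          1     9         Thu Aug 29 20:07:03 2013
00:17:c5:86:23:e8  Friendly           0     0         Not Heard
00:3a:9a:da:fd:f0  Unclassified       1     0         Thu Aug 29 19:58:03 2013
1c:e6:c7:84:3c:12  Malicious          1     0         Thu Aug 29 20:07:03 2013
"""


@dataclass
class RogueRow:
    mac: str
    classification: str
    aps: int          # number of our APs that hear it
    clients: int
    last_heard: str


@dataclass
class Evidence:
    on_wire: bool = False       # proven on our wired network (RLDP or Rogue Detector)
    our_ssid: bool = False      # advertises one of our WLAN SSIDs
    valid_client: bool = False  # a client known to AAA is associated to it


# Constructed evidence for the demo (not in the controller output)
EVIDENCE = {
    "00:13:7f:8c:3b:80": Evidence(our_ssid=True, valid_client=True),
    "1c:e6:c7:84:3c:12": Evidence(on_wire=True),
}

# "Name.......... value" setting lines and rogue table rows
SETTING_RE = re.compile(r"^(.*?)\.{2,}\s+(\S.*)$")
ROW_RE = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\d+)\s+(\d+)\s+(.+)$", re.I)


def parse_summary(text: str) -> Tuple[Dict[str, str], List[RogueRow]]:
    settings: Dict[str, str] = {}
    rows: List[RogueRow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(RogueRow(m.group(1).lower(), m.group(2), int(m.group(3)),
                                 int(m.group(4)), m.group(5).strip()))
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings, rows


def enabled(settings: Dict[str, str], key: str) -> bool:
    return settings.get(key, "Disabled") == "Enabled"


def containment_reason(row: RogueRow, settings: Dict[str, str],
                       ev: Evidence) -> Optional[str]:
    """The auto-contain trigger that fires for this rogue, or None."""
    if row.classification == "Friendly":
        return None                       # friendly entries are never contained
    if enabled(settings, "Rogue on wire Auto-Contain") and ev.on_wire:
        return "on-wire"
    if enabled(settings, "Rogue using our SSID Auto-Contain") and ev.our_ssid:
        return "our-ssid"
    if enabled(settings, "Valid client on rogue AP Auto-Contain") and ev.valid_client:
        return "valid-client"
    return None


def plan(text: str, evidence: Dict[str, Evidence]) -> Dict[str, str]:
    """Map each rogue MAC to Friendly, Alert or 'Contained (<reason>)'."""
    settings, rows = parse_summary(text)
    out = {}
    for row in rows:
        reason = containment_reason(row, settings, evidence.get(row.mac, Evidence()))
        if row.classification == "Friendly":
            out[row.mac] = "Friendly"
        elif reason:
            out[row.mac] = f"Contained ({reason})"
        else:
            out[row.mac] = "Alert"
    return out


if __name__ == "__main__":
    for mac, state in plan(SAMPLE, EVIDENCE).items():
        print(f"{mac}  {state}")
```

With the settings as captured above, only the on-wire rogue ends up contained; the AP that advertises our SSID and has one of our clients on it stays in Alert because those two triggers are disabled. That is the conservative choice: containment is an active measure (the containing APs transmit de-authentication frames to the rogue's clients), so limiting it to rogues proven to be on our own wire keeps us from knocking neighbours' clients off networks that have nothing to do with us.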
–
Piotr Kaluzny
CCIE #25665 (Security), CCSP, CCNP
Sr. Technical Instructor - IPexpert, Inc.
URL: http://www.IPexpert.com