Rogue Access Points
Hi All,
I didn't think until now about asking the community. Our client has a location where we get alerts all the time for rogue access points being detected and contained. When we get alerts, they show the SSID that was broadcast; however, when I check the dashboard there is nothing there about the AP. A few questions:
Do the rogue APs need to be physically connected to the network by Ethernet?
Can they be connected to any live Ethernet outlet in the building?
Each device has its own MAC, so I don't see how you can impersonate another?
I have read several articles about this, and I'm trying to understand better what to look for. I see the alerts at least several times a month. I hope this all makes sense, as I'm trying to get the alerts to stop, legitimate or not. Annoying; however, the alerts wouldn't be firing if something wasn't triggering them. Thoughts?
Thanks
This is a good article to read.
https://meraki.cisco.com/blog/2017/09/rogue-access-point/
Please, if this post was useful, leave your kudos and mark it as solved.
So we have policies in place that say, for example, if an SSID matches "xxxxx", then contain it. Much of the time, I am seeing something like Xfinity or Roku in the SSID. So a rogue is any AP that is not managed by and assigned to us by Meraki? What I'm trying to do is find out where the device(s) is/are being plugged in and find out what they are. There haven't been any complaints about anything malicious; I'm just trying to figure out what is throwing the alerts.
I read the blog/article you posted. So it does mention that the BSSID of the broadcast and the BSSID of the physical connection to the network are compared to see if there is a partial match.
So it does have to be a device physically connected (Ethernet) for this to happen? Unless I'm reading it wrong. So I'm wondering if it needs to be physically connected to the main switch on the network or to any live port?
This is so confusing. Every BSSID is unique.
Yes, to be classified as a Rogue in Air Marshal we need to see it from both the wireless and wired sides of the network. This doc goes into the details on the criteria for MAC address matching: https://documentation.meraki.com/MR/Monitoring_and_Reporting/Air_Marshal#Rogue_SSIDs_2
That same section also mentions the other requirement which is that the detecting AP needs to be connected to a trunk switchport with all VLANs.
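As an added illustration (not Meraki's code, and not from any post in this thread) of the two criteria discussed above: a BSSID heard over the air is matched against MAC addresses seen on the wired side, and an SSID that copies one of your own SSID names is flagged even without a wired match. The partial-match tolerance, the verdict labels and the sample MAC table are assumptions constructed for this example.

```python
# Assumed partial-match rule for this example: first five octets identical,
# last octet within LAST_OCTET_TOLERANCE. The exact tolerance Meraki applies
# is not stated in this thread; see the Air Marshal doc linked above.
from typing import Dict, Iterable, List, Set, Tuple

LAST_OCTET_TOLERANCE = 16  # assumed value, not a Meraki-documented one

def parse_mac(mac: str) -> List[int]:
    """Normalise 'aa:bb:cc:dd:ee:ff' or 'AA-BB-CC-DD-EE-FF' to six integers."""
    parts = mac.strip().lower().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return [int(p, 16) for p in parts]

def partial_match(bssid: str, wired_mac: str, tolerance: int = LAST_OCTET_TOLERANCE) -> bool:
    """True when the BSSID plausibly belongs to the same device as a wired MAC."""
    b, w = parse_mac(bssid), parse_mac(wired_mac)
    return b[:5] == w[:5] and abs(b[5] - w[5]) <= tolerance

def classify(ssid: str, bssid: str, wired_macs: Iterable[str], own_ssids: Set[str]) -> str:
    """'rogue' = also seen on the wire; 'spoof' = copies our SSID name; else 'other'."""
    if any(partial_match(bssid, m) for m in wired_macs):
        return "rogue"
    if ssid in own_ssids:
        return "spoof"
    return "other"

def classify_scan(scan: Iterable[Tuple[str, str]], wired_macs: List[str], own_ssids: Set[str]) -> Dict[str, str]:
    """Map each heard BSSID to its verdict."""
    return {bssid: classify(ssid, bssid, wired_macs, own_ssids) for ssid, bssid in scan}

# Constructed sample data: a switch MAC table and an over-the-air scan.
WIRED_MACS = ["3c:5a:b4:11:22:30", "00:11:22:aa:bb:01"]
SCAN = [
    ("Roku-1234", "3c:5a:b4:11:22:35"),   # last octet 0x35 vs 0x30 on the wire -> rogue
    ("xfinitywifi", "9c:3d:cf:01:02:03"),  # neighbour's AP, never seen on the wire -> other
    ("CorpWiFi", "de:ad:be:ef:00:01"),     # our SSID name from an unknown radio -> spoof
]
OWN_SSIDS = {"CorpWiFi"}

if __name__ == "__main__":
    for bssid, verdict in classify_scan(SCAN, WIRED_MACS, OWN_SSIDS).items():
        print(bssid, verdict)
```

Feeding it a real switch MAC table and Air Marshal scan export would show which alerts have a wired counterpart worth tracing to a port and which are just neighbours' SSIDs.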
This is partially true: a rogue is any access point that is not part of the infrastructure, even if it is not connected to the network.
For example, if I configure an AP with the same SSID name as your infrastructure, it will be considered malicious, but it does not need to be directly connected to the network.
Please, if this post was useful, leave your kudos and mark it as solved.
A Rogue Access Point is defined as any wireless Access Point that is not part of the network. It might be operating on the same or an adjacent frequency, occupying the spectrum, raising the noise level (co-channel or adjacent interference), and it may or may not be a security risk (unclassified, friendly or malicious Rogues).
Most probably it's the nearby external APs (from other vendors or other companies).
Rogue Management in a Unified Wireless Network: https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112045-hand...
Please, if this post was useful, leave your kudos and mark it as solved.
The concept is actually quite simple. A rogue AP is any AP that is not part of your infrastructure, even if it is not directly connected to your network, but that does not mean it is malicious.
Please, if this post was useful, leave your kudos and mark it as solved.
When you mention the trunk switchport, are you referring to the doc you just posted? Making sure I'm looking at the right context. Thanks.
