Rogue APs

When you enable a wireless intrusion prevention system (WIPS) on your network, APs that do not comply with the WIPS are considered rogue and are listed under Manage > Security > Rogue APs. If an AP that does not comply with WIPS appears here, and you are sure that it is a valid device, you can remove it. You might also want to reconfigure the WIPS policy settings.

A graph displays a colored timeline representing data captured for rogue APs within the specified time frame. You can change the time frame using the Time Range controls. For more information, see Set the Time Frame for Captured Data Displays and Reports. Details about the data captured within this time frame are listed in the table below the graph.

View the table as follows:

Above the table are three viewing options with check boxes:
- Rogue: An unauthorized AP that is connected to your wired network.
- Unauthorized: Any unauthorized AP that is detected, but not necessarily connected to your wired network.
- Neighbor: APs that you have manually classified as neighbors and that do not represent a threat.
In the table, select and drag the right edge of any column to change the column width. Some columns can also be sorted. Select the column heading to sort column entries.
The table displays all of the rogue APs that have been detected in your network. You can also choose to show In-net rogues, Unauthorized rogues, or Neighbor rogues that are not a threat.
If a detected rogue AP is determined to be in the same backhaul network as compliant APs, ExtremeCloud IQ displays In-net. If the location of the AP in the network cannot be determined, a dash is displayed. Knowing whether a rogue AP is in the same network can help you decide how swiftly you need to respond to its presence.
By default, the table displays the following information:
- Classification: Whether this AP is considered a true rogue or a neighbor AP.
- Clients: Shows the number of clients associated with this AP.
- Rogue AP BSSID: The BSSID (basic service set identifier, which includes the MAC address) of the rogue AP.
- SSID: The SSID that is being announced by the rogue AP beacons.
- Vendor: The vendor of the rogue AP, Apple, for example.
- Approximate Location: The location of the rogue AP in your network, or the location of the AP that reported the rogue.
- Reporting Device: The authorized device in your network that reported the rogue AP.
- Reason: The reason the AP has been designated as a rogue. APs can check whether the SSID names and types of encryption other access points advertise match those in a checklist. For example, if your network security policy requires all SSIDs to use WPA or WPA2, any SSID using WPA or WPA2 makes the AP hosting it valid. An AP is categorized as rogue if it hosts an SSID using WEP or no encryption at all (open).
- First Time Detected: The first time this AP was detected in your network.
- Last Time Detected: The last time this AP was detected in your network.
- Mitigation: Displays whether mitigation has been taken against this AP.

Classify Rogue APs

You can change the classification for the rogue APs displayed in this table. Select the check box for an AP and then select Classify. Then select one of the following options:

Neighbor: Reclassifies this device as an AP that does not present a threat to your network.
Auto-classify: (For previously manually-classified APs). Use this option to return an AP to the default classification it had when first detected.

Mitigate Rogue APs

You can configure your WIPS policy to mitigate rogue APs manually or automatically. For more information about how to configure mitigation, see WIPS Policy Settings.