Configure Rogue AP Detection

Create a new WIPS policy and select Enable Rogue Access Point Detection (Legacy).

This legacy WIPS configuration enables you to detect unauthorized access points in the area.

Note

Note

Rogue Access Point Detection is supported on 802.11ac or older model Access Points ONLY.
  1. Use Determine if detected rogue APs are connected to your wired (backhaul) network in combination with other WIPS techniques to determine if a detected rogue AP is in the same network as compliant APs.

    An Extreme Networks AP builds a MAC learning table from source MAC addresses in the broadcast traffic it receives from devices in its Layer 2 broadcast domain. When an AP running XOS 5.0r2 or later detects a rogue AP through any of the rogue detection mechanisms in the WIPS policy, it checks the MAC learning table for an entry within a 64-address range above or below the BSSID of the invalid SSID. If there is a match, it is assumes that both MAC addresses belong to the same device. Because one of its addresses is in the MAC learning table, the rogue is considered to be in the same backhaul network as the detecting AP, and In Net displays in the In Network column for that rogue in the list of rogue APs. You can then take appropriate steps to mitigate the rogue.

  2. Select Detect rogue access points based on their MAC OUI to detect rogue access points by MAC OUI.
    1. Choose Select MAC OUIs of wireless devices that are permitted in the WLAN to create a list of MAC OUIs with network access enabled.
    2. Select an OUI from the drop-down list.
      Select the add icon to add a new OUI if you don't want to use the ones in the drop-down list.
    3. Select Add.
  3. Select Detect rogue access points based on hosted SSIDs and encryption type to detect rogue access points for SSID names that other access points advertise, along with the type of encryption they use.

    For example, if you have a network security policy that requires all SSIDs to use Enterprise 802.1x, then any valid SSID using Enterprise 802.1x makes the access point hosting it valid. On the other hand, an access point is categorized as a rogue if it hosts an SSID using WEP or no encryption at all.

  4. Select Detect rogue access points based on hosted SSIDs and encryption type to include SSID checks in the WIPS policy.
  5. Select the add icon.
  6. Select Add.
  7. Select an SSID from the drop-down list.
  8. If the SSID does not appear in the drop-down list, you can enter the name in the field.
  9. Select Check the type of encryption used by this SSID and choose one of the following to restrict access to this WLAN based on the encryption that the client device uses within the chosen SSID:
    • Open: Enable only devices in the chosen SSID using no encryption to access the WLAN.
    • WEP: Enable only devices in the chosen SSID using WEP encryption to access the WLAN.
    • Enterprise 802.1x: Enable only devices in the chosen SSID using a valid WPA encryption to access the WLAN.
    Note

    Note

    You can add up 1024 SSIDs to a WIPS policy. If you enable SSID detection but do not add any SSIDs to the list, the AP will consider all SSIDs to be rogue because no SSID is indicated as being valid.
  10. Detect clients in an ad hoc network (default).
    Note

    Note

    When stations in an ad hoc network or IBSS (independent basic service set), transmit 802.11 beacons and probe responses, the ESS (extended service set) bit is set to 0 and the IBSS bit is set to 1, indicating IBSS capability. When APs detect these types of management frames, they categorize those stations transmitting them as members of an ad hoc network and as rogue.
  11. Select Enable rogue client reporting to report rogue clients.
    Note

    Note

    You can change the duration that elapses before disconnected rogue clients are deleted from the reports.
  12. Configure the following information to control how you want to mitigate rogue APs and their clients:
    • Mitigation Mode Manual: Manually mitigate rogue APs and their clients. In manual mode, you must periodically check for rogue APs and their clients on the heat map pages in your network hierarchy..
      Note

      Note

      Use caution when mitigating a suspected rogue AP. If your WLAN is within range of other neighboring wireless networks, the access point that might initially be considered a rogue AP, along with its clients, might be valid in another WLAN.
    • Mitigation Mode Automatic: APs automatically mitigate rogue APs and their clients, starting and stopping the mitigation process without any administrator involvement.
      Note

      Note

      Use only the automatic mode for rogue APs that are in-network (in the backhaul network of your organization). Otherwise, automatic mitigation can impact the normal operation of valid APs belonging to a nearby business by blocking their wireless clients from connecting to their APs. Reference the appropriate FCC regulations that prohibit Wi-Fi blocking in these cases.
    • Automatically mitigate rogue APs if they are connected to your wired (backhaul) network: This ensures that APs only mitigate rogue APs that are in their backhaul network, not APs in external networks that happen to be within radio range.
    • Detect and mitigate rogue clients every: After you enable rogue detection on an AP, it scans detected rogue APs for clients during the period that you specify. If you manually start mitigation against a rogue, the AP not only continues scanning for clients during this period, it also sends deauthentication frames to the rogue AP and any detected clients during the same period. For example, if you leave this at the default setting of 1 second, the AP checks for rogues and attacks them every second. Each time an AP checks if there are clients associated with a detected rogue, it must switch channels for about 80 milliseconds (unless it happens to be using the same channel as the rogue). To minimize channel switching, choose an AP that is on the same channel as the rogue to perform the mitigation. The Rogue AP list shows which channel the rogue is using. If none of the APs are using the same channel, choose the one with the fewest clients. Finally, if all the APs are busy and on different channels from the rogue, consider reducing the amount of channel switching by increasing the period so that the associated client check occurs less frequently. You can change the duration from 1 to 600 seconds (10 minutes).
    • Repeat mitigation for detected rogue clients: Specifies how many consecutive periods to spend attacking a rogue AP and its clients before allowing client inactivity to cause a ceasefire and commence a countdown to end the mitigation. If you use the default settings for both the length of the mitigation period and the consecutive number of periods, an attack will last for 60 seconds before entering a cease-fire period due to client inactivity. The range is from 0 to 2,592,000 seconds (30 days). A value of 0 means that mitigator APs send deauthentication frames for the entire amount of time that a mitigation effort is in effect (as defined in the next setting).
    • Limit mitigation efforts per rogue AP to: The maximum amount of time that an attack against a rogue AP can last. If the length of client inactivity does not cause the attack to be suspended or if you do not manually stop the attack, the AP will stop it when this time limit elapses. The default duration is 14,400 seconds (4 hours), which means that an AP continues checking for clients of a detected rogue for up to four hours and mitigates them if it finds them. (The mitigation might stop sooner if the period of client inactivity lasts long enough to stop it.) You can change the maximum time limit between 0 and 2,592,000 seconds (30 days). In cases where the response time to detect a rogue AP would be greater than the default duration of four hours, consider increasing the duration to enable more time to locate the AP before ending the mitigation process. A value of 0 means that the client detection and mitigation process will continue indefinitely unless the client inactivity period elapses.
    • Stop mitigation if no client activity is detected in: Set a period of time to stop the mitigation process if the AP no longer detects that clients are associated with the rogue AP. During this time, the AP stops sending DoS attacks but continues checking if any clients form new associations with the targeted AP. If the AP detects any associated clients before this period elapses, it sends a deauthentication flood attack and resets the counter. If there are no more clients associated with the AP after this period, the AP stops the mitigation process even if there is still time remaining in the maximum time limit.
    • Max number of mitigator APs per rogue AP: (Applies to automatic mode only.) For automatic mitigation, hive members choose one AP to be the arbitrator, which is the one to which all the detector APs send reports. The arbitrator AP also determines which detector APs perform mitigation. When they start, they become mitigator APs. Set the number of mitigator APs that the arbitrator AP can automatically assign to attack a rogue AP and its clients. If you set the maximum as 0, all the detector APs can be assigned to perform rogue mitigation.
  13. Select Save.