Configuring Rogue AP Detection & Mitigation
KB ARTICLE TYPE: Configuration
RELATED PRODUCTS: Controller, AP
RELATED SOFTWARE VERSIONS: N/A
KEYWORDS: Controller, AP, BSSID
Rogue APs are unauthorized wireless access points. Valid network users should not be allowed to connect to rogue APs because rogues pose a security risk to the corporate network. To prevent clients of unauthorized APs from accessing your network, enable both options: scanning for the presence of rogue APs and mitigating the client traffic originating from them.
These features are set globally. The controller manages the lists of allowable and blocked WLAN BSSIDs and coordinates the set of APs (the Mitigating APs) that perform mitigation when a rogue AP is detected.
When rogue AP scanning (detection) is enabled, for any given period, the AP spends part of the time scanning channels (determined by the Scanning time in ms setting) and part of the time performing normal AP WLAN operations on the home channel (determined by the Operational time in ms setting). This scan/operate cycle repeats so quickly that both tasks are performed without noticeable degradation of network operation.
Rogue AP mitigation prevents stations from associating with the rogue AP. You can block all traffic from any clients in range of Meru access points that attempt to access the network through rogue APs.
CONFIGURATION STEPS:
GUI Steps:
STEP 1: Go to "Configuration" tab >> "Wireless IDS/IPS" >> "Rogue APs".
STEP 2: Under the "Global settings" tab, turn On Detection.
STEP 3: In the "Mitigation" list, select one of the following:
*No mitigation: No rogue AP mitigation is performed.
*Block all BSSIDs that are not in the ACL: Enables rogue AP mitigation of all detected BSSIDs that are not specified as authorized in the Allowed APs list.
*Block only BSSIDs in blocked list: Enables rogue AP mitigation only for the BSSIDs that are listed in the Blocked APs list.
*Block Clients seen on the wire: Enables rogue mitigation for any rogue station detected on the wired side of the AP (the corporate network, in many cases).
STEP 4: Set the "Rogue AP aging" in seconds. Type the amount of time that passes before the rogue AP alarm is cleared if the controller no longer detects the rogue. The value can be from 60 through 86,400 seconds.
STEP 5: Set the "Number of Mitigating APs" by entering the number of APs (from 1 to 20) that will perform scanning and mitigation of rogue APs.
STEP 6: Set the "Scanning time in ms" by entering the amount of time Mitigating APs will scan the scanning channels for rogue APs. This can be from 100 to 500 milliseconds.
STEP 7: In the "Operational time in ms" field, enter the amount of time Mitigating APs will spend in operational mode on the home channel. This can be from 100 to 5000 milliseconds.
STEP 8: Set the "Max mitigation frames sent per channel" by entering the maximum number of mitigation frames that will be sent to the detected rogue AP. This can be from 1 to 50 deauth frames.
STEP 9: Set the "Scanning Channels" by entering the list of channels that will be scanned for rogue APs. Use a comma-separated list from 0 to 256 characters. The complete set of default channels is 1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165.
STEP 10: In the "RSSI Threshold for Mitigation" field, enter the minimum threshold level over which stations are mitigated. The range of valid values is from -100 to 0.
STEP 11: Click Ok to apply the settings.
CLI Steps:
To enable Rogue Detection and Rogue Mitigation:
MeruController1# configure terminal
MeruController1(config)# rogue-ap detection
MeruController1(config)# rogue-ap mitigation <all | none | selected | wiredRogue>
MeruController1(config)# rogue-ap aging <aging-time 60-86400 in seconds>
MeruController1(config)# rogue-ap assigned-aps <number_aps from 1 to 20>
MeruController1(config)# rogue-ap scanning-time <scanning-time from 100 to 500 milliseconds>
MeruController1(config)# rogue-ap operational-time <operational-time from 100 to 500 milliseconds>
MeruController1(config)# rogue-ap mitigation-frames <number_frames 1 to 50 deauth frames, default is 10>
MeruController1(config)# rogue-ap scanning-channel <channel-list from 0 to 256 characters>
MeruController1(config)# rogue-ap min-rssi <level from -100 to 0, RSSI level is -100 by default.>
MeruController1(config)# exit
To view the rogue AP configuration and list of all rogue APs:
To confirm the rogue AP detection state:
MeruController1# show rogue-ap globals
MeruController1# show rogue-ap-list
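The following pre-change check is an added example, not Fortinet or Meru code: it validates a planned rogue-AP configuration against the ranges given in the GUI steps, estimates how much of each scan/operate cycle is spent off the home channel, and renders the config-mode commands listed above. The function names, the sample plan, and the one-channel-per-scanning-window sweep estimate are assumptions.

```python
# Added example: limits are copied from the GUI steps in this article.
LIMITS = {
    "aging": (60, 86400),             # seconds before a rogue alarm clears
    "assigned-aps": (1, 20),          # number of Mitigating APs
    "scanning-time": (100, 500),      # ms spent scanning per cycle
    "operational-time": (100, 5000),  # ms on the home channel (GUI range)
    "mitigation-frames": (1, 50),     # deauth frames per channel
    "min-rssi": (-100, 0),            # RSSI threshold for mitigation
}
MODES = {"all", "none", "selected", "wiredRogue"}  # CLI mitigation keywords

def check(cfg):
    """Return a list of problems; an empty list means every value is in range."""
    problems = []
    if cfg["mitigation"] not in MODES:
        problems.append(f"mitigation: unknown mode {cfg['mitigation']!r}")
    for key, (lo, hi) in LIMITS.items():
        if not lo <= cfg[key] <= hi:
            problems.append(f"{key}: {cfg[key]} outside {lo}..{hi}")
    chan = cfg["scanning-channel"]
    if len(chan) > 256:
        problems.append("scanning-channel: longer than 256 characters")
    if chan and not all(c.strip().isdigit() for c in chan.split(",")):
        problems.append("scanning-channel: not a comma-separated channel list")
    return problems

def scan_profile(cfg):
    """Return (share of each cycle spent scanning, seconds for one full sweep).
    Assumption: one channel is visited per scanning window."""
    cycle_ms = cfg["scanning-time"] + cfg["operational-time"]
    channels = [c for c in cfg["scanning-channel"].split(",") if c.strip()]
    return cfg["scanning-time"] / cycle_ms, len(channels) * cycle_ms / 1000.0

def render_cli(cfg):
    """Emit the config-mode commands from the CLI steps for a validated plan."""
    problems = check(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["rogue-ap detection", f"rogue-ap mitigation {cfg['mitigation']}"]
    lines += [f"rogue-ap {key} {cfg[key]}" for key in LIMITS]
    lines.append(f"rogue-ap scanning-channel {cfg['scanning-channel']}")
    return lines

# Constructed sample plan (illustrative values, not vendor recommendations).
PLAN = {"mitigation": "selected", "aging": 600, "assigned-aps": 3,
        "scanning-time": 100, "operational-time": 400,
        "mitigation-frames": 10, "min-rssi": -100,
        "scanning-channel": "1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,"
                            "56,60,64,149,153,157,161,165"}
```

With the sample plan, the AP spends 20% of each cycle scanning and, under the stated assumption, covers the 24 default channels in about 12 seconds.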
Copyright 2024 Fortinet, Inc. All Rights Reserved.