How to change the number of Mitigation APs and the Rogue AP aging time.
KB ARTICLE TYPE: Configuration
RELATED PRODUCTS: AP
RELATED SOFTWARE VERSIONS: N/A
KEYWORDS: rogue, mitigation, QoS
The default settings for rogue AP detection and mitigation are adequate for most situations. By default, the controller selects three Mitigating APs to perform scanning and mitigation. This number can be set anywhere from 1 to 20 APs, depending on the needs of your network. The Rogue AP aging time can also be changed.
CONFIGURATION STEPS:
GUI Steps:
STEP 1: Go to the "Configuration" tab >> "Wireless IDS/IPS" >> "Rogue APs".
STEP 2: Under the "Global settings" tab, turn Detection On.
STEP 3: In the "Mitigation" list, select one of the following:
* No mitigation: No rogue AP mitigation is performed.
* Block all BSSIDs that are not in the ACL: Enables rogue AP mitigation of all detected BSSIDs that are not specified as authorized in the Allowed APs list.
* Block only BSSIDs in blocked list: Enables rogue AP mitigation only for the BSSIDs that are listed in the Blocked APs list.
* Block Clients seen on the wire: Enables rogue mitigation for any rogue station detected on the wired side of the AP (the corporate network, in many cases).
STEP 4: Under the "Global settings" tab, set the "Number of Mitigating APs" by entering the number of APs (from 1 to 20) that will perform scanning and mitigation of rogue APs.
STEP 5: Set the "Rogue AP aging" in seconds. Type the amount of time that passes before the rogue AP alarm is cleared if the controller no longer detects the rogue. The value can be from 60 through 86,400 seconds.
STEP 6: Click Ok to apply the settings.
CLI Steps:
MeruController1#configure terminal
MeruController1(config)#rogue-ap detection
MeruController1(config)#rogue-ap mitigation <all | none | selected | wiredRogue>
MeruController1(config)#rogue-ap assigned-aps <number_aps from 1 to 20>
MeruController1(config)#rogue-ap aging <aging-time 60-86400 in seconds>
MeruController1(config)#exit
To view the Rogue-AP configuration:
MeruController1#show rogue-ap globals
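The CLI steps above, collected into a small generator that validates the values before anyone pastes them into a controller session. This is an added example, not part of the Fortinet article or of Meru's own tooling: it assumes only the command syntax and the 1-20 / 60-86400 ranges stated above, and the GUI-label-to-keyword mapping (none, all, selected, wiredRogue) is inferred from the meaning of the two lists, not taken from product documentation.

```python
#!/usr/bin/env python3
"""Generate and validate the rogue-AP CLI sequence for a Meru controller.

Added example, not Fortinet/Meru code. It assumes only the command syntax
listed in the CLI Steps and the value ranges the article states.
"""

# GUI "Mitigation" label -> CLI keyword. The mapping is inferred from the
# meaning of the GUI and CLI option lists in the article (assumption).
MITIGATION_MODES = {
    "No mitigation": "none",
    "Block all BSSIDs that are not in the ACL": "all",
    "Block only BSSIDs in blocked list": "selected",
    "Block Clients seen on the wire": "wiredRogue",
}

# Ranges stated in the article.
MIN_APS, MAX_APS = 1, 20
MIN_AGING, MAX_AGING = 60, 86400


def mitigation_keyword(mode):
    """Accept either the GUI label or the CLI keyword; return the keyword."""
    if mode in MITIGATION_MODES:
        return MITIGATION_MODES[mode]
    if mode in MITIGATION_MODES.values():
        return mode
    raise ValueError("unknown mitigation mode: %r" % (mode,))


def build_rogue_ap_config(mode, assigned_aps, aging_seconds):
    """Return the CLI lines to paste, in the order the article gives them.

    Range checks happen here rather than on the controller so that a bad
    value in a bulk rollout fails before any session is opened.
    """
    assigned_aps = int(assigned_aps)
    aging_seconds = int(aging_seconds)
    if not MIN_APS <= assigned_aps <= MAX_APS:
        raise ValueError("assigned-aps must be %d-%d, got %d"
                         % (MIN_APS, MAX_APS, assigned_aps))
    if not MIN_AGING <= aging_seconds <= MAX_AGING:
        raise ValueError("aging must be %d-%d seconds, got %d"
                         % (MIN_AGING, MAX_AGING, aging_seconds))
    keyword = mitigation_keyword(mode)
    return [
        "configure terminal",
        "rogue-ap detection",
        "rogue-ap mitigation %s" % keyword,
        "rogue-ap assigned-aps %d" % assigned_aps,
        "rogue-ap aging %d" % aging_seconds,
        "exit",
        # Verification step from the article: review what was applied.
        "show rogue-ap globals",
    ]


if __name__ == "__main__":
    # Example: block only the BSSIDs in the Blocked APs list, five
    # mitigating APs, clear a stale rogue alarm after one hour.
    print("\n".join(build_rogue_ap_config("selected", 5, 3600)))
```

The output is plain text, so it can be reviewed in a change ticket and pasted into the controller session as-is; the final show command is included so the applied values are checked immediately after the change.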
LIMITATIONS IF ANY:
Unless the AP is in dedicated scanning mode, the more time an AP spends scanning and mitigating, the less time it spends providing normal WLAN service. The following rules determine how service is provided:
1) The controller picks the APs that will scan and mitigate; which APs mitigate depends on their proximity to the rogue AP and on the Number of Mitigating APs that has been set.
2) To preserve operational performance, an AP that has associated clients mitigates only on its home channel.
3) Settings are administered globally; there is no way to set a particular AP to mitigate.
4) Mitigation is performed only on clients associated to rogue APs; the rogue APs themselves are not mitigated. It is the network administrator's responsibility to remove the rogue APs from the network.
5) AP mitigation frames are prioritized below QoS frames, but above Best Effort frames.
6) To reduce network traffic, you may configure the scanning channel list to contain only the home channels.
Copyright 2024 Fortinet, Inc. All Rights Reserved.