Wireless Controller
Dedicated Wi-Fi control and management for high density and mobility
nsamuel
Staff
Article Id 197806
Description

How to change the number of Mitigation APs and the Rogue AP aging time.


Scope

KB ARTICLE TYPE: Configuration

RELATED PRODUCTS: AP

RELATED SOFTWARE VERSIONS: N/A

KEYWORDS: rogue, mitigation, QoS


Solution

The default settings for the rogue AP detection and mitigation features are adequate for most situations. By default, the controller selects three Mitigating APs to perform scanning and mitigation. This number can be set as high as 20 APs or as low as 1 AP, depending on the needs of your network. The Rogue AP aging time can also be changed.

CONFIGURATION STEPS:

GUI Steps:

STEP 1: Go to the "Configuration" tab >> "Wireless IDS/IPS" >> "Rogue APs".

STEP 2: Under the "Global settings" tab, turn on Detection.

STEP 3: In the "Mitigation" list, select one of the following:

* No mitigation: No rogue AP mitigation is performed.
* Block all BSSIDs that are not in the ACL: Enables rogue AP mitigation of all detected BSSIDs that are not specified as authorized in the Allowed APs list.
* Block only BSSIDs in blocked list: Enables rogue AP mitigation only for the BSSIDs that are listed in the Blocked APs list.
* Block Clients seen on the wire: Enables rogue mitigation for any rogue station detected on the wired side of the AP (the corporate network, in many cases).

STEP 4: Under the "Global settings" tab, set the "Number of Mitigating APs" by entering the number of APs (from 1 to 20) that will perform scanning and mitigation of rogue APs.

STEP 5: Set the "Rogue AP aging" in seconds. Type the amount of time that passes before the rogue AP alarm is cleared if the controller no longer detects the rogue. The value can be from 60 through 86,400 seconds.

STEP 6: Click OK to apply the settings.

CLI Steps:

MeruController1#configure terminal
MeruController1(config)#rogue-ap detection
MeruController1(config)#rogue-ap mitigation <all | none | selected | wiredRogue>
MeruController1(config)#rogue-ap assigned-aps <number_aps from 1 to 20>
MeruController1(config)#rogue-ap aging <aging-time 60-86400 in seconds>
MeruController1(config)#exit

To view the Rogue AP configuration:

MeruController1#show rogue-ap globals
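
The following is an added example, not code from the original article or from the vendor: a small Python helper that checks planned settings against the ranges stated above (1 to 20 Mitigating APs, 60 to 86,400 seconds aging) and renders the CLI lines to enter. The mapping from GUI option names to the CLI keywords is an assumption inferred from the option names, and the sample values are constructed.

```python
# Added example (not vendor code): validate rogue-AP settings against the
# ranges stated in this article and render the config-mode lines to enter.

# Assumption: GUI option -> CLI keyword mapping is inferred from the names.
MITIGATION_KEYWORDS = {
    "No mitigation": "none",
    "Block all BSSIDs that are not in the ACL": "all",
    "Block only BSSIDs in blocked list": "selected",
    "Block Clients seen on the wire": "wiredRogue",
}
AP_RANGE = (1, 20)         # "Number of Mitigating APs"
AGING_RANGE = (60, 86400)  # "Rogue AP aging", in seconds


def _check_range(name, value, bounds):
    # bool is an int subclass; reject it so True is not read as 1
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"{name} must be an integer, got {value!r}")
    low, high = bounds
    if not low <= value <= high:
        raise ValueError(f"{name}={value} is outside {low}-{high}")
    return value


def render_rogue_ap_config(mitigation, assigned_aps=3, aging=None):
    """Return the CLI lines for the requested settings.

    mitigation may be a GUI option name or a CLI keyword. assigned_aps
    defaults to 3, the default stated in the article. The aging line is
    omitted when aging is None, leaving the controller's value unchanged.
    """
    keyword = MITIGATION_KEYWORDS.get(mitigation, mitigation)
    if keyword not in MITIGATION_KEYWORDS.values():
        raise ValueError(f"unknown mitigation mode: {mitigation!r}")
    aps = _check_range("assigned-aps", assigned_aps, AP_RANGE)
    lines = ["configure terminal", "rogue-ap detection",
             f"rogue-ap mitigation {keyword}",
             f"rogue-ap assigned-aps {aps}"]
    if aging is not None:
        lines.append(f"rogue-ap aging {_check_range('aging', aging, AGING_RANGE)}")
    lines += ["exit", "show rogue-ap globals"]
    return lines


if __name__ == "__main__":
    # Constructed sample values: 5 mitigating APs, one-hour aging.
    for line in render_rogue_ap_config("Block only BSSIDs in blocked list", 5, 3600):
        print(line)
```

Out-of-range or mistyped values raise ValueError before anything is pasted into the controller session.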

LIMITATIONS IF ANY:

Unless the AP is in dedicated scanning mode, the more time that is spent scanning and mitigating, the less time is spent by the AP in normal WLAN operating services. Some rules determine how service is provided:

1) The controller picks the APs that will scan and mitigate; those that mitigate are dependent on their proximity to the rogue AP and the number of Mitigating APs that have been set.

2) To preserve operational performance, APs will mitigate only the home channel if they have clients that are associated.

3) Settings are administered globally; there is no way to set a particular AP to mitigate.

4) Mitigation is performed only on clients associated to rogue APs; the rogue APs themselves are not mitigated. It is the network administrator’s responsibility to remove the rogue APs from the network.

5) AP mitigation frames are prioritized below QoS frames, but above Best Effort frames.

6) To reduce network traffic, you may configure a scanning channels list that contains only the home channels.

