Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Cupertino 17.7.x - Managing Rogue Devices [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco
Managing Rogue Devices

· Rogue Detection, on page 1
· Rogue Detection Security Level, on page 13
· Setting Rogue Detection Security-level, on page 14
· Wireless Service Assurance Rogue Events, on page 15

Rogue Detection

Rogue Devices

Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using plain-text or other denial-of-service or man-in-the-middle attacks. That is, a hacker can use a rogue access point to capture sensitive information, such as usernames and passwords. The hacker can then transmit a series of Clear to Send (CTS) frames. This action mimics an access point, informing a particular client to transmit and instructing all the other clients to wait, which results in legitimate clients being unable to access network resources. Wireless LAN service providers have a strong interest in banning rogue access points from the air space.

Because rogue access points are inexpensive and readily available, employees sometimes plug unauthorized rogue access points into existing LANs and build ad hoc wireless networks without their IT department's knowledge or consent. These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. There is an increased chance of an enterprise security breach when wireless users connect to access points in the enterprise network.

The following are some guidelines to manage rogue devices:

· The access points are designed to serve associated clients. These access points spend relatively little time performing off-channel scanning: about 50 milliseconds on each channel. If you want to detect a large number of rogue APs and clients with high sensitivity, a monitor mode access point must be used.
  Alternatively, you can reduce the scan interval from 180 seconds to a lower value, for example 120 or 60 seconds, so that the radio goes off-channel more frequently, which improves the chances of rogue detection. However, the access point still spends only about 50 milliseconds on each channel.
· Rogue detection is disabled by default for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect many rogue devices.

Managing Rogue Devices 1

· Client card implementation might reduce the effectiveness of containment. This normally happens when a client quickly reconnects to the network after receiving a "de-association/de-authentication" frame, so it might still be able to pass some traffic. However, the browsing experience of the rogue client is badly affected while it is contained.
· It is possible to classify and report rogue access points by using rogue states and user-defined classification rules that enable rogues to automatically move between states.
· Each controller limits the number of rogue containments to three per radio (six per radio for access points in monitor mode).
· When manual containment is performed using configuration, the rogue entry is retained even after the rogue entry expires.
· When a rogue entry expires, the managed access points are instructed to stop any active containment on it.
· When Validate Rogue AP Against AAA is enabled, the controller requests the AAA server for rogue AP classification at the configured interval.
· To validate a rogue AP against AAA, add the rogue AP MAC address to the AAA user database, with both the username and the password being the MAC address with the relevant delimiter. The Access-Accept contains the Cisco-AV-pair with one of the following keywords:
  · rogue-ap-state=state
    Note: Here, state can be one of: alert, contain, internal, external, or threat.
  · rogue-ap-class=class
    Note: Here, class can be one of: unclassified, malicious, or friendly.
  The following are the allowed combinations of class and state:
  · unclassified: alert, contain, or threat.
  · malicious: alert, contain, or threat.
  · friendly: alert, internal, or external.
  A RADIUS Access-Reject for rogue AP AAA validation is ignored.
· When Validate Rogue Clients Against AAA is enabled, the controller requests the AAA server for rogue client validation only once. As a result, if rogue client validation fails on the first attempt, the rogue client is no longer detected as a threat. To avoid this, add the valid client entries to the authentication server before enabling Validate Rogue Clients Against AAA.

Restrictions on Rogue Detection

· Rogue containment is not supported on DFS channels.

A rogue access point is moved to a contained state either automatically or manually. The controller selects the best available access point for containment and pushes the information to that access point. The access point stores the list of containments per radio. For auto containment, you can configure the controller to use only monitor mode access points. The containment operation occurs in the following two ways:

· The container access point goes through the list of containments periodically and sends unicast containment frames. For rogue access point containment, the frames are sent only if a rogue client is associated.
· Whenever contained rogue activity is detected, containment frames are transmitted.

Individual rogue containment involves sending a sequence of unicast disassociation and deauthentication frames.

From the 17.7.1 release onwards, Beacon DS Attack and Beacon Wrong Channel signatures were introduced.
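The AAA validation guideline above leaves the RADIUS side to the operator: the rogue AP MAC must be the username and password, and the Access-Accept must carry rogue-ap-class / rogue-ap-state in a Cisco-AV-pair using only the listed combinations. The following is an added example (not Cisco code or part of this guide) that encodes those rules, checks an Access-Accept's AV pairs before they are trusted, and renders a user entry in FreeRADIUS users-file syntax (an assumption; adapt the rendering to your own AAA server, and the MAC delimiter to the one the controller is configured to send).

```python
"""Cisco-AV-pair handling for rogue AP AAA validation (added example, not Cisco code)."""
import re

# Allowed rogue-ap-state values per rogue-ap-class, as listed in the guidelines.
ALLOWED_STATES = {
    "unclassified": {"alert", "contain", "threat"},
    "malicious": {"alert", "contain", "threat"},
    "friendly": {"alert", "internal", "external"},
}
ALL_STATES = set().union(*ALLOWED_STATES.values())


def normalize_mac(mac: str, delimiter: str = "") -> str:
    """Return the MAC in lowercase with the delimiter the AAA server expects.

    Which delimiter ("", ":", "-" or ".") is right depends on the controller's
    MAC delimiter setting; that choice is an assumption made by the caller.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    if delimiter == "":
        return hexdigits
    if delimiter == ".":  # Cisco dotted form: 002c.c8c1.096d
        return ".".join(hexdigits[i:i + 4] for i in range(0, 12, 4))
    return delimiter.join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_allowed(rogue_class: str, rogue_state: str) -> bool:
    """True only for the class/state combinations the controller accepts."""
    return rogue_state.lower() in ALLOWED_STATES.get(rogue_class.lower(), set())


def rogue_ap_av_pairs(rogue_class: str, rogue_state: str) -> list[str]:
    """Build the two Cisco-AV-pair values for one rogue AP, rejecting
    combinations such as friendly + contain that the page does not allow."""
    rogue_class, rogue_state = rogue_class.lower(), rogue_state.lower()
    if rogue_class not in ALLOWED_STATES:
        raise ValueError(f"unknown rogue-ap-class {rogue_class!r}")
    if not is_allowed(rogue_class, rogue_state):
        raise ValueError(f"state {rogue_state!r} not allowed for class {rogue_class!r}")
    return [f"rogue-ap-class={rogue_class}", f"rogue-ap-state={rogue_state}"]


def parse_access_accept(av_pairs: list[str]) -> dict[str, str]:
    """Pick the rogue keywords out of an Access-Accept's Cisco-AV-pair values and
    validate them. Unrelated AV pairs are ignored. (An Access-Reject is ignored
    by the controller, so it never reaches this function.)"""
    found = {}
    for pair in av_pairs:
        key, sep, value = pair.partition("=")
        key = key.strip()
        if sep and key in ("rogue-ap-class", "rogue-ap-state"):
            found[key] = value.strip().lower()
    cls, state = found.get("rogue-ap-class"), found.get("rogue-ap-state")
    if cls is not None and cls not in ALLOWED_STATES:
        raise ValueError(f"unknown rogue-ap-class {cls!r}")
    if state is not None and state not in ALL_STATES:
        raise ValueError(f"unknown rogue-ap-state {state!r}")
    if cls is not None and state is not None and not is_allowed(cls, state):
        raise ValueError(f"state {state!r} not allowed for class {cls!r}")
    return found


def users_file_entry(mac: str, delimiter: str, rogue_class: str, rogue_state: str) -> str:
    """Render one FreeRADIUS 'users' entry (syntax assumed) for the rogue AP:
    username and password are both the delimited MAC; the reply carries the pairs."""
    ident = normalize_mac(mac, delimiter)
    class_pair, state_pair = rogue_ap_av_pairs(rogue_class, rogue_state)
    return "\n".join([
        f'{ident}\tCleartext-Password := "{ident}"',
        f'\tCisco-AVPair = "{class_pair}",',
        f'\tCisco-AVPair += "{state_pair}"',
    ])


if __name__ == "__main__":
    # Constructed sample: classify a known-bad BSSID as malicious/threat.
    print(users_file_entry("00:2C:C8:C1:09:6D", "", "malicious", "threat"))
```

Because the controller ignores Access-Reject, leaving a rogue out of the database does not mark it as anything; a rogue you want classified must have an entry whose reply carries the pair, and a mistyped combination is caught here before it reaches the server.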
Beacon DS Attack: When managed and rogue APs use the same BSSID, the rogue APs are termed impersonators. An attacker can add the Direct-Sequence parameter set information element with any channel number. If the added channel number is different from the channel number used by the managed AP, the attack is termed a Beacon DS Attack.

Beacon Wrong Channel: When managed and rogue APs use the same BSSID, the rogue APs are termed AP impersonators. If an AP impersonator uses a channel number that is different from the one used by the managed AP with the same BSSID, the attack is termed Beacon Wrong Channel. In such a case, the Direct-Sequence information element might not even be present in the Beacon frame.

Cisco Prime Infrastructure Interaction and Rogue Detection

Cisco Prime Infrastructure supports rule-based classification and uses the classification rules configured on the controller. The controller sends traps to Cisco Prime Infrastructure after the following events:

· If an unknown access point moves to the Friendly state for the first time, the controller sends a trap to Cisco Prime Infrastructure only if the rogue state is Alert. It does not send a trap if the rogue state is Internal or External.
· If a rogue entry is removed after the timeout expires, the controller sends a trap to Cisco Prime Infrastructure for rogue access points that are categorized as Malicious (Alert, Threat) or Unclassified (Alert). The controller does not remove rogue entries with the following rogue states: Contained, Contained Pending, Internal, and External.

Information About Rogue Containment (Protected Management Frames (PMF) Enabled)

From Cisco IOS XE Amsterdam 17.3.1 onwards, rogue devices that have 802.11w Protected Management Frames (PMF) enabled are not contained. Instead, the rogue device is marked as Contained Pending, and a WSA alarm is raised to report the Contained Pending event. Because containment is not performed on such a device, access point (AP) resources are not consumed unnecessarily.

Note: This feature is supported only on Wave 2 APs.

Run the show wireless wps rogue ap detailed command to verify device containment when PMF is enabled on a rogue device.

AP Impersonation Detection

The various methods to detect AP impersonation are:

· AP impersonation can be detected if a managed AP reports itself as Rogue. This method is always enabled and no configuration is required.
· AP impersonation detection based on MFP.
· AP impersonation detection based on AP authentication.

Infrastructure MFP protects 802.11 session management functions by adding message integrity check (MIC) information elements to the management frames sent by APs (and not to those sent by clients), which are then validated by other APs in the network. If infrastructure MFP is enabled, the managed APs check whether the MIC information elements are present and whether they are as expected. If either condition is not fulfilled, the managed AP sends rogue AP reports with an updated AP authentication failure counter.

The AP Authentication functionality allows you to detect AP impersonation. When you enable this functionality, the controller creates an AP domain secret and shares it with the other APs in the same network. This allows the APs to authenticate each other. An AP Authentication information element is attached to beacon and probe response frames. If the AP Authentication information element has an incorrect Signature field, or its timestamp is off, or the AP Authentication information element is missing, then the AP that detects the condition increments the AP authentication failure count field. An impersonation alarm is raised after the AP authentication failure count field breaches its threshold. The rogue AP is classified as Malicious with state Threat.
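The three checks described in this chapter, the Beacon DS Attack and Beacon Wrong Channel signatures from "Restrictions on Rogue Detection" and the AP Authentication information element checks (missing element, bad Signature, timestamp off, failure counter against a threshold) from this section, can be written down as one small detector. The following is an added example, not Cisco's implementation: the AP Authentication element is modelled as a timestamp plus a truncated HMAC-SHA256 over the BSSID and timestamp under a shared domain secret, which is an assumption about the element's contents, and the managed AP table, threshold and clock skew window are constructed for the example.

```python
"""Model of AP impersonation detection (added example, not Cisco code)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApAuthIE:
    """AP Authentication information element as modelled here (assumption)."""
    timestamp: int      # seconds, as claimed by the sender
    signature: bytes    # truncated HMAC over (bssid, timestamp) with the domain secret


@dataclass
class Beacon:
    """What an observing managed AP reports about one beacon it heard."""
    bssid: str
    seen_channel: int                   # channel the frame was received on
    ds_channel: Optional[int] = None    # DS parameter set IE channel, if present
    auth_ie: Optional[ApAuthIE] = None  # AP Authentication IE, if present


def sign(secret: bytes, bssid: str, timestamp: int) -> bytes:
    """Signature a genuine managed AP would put in its AP Authentication IE."""
    msg = f"{bssid.lower()}|{timestamp}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


class ImpersonationDetector:
    def __init__(self, managed: dict[str, int], secret: bytes,
                 threshold: int = 3, max_skew: int = 5):
        self.managed = {k.lower(): v for k, v in managed.items()}  # BSSID -> channel
        self.secret = secret
        self.threshold = threshold      # AP authentication failure count threshold
        self.max_skew = max_skew        # tolerated timestamp skew in seconds
        self.failures: dict[str, int] = {}
        self.alarmed: set[str] = set()

    def evaluate(self, b: Beacon, now: int) -> list[str]:
        """Return the findings for one beacon, in the order they are checked."""
        bssid = b.bssid.lower()
        findings: list[str] = []
        if bssid not in self.managed:
            return findings  # not one of our BSSIDs: ordinary rogue handling, not impersonation
        managed_channel = self.managed[bssid]

        # Beacon signatures: same BSSID as a managed AP but a different channel.
        if b.ds_channel is not None and b.ds_channel != managed_channel:
            findings.append("Beacon DS Attack")
        if b.seen_channel != managed_channel:
            findings.append("Beacon Wrong Channel")

        # AP Authentication IE: missing, timestamp off, or wrong Signature field.
        reason = None
        if b.auth_ie is None:
            reason = "missing"
        elif abs(b.auth_ie.timestamp - now) > self.max_skew:
            reason = "timestamp"
        elif not hmac.compare_digest(b.auth_ie.signature,
                                     sign(self.secret, bssid, b.auth_ie.timestamp)):
            reason = "signature"
        if reason is not None:
            count = self.failures.get(bssid, 0) + 1
            self.failures[bssid] = count
            findings.append(f"ap-auth-failure:{reason}")
            if count >= self.threshold and bssid not in self.alarmed:
                self.alarmed.add(bssid)  # raise the impersonation alarm once
                findings.append("IMPERSONATION ALARM: classify Malicious/Threat")
        return findings


if __name__ == "__main__":
    secret = b"constructed-domain-secret"
    det = ImpersonationDetector({"002c.c8c1.096d": 1}, secret, threshold=3)
    print(det.evaluate(Beacon("002c.c8c1.096d", 6, 6, None), now=1000))
```

A beacon that carries a valid element on the right channel produces no findings; one that reuses a managed BSSID on another channel produces the channel signatures immediately, while the authentication failures accumulate across reports until the threshold is reached, which is why the alarm appears only on the third bad beacon in the test.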
Run the show wireless wps rogue ap detailed command to see when impersonation is detected due to authentication errors.

Configuring Rogue Detection (GUI)

Procedure

Step 1  Choose Configuration > Tags & Profiles > AP Join.
Step 2  Click the AP Join Profile Name to edit the AP join profile properties.
Step 3  In the Edit AP Join Profile window, click the Rogue AP tab.
Step 4  Check the Rogue Detection check box to enable rogue detection.
Step 5  In the Rogue Detection Minimum RSSI field, enter the RSSI value.
Step 6  In the Rogue Detection Transient Interval field, enter the interval in seconds.
Step 7  In the Rogue Detection Report Interval field, enter the report interval value in seconds.
Step 8  In the Rogue Detection Client Number Threshold field, enter the threshold for rogue client detection.
Step 9  Check the Auto Containment on FlexConnect Standalone check box to enable auto containment.
Step 10 Click Update & Apply to Device.

Configuring Rogue Detection (CLI)

Procedure

Step 1  configure terminal
        Example:
          Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  ap profile profile-name
        rogue detection min-rssi rssi in dBm
        Example:
          Device(config)# ap profile profile1
          Device(config)# rogue detection min-rssi -100
        Purpose: Specifies the minimum RSSI value that rogues should have for APs to detect them and for a rogue entry to be created in the device. The valid range for the rssi in dBm parameter is -128 dBm to -70 dBm, and the default value is -128 dBm.
        Note: This feature is applicable to all AP modes. There can be many rogues with very weak RSSI values that do not provide any valuable information in rogue analysis. Therefore, you can use this option to filter rogues by specifying the minimum RSSI value at which APs should detect rogues.

Step 3  ap profile profile-name
        rogue detection containment {auto-rate | flex-rate}
        Example:
          Device(config)# ap profile profile1
          Device(config)# rogue detection containment flex-rate
        Purpose: Specifies the rogue containment options. The auto-rate option enables auto-rate for containment of rogues. The flex-rate option enables rogue containment on standalone FlexConnect APs.

Step 4  ap profile profile-name
        rogue detection enable
        Example:
          Device(config)# ap profile profile1
          Device(config)# rogue detection enable
        Purpose: Enables rogue detection on all APs.

Step 5  ap profile profile-name
        rogue detection report-interval time in seconds
        Example:
          Device(config)# ap profile profile1
          Device(config)# rogue detection report-interval 120
        Purpose: Configures the rogue report interval for monitor mode Cisco APs. The valid range for the report interval is 10 seconds to 300 seconds.

Configuring RSSI Deviation Notification Threshold for Rogue APs (CLI)

Procedure

Step 1  configure terminal
        Example:
          Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  wireless wps rogue ap notify-rssi-deviation
        Example:
          Device(config)# wireless wps rogue ap notify-rssi-deviation
        Purpose: Configures the RSSI deviation notification threshold for rogue APs.

Step 3  end
        Example:
          Device(config)# end
        Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Configuring Management Frame Protection (GUI)

Procedure

Step 1  Choose Configuration > Security > Wireless Protection Policies.
Step 2  In the Rogue Policy tab, under the MFP Configuration section, check the Global MFP State check box and the AP Impersonation Detection check box to enable the global MFP state and AP impersonation detection, respectively.
Step 3  In the MFP Key Refresh Interval field, specify the refresh interval in hours.
Step 4  Click Apply.

Configuring Management Frame Protection (CLI)

Procedure

Step 1  configure terminal
        Example:
          Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  wireless wps mfp
        Example:
          Device(config)# wireless wps mfp
        Purpose: Configures management frame protection.

Step 3  wireless wps mfp {ap-impersonation | key-refresh-interval}
        Example:
          Device(config)# wireless wps mfp ap-impersonation
          Device(config)# wireless wps mfp key-refresh-interval
        Purpose: Configures AP impersonation detection, or the MFP key refresh interval in hours. key-refresh-interval refers to the MFP key refresh interval in hours. The valid range is from 1 to 24. The default value is 24.

Step 4  end
        Example:
          Device(config)# end
        Purpose: Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Enabling Access Point Authentication

Procedure

Step 1  configure terminal
        Example:
          Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  wireless wps ap-authentication
        Example:
          Device(config)# wireless wps ap-authentication
        Purpose: Configures wireless WPS AP authentication.

Step 3  wireless wps ap-authentication threshold threshold
        Example:
          Device(config)# wireless wps ap-authentication threshold 100
        Purpose: Configures AP neighbor authentication and sets the threshold for AP authentication failures.

Step 4  wlan wlan-name wlan-id SSID-name
        Example:
          Device(config)# wlan wlan-demo 1 ssid-demo
        Purpose: Configures a WLAN.

Step 5  ccx aironet-iesupport
        Example:
          Device(config-wlan)# ccx aironet-iesupport
        Purpose: Enables support for Aironet Information Elements on this WLAN.

Step 6  end
        Example:
          Device# end
        Purpose: Returns to privileged EXEC mode.
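The CLI procedures above (Configuring Rogue Detection, Configuring Management Frame Protection, Enabling Access Point Authentication) each state a valid range, and a value outside it is the kind of mistake that is easiest to catch before it is pasted into a session. The following is an added example, not Cisco code or part of this guide, that renders those command sequences from checked values; rogue_policy_config does the same for the global rogue policy commands whose ranges are given later in "Configuring Rogue Policies (CLI)". It assumes that key-refresh-interval and ap-authentication threshold take their value as a trailing argument, as the other commands on the page do, and it precedes the policy commands with security-level custom because that is the level on which all detection parameters are configurable.

```python
"""Render IOS XE rogue detection, MFP and AP authentication commands from
checked values (added example, not Cisco code)."""

# Ranges as stated in the CLI procedures of this chapter.
RANGES = {
    "min_rssi_dbm": (-128, -70),
    "report_interval_s": (10, 300),
    "mfp_key_refresh_h": (1, 24),
    "ap_timeout_s": (240, 3600),
    "aaa_polling_interval_s": (60, 86400),
    "client_threshold": (0, 256),
    "notify_min_rssi_dbm": (-128, -70),
    "notify_min_deviation_db": (0, 10),
}


def in_range(name: str, value) -> bool:
    """True when value is an integer inside the documented range for name."""
    lo, hi = RANGES[name]
    return isinstance(value, int) and lo <= value <= hi


def checked(name: str, value) -> int:
    """Return value, or raise so that e.g. min-rssi -60 never reaches the controller."""
    if not in_range(name, value):
        lo, hi = RANGES[name]
        raise ValueError(f"{name}={value!r} is outside {lo}..{hi}")
    return value


def ap_profile_rogue_config(profile: str, *, min_rssi_dbm: int = -128,
                            report_interval_s=None, containment=None) -> list[str]:
    """AP join profile commands (Configuring Rogue Detection (CLI), steps 2 to 5)."""
    lines = ["configure terminal", f"ap profile {profile}", "rogue detection enable",
             f"rogue detection min-rssi {checked('min_rssi_dbm', min_rssi_dbm)}"]
    if containment is not None:
        if containment not in ("auto-rate", "flex-rate"):
            raise ValueError("containment must be auto-rate or flex-rate")
        lines.append(f"rogue detection containment {containment}")
    if report_interval_s is not None:
        lines.append("rogue detection report-interval "
                     f"{checked('report_interval_s', report_interval_s)}")
    lines.append("end")
    return lines


def mfp_and_ap_auth_config(*, key_refresh_h: int = 24, ap_impersonation: bool = True,
                           ap_auth_threshold=None) -> list[str]:
    """Infrastructure MFP plus AP authentication (the two procedures above)."""
    lines = ["configure terminal", "wireless wps mfp"]
    if ap_impersonation:
        lines.append("wireless wps mfp ap-impersonation")
    lines.append("wireless wps mfp key-refresh-interval "
                 f"{checked('mfp_key_refresh_h', key_refresh_h)}")
    lines.append("wireless wps ap-authentication")
    if ap_auth_threshold is not None:  # no range is documented; require a positive count
        if not isinstance(ap_auth_threshold, int) or ap_auth_threshold < 1:
            raise ValueError("ap-authentication threshold must be a positive integer")
        lines.append(f"wireless wps ap-authentication threshold {ap_auth_threshold}")
    lines.append("end")
    return lines


def rogue_policy_config(*, ap_timeout_s=None, validate_client_aaa=False,
                        notify_min_rssi_dbm=None, notify_min_deviation_db=None,
                        validate_ap_aaa=False, aaa_polling_interval_s=None,
                        detect_adhoc=False, client_threshold=None) -> list[str]:
    """Global rogue policy commands, in the order of Configuring Rogue Policies (CLI)."""
    lines = ["configure terminal", "wireless wps rogue security-level custom"]
    if ap_timeout_s is not None:
        lines.append(f"wireless wps rogue ap timeout {checked('ap_timeout_s', ap_timeout_s)}")
    if validate_client_aaa:
        lines.append("wireless wps rogue client aaa")
    if notify_min_rssi_dbm is not None:
        lines.append("wireless wps rogue client notify-min-rssi "
                     f"{checked('notify_min_rssi_dbm', notify_min_rssi_dbm)}")
    if notify_min_deviation_db is not None:
        lines.append("wireless wps rogue client notify-min-deviation "
                     f"{checked('notify_min_deviation_db', notify_min_deviation_db)}")
    if validate_ap_aaa:
        lines.append("wireless wps rogue ap aaa")
    if aaa_polling_interval_s is not None:
        lines.append("wireless wps rogue ap aaa polling-interval "
                     f"{checked('aaa_polling_interval_s', aaa_polling_interval_s)}")
    if detect_adhoc:
        lines.append("wireless wps rogue adhoc")
    if client_threshold is not None:
        lines.append("wireless wps rogue client client-threshold "
                     f"{checked('client_threshold', client_threshold)}")
    lines.append("end")
    return lines


if __name__ == "__main__":
    for line in ap_profile_rogue_config("profile1", min_rssi_dbm=-100,
                                        report_interval_s=120, containment="flex-rate"):
        print(line)
```

The command lists are plain strings, so they can be reviewed, diffed against a running configuration, or fed to whatever transport you already use; the point of the example is the range check, which fails loudly instead of letting the controller reject or silently clamp a bad value.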
Verifying Management Frame Protection

To verify whether the Management Frame Protection (MFP) feature is enabled, use the following command:

Device# show wireless wps summary

Client Exclusion Policy
  Excessive 802.11-association failures    : unknown
  Excessive 802.11-authentication failures : unknown
  Excessive 802.1x-authentication          : unknown
  IP-theft                                 : unknown
  Excessive Web authentication failure     : unknown
  Failed Qos Policy                        : unknown

Management Frame Protection
  Global Infrastructure MFP state : Enabled
  AP Impersonation detection      : Disabled
  Key refresh interval            : 15

To view the MFP details, use the following command:

Device# show wireless wps mfp summary

Management Frame Protection
  Global Infrastructure MFP state : Enabled
  AP Impersonation detection      : Disabled
  Key refresh interval            : 15

Verifying Rogue Events

To verify the rogue event history, run the show wireless wps rogue ap detailed command:

Device# show wireless wps rogue ap detailed

Rogue Event history

Timestamp                  #Times  Class/State  Event               Ctx                       RC
-------------------------- ------- ------------ ------------------- ------------------------- ----
05/10/2021 13:56:46.657434 2       Mal/Threat   FSM_GOTO            Threat                    0x0
05/10/2021 13:56:46.654905 1       Unk/Init     EXPIRE_TIMER_START  240s                      0x0
05/10/2021 13:56:46.654879 1       Unk/Init     AP_IMPERSONATION    DS:1,ch:1,band_id:0       0x0
05/10/2021 13:56:46.654673 1       Unk/Init     RECV_REPORT         70db.98fc.2680/0          0x0
05/10/2021 13:56:46.654663 1       Unk/Init     INIT_TIMER_START    180s                      0x0
05/10/2021 13:56:46.654608 1       Unk/Init     CREATE                                        0x0

Rogue BSSID                      : 002c.c8c1.096d
Last heard Rogue SSID            : MarvellAP0d
802.11w PMF required             : No
Is Rogue an impersonator         : Yes
Beacon Wrong Channel             : Yes
Beacon DS Attack                 : Yes
Is Rogue on Wired Network        : No
Classification                   : Malicious
Manually Contained               : No
State                            : Threat
First Time Rogue was Reported    : 05/10/2021 13:56:46
Last Time Rogue was Reported     : 05/10/2021 13:56:46
Number of clients                : 0

Verifying Rogue Detection

This section describes the commands for verifying rogue detection. The following commands can be used to verify rogue detection on the device.

Table 1: Verifying Adhoc Rogues Information

Command                                               Purpose
show wireless wps rogue adhoc detailed mac_address    Displays the detailed information for an Adhoc rogue.
show wireless wps rogue adhoc summary                 Displays a list of all Adhoc rogues.

Table 2: Verifying Rogue AP Information

Command                                               Purpose
show wireless wps rogue ap clients mac_address        Displays the list of all rogue clients associated with a rogue.
show wireless wps rogue ap custom summary             Displays the custom rogue AP information.
show wireless wps rogue ap detailed mac_address       Displays the detailed information for a rogue AP.
show wireless wps rogue ap friendly summary           Displays the friendly rogue AP information.
show wireless wps rogue ap list mac_address           Displays the list of rogue APs detected by a given AP.
show wireless wps rogue ap malicious summary          Displays the malicious rogue AP information.
show wireless wps rogue ap summary                    Displays a list of all rogue APs.
show wireless wps rogue ap unclassified summary       Displays the unclassified rogue AP information.

Table 3: Verifying Rogue Auto-Containment Information

Command                                               Purpose
show wireless wps rogue auto-contain                  Displays the rogue auto-containment information.

Table 4: Verifying Classification Rule Information

Command                                               Purpose
show wireless wps rogue rule detailed rule_name       Displays the detailed information for a classification rule.
show wireless wps rogue rule summary                  Displays the list of all rogue rules.

Table 5: Verifying Rogue Statistics

Command                                               Purpose
show wireless wps rogue stats                         Displays the rogue statistics.

Table 6: Verifying Rogue Client Information

Command                                               Purpose
show wireless wps rogue client detailed mac_address   Displays detailed information for a rogue client.
show wireless wps rogue client summary                Displays a list of all the rogue clients.

Table 7: Verifying Rogue Ignore List

Command                                               Purpose
show wireless wps rogue ignore-list                   Displays the rogue ignore list.

Examples: Rogue Detection Configuration

This example shows how to configure the minimum RSSI that a detected rogue AP must have for an entry to be created in the device:

Device# configure terminal
Device(config)# ap profile profile1
Device(config)# rogue detection min-rssi -100
Device(config)# end
Device# show wireless wps rogue client summary/show wireless wps rogue ap summary

This example shows how to configure the classification interval:

Device# configure terminal
Device(config)# ap profile profile1
Device(config)# rogue detection min-transient-time 500
Device(config)# end
Device# show wireless wps rogue client summary/show wireless wps rogue ap summary

Configuring Rogue Policies (GUI)

Procedure

Step 1  Choose Configuration > Security > Wireless Protection Policies.
Step 2  In the Rogue Policies tab, use the Rogue Detection Security Level drop-down list to select the security level.
Step 3  In the Expiration timeout for Rogue APs (seconds) field, enter the timeout value.
Step 4  Select the Validate Rogue Clients against AAA check box to validate rogue clients against the AAA server.
Step 5  Select the Validate Rogue APs against AAA check box to validate rogue access points against the AAA server.
Step 6  In the Rogue Polling Interval (seconds) field, enter the interval at which to poll the AAA server for rogue information.
Step 7  Select the Detect and Report Adhoc Networks check box to enable detection of rogue ad hoc networks.
Step 8  In the Rogue Detection Client Number Threshold field, enter the threshold at which an SNMP trap is generated.
Step 9  In the Auto Contain section, enter the following details.
Step 10 Use the Auto Containment Level drop-down list to select the level.
Step 11 Select the Auto Containment only for Monitor Mode APs check box to limit auto-containment to monitor mode APs.
Step 12 Select the Rogue on Wire check box to limit auto-containment to rogue APs on the wire.
Step 13 Select the Using our SSID check box to limit auto-containment to rogue APs using one of the SSIDs configured on the controller.
Step 14 Select the Adhoc Rogue AP check box to limit auto-containment to ad hoc rogue APs.
Step 15 Click Apply.

Configuring Rogue Policies (CLI)

Procedure

Step 1  configure terminal
        Example:
          Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  wireless wps rogue security-level {critical | custom | high | low}
        Example:
          Device(config)# wireless wps rogue security-level custom
        Purpose: Configures the rogue detection security level. You can select critical for highly sensitive deployments, custom for a customizable security level, high for medium-scale deployments, and low for small-scale deployments.

Step 3  wireless wps rogue ap timeout number of seconds
        Example:
          Device(config)# wireless wps rogue ap timeout 250
        Purpose: Configures the expiration time for rogue entries, in seconds. The valid range is 240 seconds to 3600 seconds.

Step 4  wireless wps rogue client aaa
        Example:
          Device(config)# wireless wps rogue client aaa
        Purpose: Configures the use of AAA or the local database to detect valid MAC addresses.

Step 5  wireless wps rogue client mse
        Example:
          Device(config)# wireless wps rogue client mse
        Purpose: Configures the use of MSE to detect valid MAC addresses.

Step 6  wireless wps rogue client notify-min-rssi RSSI threshold
        Example:
          Device(config)# wireless wps rogue client notify-min-rssi -128
        Purpose: Configures the minimum RSSI notification threshold for rogue clients. The valid range for the RSSI threshold in dB is -128 dB to -70 dB.

Step 7  wireless wps rogue client notify-min-deviation RSSI threshold
        Example:
          Device(config)# wireless wps rogue client notify-min-deviation 4
        Purpose: Configures the RSSI deviation notification threshold for rogue clients. The valid range for the RSSI threshold in dB is 0 dB to 10 dB.

Step 8  wireless wps rogue ap aaa
        Example:
          Device(config)# wireless wps rogue ap aaa
        Purpose: Configures the use of AAA or the local database to classify rogue APs based on rogue AP MAC addresses.

Step 9  wireless wps rogue ap aaa polling-interval AP AAA Interval
        Example:
          Device(config)# wireless wps rogue ap aaa polling-interval 120
        Purpose: Configures the rogue AP AAA validation interval. The valid range for the AP AAA interval in seconds is 60 seconds to 86400 seconds.

Step 10 wireless wps rogue adhoc
        Example:
          Device(config)# wireless wps rogue adhoc
        Purpose: Enables detecting and reporting ad hoc rogues (IBSS).

Step 11 wireless wps rogue client client-threshold threshold
        Example:
          Device(config)# wireless wps rogue client client-threshold 100
        Purpose: Configures the SNMP trap threshold for the number of rogue clients per rogue AP. The valid range for the threshold is 0 to 256.

Step 12 wireless wps rogue ap init-timer
        Example:
          Device(config)# wireless wps rogue ap init-timer 180
        Purpose: Configures the init timer for rogue APs. The default timer value is 180 seconds.
        Note: When a rogue AP is detected, an init timer is started, and the rules are applied when this timer expires. This allows the rogue AP information to stabilize before any rules are applied. However, you can change the value of this timer using this command. For instance, the init timer can be set to 0 if the rules need to be applied as soon as a new rogue AP is detected.

Rogue Detection Security Level

The rogue detection security level configuration allows you to set rogue detection parameters.
The available security levels are:

· Critical: Basic rogue detection for highly sensitive deployments.
· High: Basic rogue detection for medium-scale deployments.
· Low: Basic rogue detection for small-scale deployments.
· Custom: Default security level, where all detection parameters are configurable.

Note: When in Critical, High, or Low, some rogue parameters are fixed and cannot be configured.

The following table shows parameter details for the three predefined levels:

Table 8: Rogue Detection: Predefined Levels

Parameter                                 Critical       High           Low
Cleanup Timer                             3600           1200           240
AAA Validate Clients                      Disabled       Disabled       Disabled
AAA Validate AP                           Disabled       Disabled       Disabled
Adhoc Reporting                           Enabled        Enabled        Enabled
Monitor-Mode Report Interval              10 seconds     30 seconds     60 seconds
Minimum RSSI                              -128 dBm       -80 dBm        -80 dBm
Transient Interval                        600 seconds    300 seconds    120 seconds
Auto Contain (works only on Monitor       Disabled       Disabled       Disabled
  Mode APs)
Auto Contain Level                        1              1              1
Auto Contain Same-SSID                    Disabled       Disabled       Disabled
Auto Contain Valid Clients on Rogue AP    Disabled       Disabled       Disabled
Auto Contain Adhoc                        Disabled       Disabled       Disabled
Containment Auto-Rate                     Enabled        Enabled        Enabled
Validate Clients with CMX                 Enabled        Enabled        Enabled
Containment FlexConnect                   Enabled        Enabled        Enabled

Setting Rogue Detection Security-level

Follow the procedure given below to set the rogue detection security level:

Procedure

Step 1  configure terminal
        Example:
          Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  wireless wps rogue security-level custom
        Example:
          Device(config)# wireless wps rogue security-level custom
        Purpose: Configures the rogue detection security level as custom.

Step 3  wireless wps rogue security-level low
        Example:
          Device(config)# wireless wps rogue security-level low
        Purpose: Configures the rogue detection security level for a basic rogue detection setup for small-scale deployments.

Step 4  wireless wps rogue security-level high
        Example:
          Device(config)# wireless wps rogue security-level high
        Purpose: Configures the rogue detection security level for a rogue detection setup for medium-scale deployments.

Step 5  wireless wps rogue security-level critical
        Example:
          Device(config)# wireless wps rogue security-level critical
        Purpose: Configures the rogue detection security level for a rogue detection setup for highly sensitive deployments.

Wireless Service Assurance Rogue Events

Wireless Service Assurance (WSA) rogue events, supported in Release 16.12.x and later releases, consist of telemetry notifications for a subset of SNMP traps. WSA rogue events replicate the same information that is part of the corresponding SNMP trap. For all exported events, the following details are provided to the wireless service assurance (WSA) infrastructure:

· MAC address of the rogue AP
· Details of the managed AP and the radio that detected the rogue AP with the strongest RSSI
· Event-specific data, such as the SSID and channel for a potential honeypot event, and the MAC address of the impersonating AP for an impersonation event

The WSA rogue events feature can scale up to four times the maximum number of supported APs and half of the maximum number of supported clients. The WSA rogue events feature is supported on Cisco DNA Center and other third-party infrastructure.

Procedure

Step 1  configure terminal
        Example:
          Device# configure terminal
        Purpose: Enters global configuration mode.

Step 2  network-assurance enable
        Example:
          Device# network-assurance enable
        Purpose: Enables wireless service assurance.

Step 3  wireless wps rogue network-assurance enable
        Example:
          Device# wireless wps rogue network-assurance enable
        Purpose: Enables wireless service assurance for rogue devices. This ensures that the WSA rogue events are sent to the event queue.

Monitoring Wireless Service Assurance Rogue Events

Procedure

· show wireless wps rogue stats

  Example:

  Device# show wireless wps rogue stats
  WSA Events
    Total WSA Events Triggered :9
      ROGUE_POTENTIAL_HONEYPOT_DETECTED : 2
      ROGUE_POTENTIAL_HONEYPOT_CLEARED : 3
      ROGUE_AP_IMPERSONATION_DETECTED :4
    Total WSA Events Enqueued :6
      ROGUE_POTENTIAL_HONEYPOT_DETECTED : 1
      ROGUE_POTENTIAL_HONEYPOT_CLEARED : 2
      ROGUE_AP_IMPERSONATION_DETECTED :3

  In this example, nine events have been triggered, but only six of them have been enqueued. This is because three events were triggered before the WSA rogue feature was enabled.

· show wireless wps rogue stats internal
· show wireless wps rogue ap detailed rogue-ap-mac-addr

  These commands show information related to WSA events in the event history.
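The gap between "Total WSA Events Triggered" and "Total WSA Events Enqueued" is the figure to watch when checking that rogue events actually reach the WSA infrastructure: events triggered before wireless wps rogue network-assurance enable was set, as in the output above, are never enqueued. The following is an added example, not Cisco code or part of this guide, that parses that section of the show wireless wps rogue stats output and reports the per-event backlog; SAMPLE_OUTPUT reproduces the output from the procedure above, and the counter layout it expects (a Triggered block and an Enqueued block, each followed by indented event counters) is taken from that sample only.

```python
"""Parse the WSA Events block of 'show wireless wps rogue stats' and report
events triggered but never enqueued (added example, not Cisco code)."""
import re

# Output reproduced from the monitoring procedure on this page.
SAMPLE_OUTPUT = """\
Device# show wireless wps rogue stats
WSA Events
  Total WSA Events Triggered :9
    ROGUE_POTENTIAL_HONEYPOT_DETECTED : 2
    ROGUE_POTENTIAL_HONEYPOT_CLEARED : 3
    ROGUE_AP_IMPERSONATION_DETECTED :4
  Total WSA Events Enqueued :6
    ROGUE_POTENTIAL_HONEYPOT_DETECTED : 1
    ROGUE_POTENTIAL_HONEYPOT_CLEARED : 2
    ROGUE_AP_IMPERSONATION_DETECTED :3
"""

# The device prints the colon with or without surrounding spaces; accept both.
_SECTION = re.compile(r"^\s*Total WSA Events (Triggered|Enqueued)\s*:\s*(\d+)\s*$")
_COUNTER = re.compile(r"^\s*([A-Z][A-Z0-9_]+)\s*:\s*(\d+)\s*$")


def parse_wsa_events(text: str) -> dict:
    """Return {'triggered': {'total': n, 'events': {...}}, 'enqueued': {...}}."""
    stats = {"triggered": {"total": 0, "events": {}},
             "enqueued": {"total": 0, "events": {}}}
    section = None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower()
            stats[section]["total"] = int(m.group(2))
            continue
        m = _COUNTER.match(line)
        if m and section is not None:
            stats[section]["events"][m.group(1)] = int(m.group(2))
    return stats


def wsa_backlog(stats: dict) -> dict[str, int]:
    """Triggered minus enqueued, per event name and in total (key 'TOTAL')."""
    trig, enq = stats["triggered"], stats["enqueued"]
    names = sorted(set(trig["events"]) | set(enq["events"]))
    gap = {n: trig["events"].get(n, 0) - enq["events"].get(n, 0) for n in names}
    gap["TOTAL"] = trig["total"] - enq["total"]
    return gap


def export_warnings(stats: dict) -> list[str]:
    """Human-readable findings: events never enqueued, and counters that do
    not add up to their section total (a sign the output was truncated)."""
    warnings = []
    for name, diff in wsa_backlog(stats).items():
        if name != "TOTAL" and diff > 0:
            warnings.append(f"{name}: {diff} event(s) triggered but not enqueued")
    for section in ("triggered", "enqueued"):
        counted = sum(stats[section]["events"].values())
        if counted != stats[section]["total"]:
            warnings.append(f"{section}: counters sum to {counted}, "
                            f"total says {stats[section]['total']}")
    return warnings


if __name__ == "__main__":
    parsed = parse_wsa_events(SAMPLE_OUTPUT)
    print(wsa_backlog(parsed))
    for w in export_warnings(parsed):
        print("WARNING:", w)
```

A backlog that keeps growing after the feature is enabled, rather than staying at the count accumulated before it was turned on, is the case worth investigating; this script only reports the numbers, and the event history from show wireless wps rogue ap detailed tells you which rogue entries they belong to.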