Configuring Rogue AP Detection Using the CLI
These CLI commands configure rogue detection; for a complete explanation of the commands, see the FortiWLC (SD) Command Reference.
Adding APs to Scan List
default(15)# configure terminal
default(15)(config)# rogue-ap detection-ap 1
default(15)(config)# rogue-ap detection-ap 3
default(15)(config)# exit

Show output:
default(15)# sh rogue-ap detection-ap-list
AP ID
1
3
Rogue Device Detecting APs(2)
Deleting APs from Scan list
default(15)# configure terminal
default(15)(config)# no rogue-ap detection-ap 1
default(15)(config)# no rogue-ap detection-ap 3
default(15)(config)# end

Show output:
default(15)# show rogue-ap detection-ap-list
AP ID
Rogue Device Detecting APs(No entries)
Configuring the AP Access and Block Lists with the CLI
The feature uses an Access Control List (ACL) containing a list of allowed BSSIDs and a list of Blocked BSSIDs. By default, all Fortinet ESS BSSIDs in the WLAN are automatically included in the allowed ACL. A BSSID cannot appear in both lists.
To add an access point with a BSSID of 00:0e:cd:cb:cb:cb to the access control list as an authorized access point, type the following:
controller (config)# rogue-ap acl 00:0e:cd:cb:cb:cb
controller (config)#
To see a listing of all BSSIDs on the authorized list, type the following:
controller# show rogue-ap acl
Allowed APs
BSSID
00:0c:e6:cd:cd:cd
00:0e:cd:cb:cb:cb
A BSSID cannot be on both the blocked list and the allowed (authorized) list for rogue AP detection at the same time. Suppose 00:0c:e6:cd:cd:cd is to be placed on the blocked list. Because this BSSID is already on the authorized list, you must first remove it from the authorized list and then add it to the blocked list, as follows:
controller (config)# no rogue-ap acl 00:0c:e6:cd:cd:cd
controller (config)#
controller (config)# rogue-ap blocked 00:0c:e6:cd:cd:cd
controller (config)# exit
controller# show rogue-ap acl
Allowed APs
BSSID
00:0e:cd:cb:cb:cb

controller# show rogue-ap blocked
BssId             Creation Date  Last Reported
----------------- -------------- --------------
00:0c:e6:cd:cd:cd 11/02 01:05:54 11/02 01:06:20
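The listings above are easy to read by eye but tedious to audit on a controller with many BSSIDs. The following script is an added example, not part of the FortiWLC documentation or the product: it parses captured `show rogue-ap acl` and `show rogue-ap blocked` output (the sample text below is constructed, modelled on the listings above), checks the controller's rule that no BSSID may be on both lists, and produces the CLI sequence the text describes for moving a BSSID from the allowed list to the blocked list (`no rogue-ap acl` first, then `rogue-ap blocked`). The function and variable names are the example's own.

```python
"""Audit FortiWLC rogue-AP allowed/blocked lists from captured CLI output.

Added example: parses pasted 'show rogue-ap acl' and 'show rogue-ap blocked'
listings, verifies the two lists are disjoint, and plans the command sequence
needed to move a BSSID onto the blocked list.
"""
import re

# A BSSID is a MAC address in colon-separated hex form.
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample: allowed-list output before any change is made.
ACL_OUTPUT = """\
Allowed APs
BSSID
00:0c:e6:cd:cd:cd
00:0e:cd:cb:cb:cb
"""

# Constructed sample: blocked-list output holding one unrelated BSSID.
BLOCKED_OUTPUT = """\
BssId             Creation Date  Last Reported
----------------- -------------- --------------
00:0c:e6:aa:aa:aa 11/02 01:05:54 11/02 01:06:20
"""


def parse_bssids(output):
    """Return the set of BSSIDs in a listing.

    The BSSID is the first whitespace-separated token of each data row;
    header rows ('BSSID', 'BssId', dashes) fail the MAC pattern and are skipped.
    """
    found = set()
    for line in output.splitlines():
        parts = line.split()
        if parts and MAC_RE.match(parts[0]):
            found.add(parts[0].lower())
    return found


def check_disjoint(allowed, blocked):
    """Return BSSIDs present on both lists (should be empty on a healthy controller)."""
    return sorted(allowed & blocked)


def plan_block(bssid, allowed, blocked):
    """Return the config-mode commands that put bssid on the blocked list.

    Mirrors the documented order: remove from the ACL first when the BSSID is
    already allowed, then add it to the blocked list. Returns [] when the BSSID
    is already blocked.
    """
    bssid = bssid.lower()
    commands = []
    if bssid in blocked:
        return commands
    if bssid in allowed:
        commands.append(f"no rogue-ap acl {bssid}")
    commands.append(f"rogue-ap blocked {bssid}")
    return commands


if __name__ == "__main__":
    allowed = parse_bssids(ACL_OUTPUT)
    blocked = parse_bssids(BLOCKED_OUTPUT)
    overlap = check_disjoint(allowed, blocked)
    print("overlap:", overlap or "none")
    for cmd in plan_block("00:0c:e6:cd:cd:cd", allowed, blocked):
        print("controller (config)#", cmd)
```

Paste real controller output into the two string constants (or read it from files) to run the same audit against a live configuration; the overlap check is the one worth scheduling, since the controller rejects an overlapping add but a stale paste of an old ACL into a new blocked list is an easy mistake to make.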
The commands to enable and confirm the rogue AP detection state are as follows:
controller (config)# rogue-ap detection
controller# show rogue-ap globals
Global Settings
Detection : on
Mitigation : none
Rogue AP Aging (seconds) : 60
Number of Candidate APs : 3
Number of Mitigating APs : 5
Scanning time in ms : 100
Operational time in ms : 400
Max mitigation frames sent per channel : 10
Scanning Channels :
1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165
RSSI Threshold for Mitigation : -100
Use the CLI command show rogue-ap-list to display all rogue clients and APs in the network.
Rogue Mitigation Example
Rogue AP mitigation for APs in the blocked list is enabled and confirmed as follows:
controller# configure terminal
controller (config)# rogue-ap detection
controller (config)# rogue-ap mitigation selected
controller (config)# exit
controller# show rogue-ap globals
Global Settings
Detection : on
Mitigation : selected
Rogue AP Aging (seconds) : 60
Number of Candidate APs : 3
Number of Mitigating APs : 5
Scanning time in ms : 100
Operational time in ms : 400
Max mitigation frames sent per channel : 10
Scanning Channels :
1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165
RSSI Threshold for Mitigation : -100
The above explanation is nice, but still I am not sure about our settings.
We have:
Controller Model MC1550-VE
Software Version 8.4-1build-1
and our config related to rogue:
===
rogue-ap mitigation all
rogue-ap assigned-aps 3
rogue-ap aging 600
rogue-ap scanning-time 100
rogue-ap operational-time 4000
rogue-ap mitigation-frames 10
rogue-ap scanning-channels 1,6,11,36,64,132
rogue-ap min-rssi -100
alarm “Rogue AP Detected”
rogue-ap detection
rogue-ap acl 00:0c:e6:…. from all our BSSID
===
Short explanation: to ensure both security & performance
A. “rogue-ap scanning-channels” are just those which we are really using
B. BSSID from all our APs are included at “rogue-ap acl”
C. which 3 APs listed at “rogue-ap detection-ap” are used for scanning ?
D. what is the best strategy or how to select AP dedicated to rogue scanning in general ?
– based on neighbourhood
– omit busy AP
– include AP from each model
E. and what do you recommend in our situation ? our coverage is divided into 2 zones
FRONT is covered by AP1020i and AP1020e
BACK is covered by AP822i and AP832e
F. “rogue-ap operational-time” is 4s. Does it mean that standard service mode lasts continuously 4s, and 100ms is used for scanning plus some time for mitigation?
Is it better to decrease or to increase the “rogue-ap operational-time”?
What is the default value?
G. Finally, just one suggestion. BSSIDs of our active APs might be “offered” automatically
to the Allowed APs via the web GUI.
In our version we have to list them at “rogue-ap acl” manually 🙁
awk ‘{print $9}’ `show ess-ap` |sort -u
MANY thanks for your time
Nada