
ROGUE OVERVIEW

A rogue is essentially any device that shares the same spectrum but is not under our
control. It is dangerous in the following scenarios:
when it is set up to use the same SSID as the corporate network;
when it is detected on the wired network;
when it forms an ad-hoc network;
when it is set up by outsiders with malicious intent.
Rogue devices include rogue access points (APs), wireless routers, rogue clients and
rogue ad-hoc networks.
Rogue detection allows the network administrator to monitor and eliminate this security
concern. The Cisco Unified Network Architecture provides a rogue identification and
containment solution without the need for expensive and hard-to-justify overlay network tools.
Rogue detection is not bound by any regulation and requires no legal adherence to operate,
but rogue containment transmits frames against devices the operator may not own, so it has
legal implications that can put the operator at a disadvantage if it is left to run automatically.
ATTACKS LAUNCHED THROUGH ROGUE APs:
ARP poisoning, DHCP attacks, STP attacks, DoS attacks, etc.
Mapping the network for targeted attacks.
Scanning hosts on the network for targeted attacks.
Man-in-the-middle attacks and data sniffing on the wired network.

There are three phases of rogue device management:


Detection: RRM (Radio Resource Management) scanning is used to detect the
presence of rogue devices.
Classification: RLDP (Rogue Location Discovery Protocol), rogue detector APs,
Switch Port Tracing (SPT) and rogue classification rules on the controller are used to
identify whether the rogue devices are connected to the wired network.
Mitigation: switch port shutdown, rogue location and containment are used to track
down the physical location of rogue devices and nullify the threat.
How an AP detects rogue devices
All the controllers are configured with an RF Group name.
When a lightweight AP registers with the controller, it embeds an
authentication Information Element (IE) that is specific to the RF Group
configured on the controller in all its beacon and probe response frames.
So when this lightweight AP hears beacon or probe response frames
from an AP either without this IE or with a wrong IE, it reports that AP as a
rogue to the controller.
It records the BSSID and other details of the rogue AP in a rogue table and sends
the table to the controller.
To do this the AP must briefly cease serving clients, listen for noise and perform rogue
detection. The network administrator configures the channels to scan and the time
period within which all channels are scanned. The AP listens for 50 ms on each scanned
channel for rogue APs and clients, then returns to its configured channel to serve
clients again. This active scanning, combined with neighbour messages, identifies
which APs are rogues and which are valid members of the network.
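As an added illustration (not the page's or Cisco's code, and not the real vendor-specific IE format, which the page does not give), the check above can be modelled in Python: the RF group authentication IE is stood in for by a truncated HMAC keyed with the RF group name, and a scan over constructed beacons builds the rogue table keyed by BSSID. The RF group name CORP-RFGROUP, the AP name and all MAC addresses are made up.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Assumption: the RF group name configured on the controllers. The real Cisco
# authentication IE is a vendor-specific element whose wire format the page does
# not give; it is modelled here as a truncated HMAC-SHA256 over the BSSID keyed
# with the RF group name. That captures the property that matters: an AP which
# does not know the RF group cannot produce a valid IE for its own BSSID.
RF_GROUP = "CORP-RFGROUP"


def rf_group_ie(bssid: str, rf_group: str = RF_GROUP) -> bytes:
    """The (modelled) RF-group authentication IE a managed AP embeds in beacons."""
    return hmac.new(rf_group.encode(), bssid.lower().encode(), hashlib.sha256).digest()[:8]


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    rssi: int
    auth_ie: Optional[bytes]     # None when the element is absent from the frame


@dataclass
class RogueEntry:
    bssid: str
    ssid: str
    channel: int
    rssi: int
    reason: str
    detecting_ap: str


def rogue_reason(beacon: Beacon, rf_group: str = RF_GROUP) -> Optional[str]:
    """None for a managed AP in our RF group; otherwise why it is reported as a rogue."""
    if beacon.auth_ie is None:
        return "no RF group IE"
    if not hmac.compare_digest(beacon.auth_ie, rf_group_ie(beacon.bssid, rf_group)):
        return "wrong RF group IE"
    return None


def scan_report(detecting_ap: str, beacons: Iterable[Beacon],
                rf_group: str = RF_GROUP) -> Dict[str, RogueEntry]:
    """The rogue table an AP builds during one dwell and sends to the controller,
    keyed by BSSID so repeated beacons from one rogue collapse into one entry."""
    table: Dict[str, RogueEntry] = {}
    for b in beacons:
        reason = rogue_reason(b, rf_group)
        if reason is not None:
            key = b.bssid.lower()
            table[key] = RogueEntry(key, b.ssid, b.channel, b.rssi, reason, detecting_ap)
    return table


# Constructed sample: one managed neighbour, one Cisco AP from a foreign RF group
# (the tenant next door) and one consumer AP that carries no IE at all.
SAMPLE_BEACONS = [
    Beacon("00:1a:2b:3c:4d:50", "corp-wifi", 6, -48, rf_group_ie("00:1a:2b:3c:4d:50")),
    Beacon("00:1a:2b:3c:4d:60", "corp-wifi", 6, -71,
           rf_group_ie("00:1a:2b:3c:4d:60", "OTHER-RFGROUP")),
    Beacon("c4:e9:84:12:34:56", "linksys", 11, -62, None),
]

if __name__ == "__main__":
    for e in scan_report("AP-3F-12", SAMPLE_BEACONS).values():
        print(f"{e.bssid}  ssid={e.ssid!r:12} ch={e.channel:2} rssi={e.rssi}  {e.reason}")
```

Note that the second beacon advertises the corporate SSID and still fails the check: the IE, not the SSID, is what distinguishes a managed AP from one merely imitating the network.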
ROGUE DETECTION
RRM SCANNING MODES: There are two modes of scanning available:
Off channel scanning
Monitor mode Scanning
Off-Channel Scanning
This is performed by local mode and H-REAP (in connected mode) APs. It uses a time-slicing technique that allows client servicing
and channel scanning on the same radio.
By default the AP goes off channel for a period of 50 ms on one channel every 16 seconds, so the AP spends a small percentage of its time not
serving clients. There is also a 10 ms channel change interval. In the default scan interval of 180 seconds, each 2.4 GHz
FCC channel is scanned at least once.
Both the list of channels and the scan interval can be adjusted in the RRM configuration. This limits the performance impact to a maximum of
1.5%, and intelligence is built into the algorithm to suspend scanning when high-priority QoS frames, such as voice, need to be delivered.
The graphic depiction below shows the off-channel scanning algorithm for a local mode AP in the 2.4 GHz band. A similar operation is
performed in parallel on the 5 GHz radio. Each red square represents time spent on the AP's home channel; blue squares represent time
spent on adjacent channels for scanning.
Monitor Mode Scanning
This is performed by monitor mode and Adaptive wIPS monitor mode APs, which use 100% of the radio's time for scanning all
channels in their respective frequency band.
By default the AP dwells for 1.1 s on each channel. If WIPS-optimized monitor mode is turned on, the dwell
per channel changes from 1.1 s to 250 ms (CLI command: config ap monitor-mode wips-optimized <AP_name>). This lets a monitor
AP sweep the channels quickly, so a full cycle through the channel list completes much faster for rogue detection and containment.
Monitor mode APs are also far superior at detecting rogue clients as they have a more comprehensive view of the activity occurring on
each channel.
The graphic depiction below shows the scanning algorithm for a monitor mode AP in the 2.4 GHz band. A similar operation is
performed in parallel on the 5 GHz radio.
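The two scanning modes above describe a schedule, so here is an added example (not from the page or from Cisco) that simulates the dwell timeline for the three profiles the text gives and checks the claims: that each 2.4 GHz FCC channel is scanned at least once in a 180 s interval, how far below the 1.5% ceiling the default off-channel duty cycle sits, and how long until a rogue on the last channel in the list can first be heard by a local mode AP versus a monitor mode AP. The assumption that the first off-channel dwell begins after one full home period, and the treatment of the 10 ms channel change as part of each dwell, are mine; the channel lists are the FCC 1-11 set and the full 1-14 set.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FCC_24GHZ = list(range(1, 12))      # channels 1-11, the "country" list for the US
ALL_24GHZ = list(range(1, 15))      # channels 1-14, the "all channels" setting


@dataclass(frozen=True)
class ScanProfile:
    name: str
    dwell_ms: int      # time listening on a scanned channel
    switch_ms: int     # channel-change overhead charged to each dwell (assumption)
    home_ms: int       # time serving clients between two dwells; 0 means never serves


# Values from the page: 50 ms every 16 s for local/H-REAP, 1.1 s or 250 ms per channel
# for monitor mode, which spends 100% of its time scanning.
LOCAL_MODE = ScanProfile("local / H-REAP off-channel", 50, 10, 16_000)
MONITOR_MODE = ScanProfile("monitor mode", 1_100, 0, 0)
WIPS_OPTIMIZED = ScanProfile("monitor mode, wips-optimized", 250, 0, 0)


def dwells(profile: ScanProfile, channels: List[int],
           interval_ms: int = 180_000) -> List[Tuple[int, int]]:
    """(start_ms, channel) for every dwell starting inside the interval, round-robin over
    the channel list. Assumption: the first dwell starts after one full home period."""
    period = profile.home_ms + profile.dwell_ms + profile.switch_ms
    out, t, i = [], profile.home_ms, 0
    while t < interval_ms:
        out.append((t, channels[i % len(channels)]))
        t += period
        i += 1
    return out


def coverage(profile: ScanProfile, channels: List[int],
             interval_ms: int = 180_000) -> Dict[int, int]:
    """How many times each channel is listened to within the scan interval."""
    counts = {ch: 0 for ch in channels}
    for _, ch in dwells(profile, channels, interval_ms):
        counts[ch] += 1
    return counts


def off_channel_fraction(profile: ScanProfile, channels: List[int],
                         interval_ms: int = 180_000) -> float:
    """Share of the interval the radio is not serving clients (dwell plus channel change)."""
    busy = 0
    for start, _ in dwells(profile, channels, interval_ms):
        busy += min(start + profile.dwell_ms + profile.switch_ms, interval_ms) - start
    return busy / interval_ms


def full_sweep_ms(profile: ScanProfile, channels: List[int]) -> int:
    """Time until every channel in the list has been listened to once: the end of the
    dwell on the last channel. A rogue on that channel cannot be heard before this."""
    period = profile.home_ms + profile.dwell_ms + profile.switch_ms
    return profile.home_ms + (len(channels) - 1) * period + profile.dwell_ms


if __name__ == "__main__":
    for p in (LOCAL_MODE, MONITOR_MODE, WIPS_OPTIMIZED):
        print(f"{p.name:32} off-channel {off_channel_fraction(p, FCC_24GHZ):6.2%}  "
              f"full sweep of 1-11 in {full_sweep_ms(p, FCC_24GHZ) / 1000:7.2f} s")
    print("channels 1-14 in 180 s, local mode:", coverage(LOCAL_MODE, ALL_24GHZ))
```

Two things the simulation makes concrete: with eleven dwells per 180 s the default list of eleven FCC channels is covered exactly once, but switching the scan list to all fourteen channels leaves three of them unscanned in that interval; and a local mode AP needs almost three minutes before the last channel has been listened to at all, against 12.1 s for a monitor mode AP and 2.75 s with wips-optimized mode.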
Rogue identification:
If probe responses or beacons from a rogue device are heard by local mode, FlexConnect mode or monitor mode APs, this
information is communicated via CAPWAP to the Wireless LAN Controller (WLC) for processing.
A rogue device can be identified regardless of whether its SSID is broadcast. To prevent false positives, a number of methods are
used to ensure that other managed Cisco-based APs are not identified as rogue devices.
These methods include mobility group updates, RF neighbour packets, and white-listing autonomous APs via Cisco Prime Infrastructure
(PI).
Rogue details: a CAPWAP AP goes off-channel for 50 ms to listen for rogue devices and to monitor noise and channel interference.
Any detected rogue clients or APs are sent to the controller, which gathers the following information:
The rogue AP's MAC address
Name of the AP that detected the rogue
The MAC address(es) of the client(s) connected to the rogue
Whether the frames are protected with WPA or WEP
The preamble
The Signal-to-Noise Ratio (SNR)
The Received Signal Strength Indicator (RSSI)
Channel on which the rogue was detected
Radio on which the rogue was detected
Rogue SSID (if the rogue SSID is broadcast)
Rogue IP address
First and last time the rogue was reported
Channel width
ROGUE CLASSIFICATION
All rogues detected by the Cisco UWN are considered unclassified by default. Rogues can be classified on a number of criteria, including
RSSI, SSID, duration, security type, on/off network and number of clients, as depicted:

Rogue detector AP
Passive approach:
An AP can operate as a rogue detector, which allows it to be placed on a trunk port so it can hear all wired-side VLANs.
The rogue detector AP listens to ARP packets in order to see the Layer 2 addresses of the rogue clients and APs identified by the
controller.
If the MAC address of a rogue client or AP is also heard over the wired network, the rogue is determined to be on the wired network.
When a rogue is detected on the wired network, the alarm severity for that rogue AP is raised to Critical. This method does not
identify rogue clients behind a device that performs NAT, because only the NAT device's own MAC address appears on the wire.
A rogue detector AP can track up to 500 rogue APs and 500 rogue clients. If the rogue detector is placed on a trunk that carries too many
rogue devices, the limit is exceeded and scalability suffers. To avoid this, place the rogue detector AP at the distribution or
access layer of the network rather than at the core.
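As an added example of the passive approach (my code, not Cisco's rogue detector implementation), the following parses 802.1Q-tagged ARP requests as they would appear on the trunk, correlates the sender MAC with the rogue AP and client lists pushed by the controller, raises the matching entry to Critical, and enforces the 500-entry limits the page states. The frames, VLAN numbers and MAC addresses are constructed; the scenario deliberately includes a NAT rogue, whose client never appears on the wire, and a bridged rogue, whose client does.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

MAX_ROGUE_APS = 500          # table limits stated on the page
MAX_ROGUE_CLIENTS = 500


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_arp_request(src_mac: str, sender_ip: str, target_ip: str,
                      vlan: Optional[int] = None) -> bytes:
    """Constructed ARP request as seen on the trunk (802.1Q-tagged when vlan is given)."""
    eth = mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan & 0x0FFF)
    eth += struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)                 # Ethernet/IPv4, request
    arp += mac_bytes(src_mac) + bytes(int(o) for o in sender_ip.split("."))
    arp += bytes(6) + bytes(int(o) for o in target_ip.split("."))
    return eth + arp


def arp_sender_mac(frame: bytes) -> Optional[str]:
    """Sender hardware address of an ARP frame, or None for anything else."""
    off = 12
    (ethertype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if ethertype == 0x8100:                                          # skip one 802.1Q tag
        (ethertype,) = struct.unpack_from("!H", frame, off + 2)
        off += 4
    if ethertype != 0x0806 or len(frame) < off + 28:
        return None
    _, _, hlen, _, _ = struct.unpack_from("!HHBBH", frame, off)
    if hlen != 6:
        return None
    return mac_str(frame[off + 8: off + 14])


@dataclass
class RogueDetectorAP:
    """Rogue detector mode AP: holds the controller's rogue lists and watches wired ARP."""
    rogue_aps: Dict[str, str] = field(default_factory=dict)          # mac -> severity
    rogue_clients: Dict[str, str] = field(default_factory=dict)
    dropped: int = 0                                                 # entries beyond the limits

    def load(self, ap_macs: Iterable[str], client_macs: Iterable[str]) -> None:
        for table, macs, limit in ((self.rogue_aps, ap_macs, MAX_ROGUE_APS),
                                   (self.rogue_clients, client_macs, MAX_ROGUE_CLIENTS)):
            for m in macs:
                m = m.lower()
                if m in table:
                    continue
                if len(table) >= limit:
                    self.dropped += 1           # scalability problem the page warns about
                    continue
                table[m] = "Unclassified"

    def observe(self, frame: bytes) -> Optional[str]:
        """Return the rogue MAC this frame confirms on the wire, if any."""
        mac = arp_sender_mac(frame)
        if mac is None:
            return None
        for table in (self.rogue_aps, self.rogue_clients):
            if mac in table:
                table[mac] = "Critical"         # rogue is on our wired network
                return mac
        return None


# Constructed scenario. ROGUE_AP_NAT is a consumer router doing NAT: only its own MAC
# ever ARPs on the wire, so CLIENT_BEHIND_NAT can never be confirmed this way.
# ROGUE_AP_BRIDGED forwards client frames unchanged, so its client is visible.
ROGUE_AP_NAT = "c4:e9:84:12:34:56"
CLIENT_BEHIND_NAT = "aa:bb:cc:dd:ee:01"
ROGUE_AP_BRIDGED = "00:11:22:33:44:55"
CLIENT_BRIDGED = "aa:bb:cc:dd:ee:02"
WIRE_FRAMES = [
    build_arp_request(ROGUE_AP_NAT, "10.20.0.77", "10.20.0.1", vlan=20),
    build_arp_request(ROGUE_AP_BRIDGED, "10.30.0.90", "10.30.0.1", vlan=30),
    build_arp_request(CLIENT_BRIDGED, "10.30.0.91", "10.30.0.1", vlan=30),
    build_arp_request("00:50:56:aa:00:01", "10.20.0.5", "10.20.0.1", vlan=20),  # ordinary host
]


def run_demo() -> RogueDetectorAP:
    det = RogueDetectorAP()
    det.load([ROGUE_AP_NAT, ROGUE_AP_BRIDGED], [CLIENT_BEHIND_NAT, CLIENT_BRIDGED])
    for f in WIRE_FRAMES:
        det.observe(f)
    return det


if __name__ == "__main__":
    d = run_demo()
    print("rogue APs:", d.rogue_aps)
    print("rogue clients:", d.rogue_clients)
```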
RLDP (Rogue Location Discovery Protocol)
Active operation:
The RLDP active approach is used when the rogue AP has no authentication configured. It instructs an active AP to move to the rogue's channel
and connect to the rogue as a client.
To do this the active AP sends de-authentication messages to all of its own clients, shuts down its radio interface, and then
associates to the rogue AP as a client.
The AP then tries to obtain an IP address from the rogue AP using DHCP. Once it has an IP address, the AP sends a UDP packet
on port 6352 containing the local AP and rogue connection information to the controller through the rogue AP.
If the controller receives this RLDP packet, an alarm is raised to notify the network administrator that the rogue AP was discovered on the
wired network.
Caveats of RLDP:
RLDP works only with open rogue APs that broadcast their SSID and have authentication and encryption disabled.
RLDP requires that the managed AP acting as a client can obtain an IP address via DHCP from the rogue network.
Manual RLDP can be used to attempt an RLDP trace on a rogue multiple times.
During the RLDP process the AP is unable to serve its clients, which impacts the performance and connectivity of local mode APs. Hence
RLDP can be selectively enabled on monitor mode APs only.
RLDP does not attempt to connect to a rogue AP operating on a 5 GHz DFS channel.
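The RLDP exchange and its caveats above can be followed end to end in an added example (my code, not Cisco's RLDP implementation). The eligibility check encodes each caveat; the exchange itself is modelled with two injectable callables, the rogue's DHCP server and the path from the rogue's LAN back to the controller, so the wired and off-network outcomes can both be exercised offline. Assumptions: the report payload layout (a 4-byte tag plus JSON) is mine, not Cisco's wire format; the DFS channel set is the US list 52-64 and 100-144; AP names, addresses and the rogue BSSIDs are made up.

```python
import json
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

RLDP_PORT = 6352                       # UDP port named on the page
# Assumption: US 5 GHz DFS channels (52-64 and 100-144); RLDP skips these.
DFS_CHANNELS = set(range(52, 65, 4)) | set(range(100, 145, 4))


@dataclass(frozen=True)
class RogueAP:
    bssid: str
    ssid: Optional[str]              # None when the SSID is not broadcast
    channel: int
    open_auth: bool
    encrypted: bool


@dataclass(frozen=True)
class ManagedAP:
    name: str
    mode: str                        # "local", "flexconnect" or "monitor"
    ip: str


def rldp_blockers(rogue: RogueAP, ap: ManagedAP, monitor_only: bool = True) -> List[str]:
    """The page's caveats, checked before an attempt; an empty list means go."""
    why = []
    if not rogue.ssid:
        why.append("SSID not broadcast")
    if not rogue.open_auth or rogue.encrypted:
        why.append("authentication or encryption enabled")
    if rogue.channel in DFS_CHANNELS:
        why.append("5 GHz DFS channel")
    if monitor_only and ap.mode != "monitor":
        why.append(f"RLDP limited to monitor mode APs, this AP is {ap.mode}")
    return why


def encode_report(ap: ManagedAP, rogue: RogueAP, leased_ip: str) -> bytes:
    """Assumed report layout (not Cisco's wire format): 4-byte tag plus JSON body."""
    body = {"ap": ap.name, "ap_ip": ap.ip, "leased_ip": leased_ip,
            "rogue_bssid": rogue.bssid, "rogue_ssid": rogue.ssid, "channel": rogue.channel}
    return b"RLDP" + json.dumps(body, sort_keys=True).encode()


def controller_receive(datagram: bytes, dst_port: int) -> Optional[dict]:
    """WLC side: an RLDP datagram arriving on port 6352 proves the rogue is on our wire."""
    if dst_port != RLDP_PORT or not datagram.startswith(b"RLDP"):
        return None
    info = json.loads(datagram[4:])
    return {"alarm": "rogue on wired network", "severity": "Critical", **info}


def run_rldp(rogue: RogueAP, ap: ManagedAP,
             dhcp: Callable[[str], Optional[str]],
             deliver: Callable[[bytes, int], Optional[bytes]],
             monitor_only: bool = True) -> Tuple[str, object]:
    """One RLDP attempt. dhcp(bssid) stands in for the rogue's DHCP server; deliver(datagram,
    port) is the path from the rogue's LAN to the controller and returns what arrived."""
    blockers = rldp_blockers(rogue, ap, monitor_only)
    if blockers:
        return "not attempted", blockers
    # A local mode AP would now de-authenticate its own clients and drop its radio
    # to associate with the rogue; the page's performance caveat comes from this step.
    leased_ip = dhcp(rogue.bssid)
    if leased_ip is None:
        return "no dhcp lease", None
    arrived = deliver(encode_report(ap, rogue, leased_ip), RLDP_PORT)
    if arrived is None:
        return "no path to controller", None    # rogue is not on our wired network
    return "on wire", controller_receive(arrived, RLDP_PORT)


# Constructed scenario: APs, rogues and the two possible network paths.
MONITOR_AP = ManagedAP("AP-MON-1", "monitor", "10.0.0.10")
LOCAL_AP = ManagedAP("AP-3F-12", "local", "10.0.0.12")
OPEN_ROGUE = RogueAP("c4:e9:84:12:34:56", "linksys", 6, True, False)
WPA_ROGUE = RogueAP("c4:e9:84:12:34:57", "home", 6, False, True)
DFS_ROGUE = RogueAP("c4:e9:84:12:34:58", "home", 100, True, False)


def lab_dhcp(bssid: str) -> Optional[str]:
    return "192.168.1.23"                      # the rogue hands out a private lease


def no_dhcp(bssid: str) -> Optional[str]:
    return None


def wired_path(datagram: bytes, port: int) -> Optional[bytes]:
    return datagram                            # rogue is plugged into our LAN: it arrives


def isolated_path(datagram: bytes, port: int) -> Optional[bytes]:
    return None                                # rogue only uplinks to the tenant next door


if __name__ == "__main__":
    print(run_rldp(OPEN_ROGUE, MONITOR_AP, lab_dhcp, wired_path))
    print(run_rldp(OPEN_ROGUE, MONITOR_AP, lab_dhcp, isolated_path))
    print(run_rldp(OPEN_ROGUE, LOCAL_AP, lab_dhcp, wired_path))
```

The "no path to controller" outcome is the useful negative: an open rogue that hands out DHCP leases but is not on our wire (a neighbour's hotspot) completes every step except delivery, so RLDP correctly stays silent about it.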

Switch Port Tracing

This technique is initiated by PI (Cisco Prime Infrastructure) and uses both CDP and SNMP information to track the rogue device to
a specific port in the network. For switch port tracing to run, all switches in the network must be added to PI with SNMP
credentials.
With read-only (RO) credentials PI can only identify the port the rogue device is connected to; with read-write (RW) credentials PI can also shut down the port, thus
containing the threat.
PI finds the closest AP that detects the rogue AP over the air and retrieves its CDP neighbour details.
PI uses SNMP to examine the CAM table of the neighbouring switch, looking for a positive match to identify the rogue's location.
If no match is found on the closest switch, PI continues to search the neighbouring switches up to two hops away by default.
The depiction on the next page shows the working of the SPT technique, and the comparison of the various wired-side tracing techniques is summarised
below:
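The trace above is a breadth-first search over the CDP neighbour graph with a CAM lookup at each switch, which the following added example (my code, not Prime Infrastructure's) makes explicit. The inventory stands in for what PI would read over SNMP: each switch's CAM table and CDP neighbours, plus whether PI holds RO or RW credentials for it. One design choice that the page does not state but that any real trace needs: a MAC learned on a port whose CDP neighbour is another managed switch is an uplink entry and is skipped, otherwise the search would stop at the first switch along the path. Switch names, ports and MAC addresses are made up.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Switch:
    name: str
    cam: Dict[str, str]               # MAC -> port, what SNMP reads from the bridge MIB
    cdp: Dict[str, str]               # local port -> CDP neighbour device name
    snmp: str = "ro"                  # credential type PI holds: "ro" or "rw"
    shut_ports: Set[str] = field(default_factory=set)


def switch_behind_ap(inventory: Dict[str, Switch], ap_name: str) -> Optional[str]:
    """The detecting AP's CDP neighbour: the switch where the search starts."""
    for sw in inventory.values():
        if ap_name in sw.cdp.values():
            return sw.name
    return None


def uplink_ports(sw: Switch, inventory: Dict[str, Switch]) -> Set[str]:
    """Ports whose CDP neighbour is another managed switch; a MAC learned there lives beyond it."""
    return {port for port, nbr in sw.cdp.items() if nbr in inventory}


def trace_rogue(inventory: Dict[str, Switch], start_switch: Optional[str], rogue_mac: str,
                max_hops: int = 2) -> Optional[Tuple[str, str, int]]:
    """Breadth-first search from the switch adjacent to the detecting AP, at most max_hops
    away. Returns (switch, access port, hops) of the first access-port CAM match."""
    if start_switch not in inventory:
        return None
    rogue_mac = rogue_mac.lower()
    seen = {start_switch}
    queue = deque([(start_switch, 0)])
    while queue:
        name, hops = queue.popleft()
        sw = inventory[name]
        port = sw.cam.get(rogue_mac)
        if port is not None and port not in uplink_ports(sw, inventory):
            return name, port, hops
        if hops == max_hops:
            continue
        for nbr in sw.cdp.values():
            if nbr in inventory and nbr not in seen:
                seen.add(nbr)
                queue.append((nbr, hops + 1))
    return None


def contain_on_switch(inventory: Dict[str, Switch], hit: Tuple[str, str, int]) -> bool:
    """Shut the traced port, which PI can only do with RW SNMP credentials for that switch."""
    name, port, _ = hit
    sw = inventory[name]
    if sw.snmp != "rw":
        return False
    sw.shut_ports.add(port)
    return True


ROGUE = "00:11:22:33:44:55"
# Constructed topology: the detecting AP's switch SW-ACC-3 sees the rogue MAC only on its
# uplink, so the search continues through SW-DIST-1 to SW-ACC-5, two hops away.
INVENTORY = {
    "SW-ACC-3": Switch("SW-ACC-3", {ROGUE: "Gi1/0/24"},
                       {"Gi1/0/24": "SW-DIST-1", "Gi1/0/5": "AP-3F-12"}),
    "SW-DIST-1": Switch("SW-DIST-1", {ROGUE: "Te1/1/3"},
                        {"Te1/1/1": "SW-ACC-3", "Te1/1/3": "SW-ACC-5"}, snmp="rw"),
    "SW-ACC-5": Switch("SW-ACC-5", {ROGUE: "Gi1/0/12", "00:50:56:aa:00:01": "Gi1/0/2"},
                       {"Gi1/0/24": "SW-DIST-1"}, snmp="rw"),
}


if __name__ == "__main__":
    start = switch_behind_ap(INVENTORY, "AP-3F-12")
    hit = trace_rogue(INVENTORY, start, ROGUE)
    print("trace:", hit)
    if hit:
        print("port shut:", contain_on_switch(INVENTORY, hit))
```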

Rogue Classification Rules


Policy-based rogue classification rules allow the WLC to maintain a custom-
defined rogue list, with a custom severity level from 1 to 100.
These rules are configured on WCS or the WLC but are applied
on the controller when new rogues are discovered.
The administrator can classify a rogue as Friendly, Malicious or
Custom, with the containment options shown below:
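To show how the criteria listed under ROGUE CLASSIFICATION (RSSI, SSID, duration, security type, on/off network, number of clients) combine into the Friendly/Malicious/Custom classes with a 1-100 severity described here, the following added rule engine is my own code and not the WLC's rule implementation. Rules are evaluated in order and the first match wins; rogues matching nothing stay Unclassified, as the page says they are by default. The "match all" versus "match any" option, the condition names and the sample rules and rogues are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rogue:
    bssid: str
    ssid: Optional[str]
    rssi: int                    # dBm as reported by the detecting AP
    duration_s: int              # seconds between first and last report
    security: str                # "open", "wep" or "wpa"
    on_network: bool             # confirmed on the wire by RLDP, rogue detector or SPT
    clients: int


@dataclass(frozen=True)
class Rule:
    name: str
    classification: str          # "Friendly", "Malicious" or "Custom"
    conditions: Dict[str, object]
    match: str = "all"           # assumption: "all" conditions or "any" condition
    severity: int = 1            # 1-100, the page's custom severity range
    contain: bool = False        # containment option attached to the rule

    def __post_init__(self) -> None:
        if not 1 <= self.severity <= 100:
            raise ValueError("severity must be between 1 and 100")
        if self.classification not in ("Friendly", "Malicious", "Custom"):
            raise ValueError("unknown classification")


def condition_holds(rogue: Rogue, key: str, value: object) -> bool:
    """One criterion. Condition names are assumptions, not WLC syntax."""
    if key == "rssi_min":
        return rogue.rssi >= value
    if key == "ssid":
        return rogue.ssid == value
    if key == "ssid_contains":
        return rogue.ssid is not None and str(value) in rogue.ssid
    if key == "duration_min":
        return rogue.duration_s >= value
    if key == "security":
        return rogue.security == value
    if key == "on_network":
        return rogue.on_network == value
    if key == "clients_min":
        return rogue.clients >= value
    raise ValueError(f"unknown condition {key}")


def rule_matches(rogue: Rogue, rule: Rule) -> bool:
    results = [condition_holds(rogue, k, v) for k, v in rule.conditions.items()]
    return all(results) if rule.match == "all" else any(results)


def classify(rogue: Rogue, rules: List[Rule]) -> Tuple[str, Optional[int], bool, Optional[str]]:
    """(classification, severity, contain, rule name); Unclassified when no rule matches."""
    for rule in rules:
        if rule_matches(rogue, rule):
            return rule.classification, rule.severity, rule.contain, rule.name
    return "Unclassified", None, False, None


# Constructed policy, ordered from most to least serious.
RULES = [
    Rule("on-wire", "Malicious", {"on_network": True}, severity=100, contain=True),
    Rule("corp-ssid-spoof", "Malicious", {"ssid": "corp-wifi"}, severity=90, contain=True),
    Rule("strong-busy-unknown", "Custom",
         {"rssi_min": -60, "clients_min": 3, "duration_min": 3600}, severity=60),
    Rule("known-neighbour", "Friendly", {"ssid_contains": "NEIGHBOUR-CAFE"}, severity=1),
]

# Constructed rogues.
SPOOF = Rogue("c4:e9:84:00:00:01", "corp-wifi", -70, 60, "wpa", False, 0)
WIRED = Rogue("c4:e9:84:00:00:02", "linksys", -55, 120, "open", True, 1)
CAFE = Rogue("c4:e9:84:00:00:03", "NEIGHBOUR-CAFE-Guest", -80, 86_400, "wpa", False, 10)
NEARBY = Rogue("c4:e9:84:00:00:04", "printer-direct", -52, 7_200, "wpa", False, 4)
FAINT = Rogue("c4:e9:84:00:00:05", "home", -85, 10, "wpa", False, 0)

if __name__ == "__main__":
    for r in (SPOOF, WIRED, CAFE, NEARBY, FAINT):
        print(r.bssid, r.ssid, "->", classify(r, RULES))
```

Rule order matters as much as rule content: a rogue that both spoofs the corporate SSID and is confirmed on the wire should land on the on-wire rule, so that rule comes first; the Friendly rule comes last so a neighbour's SSID can never whitelist a device that is also on our wire.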
ROGUE MITIGATION
Rogue Containment
Containment is the method used to temporarily interrupt service on the rogue device using over-the-air packets until the rogue device
can be removed from the physical location.
It works by sending de-authentication packets with the spoofed source address of the rogue AP, so that any clients that are
associated with it are disconnected.

Containment initiated on a rogue AP with no clients uses only de-auth frames sent to the broadcast address.
Containment initiated on a rogue AP with clients uses de-auth frames sent to the broadcast address and unicast frames to each client
address, as depicted below.

Containment packets are sent at the power level of the managed AP and at the lowest enabled data rate, with a minimum of 2 packets every 100 ms.
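To make the frame addressing above concrete, here is an added example (my code, not the AP's containment implementation) that builds the IEEE 802.11 deauthentication frames one containment burst consists of, with the rogue's BSSID in the source and BSSID fields and either the broadcast address or a client address as the destination, plus a parser to verify them. It only constructs and inspects bytes; it transmits nothing, and transmitting such frames is exactly the activity the page flags as carrying legal implications. The reason code, the sequence numbering and the burst-per-100 ms arithmetic are my assumptions; the addresses are made up.

```python
import math
import struct
from typing import Dict, List

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH_FC = 0x00C0             # frame control: type 0 (management), subtype 12 (deauthentication)
REASON_UNSPECIFIED = 1         # IEEE 802.11 reason code (assumption: any valid code works)
MIN_FRAMES_PER_100MS = 2       # rate floor stated on the page


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def deauth_frame(dst: str, rogue_bssid: str, seq: int, reason: int = REASON_UNSPECIFIED) -> bytes:
    """802.11 deauthentication frame. addr2 (source) and addr3 (BSSID) carry the rogue's
    BSSID so the rogue's clients accept it as coming from their own AP. 802.11 header
    fields are little-endian; the FCS is left to the radio."""
    hdr = struct.pack("<HH", DEAUTH_FC, 0)                 # frame control, duration
    hdr += mac_bytes(dst) + mac_bytes(rogue_bssid) + mac_bytes(rogue_bssid)
    hdr += struct.pack("<H", (seq & 0x0FFF) << 4)          # sequence control, fragment 0
    return hdr + struct.pack("<H", reason)                 # 2-byte body: reason code


def containment_burst(rogue_bssid: str, clients: List[str], seq: int = 0) -> List[bytes]:
    """One burst: a broadcast deauth always, plus one unicast deauth per known client."""
    frames = [deauth_frame(BROADCAST, rogue_bssid, seq)]
    frames += [deauth_frame(c, rogue_bssid, seq + i) for i, c in enumerate(clients, 1)]
    return frames


def bursts_per_100ms(n_clients: int) -> int:
    """Bursts needed per 100 ms to meet the 2-frame floor: a clientless rogue (one
    broadcast frame per burst) needs two bursts, anything with a client needs one."""
    return max(1, math.ceil(MIN_FRAMES_PER_100MS / (1 + n_clients)))


def parse_deauth(frame: bytes) -> Dict[str, object]:
    """Decode the header back into fields, for checking what would go on the air."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    (seqctl,) = struct.unpack_from("<H", frame, 22)
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "addr1": mac_str(frame[4:10]),          # destination
        "addr2": mac_str(frame[10:16]),         # spoofed source: the rogue
        "bssid": mac_str(frame[16:22]),
        "seq": (seqctl >> 4) & 0x0FFF,
        "reason": reason,
    }


if __name__ == "__main__":
    rogue = "c4:e9:84:12:34:56"                                     # constructed rogue BSSID
    for f in containment_burst(rogue, ["aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"], seq=7):
        print(f.hex(), parse_deauth(f))
    print("bursts per 100 ms with no clients:", bursts_per_100ms(0))
```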
CONFIGURATION OF ROGUE DETECTION
GUI: Rogue detection is enabled by default on the controllers. To obtain the details of rogues go to MONITOR -> ROGUES

Friendly APs: APs marked as friendly by the administrator
Malicious APs: APs identified as malicious using RLDP or a rogue detector AP
Unclassified APs: by default rogue APs are shown in the unclassified list on the controller
Rogue Clients: clients connected to rogue APs
Adhoc Rogues: ad-hoc rogue clients
Rogue AP ignore list: APs listed through WCS
Note: If the WLC and an autonomous AP are managed by the same WCS, the WLC automatically lists that autonomous AP in the rogue AP ignore list.
CLI: Rogue detection is enabled by default on the controllers. To obtain the details of rogues on the CLI enter show rogue ap summary
GUI: To get the details of a particular rogue entry, click on the entry

CLI: To obtain the details of a rogue entry on the CLI enter show rogue ap detailed <MAC_address>
GUI: Configure channel scanning for rogue detection. For a local/H-REAP mode/monitor mode AP there is an option under the RRM configuration
that allows the user to choose which channels are scanned for rogues. Depending on the configuration, the AP scans all channels, the country channels or the DCA
channels for rogues. To configure, go to Wireless > 802.11a/802.11b > RRM > General.

CLI: To configure channel scanning on the CLI enter config advanced 802.11a monitor channel-list {all | country | dca}
GUI: To configure a rogue detector AP, go to Wireless > All APs. Choose the AP name and change the AP mode.

CLI: To configure a rogue detector AP on the CLI enter config ap mode rogue <AP_name>, and make the switch port connected to the AP a trunk
GUI: To configure rogue containment, go to Monitor > Rogues > Unclassified. Update the status to Contain and choose the maximum number of APs to
contain.

CLI: To configure rogue containment on the CLI enter config rogue client contain <MAC_address> <number of APs to contain>
