Re: Cisco Wireless Rogue Containment

From: <Keegan.Holley_at_sungard.com>
Date: Sat, 8 Aug 2009 21:40:04 -0400

Haven't touched wireless in a while so forgive me. I think the first one
is referring to actually shutting down its own radio interface and then
connecting again as a client and waiting for other clients to connect to
the rogue. I wouldn't recommend doing this in an urban environment as
it's a pretty good way to DOS the local Hyatt and possibly get sued. :)
I'm not sure about the second example. I honestly never understood this
myself. For example the wired NIC is going to have a different MAC than
the wireless one so how is it going to be able to correlate the same
client on the wired network? I've never tested containment using a client
but I was under the impression that it sends the deauth requests fast
enough so that your client never can pass traffic over the bad AP. Maybe
your two rogue detectors are deauthing each other? The overall point is
to keep sending deauth requests to clients until they authenticate to a
non-rogue AP.

Cisco Wireless Rogue Containment

Dane Newman
to:
Cisco certification
08/08/09 08:01 PM

Sent by:
nobody_at_groupstudy.com
Please respond to Dane Newman

Hello Experts.

So I have gotten around to playing with Cisco wireless and I was curious if
someone could help me understand how exactly the rogue containment works.

I have found and read through this article
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml

I have read this paragraph:

*"RLDP is an active approach, which is used when rogue AP has no
authentication (Open Authentication) configured. This mode, which is
disabled by default, instructs an active AP to move to the rogue channel and
connect to the rogue as a client. During this time, the active AP sends
deauthentication messages to all connected clients and then shuts down the
radio interface. Then, it will associate to the rogue AP as a client."*

I understand if the rogue is an open access point (no security) the system
can send deauth packets to clients. How does it exactly shut down the
radio? What does the last line mean, "then it will associate to the rogue
AP as a client"? Does this mean if it comes back up it will associate again?

Also I have read this below...

*"This approach is used when rogue AP has some form of authentication,
either WEP or WPA. When a form of authentication is configured on rogue AP,
the Lightweight AP cannot associate because it does not know the key
configured on the rogue AP. The process begins with the controller when it
passes on the list of rogue client MAC addresses to an AP that is configured
as a rogue detector. The rogue detector scans all connected and configured
subnets for ARP requests, and ARP searches for a matching Layer 2 address.
If a match is discovered, the controller notifies the network administrator
that a rogue is detected on the wired subnet."*

So when the rogue is secured I understand that it cannot connect
wirelessly. From what I am reading (please let me know if I am
understanding it correctly) access points can be put in rogue detector mode
and trunked with all VLANs. It then can only notify you that a rogue is
connected to the wired network? What if the rogue is not connected to your
wired network? Can anything be done to block the rogue then?

I have a 2106 controller and I am playing with it at the moment. I set it
up with 2 CAPWAP APs and then set up a rogue AP in my home not connected to
the wired network. I ran a constant ping before containing it and it was
always below 1-2 ms response time. I then contained it using two APs and
it started going over 500 ms + and dropping packets. Maybe it's just my
imagination but I would like to know how it's blocking or giving poor
performance to the rogue? Is it doing anything or just my imagination?

Dane
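The wired-side correlation step quoted above from the white paper (the controller hands the rogue client MAC list to a rogue-detector AP, which watches ARP requests on its trunked VLANs for a matching Layer 2 address and reports a rogue on the wired subnet) can be modelled offline. The Python below is an added example for this archive page; it is not Cisco code and was not posted by either participant. The ARP record line format, the MAC addresses and the VLAN numbers are constructed for the example, and it assumes the rogue AP bridges its wireless clients onto the wire so that their MACs show up in wired ARP traffic, which is the case the quoted text relies on.

```python
"""Offline model of rogue-detector wired correlation (added example, not Cisco code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed record format used only by this example (not a Cisco or tcpdump format):
#   VLAN<id> ARP who-has <target-ip> tell <sender-ip> <sender-mac>
ARP_LINE_RE = re.compile(
    r"^VLAN(?P<vlan>\d+)\s+ARP who-has\s+(?P<target>\S+)\s+tell\s+"
    r"(?P<sender_ip>\S+)\s+(?P<sender_mac>\S+)$"
)


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or Cisco aabb.ccdd.eeff;
    return the lowercase colon-separated form so lists from different
    sources compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class ArpRequest:
    vlan: int
    sender_ip: str
    sender_mac: str  # normalized


def parse_arp_line(line: str) -> Optional[ArpRequest]:
    """Parse one constructed ARP record; return None for lines that do not match."""
    m = ARP_LINE_RE.match(line.strip())
    if not m:
        return None
    return ArpRequest(int(m["vlan"]), m["sender_ip"], normalize_mac(m["sender_mac"]))


def find_rogues_on_wire(rogue_client_macs: List[str],
                        arp_lines: List[str]) -> Dict[str, List[ArpRequest]]:
    """The detector's matching step: every ARP sender MAC that is also on the
    controller's rogue client list is a rogue seen on the wired side.
    Returns {rogue_mac: [ARP requests that revealed it]}."""
    watch = {normalize_mac(m) for m in rogue_client_macs}
    hits: Dict[str, List[ArpRequest]] = {}
    for line in arp_lines:
        req = parse_arp_line(line)
        if req is not None and req.sender_mac in watch:
            hits.setdefault(req.sender_mac, []).append(req)
    return hits


def report(hits: Dict[str, List[ArpRequest]]) -> List[str]:
    """Render the 'rogue detected on the wired subnet' notification lines."""
    lines = []
    for mac in sorted(hits):
        vlans = sorted({r.vlan for r in hits[mac]})
        ips = sorted({r.sender_ip for r in hits[mac]})
        lines.append(f"rogue client {mac} seen on wired VLAN(s) {vlans} as {ips}")
    return lines


# Constructed sample input: the controller's rogue client list, in mixed notations
ROGUE_CLIENT_MACS = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d60", "AA-BB-CC-DD-EE-01"]

# Constructed sample ARP requests as seen on the detector's trunked VLANs
SAMPLE_ARP_LINES = """\
VLAN10 ARP who-has 10.0.10.1 tell 10.0.10.37 00:1a:2b:3c:4d:5e
VLAN10 ARP who-has 10.0.10.1 tell 10.0.10.12 00:50:56:00:11:22
VLAN20 ARP who-has 10.0.20.1 tell 10.0.20.88 001a.2b3c.4d60
VLAN30 ARP who-has 10.0.30.1 tell 10.0.30.5 d4:3d:7e:aa:bb:cc
this line is noise and is skipped
""".splitlines()

if __name__ == "__main__":
    for notification in report(find_rogues_on_wire(ROGUE_CLIENT_MACS, SAMPLE_ARP_LINES)):
        print(notification)
```

Running it prints one notification for each of the two rogue clients whose MAC appeared in wired ARP traffic and nothing for the third, which was only ever seen over the air. That is exactly the limit Dane asks about: a rogue that is not bridged onto your wire never produces a wired ARP hit, so this mode can only tell you about rogues that are.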

Received on Sat Aug 08 2009 - 21:40:04 ART

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:56 ART