Re: Cisco Wireless Rogue Containment

From: <Keegan.Holley_at_sungard.com>
Date: Sat, 8 Aug 2009 22:41:17 -0400

Correct. Although I've seen APs that can boost their signal strength to
make clients less likely to log on to it within a certain area. Beyond
that all they can do is log the authenticated clients.

Re: Cisco Wireless Rogue Containment
Dane Newman to: Keegan.Holley 08/08/09 10:32 PM
Sent by: nobody_at_groupstudy.com
Cc: Cisco certification, nobody
Please respond to Dane Newman

Thanks a lot for the reply.

But if there is security on the AP such as WPA or WEP, the AP cannot send
deauths, correct? In this case does it do anything to block the rogue AP?

On Sat, Aug 8, 2009 at 9:40 PM, <Keegan.Holley_at_sungard.com> wrote:

> Haven't touched wireless in a while so forgive me. I think the first one
> is referring to actually shutting down its own radio interface and then
> connecting again as a client and waiting for other clients to connect to
> the rogue. I wouldn't recommend doing this in an urban environment as it's
> a pretty good way to DOS the local Hyatt and possibly get sued. :) I'm not
> sure about the second example. I honestly never understood this myself.
> For example the wired NIC is going to have a different MAC than the
> wireless one so how is it going to be able to correlate the same client on
> the wired network? I've never tested containment using a client but I was
> under the impression that it sends the deauth requests fast enough so that
> your client never can pass traffic over the bad AP. Maybe your two rogue
> detectors are deauthing each other? The overall point is to keep sending
> deauth requests to clients until they authenticate to a non-rogue AP.
>
> *Cisco Wireless Rogue Containment*
> *Dane Newman* to: Cisco certification 08/08/09 08:01 PM
>
> Sent by: *nobody_at_groupstudy.com*
> *Please respond to Dane Newman*
>
> ------------------------------
>
> Hello Experts.
>
> So I have gotten around to play with Cisco wireless and I was curious if
> someone could help me understand how exactly the rogue containment works.
>
> I have found and read through this article
>
> http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml
>
> I have read this paragraph
>
> *"RLDP is an active approach, which is used when rogue AP has no
> authentication (Open Authentication) configured. This mode, which is
> disabled by default, instructs an active AP to move to the rogue channel
> and connect to the rogue as a client. During this time, the active AP
> sends deauthentication messages to all connected clients and then shuts
> down the radio interface. Then, it will associate to the rogue AP as a
> client."*
>
> I understand if the rogue is an open access point (no security) the system
> can send deauth packets to clients. How does it exactly shut down the
> radio? What does the last line mean, then it will associate to the rogue
> AP as a client? Does this mean if it comes back up it will associate again?
>
> Also I have read this below...
>
> *"This approach is used when rogue AP has some form of authentication,
> either WEP or WPA. When a form of authentication is configured on rogue
> AP, the Lightweight AP cannot associate because it does not know the key
> configured on the rogue AP. The process begins with the controller when it
> passes on the list of rogue client MAC addresses to an AP that is
> configured as a rogue detector. The rogue detector scans all connected and
> configured subnets for ARP requests, and ARP searches for a matching Layer
> 2 address. If a match is discovered, the controller notifies the network
> administrator that a rogue is detected on the wired subnet."*
>
> So when the rogue is secured I understand that it cannot connect
> wirelessly. From what I am reading (please let me know if I am
> understanding it correctly) access points can be put in rogue detector
> mode and trunked with all VLANs. It then can only notify you that a rogue
> is connected to the wired network? What if the rogue is not connected to
> your wired network? Can anything be done to block the rogue then?
>
> I have a 2106 controller and I am playing with it at the moment. I set it
> up with 2 CAPWAP APs and then set up a rogue AP in my home not connected
> to the wired network. I ran a constant ping before containing it and it
> was always below 1-2 MS response time. I then contained it using two APs
> and it started going over 500 MS + and dropping packets. Maybe it's just my
> imagination but I would like to know how it's blocking or giving poor
> performance to the rogue? Is it doing anything or just my imagination?
>
> Dane
>
>
> Blogs and organic groups at
> http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Blogs and organic groups at http://www.ccie.net
Received on Sat Aug 08 2009 - 22:41:17 ART
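
The wired-side check described in the quoted Cisco paragraph (matching ARP requests against the controller's rogue-client MAC list), as an added example that is not part of the thread and not Cisco's code. The function names, MAC addresses and IP addresses are constructed for illustration; 802.1Q tag handling is included because the detector AP sits on a trunk.

```python
import struct

ETH_ARP, ETH_DOT1Q = 0x0806, 0x8100

def parse_arp(frame):
    """Return (vlan, opcode, sender_mac, sender_ip) for an IPv4 ARP frame, else None."""
    if len(frame) < 14:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETH_DOT1Q:  # trunk port: frame carries a VLAN tag
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != ETH_ARP or len(frame) < offset + 28:
        return None  # not ARP, or truncated before the end of the ARP body
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None  # only Ethernet/IPv4 ARP is handled
    sha = frame[offset + 8:offset + 14]   # sender hardware (Layer 2) address
    spa = frame[offset + 14:offset + 18]  # sender protocol (IPv4) address
    return vlan, oper, ":".join(f"{b:02x}" for b in sha), ".".join(map(str, spa))

def find_wired_rogues(frames, rogue_client_macs):
    """Report ARP requests whose sender MAC is on the rogue-client list."""
    wanted = {m.lower() for m in rogue_client_macs}
    hits = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed and parsed[1] == 1 and parsed[2] in wanted:  # opcode 1 = request
            hits.append({"vlan": parsed[0], "mac": parsed[2], "ip": parsed[3]})
    return hits

def build_arp_request(src_mac, src_ip, dst_ip, vlan=None):
    """Build a constructed broadcast ARP request frame for the sample data below."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    tag = struct.pack("!HH", ETH_DOT1Q, vlan) if vlan is not None else b""
    eth = b"\xff" * 6 + sha + tag + struct.pack("!H", ETH_ARP)
    ip = lambda s: bytes(map(int, s.split(".")))
    return (eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
            + sha + ip(src_ip) + b"\x00" * 6 + ip(dst_ip))

# Constructed sample data: a rogue-client MAC list and three frames seen on the trunk.
ROGUE_CLIENT_MACS = ["02:00:00:AA:BB:01", "02:00:00:aa:bb:02"]
SAMPLE_FRAMES = [
    build_arp_request("02:00:00:00:00:10", "192.0.2.10", "192.0.2.1"),           # known host
    build_arp_request("02:00:00:aa:bb:01", "192.0.2.50", "192.0.2.1", vlan=20),  # rogue client
    build_arp_request("02:00:00:aa:bb:02", "192.0.2.51", "192.0.2.1")[:30],      # truncated
]
```

A match only occurs when the rogue bridges its wireless clients onto the wire, so that their wireless MACs appear as ARP senders; a rogue that routes or NATs its clients, or one not attached to the wired network at all, produces no hit.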

This archive was generated by hypermail 2.2.0 : Tue Sep 01 2009 - 05:43:56 ART