Tutorial by: NightShade1
Hello Everyone
To configure a L3 Rogue ap detection you need to know a few things before.
1-You can detect this with APS but the aps need to be in the same vlans, controller approach is just much better.
2-This just apply for a particular site, i mean if you want to rogue detect a remote site which you dont have a controller you can do it with an AP(but this is not covered in this tutorial
3-You will need to add the IPS/IDS license for Enforcement.
Enforcement can take different shapes, including containing rogue APs by performing denial-of-service (DoS) attacks wirelessly, ARP cache poisoning on the wire, shielding valid clients from connecting to rogue APs, and blacklisting cients so that they are
unable to attach to the WLAN
Lets begin!
To this to work what you need to do is:
1-Trunk all the vlans you want to monitor to the Controller and on the controller trunk them back to the switch
Now how do you know which VLANS you should trunk?
Well thats an easy question to answer... All the vlans that the end users has access to connect rogue APS. I mean you wont trunk vlans like Server vlans, or things like that which a end user on your company you know has no access.
So
Trunk all those vlans in which they got access.
Note: Remember, you need to create all these vlans on the controller even if you are not using it in them. LEt say you need to inspect vlan 10,11,12,13,14,15. Then this means you need to:
1-create those vlans on the controller
2-trunk them to the switch
3-Trunk them from the switch to the controller back.
Note:Normally i plug the controller to the clients Switch Core so i got access to all the vlans without doing too much in their network.
Good. Now after you did this you need to go to the CLI
POST 6.1.3.2
(Office_Controller) (config) #ids wms-general-profile
(Office_Controller) (IDS WMS General Profile) #learn-system-wired-macs
The command for PRE 6.1.3.2 you do it on the config i mean:
(Office_Controller) (config) #wms general learn-system-wired-macs enable
To check its on you issue the command
#show wms general
You will see something like this
General Attributes
------------------
Key Value
--- -----
poll-interval 60000
poll-retries 3
ap-ageout-interval 30
adhoc-ap-ageout-interval 5
sta-ageout-interval 30
learn-ap disable
persistent-neighbor enable
persistent-valid-sta disable
propagate-wired-macs enable
learn-system-wired-macs enable
stat-update enable
You will see learn-system-wired-mac enable
Now you need to wait for a while and you should start looking those rogues APS appering on your dashboard on security tab
Now remenber in the IPS /IDS configuration you have to put to contain automatically rogue APS
As a personal configuration i always put rogue ap containment on but i uncheck the suspected rogue ap containment... The Rogue APS is something that the controller is 100% sure its on your network! but a suspected rogue AP it could be a neighbor AP?
This is done on the AP group-->IDS-->IDS Unathorized Device
If you dont want to contain anything and you just want to know if you got Rogue APS, just uncheck rogue containment and also suspected rogue ap containment...
Note: As general rule here please DONT USE DEFAULT PROFILE to configure IDS/IPS Profiles in general, create new ones please. Sometimes you can do a misconfig and you can return to default withot any config easily and then look where you were mistaken. When i was starting to configure this, it was a great help for me, and i still doing it, i never toch default config for this. I always create a new one.
Cheers
Carlos
Hello Everyone
To configure a L3 Rogue ap detection you need to know a few things before.
1-You can detect this with APS but the aps need to be in the same vlans, controller approach is just much better.
2-This just apply for a particular site, i mean if you want to rogue detect a remote site which you dont have a controller you can do it with an AP(but this is not covered in this tutorial
3-You will need to add the IPS/IDS license for Enforcement.
Enforcement can take different shapes, including containing rogue APs by performing denial-of-service (DoS) attacks wirelessly, ARP cache poisoning on the wire, shielding valid clients from connecting to rogue APs, and blacklisting cients so that they are
unable to attach to the WLAN
Lets begin!
To this to work what you need to do is:
1-Trunk all the vlans you want to monitor to the Controller and on the controller trunk them back to the switch
Now how do you know which VLANS you should trunk?
Well thats an easy question to answer... All the vlans that the end users has access to connect rogue APS. I mean you wont trunk vlans like Server vlans, or things like that which a end user on your company you know has no access.
So
Trunk all those vlans in which they got access.
Note: Remember, you need to create all these vlans on the controller even if you are not using it in them. LEt say you need to inspect vlan 10,11,12,13,14,15. Then this means you need to:
1-create those vlans on the controller
2-trunk them to the switch
3-Trunk them from the switch to the controller back.
Note:Normally i plug the controller to the clients Switch Core so i got access to all the vlans without doing too much in their network.
Good. Now after you did this you need to go to the CLI
POST 6.1.3.2
(Office_Controller) (config) #ids wms-general-profile
(Office_Controller) (IDS WMS General Profile) #learn-system-wired-macs
The command for PRE 6.1.3.2 you do it on the config i mean:
(Office_Controller) (config) #wms general learn-system-wired-macs enable
To check its on you issue the command
#show wms general
You will see something like this
General Attributes
------------------
Key Value
--- -----
poll-interval 60000
poll-retries 3
ap-ageout-interval 30
adhoc-ap-ageout-interval 5
sta-ageout-interval 30
learn-ap disable
persistent-neighbor enable
persistent-valid-sta disable
propagate-wired-macs enable
learn-system-wired-macs enable
stat-update enable
You will see learn-system-wired-mac enable
Now you need to wait for a while and you should start looking those rogues APS appering on your dashboard on security tab
Now remenber in the IPS /IDS configuration you have to put to contain automatically rogue APS
As a personal configuration i always put rogue ap containment on but i uncheck the suspected rogue ap containment... The Rogue APS is something that the controller is 100% sure its on your network! but a suspected rogue AP it could be a neighbor AP?
This is done on the AP group-->IDS-->IDS Unathorized Device
If you dont want to contain anything and you just want to know if you got Rogue APS, just uncheck rogue containment and also suspected rogue ap containment...
Note: As general rule here please DONT USE DEFAULT PROFILE to configure IDS/IPS Profiles in general, create new ones please. Sometimes you can do a misconfig and you can return to default withot any config easily and then look where you were mistaken. When i was starting to configure this, it was a great help for me, and i still doing it, i never toch default config for this. I always create a new one.
Cheers
Carlos