Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

rogue AP removal

  • 1.  rogue AP removal

    Posted Sep 25, 2020 12:24 PM
    We're going through a SOC2 audit and the auditors are asking several questions about our rogue AP settings and configurations. We are running Aruba 315 APs, 8.6.0.4_74969, on Aruba Central.
    1. Rogue Access points Discovered During the Audit Period + Report Configurations/Parameters
    2. For a selection of rogue access points detection events, please provide ticket documentation noting that the event has been resolved appropriately by removing the rogue access point.
    1 is an easy answer, but 2 I'm not sure how or what to answer. I don't see any provision to actually remove a rogue, just protect from it. There is containment, but that's risky because we don't want to shut down our neighbor's wireless network. Is there a misunderstanding on how rogue detection/protection works on my or their part? I'm not a network admin and don't really have the chops for this, but I'm the closest thing our shop has to one, so any advice on this would be greatly appreciated.


  • 2.  RE: rogue AP removal

    Posted Sep 27, 2020 09:49 PM

    I don't believe I have the answers for you, but I will make a few comments that might help you understand some of this a little better. First off, there are different types of APs that can show up. Of course you have your own APs which are running your network. A rogue AP is officially an AP that is plugged into your network, but you do not manage it or support it (somebody else plugged it in). An interfering AP is any other AP that your network hears, and is not plugged into your network; so neighbor APs, or personal phones or hotspots are all interfering. You can't do anything with interfering APs; they have as much right to use the RF and advertise their networks as you have to advertise your networks.

    In most countries around the world, it is illegal to generate wireless signals to disconnect somebody from a network or to jam or interfere with RF signals. Therefore, containment methods such as deauthentication or tarpitting are most likely illegal. Wired containment methods are legal since they do not violate RF regulations.

    Looking at your items, I'm interpreting them (and I may be wrong) that item 1 is looking for discovery and reporting of information about any rogues that are found. Item 2 appears to be requesting documentation that you located the rogue and physically removed it from the network. At least that is how I am reading those requests.



  • 3.  RE: rogue AP removal

    Posted Sep 28, 2020 08:39 AM

    Thank you for the reply. This is showing on Central. The question is are clients prevented from connecting to this? I would assume so as it has been identified.

    [Attached screenshot: Screen Shot 2020-09-28 at 5.23.24 AM.png]



  • 4.  RE: rogue AP removal

    Posted Sep 28, 2020 09:37 AM

    This is just identifying that this is a Rogue. Clients cannot be prevented from connecting. The Rogue needs to be manually/physically removed.



  • 5.  RE: rogue AP removal

    Posted Sep 28, 2020 11:27 AM

    Thanks for the help. The rogue AP was a Wi-Fi printer at the reception desk.



  • 6.  RE: rogue AP removal

    Posted Sep 28, 2020 11:32 AM

    I noticed. You should go to it and turn off the Wi-Fi adapter on it if it is not being used. It is using up unnecessary RF by advertising its SSID. It can also be a potential security risk.



  • 7.  RE: rogue AP removal

    Posted Sep 28, 2020 01:13 PM

    What's puzzling to me is that I didn't get any alerts when the printer came online. I removed all the filters on the alert so hopefully it will alert me next time. These are the current settings. Previously I had Group, Label, and Site defined... maybe that filtered out the alert?

    [Attached screenshot: Screen Shot 2020-09-28 at 10.05.20 AM.png]



  • 8.  RE: rogue AP removal

    Posted Sep 29, 2020 12:43 PM

    I'm still trying to figure out why I'm not being alerted when a rogue AP is detected. I turned on the printer that was being detected as a rogue and it turns up as a rogue in Security > Rapids > Rogues, but I never get an alert that a rogue has been detected. I do have an alert set up for rogue detection; there is a screenshot of the settings in the previous post. I left all the filters blank in the settings and set it to alert on Major or higher and received no alerts. I also tried setting the alert to Warning but still no alerts. What else can I check/change to get an alert on detection?



  • 9.  RE: rogue AP removal

    Posted Sep 29, 2020 04:23 PM

    Looking at the documentation:

    "Rogue AP Detected—Generates an alert when a rogue Instant AP is detected. This alert is enabled by default and the alert severity is Major."

    Will it only alert on a rogue Instant AP and not a non-Instant AP, such as a printer for instance?