airdefense ADSP server - Rogue AP not showing up

froggy
New Contributor III

AirDefense VM ADSP server, WIPS v10.5 build 10.5.0-05, hotfixes: a6

Hello, 

I'm using a Netgear Nighthawk wireless router to test AirDefense rogue detection and termination. I get the alarms we configured, like "unsanctioned BSS using sanctioned BSS" and "sanctioned WPA3 SSID name same as unsanctioned WPA2 BSS", and a lot of other alarms, but I never get the Rogue AP alarm. I verified that the AP has the WIPS license and that the Air Termination System and Policy Based Air-Termination System options are checked.

Also, after my phone connects to my rogue AP I try to do air termination manually, but I get the error "unable to terminate device: FCC check failed or device not authorized or device not rogue".

I'm doing this by clicking on the alarm > 3 dots > Terminate option. I've attached some screenshots.

I have some filters on the Alarm Action Manager rule I created that's supposed to trigger air termination. I'm almost certain that the filters are going to be wrong, but I think I should at least see this AP showing up as a BSS and as a Rogue AP?

We have a device action rule that classifies our APs as sanctioned, we have both of our controllers communicating with AirDefense, and all our APs are showing up. I can see neighbor BSSs and other stuff.

I have this Netgear AP set as an access point connected to my switch, and I am able to connect with my phone using the same SSID as our corporate one.


We are using AP4000 APs with the 3rd radio set as a sensor while the other 2 are being used for client connections.

 

1 ACCEPTED SOLUTION

ckelly
Extreme Employee

Generally, AirDefense will need to see some traffic from the suspected rogue device (AP or client), whether wired or wireless, in order to trigger one of the rogue alerts. Just plugging in an AP and not associating any clients to it will normally not be enough.

Additionally, for some of the rogue alarm types (there is more than one type of rogue alarm, based on the method AirDefense used to recognise that the suspected device is in fact passing traffic onto your wired network), AirDefense needs to have at least one of your legitimate APs already classified as Sanctioned and present on the same network segment as the suspected rogue AP, so that it can 'learn' certain traffic patterns that it can use to compare against the suspected rogue.

 

So my recommendations:

1) Sanction one of your APs on that same network segment as the Netgear

2) Connect a wireless client to the Sanctioned AP and ensure traffic is being passed back and forth for a short time

3) Connect a wireless client to the Netgear (the Netgear should be classified as Unsanctioned, otherwise it will NEVER generate a rogue alarm) and pass traffic from the client for a short time: browse the Internet or something similar.

 

You should see at least one of the rogue alarm types generate for the Netgear at this point, possibly multiple types.

Once you see those alarms generating, you can then begin constructing your Alarm Action Manager rule, as you've shown, to be specific about when that alarm is acted upon. (Your current rule has filters that I highly suspect are not going to match in the way that you desire.)

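To make the reasoning in the accepted answer concrete, here is an added illustration (written for this page, not AirDefense code, and not a description of AirDefense's actual detection algorithm) of one generic class of "rogue on wire" check: correlate the MAC addresses of clients seen associating to an unsanctioned BSS over the air with source MACs seen on a wired segment that the WIPS already baselines through a Sanctioned AP. It shows why a beaconing-only Netgear, a Netgear that is still classified Sanctioned, or a Netgear on a segment with no Sanctioned AP would not raise the alarm, while an Unsanctioned Netgear with a client pushing traffic onto the baselined VLAN would. All device names, MACs, VLAN labels and frame counts are constructed sample data; the scoring rules are assumptions for illustration only.

```python
"""Generic wired/wireless correlation check for rogue-AP detection.

Added example for this thread; it is NOT Extreme AirDefense code and does
not claim to reproduce AirDefense's own rogue-alarm logic. It models the
conditions the accepted answer lists: the BSS must be classified
Unsanctioned, a client must actually pass data through it, and that
traffic must surface on a wired segment the WIPS already knows through a
Sanctioned AP. Every input below is constructed sample data.
"""
from dataclasses import dataclass, field


def normalize(mac: str) -> str:
    """Canonical MAC form so wired and wireless observations compare equal."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class WirelessObs:
    """What a sensor radio saw for one BSS (assumed data model)."""
    bssid: str
    classification: str                      # "sanctioned" | "unsanctioned" | "neighbor"
    clients: dict = field(default_factory=dict)   # client MAC -> data frames observed


@dataclass
class WiredObs:
    """Source MACs observed on one wired segment (assumed data model)."""
    segment: str                             # VLAN / subnet label
    src_macs: set


def rogue_on_wire(bss: WirelessObs, wired: list, sanctioned_segments: set):
    """Return (is_rogue_on_wire, reason) for one BSS.

    sanctioned_segments: wired segments on which at least one Sanctioned AP
    has been seen, i.e. segments the WIPS has a traffic baseline for.
    """
    if bss.classification == "sanctioned":
        return False, "sanctioned devices never raise a rogue alarm"
    if bss.classification != "unsanctioned":
        return False, f"classification {bss.classification!r} is not eligible"

    # Only clients that actually pushed data frames count; association alone
    # (or a bare beacon with no clients) produces no wired-side evidence.
    active = {normalize(m) for m, frames in bss.clients.items() if frames > 0}
    if not active:
        return False, "no associated client passing data frames"

    for seg in wired:
        hits = active & {normalize(m) for m in seg.src_macs}
        if not hits:
            continue
        if seg.segment in sanctioned_segments:
            return True, f"client {sorted(hits)[0]} seen on baselined segment {seg.segment}"
        return False, f"client seen on {seg.segment}, but no Sanctioned AP baselines that segment"
    return False, "client traffic not observed on any monitored wired segment"


def sample_scenarios() -> dict:
    """Constructed scenarios mirroring the thread; returns name -> (verdict, reason)."""
    sanctioned_segments = {"vlan10"}          # AP4000 fleet lives on vlan10 (assumed)
    netgear = "aa:bb:cc:00:00:01"             # constructed BSSID
    phone = "de:ad:be:ef:00:01"               # constructed client MAC

    beacon_only = WirelessObs(netgear, "unsanctioned")
    with_client = WirelessObs(netgear, "unsanctioned", {phone: 120})
    still_sanctioned = WirelessObs(netgear, "sanctioned", {phone: 120})

    wired_vlan10 = [WiredObs("vlan10", {"DE:AD:BE:EF:00:01", "11:22:33:44:55:66"})]
    wired_vlan20 = [WiredObs("vlan20", {phone})]   # no Sanctioned AP on this segment

    return {
        "beacon_only": rogue_on_wire(beacon_only, wired_vlan10, sanctioned_segments),
        "client_same_segment": rogue_on_wire(with_client, wired_vlan10, sanctioned_segments),
        "client_other_segment": rogue_on_wire(with_client, wired_vlan20, sanctioned_segments),
        "still_sanctioned": rogue_on_wire(still_sanctioned, wired_vlan10, sanctioned_segments),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in sample_scenarios().items():
        print(f"{name:22s} rogue_on_wire={verdict!s:5s} ({reason})")
```

The "client_other_segment" case is the situation asked about in the follow-up: a client is clearly passing traffic, but without a Sanctioned AP on that VLAN there is nothing to compare against, so this style of check stays silent and you would need either a Sanctioned AP or a sensor with wired visibility on that segment.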

5 REPLIES

froggy
New Contributor III

Thanks for your answer.

We currently have FA enabled in our main sites (not remote sites), and our APs are placed on a specific VLAN. We have configured a Device Action Manager rule to sanction our AP4000 APs, with the "devicepolled" filter set to true and the action set to classify them as sanctioned devices. So all the APs should be sanctioned after being imported from our controllers.

A few more questions:

1) Right now my test Netgear AP is on a different subnet. Can I place the Netgear AP on the same VLAN as the AP4000s so it can generate the alarms, so that I can then build the Alarm Action Manager rule based on those alarms?

2) After the alarm is configured (assuming it is correctly configured), will the correct alarm and action be triggered if I connect the Netgear AP on a different subnet? If not, what can I do so this can happen on a different network segment?

3) How can I classify the Netgear AP as an unsanctioned AP?

4) Since we have multiple VLANs across our network, how is this going to work in the future if someone does connect a rogue AP to the network, given that the rogue AP will be on a different network segment?
