User's Manual
Table Of Contents
- Chapter 1: Introduction 1-1
- Chapter 1: Introduction
- Chapter 2: Hardware Installation
- Chapter 3: Network Configuration
- Chapter 4: Initial Configuration
- Chapter 5: System Configuration
- Chapter 6: Command Line Interface
- Using the Command Line Interface
- Entering Commands
- Command Groups
- General Commands
- System Management Commands
- System Logging Commands
- System Clock Commands
- DHCP Relay Commands
- SNMP Commands
- snmp-server community
- snmp-server contact
- snmp-server location
- snmp-server enable server
- snmp-server host
- snmp-server trap
- snmp-server engine-id
- snmp-server user
- snmp-server targets
- snmp-server filter
- snmp-server filter-assignments
- show snmp groups
- show snmp users
- show snmp group-assignments
- show snmp target
- show snmp filter
- show snmp filter-assignments
- show snmp
- Flash/File Commands
- RADIUS Client
- 802.1X Authentication
- MAC Address Authentication
- Filtering Commands
- WDS Bridge Commands
- Spanning Tree Commands
- Ethernet Interface Commands
- Wireless Interface Commands
- interface wireless
- vap
- speed
- multicast-data-rate
- channel
- transmit-power
- radio-mode
- preamble
- antenna control
- antenna id
- antenna location
- beacon-interval
- dtim-period
- fragmentation-length
- rts-threshold
- super-g
- description
- ssid
- closed-system
- max-association
- assoc-timeout-interval
- auth-timeout-value
- shutdown
- show interface wireless
- show station
- Rogue AP Detection Commands
- Wireless Security Commands
- Link Integrity Commands
- IAPP Commands
- VLAN Commands
- WMM Commands
- Appendix A: Troubleshooting
- Appendix B: Cables and Pinouts
- Appendix C: Specifications
- Glossary
- Index
System Configuration
5-56
5
Rogue AP – A “rogue AP” is either an access point that is not authorized to
participate in the wireless network, or an access point that does not have the correct
security configuration. Rogue APs can allow unauthorized access to the network, or
fool client stations into mistakenly associating with them and thereby blocking
access to network resources.
The access point can be configured to periodically scan all radio channels and find
other access points within range. A database of nearby access points is maintained
where any rogue APs can be identified. During a scan, Syslog messages (see
“Enabling System Logging” on page 5-32) are sent for each access point detected.
Rogue access points can be identified by unknown BSSID (MAC address) or SSID
configuration.
• AP Detection – Enables the periodic scanning for other access points.
(Default: Disable)
• AP Scan Interval – Sets the time between each rogue AP scan. (Range: 30 -10080
minutes; Default: 720 minutes)
• AP Scan Duration – Sets the length of time for each rogue AP scan. A long scan
duration time will detect more access points in the area, but causes more disruption
to client access. (Range: 100 -1000 milliseconds; Default: 350 milliseconds)
• Rogue AP Authenticate – Enables or disables RADIUS authentication. Enabling
RADIUS Authentication allows the access point to discover rogue access points.
With RADIUS authentication enabled, the access point checks the MAC address/
Basic Service Set Identifier (BSSID) of each access point that it finds against a
RADIUS server to determine whether the access point is allowed. With RADIUS
authentication disabled, the access point can detect its neighboring access points
only; it cannot identify whether the access points are allowed or are rogues. If you
enable RADIUS authentication, you must configure a RADIUS server for this
access point (see “RADIUS” on page 5-7).
• Scan AP Now – Starts an immediate rogue AP scan on the radio interface.
(Default: Disable)
Note: While the access point scans a channel for rogue APs, wireless clients will not be
able to connect to the access point. Therefore, avoid frequent scanning or scans
of a long duration unless there is a reason to believe that more intensive scanning
is required to find a rogue AP.
CLI Commands for Rogue AP Detection – From the global configuration mode,
enter the interface wireless command to access the 802.11g radio interface. From
the wireless interface mode, use the rogue-ap enable command to enable rogue
AP detection. Set the duration and interval times with the rogue-ap duration and
rogue-ap interval commands. If required, start an immediate scan using the