Technical data
184 Meru System Director Configuration Guide © 2012 Meru Networks, Inc.
To prevent clients of unauthorized APs from accessing your network, enable the
options for both scanning for the presence of rogue APs and mitigating the client
traffic originating from them. These features are set globally from either the CLI or
Web UI, with the controller managing the lists of allowable and blocked WLAN BSSIDs
and coordinating the set of APs (the mitigating APs) that perform mitigation when a
rogue AP is detected.
As a result of the channel scan, a list of rogue APs is compiled and sent by the
controller to a number of mitigating APs that are closest to the rogue AP. Mitigating
APs send mitigation (deauth) frames to the rogue AP where clients are associated to
remove those clients from the network. The presence of the rogue AP generates
alarms that are noted on the Web UI monitoring dashboard and via syslog alarm
messages, so the administrator is aware of the situation and can then remove the
offending AP or update the configuration list.
Rogue scanning can be configured so that it is a dedicated function of a radio on a
dual-radio AP or a part-time function of the same radio that also serves clients. When
rogue AP scanning (detection) is enabled, for any given period, an AP spends part of
the time scanning channels and part of the time performing normal AP WLAN operations
on the home channel. This scan/operate cycle, which occurs on a designated
AP or an AP interface without assigned stations, ensures there is no network operation
degradation.
For AP300/AP400 and AP1000, each radio is dual band (supports both 2.4GHz and
5.0GHz) and capable of scanning for all channels and all bands when configured as a
dedicated scanning radio. For AP150, each radio is single band and scans only the
band it is designed for. As access points are discovered, their BSSID is compared to an
AP access control list of BSSIDs. An access point might be known, blocked, or nonexistent
on the access control list. A “known” AP is considered authorized because that
particular BSSID was entered into the list by the system administrator. A “selected”
AP is blocked by the Meru Wireless LAN System as an unauthorized AP. The Meru WLAN
also reports other APs that are not on the access control list; these APs trigger alerts
to the admin console until the AP is designated as known or selected in the access
control list. For example, a third-party BSS is detected as a rogue unless it is added
to the access control list.
Meru APs also detect rogue APs by observing traffic either from the access point or
from a wireless station associated to a rogue. This enables the system to discover a
rogue AP when the rogue is out of range, but one or more of the wireless stations
associated to it are within range.
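The classification flow described above (compare each discovered BSSID against the access control list, raise an alarm for blocked and unlisted APs, and hand the blocked ones to the scanning APs that hear them most strongly) can be modelled in a few lines. The following is an added example written for this page; it is not Meru's code and does not reproduce the controller's real algorithm. The scan reports, the ACL contents, the AP names and the alarm strings are all constructed sample data, the "closest" mitigating APs are picked by observed RSSI as an assumption, and only BSSIDs explicitly blocked in the ACL are assigned mitigating APs (the page does not say whether unlisted APs are also mitigated, so the model leaves them at alarm-only). It also covers the case from the last paragraph, where a rogue is detected only through one of its associated stations.

```python
"""Model of rogue-AP classification and alarm generation (added example, not Meru code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class AclStatus(Enum):
    KNOWN = "known"        # authorized: the administrator entered this BSSID
    BLOCKED = "blocked"    # the guide's "selected" entries: unauthorized, to be mitigated
    UNLISTED = "unlisted"  # not on the list at all: reported until designated


@dataclass(frozen=True)
class ScanReport:
    """One observation made by a scanning radio (constructed sample format)."""
    scanning_ap: str   # name of the AP whose radio made the observation
    bssid: str
    rssi_dbm: int      # less negative means the observer is closer to the rogue
    seen_via: str      # "beacon": the AP itself was heard; "station": only one of its clients


@dataclass
class RogueVerdict:
    bssid: str
    status: AclStatus
    alarm: Optional[str]          # None when nothing needs the administrator's attention
    mitigating_aps: List[str]     # APs that would be told to mitigate (empty if none)


def normalize_bssid(bssid: str) -> str:
    """Canonical lower-case colon form so list entries match regardless of input style."""
    return bssid.strip().lower().replace("-", ":")


def classify(bssid: str, known: Set[str], blocked: Set[str]) -> AclStatus:
    """Look a discovered BSSID up in the access control list (sets hold normalized BSSIDs)."""
    b = normalize_bssid(bssid)
    if b in blocked:
        return AclStatus.BLOCKED
    if b in known:
        return AclStatus.KNOWN
    return AclStatus.UNLISTED


def select_mitigating_aps(reports: List[ScanReport], max_aps: int) -> List[str]:
    """Pick the scanning APs closest to the rogue; closeness is approximated by best RSSI (assumption)."""
    best: Dict[str, int] = {}
    for r in reports:
        best[r.scanning_ap] = max(best.get(r.scanning_ap, -999), r.rssi_dbm)
    ranked = sorted(best.items(), key=lambda kv: kv[1], reverse=True)
    return [ap for ap, _ in ranked[:max_aps]]


def evaluate(reports: List[ScanReport], known: Set[str], blocked: Set[str],
             max_mitigators: int = 2) -> Dict[str, RogueVerdict]:
    """Produce one verdict per discovered BSSID: ACL status, alarm text, mitigating APs."""
    known = {normalize_bssid(b) for b in known}
    blocked = {normalize_bssid(b) for b in blocked}
    by_bssid: Dict[str, List[ScanReport]] = {}
    for r in reports:
        by_bssid.setdefault(normalize_bssid(r.bssid), []).append(r)

    verdicts: Dict[str, RogueVerdict] = {}
    for bssid, obs in by_bssid.items():
        status = classify(bssid, known, blocked)
        # A rogue heard only through an associated station may itself be out of range.
        how = "directly" if any(o.seen_via == "beacon" for o in obs) else "via an associated station only"
        if status is AclStatus.KNOWN:
            verdicts[bssid] = RogueVerdict(bssid, status, None, [])
        elif status is AclStatus.BLOCKED:
            alarm = f"ROGUE_AP_BLOCKED bssid={bssid} seen {how}"
            verdicts[bssid] = RogueVerdict(bssid, status, alarm,
                                           select_mitigating_aps(obs, max_mitigators))
        else:
            alarm = f"UNKNOWN_AP bssid={bssid} seen {how}; designate it as known or selected"
            verdicts[bssid] = RogueVerdict(bssid, status, alarm, [])
    return verdicts


# Constructed sample ACL and scan reports (not real devices).
SAMPLE_KNOWN = {"00:11:22:33:44:55"}
SAMPLE_BLOCKED = {"66-77-88-99-AA-BB"}      # mixed style on purpose; normalization handles it
SAMPLE_REPORTS = [
    ScanReport("AP-1", "00:11:22:33:44:55", -50, "beacon"),
    ScanReport("AP-1", "66:77:88:99:aa:bb", -70, "beacon"),
    ScanReport("AP-2", "66:77:88:99:aa:bb", -55, "beacon"),
    ScanReport("AP-3", "66:77:88:99:aa:bb", -80, "station"),
    ScanReport("AP-2", "de:ad:be:ef:00:01", -60, "station"),  # rogue itself never heard
]

if __name__ == "__main__":
    for v in evaluate(SAMPLE_REPORTS, SAMPLE_KNOWN, SAMPLE_BLOCKED).values():
        print(f"{v.bssid} {v.status.value:8} alarm={v.alarm!r} mitigators={v.mitigating_aps}")
```

Running the module prints one line per discovered BSSID: the known AP stays silent, the blocked AP raises an alarm and is assigned AP-2 and AP-1 (the two strongest observers), and the unlisted BSSID, heard only through a client, raises an alarm asking the administrator to designate it.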
The following topics are covered in this chapter:
Configuring Rogue AP Mitigation with Web UI
Configuring Rogue AP Detection Using the CLI
Modifying Detection and Mitigation CLI Settings
Troubleshooting Rogue Mitigation