Rogue AP Detection
4-28 Advanced Configuration
• RADIUS Authentication enables the access point to discover rogue access points. Enabling RADIUS Authentication causes the access point to check the MAC address/Basic Service Set Identifier (BSSID) of each access point that it finds against a RADIUS server to determine whether the access point is allowed. With RADIUS authentication disabled, the access point can identify its neighboring access points only; it cannot identify whether the access points are allowed or are rogues. If you enable RADIUS authentication, you must configure a RADIUS server for this access point.
• AP Scan Interval specifies the wait-time between scans. Range: 30 to 10080 minutes. Default: 720 minutes between scans.
• AP Scan Duration sets the length of time for each rogue AP scan. A long scan duration time will detect more access points in the area, but causes more disruption to client access. Range: 100-1000 milliseconds. Default: 350 milliseconds.
• Scan Now button starts an immediate rogue AP scan for the specified radio interface.
• Scan All button scans for all 802.11a and 802.11b/g interfaces.
Using the CLI to Configure Rogue AP Detection
Use the rogue-ap command to detect neighboring access points and access points that are not authorized to participate on the network. Use the interface-a command to set access point detection parameters for 802.11a interfaces. Use the interface-g command to set access point detection parameters for 802.11b/g interfaces. Set up the rogue AP feature by specifying the scan duration; interduration (amount of time to make frequency channels active to clients); and the interval between scans. To use rogue AP detection, enable radius authentication using the radius command. To initiate a Rogue AP scan for all interfaces, use the scan command. Use the show rogue-ap command from the Executive mode to view interface-a and interface-g settings and to view scan results for both interfaces.
Example
RoamAbout 4102#configure
Enter configuration commands, one per line. End with CTRL/Z
RoamAbout 4102(config)#rogue-ap radius enable
RoamAbout 4102(config)#rogue-ap interface-g enable
configure either syslog or trap or both to receive the rogue APs detected.
RoamAbout 4102(config)#rogue-ap interface-g duration 200
RoamAbout 4102(config)#rogue-ap interface-g interval 120
RoamAbout 4102(config)#rogue-ap interface-g interduration 2000
RoamAbout 4102(config)#rogue-ap interface-g scan
RoamAbout 4102(config)#exit
RoamAbout 4102#show rogue-ap
802.11a : Rogue AP Setting
========================================================================
Rogue AP Detection : Disabled
Rogue AP Authentication : Enabled
Rogue AP Scan Interval : 720 minutes
Rogue AP Scan Duration : 350 milliseconds
Rogue AP Scan InterDuration: 3000 milliseconds
Note: While the access point scans a channel for neighbor APs, wireless clients will not be able to
connect to the access point. Frequent scans, or scans of long duration, will degrade the
access point's performance. Therefore, avoid frequent or long scans unless
there is a reason to believe that more intensive scanning is required to find a rogue AP.
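As an added example (not part of the manual), this Python check audits a saved CLI transcript against the ranges documented above and flags an interface that has detection enabled while RADIUS authentication is not. The function name and the second transcript are constructed for illustration; interduration is parsed but not range-checked because this page gives no range for it.

```python
import re

# Ranges as documented on this page (interval in minutes, duration in milliseconds).
LIMITS = {"interval": (30, 10080), "duration": (100, 1000)}
CMD = re.compile(r"rogue-ap\s+(radius|interface-[ag])\s+(\S+)(?:\s+(\d+))?\s*$")

# Commands taken from the CLI example above.
PAGE_EXAMPLE = """RoamAbout 4102(config)#rogue-ap radius enable
RoamAbout 4102(config)#rogue-ap interface-g enable
RoamAbout 4102(config)#rogue-ap interface-g duration 200
RoamAbout 4102(config)#rogue-ap interface-g interval 120
RoamAbout 4102(config)#rogue-ap interface-g interduration 2000
"""

# Constructed transcript: no RADIUS command, values outside the documented ranges.
CONSTRUCTED_BAD = """RoamAbout 4102(config)#rogue-ap interface-a enable
RoamAbout 4102(config)#rogue-ap interface-a duration 5000
RoamAbout 4102(config)#rogue-ap interface-a interval 10
"""

def audit_rogue_ap(transcript):
    """Return a list of findings for the rogue-ap commands in a transcript."""
    radius = False
    enabled = set()          # interfaces with detection enabled
    findings = []
    for line in transcript.splitlines():
        m = CMD.search(line)
        if not m:
            continue         # prompts, device messages, show commands
        target, word, value = m.groups()
        if target == "radius":
            radius = radius or word == "enable"
        elif word == "enable":
            enabled.add(target)
        elif word in LIMITS and value is not None:
            lo, hi = LIMITS[word]
            if not lo <= int(value) <= hi:
                findings.append(f"{target}: {word} {value} outside {lo}-{hi}")
    # Without RADIUS the AP lists neighbors but cannot tell allowed from rogue.
    for name in sorted(enabled):
        if not radius:
            findings.append(f"{name}: detection enabled without RADIUS "
                            "authentication; neighbors cannot be classified")
    return findings

if __name__ == "__main__":
    for label, text in (("page", PAGE_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(label, audit_rogue_ap(text) or "no findings")
```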