The controller software enables you to create rules that can organize and display rogue access points as Friendly, Malicious, or Unclassified.

By default, none of the classification rules are enabled. Therefore, all unknown access points are categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the unclassified access points are reclassified. Whenever you change a rule, it is applied to all access points (friendly, malicious, and unclassified) in the Alert state only.

If you manually move any rogue or ad hoc rogue to Unclassified and the Alert state, the rogue is returned to the default state. Rogue rules apply to all rogues that are manually moved to Unclassified and the Alert state.
Note: Rule-based rogue classification does not apply to ad hoc rogues and rogue clients.

Note: You can configure up to 64 rogue classification rules per controller.
When the controller receives a rogue report from one of its managed access points, it responds as follows:

- The controller verifies that the unknown access point is in the friendly MAC address list. If it is, the controller classifies the access point as Friendly.
- If the unknown access point is not in the friendly MAC address list, the controller starts applying rogue classification rules.
- If the rogue is already classified as Malicious (Alert) or Friendly (Internal or External), the controller does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically only if the rogue is in the Alert state.
- The controller applies the first rule based on priority. If the rogue access point matches the criteria specified by the rule, the controller classifies the rogue according to the classification type configured for the rule.
- If the rogue access point does not match any of the configured rules, the controller classifies the rogue as Unclassified.
- The controller repeats the previous steps for all rogue access points.
- If RLDP determines that the rogue access point is on the network, the controller marks the rogue state as Threat and classifies it as Malicious automatically, even if no rules are configured. You can then manually contain the rogue (unless you have configured RLDP to automatically contain the rogue), which changes the rogue state to Contained. If the rogue access point is not on the network, the controller marks the rogue state as Alert, and you can manually contain the rogue.
- If desired, you can manually move the access point to a different classification type and rogue state.
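The decision flow above, as an added Python model (not Cisco code): it assumes rule priority is a number where a lower value is applied first, that the friendly MAC list takes precedence over the RLDP result, that a rule-classified rogue enters the Alert state, and that rule conditions are plain predicates; the SSID-based rules and MAC addresses are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

@dataclass
class Rogue:
    mac: str
    ssid: str
    classification: str = "Unclassified"  # Friendly / Malicious / Unclassified
    state: str = "Alert"                   # Alert, Threat, Contained, Pending, ...
    on_network: bool = False               # result of the RLDP check

@dataclass
class Rule:
    name: str
    priority: int                     # lower value is applied first (assumption)
    classify_as: str                  # "Friendly" or "Malicious"
    matches: Callable[[Rogue], bool]  # hypothetical condition predicate
    enabled: bool = True

MAX_RULES = 64  # per-controller limit stated on the page

# (classification, state) pairs the controller never reclassifies automatically
FROZEN = {("Malicious", "Alert"), ("Friendly", "Internal"), ("Friendly", "External")}

def classify(rogue: Rogue, friendly_macs, rules) -> Tuple[str, str]:
    """Return (classification, state) after one rogue report is processed."""
    if len(rules) > MAX_RULES:
        raise ValueError("at most 64 classification rules per controller")
    # Friendly MAC list wins; the state is left as reported (assumption).
    if rogue.mac.lower() in {m.lower() for m in friendly_macs}:
        return ("Friendly", rogue.state)
    # RLDP: a rogue seen on the wired network is Malicious/Threat even with no rules.
    if rogue.on_network:
        return ("Malicious", "Threat")
    # Existing classifications are only revisited while the rogue is in Alert.
    if (rogue.classification, rogue.state) in FROZEN or rogue.state != "Alert":
        return (rogue.classification, rogue.state)
    # The highest-priority enabled rule that matches decides.
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.enabled and rule.matches(rogue):
            return (rule.classify_as, "Alert")
    # Nothing matched: default classification.
    return ("Unclassified", "Alert")

# Constructed sample data, not taken from any real deployment.
FRIENDLY_MACS = ["00:11:22:33:44:55"]
RULES = [
    Rule("ssid-spoof", 1, "Malicious", lambda r: r.ssid == "corp-wifi"),
    Rule("cafe-next-door", 2, "Friendly", lambda r: r.ssid.startswith("cafe-")),
]
```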
Table 1. Classification Mapping

Friendly
- Internal—If the unknown access point is inside the network and poses no threat to WLAN security, you would manually configure it as Friendly, Internal. An example is the access points in your lab network.
- External—If the unknown access point is outside the network and poses no threat to WLAN security, you would manually configure it as Friendly, External. An example is an access point that belongs to a neighboring coffee shop.
- Alert—The unknown access point is moved to Alert if it is not in the neighbor list or in the user-configured friendly MAC list.

Malicious
- Alert—The unknown access point is moved to Alert if it is not in the neighbor list or in the user-configured friendly MAC list.
- Threat—The unknown access point is found to be on the network and poses a threat to WLAN security.
- Contained—The unknown access point is contained.
- Contained Pending—The unknown access point is marked Contained, but the action is delayed due to unavailable resources.

Unclassified
- Pending—On first detection, the unknown access point is put in the Pending state for 3 minutes. During this time, the managed access points determine if the unknown access point is a neighbor access point.
- Alert—The unknown access point is moved to Alert if it is not in the neighbor list or in the user-configured friendly MAC list.
- Contained—The unknown access point is contained.
- Contained Pending—The unknown access point is marked Contained, but the action is delayed due to unavailable resources.
The classification and state of the rogue access points are configured as follows:

- From Known to Friendly, Internal
- From Acknowledged to Friendly, External
- From Contained to Malicious, Contained
As mentioned previously, the controller can automatically change the classification type and rogue state of an unknown access point based on user-defined rules, or you can manually move the unknown access point to a different classification type and rogue state.
Table 2. Allowable Classification Type and Rogue State Transitions

| From | To |
|---|---|
| Friendly (Internal, External, Alert) | Malicious (Alert) |
| Friendly (Internal, External, Alert) | Unclassified (Alert) |
| Friendly (Alert) | Friendly (Internal, External) |
| Malicious (Alert, Threat) | Friendly (Internal, External) |
| Malicious (Contained, Contained Pending) | Malicious (Alert) |
| Unclassified (Alert, Threat) | Friendly (Internal, External) |
| Unclassified (Contained, Contained Pending) | Unclassified (Alert) |
| Unclassified (Alert) | Malicious (Alert) |
If the rogue state is Contained, you have to uncontain the rogue access point before you can change the classification type. If you want to move a rogue access point from Malicious to Unclassified, you must delete the access point and allow the controller to reclassify it.
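Table 2 and the two constraints in this paragraph, encoded as an added Python check (not Cisco code) that a management script could run before requesting a manual move; the From/To reading of the table and the reason strings are this example's own.

```python
from typing import Set, Tuple

Pair = Tuple[str, str]  # (classification type, rogue state)

# Table 2, row for row: (from type, from states, to type, to states)
TABLE2 = [
    ("Friendly", ("Internal", "External", "Alert"), "Malicious", ("Alert",)),
    ("Friendly", ("Internal", "External", "Alert"), "Unclassified", ("Alert",)),
    ("Friendly", ("Alert",), "Friendly", ("Internal", "External")),
    ("Malicious", ("Alert", "Threat"), "Friendly", ("Internal", "External")),
    ("Malicious", ("Contained", "Contained Pending"), "Malicious", ("Alert",)),
    ("Unclassified", ("Alert", "Threat"), "Friendly", ("Internal", "External")),
    ("Unclassified", ("Contained", "Contained Pending"), "Unclassified", ("Alert",)),
    ("Unclassified", ("Alert",), "Malicious", ("Alert",)),
]
CONTAINED = {"Contained", "Contained Pending"}

def allowed_targets(classification: str, state: str) -> Set[Pair]:
    """Every (type, state) pair reachable from the given pair in one manual move."""
    return {(to_type, to_state)
            for f_type, f_states, to_type, to_states in TABLE2
            if f_type == classification and state in f_states
            for to_state in to_states}

def check_move(current: Pair, target: Pair) -> Tuple[bool, str]:
    """Return (ok, reason) for a requested manual move; run it before sending the request."""
    cur_type, cur_state = current
    tgt_type, _ = target
    # A contained rogue must be uncontained (moved to Alert) before its type changes.
    if cur_state in CONTAINED and tgt_type != cur_type:
        return False, "uncontain the rogue first, then change the classification type"
    # Malicious -> Unclassified is not a move: delete the rogue and let it be reclassified.
    if cur_type == "Malicious" and tgt_type == "Unclassified":
        return False, "delete the rogue and let the controller reclassify it"
    if target in allowed_targets(cur_type, cur_state):
        return True, "allowed by Table 2"
    return False, "no Table 2 transition from %s/%s to %s/%s" % (current + target)
```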