Rogue Devices
Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using plain-text or other denial-of-service or man-in-the-middle attacks. For example, a hacker can use a rogue access point to capture sensitive information, such as usernames and passwords. The hacker can then transmit a series of Clear to Send (CTS) frames. This action mimics an access point, informing a particular client to transmit and instructing all the other clients to wait, which results in legitimate clients being unable to access network resources. Wireless LAN service providers have a strong interest in banning rogue access points from the air space.
Because rogue access points are inexpensive and readily available, employees sometimes plug unauthorized rogue access points into existing LANs and build ad hoc wireless networks without their IT department's knowledge or consent. These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. There is an increased chance of an enterprise security breach when wireless users connect to access points in the enterprise network.
The following are some guidelines to manage rogue devices:
- The access points are designed to serve associated clients. These access points spend relatively little time performing off-channel scanning: about 50 milliseconds on each channel. If you want to detect a large number of rogue APs and clients with high sensitivity, a monitor mode access point must be used. Alternatively, you can reduce the scan interval from 180 seconds to a lesser value, for example, 120 or 60 seconds, so that the radio goes off-channel more frequently, which improves the chances of rogue detection. However, the access point still spends only about 50 milliseconds on each channel.
- Rogue detection is disabled by default for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect many rogue devices.
- Client card implementation might reduce the effectiveness of containment. This normally happens when a client quickly reconnects to the network after receiving a "de-association/de-authentication" frame, so it might still be able to pass some traffic. However, the browsing experience of the rogue client is badly affected while it is contained.
- It is possible to classify and report rogue access points by using rogue states and user-defined classification rules that enable rogues to automatically move between states.
- Each controller limits the number of rogue containments to three per radio, and to six per radio for access points in monitor mode.
- When manual containment is performed using configuration, the rogue entry is retained even after the rogue entry expires.
- When a rogue entry expires, the managed access points are instructed to stop any active containment on it.
- When Validate Rogue AP Against AAA is enabled, the controller requests the AAA server for rogue AP classification at the configured interval.
- To validate a rogue AP against AAA, add the rogue AP MAC to the AAA user database with the relevant delimiter, with both the username and the password being the MAC address (with the relevant delimiter). The Access-Accept contains the Cisco-AV-pair with one of the following keywords:
  - rogue-ap-state = state
    Note
    Here, state can be one of: alert, contain, internal, external, or threat.
  - rogue-ap-class = class
    Note
    Here, class can be one of: unclassified, malicious, or friendly.
  The following are the allowed combinations of class and state:
  - unclassified: alert, contain, or threat.
  - malicious: alert, contain, or threat.
  - friendly: alert, internal, or external.
  If the Access-Accept has no rogue-ap-class AV-pair, or an invalid value of rogue-ap-class, the rogue client state is set to one of the following:
  - Contained, if the config is set to autocontain clients or untrusted AP.
  - Threat, otherwise.
  The RADIUS Access-Reject for rogue AP AAA validation is ignored.
- When Validate Rogue Clients Against AAA is enabled, the controller requests the AAA server for rogue client validation only once. As a result, if rogue client validation fails on the first attempt, the rogue client is no longer detected as a threat. To avoid this, add the valid client entries in the authentication server before enabling Validate Rogue Clients Against AAA.
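The AAA rules above (MAC as username and password, the two Cisco-AV-pair keywords, the allowed class/state combinations, the fallback for a missing or invalid class, and the ignored Access-Reject) are easy to get subtly wrong when writing the user database by hand. The following added example, which is not code from the guide or from the controller, models those rules in Python: `users_file_entry` renders a FreeRADIUS-style `users` entry (the file format and the `:` MAC delimiter are assumptions; the guide only says "relevant delimiter"), and `classify_rogue_ap` applies the decision rules to a received reply. Where the guide does not specify behaviour (a valid class paired with a state that is not allowed for it), the model raises an error instead of guessing.

```python
import re

# Allowed rogue-ap-class / rogue-ap-state combinations as listed in the guide.
ALLOWED_COMBINATIONS = {
    "unclassified": {"alert", "contain", "threat"},
    "malicious": {"alert", "contain", "threat"},
    "friendly": {"alert", "internal", "external"},
}


def is_allowed_combination(rogue_class, rogue_state):
    """True when the class/state pair is one the guide permits."""
    return rogue_state in ALLOWED_COMBINATIONS.get(rogue_class, ())


def format_mac(mac, delimiter=":"):
    """Normalise any common MAC notation (colons, dashes, Cisco dotted) to
    lowercase hex pairs joined by `delimiter`. Which delimiter the AAA server
    expects is deployment-specific, so ':' here is an assumption."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


def users_file_entry(mac, rogue_class, rogue_state, delimiter=":"):
    """Render a FreeRADIUS-style `users` entry (assumed format): username and
    password are both the delimited MAC, and the reply carries the two
    Cisco-AVPair keywords. Disallowed combinations are rejected here so the
    mistake is caught when the entry is written, not when the controller asks."""
    if not is_allowed_combination(rogue_class, rogue_state):
        raise ValueError(f"{rogue_class}/{rogue_state} is not an allowed combination")
    m = format_mac(mac, delimiter)
    return (
        f'{m}\tCleartext-Password := "{m}"\n'
        f'\tCisco-AVPair += "rogue-ap-class={rogue_class}",\n'
        f'\tCisco-AVPair += "rogue-ap-state={rogue_state}"'
    )


def parse_av_pairs(av_pairs):
    """Split 'key=value' Cisco-AV-pair strings into a dict; later duplicates win."""
    attrs = {}
    for pair in av_pairs:
        key, sep, value = pair.partition("=")
        if sep:
            attrs[key.strip().lower()] = value.strip().lower()
    return attrs


def classify_rogue_ap(radius_code, av_pairs, autocontain=False):
    """Apply the guide's rules to a RADIUS reply for a rogue AP lookup.
    Returns (rogue_class, state), or None when the reply changes nothing.
    `autocontain` stands for the controller being configured to auto-contain
    clients or untrusted APs."""
    if radius_code != "Access-Accept":
        return None  # an Access-Reject is ignored for rogue AP validation
    attrs = parse_av_pairs(av_pairs)
    rogue_class = attrs.get("rogue-ap-class")
    rogue_state = attrs.get("rogue-ap-state")
    if rogue_class not in ALLOWED_COMBINATIONS:
        # Missing or invalid rogue-ap-class: Contained when autocontain is
        # configured, otherwise Threat ("contain" is the keyword form).
        return (None, "contain" if autocontain else "threat")
    if not is_allowed_combination(rogue_class, rogue_state):
        # The guide does not say what the controller does with a disallowed
        # pair, so this model refuses to guess and flags it to the operator.
        raise ValueError(f"disallowed combination {rogue_class}/{rogue_state}")
    return (rogue_class, rogue_state)


if __name__ == "__main__":
    print(users_file_entry("0011.2233.4455", "malicious", "contain"))
    print(classify_rogue_ap("Access-Accept", ["rogue-ap-class=friendly", "rogue-ap-state=internal"]))
    print(classify_rogue_ap("Access-Accept", ["rogue-ap-state=alert"], autocontain=True))
```

The fallback branch is the one to keep in mind operationally: an Access-Accept that carries only `rogue-ap-state` (or a misspelt class) does not produce the state you wrote, it produces Contained or Threat depending on the autocontain configuration, so validate entries with `is_allowed_combination` before they reach the server.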
Restrictions on Rogue Detection
- Rogue containment is not supported on DFS channels.
A rogue access point is moved to a contained state either automatically or manually. The controller selects the best available access point for containment and pushes the information to the access point. The access point stores the list of containments per radio. For auto containment, you can configure the controller to use only the monitor mode access point. The containment operation occurs in the following two ways:
- The container access point goes through the list of containments periodically and sends unicast containment frames. For rogue access point containment, the frames are sent only if a rogue client is associated.
- Whenever a contained rogue activity is detected, containment frames are transmitted.
Individual rogue containment involves sending a sequence of unicast disassociation and deauthentication frames.
Beginning with release 17.7.1, the Beacon DS Attack and Beacon Wrong Channel signatures were introduced.
Beacon DS Attack—When managed and rogue APs use the same BSSID, the rogue APs are termed impersonators. An attacker can add the Direct-Sequence parameter set information element with any channel number. If the added channel number is different from the channel number used by the managed AP, the attack is termed a Beacon DS Attack.
Beacon Wrong Channel—When managed and rogue APs use the same BSSID, the rogue APs are termed AP impersonators. If an AP impersonator uses a channel number that is different from the one used by the managed AP with the same BSSID, the attack is termed Beacon Wrong Channel. In such a case, the Direct-Sequence information element might not even be present in the Beacon frame.
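The two signatures differ only in where the channel evidence comes from: the DS Parameter Set element inside the beacon, or the channel the monitoring radio was tuned to when it heard the frame. The following added example, which is not code from the guide or from the controller, shows that detection logic in Python over constructed beacon data: `parse_ies` walks the standard 802.11 tagged-parameter TLVs (element ID, length, value), `build_tagged` constructs minimal test beacons, and `classify_beacon` compares a received beacon against a managed-AP table keyed by BSSID. The verdict names and the `managed_aps` table format are this example's own.

```python
DS_PARAMETER_SET = 3  # 802.11 element ID of the DS Parameter Set IE


def parse_ies(tagged):
    """Parse the tagged-parameter area of a beacon (ID, length, value
    triplets) into {element_id: value}. A truncated final element is
    dropped rather than raising, since frames captured off-air are
    often damaged; only the first occurrence of an ID is kept."""
    ies = {}
    i = 0
    while i + 2 <= len(tagged):
        eid, length = tagged[i], tagged[i + 1]
        value = tagged[i + 2:i + 2 + length]
        if len(value) < length:
            break
        ies.setdefault(eid, bytes(value))
        i += 2 + length
    return ies


def build_tagged(ssid, ds_channel=None):
    """Construct a minimal tagged-parameter area for test beacons: SSID,
    Supported Rates, and optionally a DS Parameter Set (constructed data)."""
    body = bytes([0, len(ssid)]) + ssid.encode()
    body += bytes([1, 1, 0x82])  # Supported Rates: 1 Mbps, basic
    if ds_channel is not None:
        body += bytes([DS_PARAMETER_SET, 1, ds_channel])
    return body


def classify_beacon(bssid, rx_channel, tagged, managed_aps):
    """Check one received beacon against managed_aps, a table
    {bssid: operating_channel}. rx_channel is the channel the monitoring
    radio was tuned to when the frame was heard (radio metadata, not
    frame content). Returns one of: not-managed-bssid, beacon-ds-attack,
    beacon-wrong-channel, ok."""
    expected = managed_aps.get(bssid.lower())
    if expected is None:
        return "not-managed-bssid"  # the same-BSSID signatures do not apply
    ds = parse_ies(tagged).get(DS_PARAMETER_SET)
    if ds is not None and len(ds) == 1 and ds[0] != expected:
        # Same BSSID as a managed AP, but the DS IE advertises another channel.
        return "beacon-ds-attack"
    if rx_channel != expected:
        # Same BSSID heard on a foreign channel; the DS IE is absent or
        # consistent with the frame, so only the channel mismatch gives it away.
        return "beacon-wrong-channel"
    return "ok"


def detect_impersonation(observations, managed_aps):
    """Run classify_beacon over (bssid, rx_channel, tagged) observations and
    return only the ones matching an impersonation signature."""
    hits = []
    for bssid, rx_channel, tagged in observations:
        verdict = classify_beacon(bssid, rx_channel, tagged, managed_aps)
        if verdict in ("beacon-ds-attack", "beacon-wrong-channel"):
            hits.append((bssid.lower(), rx_channel, verdict))
    return hits


if __name__ == "__main__":
    managed = {"aa:bb:cc:dd:ee:01": 6}  # constructed managed-AP table
    observed = [
        ("aa:bb:cc:dd:ee:01", 6, build_tagged("corp", 6)),    # the real AP
        ("aa:bb:cc:dd:ee:01", 6, build_tagged("corp", 11)),   # DS IE lies
        ("aa:bb:cc:dd:ee:01", 11, build_tagged("corp")),      # wrong channel, no DS IE
    ]
    for hit in detect_impersonation(observed, managed):
        print(hit)
```

The managed-AP table must track the channel the AP is currently operating on; if dynamic channel assignment moves a managed AP and the table lags behind, the AP's own beacons trip both signatures, which is the main false-positive source to watch for in this kind of check.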
Cisco Prime Infrastructure Interaction and Rogue Detection
Cisco Prime Infrastructure supports rule-based classification and uses the classification rules configured on the controller. The controller sends traps to Cisco Prime Infrastructure after the following events:
- If an unknown access point moves to the Friendly state for the first time, the controller sends a trap to Cisco Prime Infrastructure only if the rogue state is Alert. It does not send a trap if the rogue state is Internal or External.
- If a rogue entry is removed after the timeout expires, the controller sends a trap to Cisco Prime Infrastructure for rogue access points that are categorized as Malicious (Alert, Threat) or Unclassified (Alert). The controller does not remove rogue entries with the following rogue states: Contained, Contained Pending, Internal, and External.
Information About Rogue Containment (Protected Management Frames (PMF) Enabled)
From Cisco IOS XE Amsterdam 17.3.1 onwards, rogue devices that are enabled with 802.11w Protected Management Frames (PMF) are not contained. Instead, the rogue device is marked as Contained Pending, and a WSA alarm is raised to inform about the Contained Pending event. Because the device containment is not performed, access point (AP) resources are not consumed unnecessarily.
Note
This feature is supported only on the Wave 2 APs.
Run the show wireless wps rogue ap detailed command to verify the device containment, when PMF is enabled on a rogue device.
AP Impersonation Detection
AP impersonation can be detected by the following methods:
- A managed AP reports itself as Rogue. This method is always enabled and no configuration is required.
- AP impersonation detection based on MFP.
- AP impersonation detection based on AP authentication.
Infrastructure MFP protects 802.11 session management functions by adding message integrity check (MIC) information elements to the management frames sent by APs (and not those sent by clients), which are then validated by other APs in the network. If infrastructure MFP is enabled, the managed APs check whether the MIC information elements are present and whether they are as expected. If either of these conditions is not fulfilled, the managed AP sends rogue AP reports with an updated AP authentication failure counter.
The AP Authentication functionality allows you to detect AP impersonation. When you enable this functionality, the controller creates an AP domain secret and shares it with other APs in the same network. This allows the APs to authenticate each other.
An AP Authentication information element is attached to beacon and probe response frames. If the AP Authentication information element has an incorrect Signature field, or the timestamp is off, or if the AP Authentication information element is missing, then the AP that has detected such a condition increments the AP authentication failure count field. An impersonation alarm is raised after the AP authentication failure count field breaches its threshold. The rogue AP is classified as Malicious with state Threat.
Run the show wireless wps rogue ap detail command to see when the impersonation is detected due to authentication errors.
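The AP Authentication check has three failure conditions (missing element, bad Signature field, timestamp off), a per-AP failure counter, and a threshold that turns repeated failures into an impersonation alarm with a Malicious/Threat classification. The following added example, which is not code from the guide and does not reproduce the real element layout or signature algorithm (neither is given here), models that flow in Python: `make_auth_ie` stands in for the element an AP attaches to its beacons, using an HMAC-SHA256 over the BSSID and timestamp under the shared AP domain secret, and `APAuthVerifier` is the receiving side. The threshold and clock-skew values are assumptions, as is the choice not to reset the counter on a successful check, which the guide does not address.

```python
import hashlib
import hmac
import time


def make_auth_ie(domain_secret, bssid, timestamp):
    """Hypothetical AP Authentication element: a timestamp plus an
    HMAC-SHA256 over (BSSID, timestamp) keyed with the AP domain secret.
    This gives the three properties the guide says are checked: presence,
    a verifiable Signature field, and a timestamp that must be current."""
    msg = f"{bssid.lower()}|{timestamp}".encode()
    signature = hmac.new(domain_secret, msg, hashlib.sha256).digest()
    return {"timestamp": timestamp, "signature": signature}


class APAuthVerifier:
    """Receiving-side model: verifies the element on each beacon, keeps a
    per-BSSID failure counter and raises an impersonation alarm once the
    counter reaches the threshold (threshold and max_skew are assumed)."""

    def __init__(self, domain_secret, threshold=3, max_skew=5):
        self.secret = domain_secret
        self.threshold = threshold
        self.max_skew = max_skew      # seconds of clock skew tolerated
        self.failures = {}            # bssid -> failure count
        self.alarmed = set()          # bssids past the threshold

    def verify(self, bssid, auth_ie, now=None):
        """auth_ie is None when the beacon carried no AP Authentication
        element. Returns 'authenticated', 'auth-failure' or
        'impersonation-alarm'."""
        now = time.time() if now is None else now
        bssid = bssid.lower()
        if auth_ie is not None and abs(now - auth_ie["timestamp"]) <= self.max_skew:
            expected = make_auth_ie(self.secret, bssid, auth_ie["timestamp"])["signature"]
            if hmac.compare_digest(expected, auth_ie["signature"]):
                return "authenticated"
        # Missing element, stale timestamp and bad signature all count as
        # one failure. The counter is not reset on success (assumption).
        count = self.failures.get(bssid, 0) + 1
        self.failures[bssid] = count
        if count >= self.threshold:
            self.alarmed.add(bssid)
            return "impersonation-alarm"
        return "auth-failure"

    def classification(self, bssid):
        """Rogue classification once the threshold is breached: Malicious
        with state Threat; None while below the threshold."""
        if bssid.lower() in self.alarmed:
            return ("malicious", "threat")
        return None


if __name__ == "__main__":
    secret = b"constructed-domain-secret"   # constructed, not a real secret
    bssid = "aa:bb:cc:dd:ee:01"
    v = APAuthVerifier(secret, threshold=2, max_skew=5)
    print(v.verify(bssid, make_auth_ie(secret, bssid, 1000), now=1002))  # authenticated
    print(v.verify(bssid, None, now=1003))                               # missing element
    print(v.verify(bssid, make_auth_ie(secret, bssid, 900), now=1003))   # stale timestamp
    print(v.classification(bssid))
```

The timestamp check is why the guide requires NTP rather than CAPWAP-based time under the AP profile: every AP in the domain must agree on the clock within `max_skew`, or a legitimate AP's own elements read as "timestamp off" and the failure counter climbs on its BSSID.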
Note
Ensure that the ccx aironet-iesupport command is configured on all the WLANs; otherwise, the BSSID is detected as a rogue. For AP impersonation detection, Network Time Protocol (NTP) must be enabled under the AP profile instead of CAPWAP-based time.