Ruckus Rogue Detection type classification on Zone Directors.

Summary

Type of Rogue Access Points detected by Ruckus Zone directors

Question

What is "SSID-spoofing AP detected" and "LAN Rogue AP detected"?

Customer Environment

ZoneDirector controlled access points with rogue detection enabled.

Root Cause

There are several types of rogue AP detection methods.

Troubleshooting Steps


 

Workaround


 

Resolution

Ruckus Access Points scan all channels in the band they operate on with background scanning enabled. 

BGS

There are several types of rogue detection:
 
1.     Basic rogue detection:
  • Ruckus Access Points scan for beacons from other access points. All access points are considered rogues that are not being managed by the Zone Director.
  • These Access Points may be neighbor systems or other Access Points located in the listening area of the Ruckus Access Points not necessarily connected to your network.  
  • While neighbor Access Points are not necessarily a threat, they do broadcast RF signals that may interfere with your system and reduce available bandwidth.  
  • At least three access points need to hear the rogue in order to triangulate the location within 10 meters.
2.     SSID spoofing rogues:
  • Access Points transmitting the same SSID as Zone Director controlled Access Points will be detected as SSID Spoofing Rogues
  • Often these are older Access Points still in operation
  • These may also be “honey pot” or “Man in the Middle” attacks
  • If Wireless Intrusion Prevention Systems (WIPS) is enabled, access points should be considered malicious and automatically blocked.
3.       LAN rogue/Same Network AP:
  • AP’s whose beacons are detected in the air and also transmitting packets on the wired network
  • The Ruckus system compares MAC address on the wired network to MAC address of detected rogue. If the MAC addresses are close enough to indicate they come from the same AP, then these rogues are labeled LAN.  
  • This indicates systems that may be true rogues (malicious Access Points on the network).  If Wireless Intrusion Prevention Systems (WIPS) is enabled, access points should be considered malicious and automatically blocked.
  • Since the method for recognizing this type of “true” rogue is limited, some of the other rogues on the network may actually be connected on your wired network, but use a wired MAC address completely different than the wired MAC, or maybe doing NAT/Gateway to hide their existence.  There is also the possibility of false positives, that is some device on the network with MAC within the same range as an AP, but not necessarily the same device (not as likely as most Access Points control a large range of MAC addresses to provide multiple SSID capability)
?4.       MAC spoofing/BSSID-spoof:
  • Detecting beacon from a rogue AP using the same BSSID/MAC address as a Zone Director controlled AP
  • This is also considered a “man in the middle” or “evil twin” attack
  • If Wireless Intrusion Prevention Systems (WIPS) is enabled, access points should be considered malicious and automatically blocked.
For more information, please reference the Zone Director User Guide.  See the section on Configuring Security and Other Services.
 

Article Number:
000001261

Updated:
August 18, 2020 03:50 AM (over 3 years ago)

Tags:
System Network Management, Troubleshooting, ZoneDirector, ZoneFlex Indoor, ZoneFlex Outdoor, MediaFlex

Votes:
73

This article is:
helpful
not helpful

Working...Please wait

This is here to prevent you from accidentally submitting twice.

The page will automatically refresh.