Ruckus Rogue Detection type classification on Zone Directors.
Summary
Type of Rogue Access Points detected by Ruckus ZoneDirectors
Question
What is "SSID-spoofing AP detected" and "LAN Rogue AP detected"?
Customer Environment
ZoneDirector controlled access points with rogue detection enabled.
Root Cause
There are several types of rogue AP detection methods.
Resolution
Ruckus Access Points scan all channels in the band they operate on with background scanning enabled. There are several types of rogue detection:
1. Basic rogue detection:
- Ruckus Access Points scan for beacons from other access points. All access points that are not managed by the ZoneDirector are considered rogues.
- These Access Points may be neighboring systems or other Access Points within listening range of the Ruckus Access Points, and are not necessarily connected to your network.
- While neighbor Access Points are not necessarily a threat, they do broadcast RF signals that may interfere with your system and reduce available bandwidth.
- At least three access points need to hear the rogue in order to triangulate the location within 10 meters.
2. Access Points transmitting the same SSID as ZoneDirector controlled Access Points will be detected as SSID Spoofing Rogues:
- Often these are older Access Points still in operation.
- These may also be “honey pot” or “Man in the Middle” attacks.
- If Wireless Intrusion Prevention Systems (WIPS) is enabled, these access points should be considered malicious and automatically blocked.
3. APs whose beacons are detected in the air and that are also transmitting packets on the wired network:
- The Ruckus system compares MAC addresses seen on the wired network to the MAC address of the detected rogue. If the MAC addresses are close enough to indicate they come from the same AP, then these rogues are labeled LAN.
- This indicates systems that may be true rogues (malicious Access Points on the network). If Wireless Intrusion Prevention Systems (WIPS) is enabled, these access points should be considered malicious and automatically blocked.
- Since the method for recognizing this type of “true” rogue is limited, some of the other rogues may actually be connected to your wired network but use a wired MAC address completely different from their wireless MAC, or may be doing NAT/Gateway to hide their existence. False positives are also possible: a device on the network may have a MAC within the same range as an AP without being the same device. This is less likely, as most Access Points control a large range of MAC addresses to provide multiple SSID capability.
4. Detecting a beacon from a rogue AP using the same BSSID/MAC address as a ZoneDirector controlled AP:
- This is also considered a “man in the middle” or “evil twin” attack.
- If Wireless Intrusion Prevention Systems (WIPS) is enabled, these access points should be considered malicious and automatically blocked.
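The classification above, sketched as an added example (not Ruckus code) for cross-checking scan results against your own AP inventory and switch MAC tables. Assumptions not taken from the article: the `MAC_WINDOW` value standing in for "close enough", the channel-mismatch test used to tell a cloned BSSID from the managed radio itself, the `same-BSSID` label, and all sample addresses, which are constructed.

```python
from dataclasses import dataclass

# Assumption: "close enough" = the 48-bit MAC values differ by at most this
# many addresses. The article does not state the threshold Ruckus uses.
MAC_WINDOW = 16

def mac_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int

def classify(beacon, managed, wired_macs, window=MAC_WINDOW):
    """Label one beacon; [] means it is a managed radio's own beacon.
    managed: {bssid: (ssid, channel)}; wired_macs: MACs seen on the LAN.
    """
    managed_norm = {mac_int(b): v for b, v in managed.items()}
    b = mac_int(beacon.bssid)
    if b in managed_norm:
        # Assumption: a managed BSSID heard on a channel that radio is not
        # using means a second transmitter is cloning the BSSID.
        return [] if managed_norm[b][1] == beacon.channel else ["same-BSSID"]
    labels = ["rogue"]  # basic: any AP the controller does not manage
    if beacon.ssid in {ssid for ssid, _ in managed_norm.values()}:
        labels.append("SSID-spoofing")
    if any(abs(b - mac_int(w)) <= window for w in wired_macs):
        labels.append("LAN")
    return labels

# Constructed sample data (locally administered MACs, not a real network).
MANAGED = {"02:aa:00:00:10:08": ("corp-wifi", 36)}
WIRED = ["02:dd:00:33:44:50", "02:ff:00:aa:bb:01"]
SCAN = [
    Beacon("02:aa:00:00:10:08", "corp-wifi", 36),   # our own AP
    Beacon("02:bb:00:12:34:56", "cafe-guest", 6),   # neighbor
    Beacon("02:cc:00:99:88:77", "corp-wifi", 11),   # same SSID, unmanaged
    Beacon("02:dd:00:33:44:52", "linksys", 1),      # radio MAC near a wired MAC
    Beacon("02:aa:00:00:10:08", "corp-wifi", 149),  # managed BSSID, wrong channel
    Beacon("02:ee:00:00:00:01", "corp-wifi", 6),    # NAT router: wired MAC unrelated
]

if __name__ == "__main__":
    for b in SCAN:
        print(b.bssid, b.ssid, classify(b, MANAGED, WIRED) or "managed")
```

The last sample beacon shows the limitation described above: the device is plugged into the LAN through a WAN port with an unrelated MAC, so it is never labeled LAN even though it is the most dangerous entry in the scan.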
Article Number: 000001261
Updated: August 18, 2020 03:50 AM
Tags: System Network Management, Troubleshooting, ZoneDirector, ZoneFlex Indoor, ZoneFlex Outdoor, MediaFlex