Rule Based Rogue Classification in Wireless LAN Controllers (WLC) and Wireless Control System (WCS)

Document ID: 110263

Contents

Introduction
Prerequisites
  Requirements
  Components Used
  Conventions
Rule Based Rogue Classification
  Rule Based Rogue Classification Terminologies
  Rogue Classification Rules
  Rogue Classification and Rogue States
  Rogue States Explained
How to Configure Rogue Rules in WLC
How to Configure Rogue Rules in WCS
Related Information

Introduction

In the Wireless Control System (WCS) 5.0 release, WCS enhanced the Rogue Management functionality for different rogue AP types and provided user-defined rules to automatically classify the rogue APs. WCS applies the rogue AP classification rules to the controllers. This document explains the enhanced Rogue Management functionality and the steps necessary to configure this functionality on the Wireless LAN Controller (WLC) and WCS.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:
• Lightweight Access Point Protocol (LWAPP)
• Wireless LAN Controller security solutions

Components Used

The information in this document is based on these software and hardware versions:
• Cisco 4400 Series WLC that runs firmware 5.2
• Cisco Aironet 1130 AG Series Lightweight Access Points (LAPs)
• Cisco Wireless Control System version 5.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Rule Based Rogue Classification

In WCS versions prior to release 5.0, WCS displayed too many rogue access points (APs) on the Security Summary page. Even though the rogue states differ, they all appear on one page, sorted by the BSSID/MAC address of the rogue.
In the WCS 5.0 release, WCS enhanced the Rogue Management functionality, introduced new terminologies (Unclassified, Malicious, and Friendly) for different rogue AP types, and provided user-defined rules to automatically classify the rogue APs. WCS applies the rogue AP classification rules to the controllers. WCS also enhanced the rogue state management function so that a rogue stays in the External state once its state has been manually changed to External, and WCS updates the External state on the other controllers when it polls them or handles their trap messages. In order to support this feature, both the WLC and WCS must run the 5.0 release.

Rule Based Rogue Classification Terminologies

With this new functionality, these new rogue AP types are introduced:
• Malicious AP: A detected AP that matches user-defined Malicious rules or has been manually moved from Friendly APs.
• Friendly AP: The existing Known, Acknowledge, and Trust Missing rogue states are classified as Friendly. In addition, detected APs that match user-defined Friendly rules are classified as Friendly. Friendly APs cannot be contained.
• Unclassified AP: A detected AP that matched neither the Malicious nor the Friendly rules. An Unclassified AP can be contained, and it can be manually moved to Friendly by the user. User-defined rules can also move an Unclassified AP to Friendly or Malicious automatically: for example, on first detection the SSID is empty; on the next rogue report an SSID is found, and it turns out to be a user-configured SSID.
Rogue Classification Rules

These are the classification rules applicable to each of the rogue AP types:
• Malicious Rules
  ♦ Matches managed SSID
  ♦ Matches user-configured SSID
  ♦ No encryption on an SSID
  ♦ Minimum RSSI
  ♦ Time duration
  ♦ Number of clients associated
• Friendly Rules
  ♦ Managed SSID
  ♦ User-configured SSID
• Unclassified Rules
  ♦ Does not match Malicious or Friendly rules

The user can choose to match all, any, or some of the rule conditions under each rule:
• All means match all of the configured conditions for the rule.
• Any means match any of the configured conditions for the rule.
• Some means match a subset of the configured conditions for the rule.

For example, under Malicious Rules, the user configures Managed SSID and Minimum RSSI. The user then has the choice to match all or any of the two conditions, or to match just the Minimum RSSI condition.

When the controller receives a rogue report, it does this:
• Checks whether the detected AP is in the user-configured MAC list. If so, it classifies the AP as the Friendly type.
• If the detected AP is not in the list, it starts to apply the rules.
• First, it applies the Malicious Rules. If the Malicious Rules match, the AP is classified as the Malicious type. If the RLDP/rogue detector determines that this rogue is on the network, it marks the rogue state as Threat. The user can manually contain the AP, which changes the rogue state to Contained. If the AP is not on the network, it marks the rogue state as Alert, and the user can contain it manually.
• If the Malicious Rules do not match, it applies the Friendly Rules. If the Friendly Rules match, it classifies the AP as the Friendly type.
• If the Friendly Rules do not match, it classifies the AP as Unclassified. If the RLDP/rogue detector determines that this rogue is on the network, it marks the rogue state as Threat and classifies the AP as the Malicious type. The user can manually contain the AP, which changes the rogue state to Contained.
  If the AP is not on the network, it marks the rogue state as Alert, and the user can contain it manually.
• The user can manually move the AP to a different classification type.

Rogue Classification and Rogue States

This table shows the different classifications of rogues and the rogue states for each classification.

Rule-based Classification Type   Rogue States
Malicious AP                     Alert, Threat, Contained, Contained Pending, Removed
Unclassified AP                  Alert, Contained, Contained Pending, Removed
Friendly AP                      Internal (Known currently), External (Acknowledge currently), Internal Missing (Trust Missing), Alert

Rogue States Explained

• Pending: On first detection, the detected AP is put in the Pending state for 3 minutes. This time is sufficient for the managed APs to determine whether the detected AP is a neighbor AP.
• Alert: After the 3-minute time-out, the detected AP is moved to Alert if it is not in the neighbor list or the user-configured Friendly MAC list.
• Threat: The detected AP is found on the network.
• Contained: The detected AP is contained.
• Contained Pending: The detected AP is marked contained, but the containment action is delayed because of unavailable resources.
• Internal: The detected AP is inside the network, and the user manually configures it as Friendly, Internal; for example, the APs in a lab network.
• External: The detected AP is outside the network, and the user manually configures it as Friendly, External; for example, the APs that belong to a neighboring network.
• Trusted Missing: If a user-configured Friendly MAC was detected and is then not heard for the trust-timeout duration, the rogue state of the Friendly AP is marked as Trusted Missing.
• Removed: If a Malicious or Unclassified AP is no longer heard by any of the controllers for the rogue-timeout duration, the rogue state of the AP is marked as Removed.

How to Configure Rogue Rules in WLC

In order to configure rogue rules on the Wireless LAN Controller, complete these steps.
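Before the GUI steps, the controller's evaluation order and the resulting rogue states from the two sections above, modelled in Python as an added example that is not Cisco code. The SSID lists, the Friendly MAC list, the rule and report field names and the sample values are constructed assumptions, and the state shown for an AP matched by a Friendly rule is assumed.

```python
# Added example, not Cisco code: a model of the controller's evaluation order; names and values are constructed.
MANAGED_SSIDS = {"corp-wlan"}                      # SSIDs served by managed APs
USER_SSIDS = {"guest-net"}                         # user-configured SSIDs
FRIENDLY_MACS = {"00:11:22:33:44:55": "Internal"}  # Friendly MAC list -> Internal/External

# One evaluator per rule condition: (rogue report, configured value) -> bool
CONDITIONS = {
    "managed_ssid": lambda rep, v: rep["ssid"] in MANAGED_SSIDS,
    "user_ssid": lambda rep, v: rep["ssid"] in USER_SSIDS,
    "no_encryption": lambda rep, v: not rep["encrypted"],
    "min_rssi": lambda rep, v: rep["rssi"] >= v,        # dBm
    "duration": lambda rep, v: rep["duration_s"] >= v,  # seconds the rogue has been heard
    "min_clients": lambda rep, v: rep["clients"] >= v,
}

def rule_matches(rule, rep):
    """Apply a rule's conditions under its match operation: all, any or some."""
    results = [CONDITIONS[k](rep, v) for k, v in rule["conditions"].items()]
    if not results:
        return False
    if rule["match"] == "all":
        return all(results)
    if rule["match"] == "any":
        return any(results)
    # "some": at least some_count of the configured conditions must hold
    return sum(results) >= rule.get("some_count", 1)

def classify(rep, rules):
    """Return (type, state): Friendly MAC list, then Malicious rules, then Friendly rules, else Unclassified."""
    if rep["mac"] in FRIENDLY_MACS:
        return "Friendly", FRIENDLY_MACS[rep["mac"]]
    on_net = rep["on_network"]  # result of RLDP / the rogue detector AP
    for r in rules:
        if r["type"] == "Malicious" and rule_matches(r, rep):
            return "Malicious", "Threat" if on_net else "Alert"
    for r in rules:
        if r["type"] == "Friendly" and rule_matches(r, rep):
            return "Friendly", "Alert"  # state for a rule-matched Friendly AP is assumed
    if on_net:  # an on-network Unclassified AP becomes Malicious / Threat
        return "Malicious", "Threat"
    return "Unclassified", "Alert"

# Constructed rules: Malicious = open SSID with a strong signal; Friendly = user-configured SSID
RULES = [
    {"name": "Rule1", "type": "Malicious", "match": "all",
     "conditions": {"no_encryption": True, "min_rssi": -70}},
    {"name": "Rule2", "type": "Friendly", "match": "any",
     "conditions": {"user_ssid": True}},
]
```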
1. Rogue rules can be created on the WLC from the Security > Wireless Protection Policies > Rogue Policies > Rogue Rules page.
2. In order to create a new rogue policy, click the Add Rule button. The Rogue Rules window appears. Enter a name for the rule. This example uses Rule1. Choose the type of rule. This is an example of a Malicious rule. Click Add. Rule1 is created.
3. In order to edit this rule, click the rule that was created. The Rogue Rule > Edit page appears. On this page, check the Enable Rule check box to activate the rule. Choose the Match Operation type and the other conditions based on your requirements, as in this example.
4. This is an example of the Friendly rogue rule policy.
5. The output of the rogue rules can be seen at Monitor > Rogues > Malicious AP.
6. Similarly, the output of the Friendly Rules and Unclassified Rules can be viewed on the Monitor > Rogues > Friendly AP and Monitor > Rogues > Unclassified AP pages, respectively.

How to Configure Rogue Rules in WCS

Rogue Rule List: WCS provides a system-level rogue rule setting. In order to configure rogue rules on WCS, complete these steps.
1. Choose Configure > Controller Template, and then click Security > Rogue AP Rules to access the Rogue AP Rules list page.
2. Click Add Classification Rule in the drop-down menu at the top right to add a new classification rule.
3. Click the template name to edit the rogue rule. This rule detail page enables you to edit or update the rogue AP rule, or to delete the rule.
   Rogue AP Rule Setting Parameters: On this page, users can enable any condition by checking its check box, to concatenate any or all of these conditions:
   ♦ No Encryption
   ♦ Match Managed AP
   ♦ Match User Configured SSID
   ♦ Minimum RSSI
   ♦ Duration
   ♦ Minimum Number Rogue Client
   This is an example of a Malicious rule:
   This is an example of a Friendly rule:
4. The Rogue AP Rules page lists all the rules created.
5. The next step is to configure a rule group and apply these rules to the controllers.
   In order to do this, use the Rogue AP Rule Groups setting on the WCS.
6. In order to create a new rule group, choose Configure > Controller Template, and then click Security > Rogue AP Rule Groups in the WCS GUI.
7. The Rogue AP Rule Groups > New Template page enables you to add or update the rogue AP rule group, delete a rule, and apply the rule group to the controller. Use the Add/Remove buttons to choose the rogue AP rules for this rule group. Use the Up/Down buttons to specify the order in which the rules are applied. This is an example. Once the rule group is configured, click Save.
8. Once you save the rule group, it can be applied to controllers. In order to apply the rule group to the controller, edit the rule group: click the rule group name, and then click Apply to Controllers. On the next page, choose the controllers to which this rule group is applied. This is an example.
9. Once the rules are applied to the controllers, you see a Success message on the WCS.
10. Details about the classified APs can be viewed on the Security Summary page. This is an example.
11. Details about the classified APs, specifically the Malicious, Friendly, and Unclassified APs, can be viewed when you click the appropriate classification on the Security Summary page. This is an example for the Malicious APs.

Related Information

• Rogue Detection under Unified Wireless Networks
• Technical Support & Documentation - Cisco Systems

© 2013 - 2014 Cisco Systems, Inc. All rights reserved.
Updated: Jul 01, 2009