NPM should be able to tell you which APs are yours, and which are rogue. Start by making sure all your APs are in NPM, then build heat maps showing their coverage, and then build a report to show APs present that aren't yours.
You won't have the right info until you get some good filtering in place, because every smartphone that has its internal hotspot enabled will show up as a rogue or unknown AP in your WLAN.
You'll need to filter out known APs that have physical connections into your switches, and then find all APs that are "unknown" AND that have physical connections into your switches. Those are the bad guys.
Also, no private APs should be able to connect directly to your WLAN, as if your corporate APs were in repeater mode. But if you have a public Guest SSID, that pretty much eliminates that filtering ability, since any AP or smartphone with local hotspot enabled will connect to it.
You might be able to do more filtering and identify neighborhood homes or neighboring businesses with APs whose WLAN overlaps with yours. A good heat map will show those "rogues" and you may be able to visit the business owners and discuss how you can be good WLAN neighbors with each other. Maybe you can agree on how you'll shut off all 2.4 GHz services and leave them for your neighbor (aren't I sweet?). Or maybe you both want to use 5 GHz services, and you can agree on who will use which radio channels. Then you each set up the overlapping APs to only use your agreed-on channels.
It'll be hard to get this same kind of efficiency with private/personal/neighborhood/home APs, though. And it'll be impossible to get that cooperation from everyone with a smartphone that has its WiFi hotspot feature enabled. Unless you wanted to be aggressive and target every unauthorized hotspot with floods of de-authentication packets. And that's not going to go over well with many people.
Rogue AP Detection:
What is a Rogue AP? Most people refer to it as a wireless device hosting some sort of wireless network within your airspace. While this can cause interference and potential user issues, it isn't really a security issue unless it is trying to masquerade as one of your access points OR ...
My definition of a rogue AP: A wireless device hosting a wireless network that is SIMULTANEOUSLY connected to your internal network, thus allowing connected wireless users to access your internal network resources.
I kept trying to figure this out. How do I tell if there is a wireless device that is setting up an SSID, allowing users to connect wirelessly, and is directly connected to the internal network? I found the trick. It was hard, but I got to thinking MAC addresses.
Each wireless network interface has a unique MAC address. Wireless APs have a wireless radio MAC and also a cabled network interface MAC. Think of your laptop. You have two NICs. One wireless and one Ethernet. They both have MAC addresses. If you look at the MAC addresses on your laptop they are probably very different from each other. The components in your laptop are made from different manufacturers and lot runs. So your wireless adapter MAC is vastly different from your Ethernet adapter MAC. BUT manufacturers of APs generally have the MAC address of the wireless radio very similar to the Ethernet adapter MAC. For example: Radio = 1111.1111.11AC Ethernet = 1111.1111.AD
Once you install UDT, your Orion server will start tracking wireless information. It also creates several new tables on your Orion SQL server. So I got to fiddling around and (working with my friendly neighborhood SQL admin) was able to set up a script to compare MAC addresses from wireless devices, and MAC addresses of devices on the internal network. We wrote a query to look for MAC addresses in both tables that were very similar (first 10 characters of the MAC are identical). My SQL dude set up a job to run this script weekly and email me a report. What we got was the following:
UDT_MACAddress | SSID                            | Wireless_Mac
---------------|---------------------------------|-------------
00227541329A   | HDMD                            | 00227541329A
300D438B50AE   | bubs                            | 300D438B50AC
5820B15F8D19   | HP-Print-19-Officejet Pro 8620  | 5820B15F8D27
5820B15F8D19   | HP-Print-19-Officejet Pro 8620  | 5820B15F8D27
5820B15F8D19   | HP-Print-19-Officejet Pro 8620  | 5820B15F8D19
5820B15F8D19   | HP-Print-19-Officejet Pro 8620  | 5820B15F8D19
E0469A33FCC1   | Parainfluenza2                  | E0469A33FCC2
E0469A33FCC1   | Parainfluenza2                  | E0469A33FCC2
E0469A33FCC3   | Parainfluenza1                  | E0469A33FCC2
E0469A33FCC3   | Parainfluenza1                  | E0469A33FCC2
E8B4C8A9CE71   | Samsung Galaxy Grand Prime 1282 | E8B4C8A9CE71
E8B4C8A9CE71   | Samsung Galaxy Grand Prime 1282 | E8B4C8A9CE6D
FC15B4AA71D5   | HP-Print-D5-Officejet Pro 8600  | FC15B4AA71D5
FC15B4AA71D5   | HP-Print-D5-Officejet Pro 8600  | FC15B4AA71D5
What I found out is if the MAC in the left column is the same as in the right, then this is a wireless-only device, and we are cool, no worries. If you see the Parainfluenza SSID, the left and right don't match but are very, very close. Meaning these 2 MACs are from the same device. Therefore this is a wireless AP hosting an SSID and is also connected to the internal network. (This example is actually an exempted AP that we manage.) Also, Mr. BUBS is a rogue AP. Tracked it down to a Dr.'s office and yanked it off the network.
The Samsung Galaxy looks close, but the MACs are too far off to be from the same device. But it is suspiciously close. The maker of the wireless adapter in the Galaxy phone also made another device connected internally. Needs further investigation.
There are a couple of printers listed. One is wireless only and is OK, but the other is putting out an SSID and is connected to the internal network. Turns out the printer plugs into our network with a cable, but also puts out a little wireless network. Turned that off, but it stayed on. Found out we had to do a firmware update to get it to actually turn off the wireless capabilities. The user was upset, because she wanted to print stuff from her phone. I said, "Ok, but if you want to print from your phone, let me just shut down this little network jack in the wall, but you won't be able to print from your PC anymore. Your choice."
How do you find out if a MAC is connected to the internal network? Go to the UDT home page and put it in the search bar. It will pop up and show you the switch and port it is plugged into, or it will show nothing.
Works great!!!
If you want specifics let me know.
UDT_MACAddress | CurrentChannel | SignalStrength | SSID                            | FirstUpdate | LastUpdate | Wireless_Mac
---------------|----------------|----------------|---------------------------------|-------------|------------|-------------
00227541329A   | 1              |                | HDMD                            | 29:11.4     | 49:12.1    | 00227541329A
300D438B50AE   | 11             |                | bubs                            | 29:04.8     | 49:05.0    | 300D438B50AC
5820B15F8D19   | 6              |                | HP-Print-19-Officejet Pro 8620  | 19:39.5     | 50:21.5    | 5820B15F8D27
5820B15F8D19   | 6              |                | HP-Print-19-Officejet Pro 8620  | 37:48.4     | 48:40.3    | 5820B15F8D27
5820B15F8D19   | 6              |                | HP-Print-19-Officejet Pro 8620  | 19:39.5     | 50:21.5    | 5820B15F8D19
5820B15F8D19   | 6              |                | HP-Print-19-Officejet Pro 8620  | 37:48.4     | 48:40.3    | 5820B15F8D19
E0469A33FCC1   | 2              |                | Parainfluenza2                  | 49:09.4     | 49:12.1    | E0469A33FCC2
E0469A33FCC1   | 2              |                | Parainfluenza2                  | 49:03.8     | 49:05.0    | E0469A33FCC2
E0469A33FCC3   | 44             |                | Parainfluenza1                  | 28:54.4     | 49:05.0    | E0469A33FCC2
E0469A33FCC3   | 44             |                | Parainfluenza1                  | 29:08.8     | 49:12.1    | E0469A33FCC2
E8B4C8A9CE71   | 1              |                | Samsung Galaxy Grand Prime 1282 | 38:23.1     | 48:22.9    | E8B4C8A9CE71
E8B4C8A9CE71   | 1              |                | Samsung Galaxy Grand Prime 1282 | 38:23.1     | 48:22.9    | E8B4C8A9CE6D
FC15B4AA71D5   | 11             |                | HP-Print-D5-Officejet Pro 8600  | 48:17.1     | 48:40.3    | FC15B4AA71D5
FC15B4AA71D5   | 11             |                | HP-Print-D5-Officejet Pro 8600  | 10:19.1     | 50:21.5    | FC15B4AA71D5
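Added example (not the poster's SQL, which is not in the thread): the same "first 10 hex characters identical" join run in SQLite over rows constructed from the report above, with the distance between the last octets reported as a triage hint. The table names udt_wired and wlan_seen and their columns are assumptions for this example, not the real Orion/UDT schema.

```python
import sqlite3

# Constructed sample rows modelled on the thread's report (table and column
# names are assumptions for this example, not the real Orion/UDT schema).
WIRED_MACS = [  # MACs UDT has seen on a switch port
    "00227541329A", "300D438B50AE", "5820B15F8D19",
    "E0469A33FCC1", "E8B4C8A9CE71", "FC15B4AA71D5",
]
WIRELESS_SEEN = [  # (SSID, radio MAC) heard in the air
    ("HDMD", "00227541329A"),
    ("bubs", "300D438B50AC"),
    ("HP-Print-19-Officejet Pro 8620", "5820B15F8D27"),
    ("Parainfluenza2", "E0469A33FCC2"),
    ("Samsung Galaxy Grand Prime 1282", "E8B4C8A9CE6D"),
    ("HP-Print-D5-Officejet Pro 8600", "FC15B4AA71D5"),
]

# The join the thread describes: first 10 hex characters of both MACs identical.
PREFIX_JOIN = """
SELECT w.mac, s.ssid, s.radio_mac
FROM udt_wired AS w
JOIN wlan_seen AS s ON substr(w.mac, 1, 10) = substr(s.radio_mac, 1, 10)
ORDER BY s.ssid
"""

def last_octet_gap(mac_a, mac_b):
    """Distance between the last octets; 0 means the very same interface."""
    return abs(int(mac_a[-2:], 16) - int(mac_b[-2:], 16))

def find_candidates(wired=WIRED_MACS, wireless=WIRELESS_SEEN):
    """Return every prefix match with a verdict for the weekly report."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE udt_wired (mac TEXT)")
    con.execute("CREATE TABLE wlan_seen (ssid TEXT, radio_mac TEXT)")
    con.executemany("INSERT INTO udt_wired VALUES (?)", [(m,) for m in wired])
    con.executemany("INSERT INTO wlan_seen VALUES (?, ?)", wireless)
    results = []
    for mac, ssid, radio in con.execute(PREFIX_JOIN):
        gap = last_octet_gap(mac, radio)
        # Identical MAC: UDT saw the radio itself as a wireless client, no wire.
        # Different last octet: same vendor block, so look the wired MAC up in
        # UDT to confirm the switch port (the gap alone is not decisive).
        verdict = "wireless-only" if gap == 0 else "check switch port in UDT"
        results.append({"wired_mac": mac, "ssid": ssid, "radio_mac": radio,
                        "gap": gap, "verdict": verdict})
    con.close()
    return results
```

On the thread's own data the gap is 1 for the managed Parainfluenza AP, 2 for "bubs", 14 for the cabled printer and 4 for the Samsung the poster left open, so the gap ranks the list but the UDT port lookup is still what decides.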
Can you share the SQL please?