5 Replies Latest reply on Feb 9, 2016 9:34 AM by skwallace

    Rogue APs Seen on LAN


      Hello there. I have been searching for nearly a year to figure out how to do this and no one seems to have solved it yet. We have a Cisco AP controller that is feeding NPM "Rogue APs" This is great except that a "Rogue AP" just means any SSID within earshot of our APs. You might argue that it's important to know that. With 350 retail locations, it's too much for us to worry about. What I DO WANT TO KNOW is whether any of these APs within ear shot have a MAC address that appears on our network. I have UDT, so I know all of the MAC addresses on my network. How do easily feed the Rogue AP MACs into UDT to get a report of those seen on our LAN? Right now, I am manually manipulating the database and getting fairly limited results. I export the 5000 rogue AP MACs seen every 90 days, remove duplicates using excel, format the table to match the UDT WATCHLIST database table and have our SQL DBA import it so I can run a watchlist report. Now, I have to do this about 1000 MAC addresses at a time, because UDT doesn't seem to be able to handle any more than that. It's terribly time consuming to get to the 1 or 2 ACTUAL Rogue APs on my network.


      Any Ideas?

        • Re: Rogue APs Seen on LAN

          Did anybody answer your question?  I am looking to do the same thing.


          I realized the best thing to do would be to prevent rather than report on this, but it is not my call to make.

          • Re: Rogue APs Seen on LAN
            John Handberg

            Just out of curiosity, is the controller interface telling you there are rogues on the wired network?  I have never actually seen that number be other than 0 on our campus.  This does assume you have something in place to detect rogue APs on the wire like an AP in Rogue Detector mode.

            For reporting and security purposes, this would be one of the better statistics to have in a separate report in NPM, but I am not sure how Orion is gathering rogue information and if Orion is gathering the specific data for rogues on the wire.  (meaning I have not looked to see what data they are pulling)

            • Re: Rogue APs Seen on LAN

              Hello all,


                    this has been an issue with my company for a while we haven't been able to completely resolve it however we have been able to discover rogues on the wired network if you configure any AP in rogue detector mode and trunk the vlans from the switch stack it is on through it then it will be able to discover that traffic but only on the switch/stack.  this means you would need to have a rogue detector per stack unless you trunk one accross to other stacks


              now if you have a network that routes all of you traffic through your core then you may only need the one but regardless you will need to have the vlans routing through it


              please let me know if this wwas helpful or if you have any ideas on how i could improve my situation