Black list a Rogue AP

Jem · February 27, 2019, 1:05pm

Hi, I am doing some tests with Rogue APs to be "suppressed" by sending deauths. It worked once. Then I trusted the rogue and finally deleted the line in the white list. I start over and again I see it as Rogue AP (ap1221test SSID) but I cannot put it in black list anymore. Is this a known issue? It never automatically goes into black list either. Thanks, regards

Dan · February 28, 2019, 5:19pm

Hi Jem, how many Stellar APs do you have?

Jem · March 1, 2019, 2:38pm

one ap 1221 and one IAP93

Dan · March 4, 2019, 10:40am

So were you able to actually suppress associations to rogue AP/SSID? I tried this, and with just one stellar AP it did not really work: scanning interval of single WIPS AP was not enough to detect authentications reliably.

Jem · March 5, 2019, 12:58pm

Even with all enabled it did nothing automatically. I had initially "ap1221test" on 1221 and "iap93test" on IAP93. Situation was that IAP was reporting the Stellar as rogue (ok!) but Stellar was reporting IAP as "interfering AP" (not ok!). Then I added a second ssid "ap1221test" also on IAP93: soon I got indication of the "rogue AP" on the 1221 this time...well...ok better late than never. Then I had to select blacklist for the IAP BSSID somewhere (no screenshot sorry). And the two clients on both 2.4 and 5 GHz passed immediately to the 1221 BSSID. Good. The bad news is that I cannot do it again. I'd probably have to scratch the config on the 1221...but it does not make much sense. Rebooting does not help. IF I reboot 1221 both users go on IAP93 and stay there forever. When 1221 comes up he sees the IAP93 as interfering as per the screenshot and nothing more happens. Thanks

Jem · March 7, 2019, 1:47pm

Had switched off for two days. This morning I upgraded IAP93 from 6.4.0.x to latest 6.4.2.6, works even worst. See attachment, I checked mac address of client and it never left IAP93. Also, I cannot put it in blacklist. For me the feature is not working. On IAP93 all IDS is disabled. Any ideas? Thanks, regards

Dan · March 13, 2019, 11:03am

I tried this in Enterprise mode, and it did not work as well. IMHO, containment cannot really work, unless you have multiple APs doing background scanning (and in RF proximity of rogue clients), or, better still, dedicated scanning APs (Active Monitor).
In order to be able to send death, the AP needs to see/catch authentication message. If you have only one AP doing backgroaund scanning, probability of this is very low. This is also the reason you don't see rogue clients reliably.
As you increase the number of APs in cluster, probability of detecting auth request is rising (although unless we implement a deterministic approach to scanning interval distribution between APs it will be sub-optimal). Ultimately, dedicated scanners can provide best containment results.