With this information in hand, we can safely say that this access point is connected to the same wired infrastructure as the Meraki access points and that it is actively advertising at least one SSID.

This comparison is achieved by applying an XOR to the MAC addresses in binary form, as shown below in a rogue access point: If the wired MAC and the broadcast BSSID MAC match on the 3rd and 4th bytes of the MAC address (typically wired and wireless MAC addresses are contiguous), and the rest of the bytes differ by 5 bits or less, then the AP is classified as rogue. This is done by simply listening to the broadcast frames that the access point already receives.

In order to classify an SSID as rogue, we also need to look at the MAC addresses of frames on the wired side of the corporate APs. However, older APs without a dedicated listening radio can also be configured to utilize their access radios at specific times to scan for rogue access points, as shown below:

Air Marshal listens for 802.11 beacon frames sent out by APs that are “visible” to the corporate APs, then all the BSSIDs (advertising MAC address of the SSID) that the access point sees are categorized as either “Rogue SSID” or “Other SSID”. In order to identify a rogue AP, all currently available Meraki access points leverage their dedicated “listening” radio to continuously monitor the RF. So, it’s very clear that rogue access points are something we need to protect our business critical WLAN and networks from!

What makes a rogue access point rogue?

Cisco Meraki defines a rogue access point as an AP that is both “seen” on the LAN and is broadcasting SSIDs that are visible to the APs that make up the corporate wireless infrastructure. This is by no means an extensive list of threat vectors introduced by this potentially innocuous action.
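The wired-MAC/BSSID comparison described above, written out as an added Python example (not Meraki's code). The function names are hypothetical, the MAC addresses are constructed sample values, and "differ by 5 bits or less" is read here as the total number of differing bits across the four bytes other than the 3rd and 4th, which is an assumption.

```python
import re

MAX_DIFF_BITS = 5  # threshold stated in the text

def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 bytes."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)

def compare(wired: str, bssid: str) -> tuple[bool, int]:
    """Return (3rd and 4th bytes equal, bits differing in the other four bytes)."""
    x = bytes(a ^ b for a, b in zip(parse_mac(wired), parse_mac(bssid)))
    middle_match = x[2] == 0 and x[3] == 0          # XOR of equal bytes is 0
    diff_bits = sum(bin(x[i]).count("1") for i in (0, 1, 4, 5))
    return middle_match, diff_bits

def is_rogue(wired: str, bssid: str) -> bool:
    middle_match, diff_bits = compare(wired, bssid)
    return middle_match and diff_bits <= MAX_DIFF_BITS

def classify(bssids_heard, wired_macs_seen):
    """Label each BSSID heard over the air as 'Rogue SSID' or 'Other SSID'."""
    return {
        b: "Rogue SSID" if any(is_rogue(w, b) for w in wired_macs_seen) else "Other SSID"
        for b in bssids_heard
    }

# Constructed sample data: source MACs seen on the wired side of the corporate APs
WIRED_MACS_SEEN = ["00:11:22:33:44:50"]
# Constructed sample data: BSSIDs taken from beacon frames heard over the air
BSSIDS_HEARD = [
    "00:11:22:33:44:51",  # contiguous with the wired MAC: 1 bit differs
    "02-11-22-33-44-5F",  # 1 bit in the first byte + 4 in the last: exactly 5
    "00:11:22:33:45:af",  # 3rd/4th bytes match, but 9 bits differ elsewhere
    "0011.2234.4451",     # 4th byte differs, so the bit count is irrelevant
]

if __name__ == "__main__":
    for bssid, label in classify(BSSIDS_HEARD, WIRED_MACS_SEEN).items():
        print(f"{bssid:<20} {label}")
```
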