Forgot password?
 Register now

Welcome to use this form to feedback your problems with Ruijie Community

The category of your feedback

Your Feedback

Your Email address (optional):

How to configure rouge Reply

GTAC-Daisy

Level 1

How to configure rouge
4956 0 2019-8-20 11:25:15
Original
Overview
Compared with wired network, WLAN is convenient to deploy, flexible to use, cost-efficient and easy to expand, and is thus applied more and more widely. However, due to the openness of WLAN channel, the wireless networks are susceptible to a wide array of threats such as unauthorized APs, ad-hoc networks and different kinds of protocol attacks.
Therefore, security has become an important factor inhibiting the development of WLAN.
WIDS (Wireless Intrusion Detection System) provides early detection of malicious attacks and intrusions and helps the network administrator to proactively discover the hidden defects of network and take necessary countermeasures.   
Currently, WIDS mainly provides the following features:   
·  Rogue device detection, countermeasure
·  IDS attack detection  
·  Frame filtering (black list and white list)  
·  User isolation   
Basic concept of rogue device countermeasure
Rogue device: Unauthorized or malicious device on the network. It can be an illegal AP, illegal bridge or unauthorized Ad-hoc device.   
Rogue AP: An unauthorized or malicious AP on the network, such as an unauthorized AP, misconfigured AP or an attacker operated AP.
Rogue AP Countermeasure is used to attack fake authentication release frame sent by rogue AP address in the list to countermeasure rogue AP.
I. Requirements
Monitor Rogue AP and configure countermeasures.
II. Network Topology
   
III. Configuration Tips
1. Configure device mode
2. Configure countermeasure
IV. Configuration Steps
1. Configure AP as monitor or hybrid mode
       AC(config)# ap-config ap220-e
       AC(ap-config)# device mode monitor    or   AC(ap-config)# device mode hybrid
Note:
Monitore mode:  monitor/attack rogue AP only
Hybrid mode:  monitor/attack rogue AP and forward user date as normal AP (less monitor performance)
2. Configure countermeasure rogue ap static list
Firmware version 11.X
AC (config)#ap-config AP220-I ----->enter ap-config mode
AC(config-ap)#device mode monitor
AC(config-ap)#scan-channels 802.11b channels 1 2 3 4 5 6 7 8 9 10 11 12 13  --->configure the scanning channel of 2.4G
AC(config-ap)#scan-channels 802.11a channels 149 153 157 161 165  --->configure the scanning channel of  5G
AC(config)#wids ----->enter wids mode
AC(config-wids)#countermeasure enable   ----->enable countermeasure
AC(config-wids)#countermeasures channel-match ----->enable channel-based containment
AC(config-wids)#countermeasures mode config ----->choose the countermeasures mode

AC(config-wids)#device attack mac-address 061b.b120.700c  ----->add static list of attack, add rogue AP bssid:061b.b120.700c. you can scan rogue AP with wirelessmon to confirm the bssid.
Appendix:
Base on the circumstance that AP740-I has three RF cards, we can use radio 1 and radio 2 for wifi service, and use radio 3 to countermeasure other rouge aps. The graphic configurations are shown below:
AC (config)#ap-config AP740-I ----->entwe into the specific ap
AC (config-ap)#radio-type 3 802.11b ----->config the third RF card to be 2.4g
AC (config)#ap-config AP740-I ----->enter ap-config mode
AC(config-ap)#device mode monitor radio 3 ----->choose the radio 3 to be the countermeasure role
AC(config-ap)#scan-channels 802.11b channels 1 2 3 4 5 6 7 8 9 10 11 12 13  --->configure the scanning channel of 2.4G
AC(config-ap)#scan-channels 802.11a channels 149 153 157 161 165  --->configure the scanning channel of  5G
AC(config)#wids ----->enter wids mode
AC(config-wids)#countermeasure enable   ----->enable countermeasure
AC(config-wids)#countermeasures channel-match ----->enable channel-based containment
AC(config-wids)#countermeasures mode config ----->choose the countermeasures mode

AC(config-wids)#device attack mac-address 061b.b120.700c  ----->add static list of attack, add rogue AP bssid:061b.b120.700c. you can scan rogue AP with wirelessmon to confirm the bssid.
Countermeasure mode concept
Use this command to configure the device countermeasures mode. Use the no form of this command to restore the default setting.
countermeasures mode { all | adhoc | config | rogue | ssid }
no countermeasures mode { all | adhoc | config | rogue | ssid }
Optional configuration(You can use below commands when countermeasure is inefficient)
1. Unknown STA Detection (unicast countermeasure).
Ruijie#configure terminal
Ruijie(config)#wids
Ruijie(config-wids)#device unknown-sta dynamic-enable ----->enable the unknown STA detection and containment function

Ruijie(config-wids)#device unknown-sta mac-address 1234.1234.1234----->configure the unknown STA list entry
2. Add an entry to the permissible list
Ruijie#configure terminal
Ruijie(config)#wids
Ruijie(config-wids)# device permit mac-address 1234.1234.1236----->configure the permissible MAC list 1234.1234.1236
Ruijie(config-wids)# device permit ssid test----->configure the permissible SSID list test

Ruijie(config-wids)# device permit vendor bssid 1234.1234.1236----->configure the permissible vendor list
3. Configure countermeasure parameters
Ruijie#configure terminal
Ruijie(config)#wids
Ruijie(config-wids)#countermeasures interval 2000-----> configure countermeasures interval 2000ms
Ruijie(config-wids)#countermeasures ap-max 256---> configure the maximum number of contained devices once,ranging from 1 to 256. The default maximum number of countered devices is 30.
Ruijie(config-wids)#countermeasures rssi-min 5   --->configure the minimum containment RSSI,ranging from 0 to 75(This value is not recommended to set too small)
Ruijie(config-wids)#device detected-ap-max 100   --->configure the maximum number of detected APs,ranging from 1 to 4096.

Ruijie(config-wids)#device aging duration 1000  --->configure the aging duration of the detected devices,ranging from 500 to 5000 seconds.
V. Verification
Wireless users can not connect to rogue APs or packets loss.

There are no replies.
Related Posts
Product Model

Share this topic to

Cancel

This site contains user submitted content, comments and opinions and is for informational purposes only. Ruijie may provide or recommend responses as a possible solution based on the information provided; every potential issue may involve several factors not detailed in the conversations captured in an electronic forum and Ruijie can therefore provide no guarantee as to the efficacy of any proposed solutions on the community forums. Ruijie disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Ruijie Community Terms of Use.

More ways to get help: Visit Support Videos, call us via Service Hotline, Facebook or Live Chat.

©2000-2023 Ruijie Networks Co,Ltd