FortiWLC – Configuring Rogue AP Detection Using the CLI

Configuring Rogue AP Detection Using the CLI

These CLI commands configure rogue detection; for a complete explanation of the commands, see the FortiWLC (SD) Command Reference.

Configuring Rogue AP Detection Using the CLI

Adding APs to Scan List

default(15)# configure terminal default(15)(config)# rogue‐ap detection‐ap 1 default(15)(config)# rogue‐ap detection‐ap 3 default(15)(config)# exit

Show Output default(15)# sh rogue‐ap detection‐ap‐list

AP ID

1    

3    

        Rogue Device Detecting APs(2)

Deleting APs from Scan list

default(15)# configure terminal           default(15)(config)# no rogue‐ap detection‐ap 1 default(15)(config)# no rogue‐ap detection‐ap 3 default(15)(config)# end

Show Output default(15)# show rogue‐ap detection‐ap‐list

AP ID

        Rogue Device Detecting APs(No entries)

Configuring the AP Access and Block Lists with the CLI

The feature uses an Access Control List (ACL) containing a list of allowed BSSIDs and a list of Blocked BSSIDs. By default, all Fortinet ESS BSSIDs in the WLAN are automatically included in the allowed ACL. A BSSID cannot appear in both lists.

To add an access point with a BSSID of 00:0e:cd:cb:cb:cb to the access control list as an authorized access point, type the following:

controller (config)# rogue‐ap acl 00:0e:cd:cb:cb:cb controller (config)#

Configuring Rogue AP Detection Using the CLI

To see a listing of all BSSIDs on the authorized list, type the following:

controller# show rogue-ap acl

Allowed APs

BSSID

00:0c:e6:cd:cd:cd 00:0e:cd:cb:cb:cb

A BSSID cannot be on both the blocked list and the access list for rogue AP detection at the same time. Suppose 00:0c:e6:cd:cd:cd is to be placed on the blocked list. If this BSSID is already on the authorized list, you must remove the BSSID from the authorized list, and then add the BSSID to the blocked list, as follows:

controller (config)# no rogue‐ap acl 00:0c:e6:cd:cd:cd controller (config)# controller (config)# rogue‐ap blocked 00:0c:e6:cd:cd:cd                                 controller (config)# exit controller# show rogue-ap acl

Allowed APs

BSSID

00:0e:cd:cb:cb:cb controller# show rogue-ap blocked

BssId               Creation Date   Last Reported

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐‐‐‐

00:0c:e6:cd:cd:cd   11/02 01:05:54   11/02 01:06:20

The commands to enable and confirm the rogue AP detection state are as follows:

controller (config)# rogue‐ap detection controller# show rogue-ap globals

Global Settings

Detection                              : on

Mitigation                             : none

Rogue AP Aging (seconds)               : 60

Number of Candidate APs                : 3

Number of Mitigating APs               : 5

Scanning time in ms                    : 100

Operational time in ms                 : 400

Max mitigation frames sent per channel : 10

Scanning Channels                      :

1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165 RSSI Threshold for Mitigation          : ‐100

Use the CLI command show rogue-ap-list to display all rogue clients and APs in the network.

Rogue Mitigation Example

Rogue AP mitigation for APs in the blocked list is enabled and confirmed as follows:

Configuring Rogue AP Detection Using the CLI

 

controller# configure terminal controller (config)# rogue‐ap detection controller (config)# rogue-ap mitigation selected controller (config)# exit controller# show rogue-ap globals

Global Settings

Detection                              : on

Mitigation                             : selected

Rogue AP Aging (seconds)               : 60

Number of Candidate APs                : 3

Number of Mitigating APs               : 5

Scanning time in ms                    : 100

Operational time in ms                 : 400

Max mitigation frames sent per channel : 10

Scanning Channels                      :

1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165 RSSI Threshold for Mitigation          : ‐100


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.