Community discussions

MikroTik App
 
jonashi
newbie
Topic Author
Posts: 45
Joined: Tue Feb 13, 2007 12:19 am
Location: Europe

Rogue AP detection /dealing with

Thu May 01, 2008 8:02 pm

I have found a rogue AP which uses the same SSID and MAC like my AP. Does pretty cool things to me :-( - When I change frequency, it changes frequency on rogue too, when I change MAC address, rogue changes MAC address too, when I stop/disable my wlan interface, rogue AP stop transmit too after 15 second... and that cousing me to disconnect distant clients of AP periodically.
I have pinpointed location of rogue, but thats all I can do with it.
Question is - is there any scripting possibility to discover rogue ap's? like scan and compare scanned ssids with my own...
What are your experiences with this/dealing stories?
 
User avatar
jwcn
Forum Guru
Forum Guru
Posts: 1501
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA
Contact:

Re: Rogue AP detection /dealing with

Fri May 02, 2008 2:01 am

Cool
 
jcremin
Member
Member
Posts: 360
Joined: Fri May 25, 2007 7:57 am

Re: Rogue AP detection /dealing with

Fri May 02, 2008 7:06 am

Cool
That's a pretty useless reply.

jonashi: I'm not sure, hopefully someone can provide some insight for you.
 
User avatar
jwcn
Forum Guru
Forum Guru
Posts: 1501
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA
Contact:

Re: Rogue AP detection /dealing with

Fri May 02, 2008 8:03 am

And your reply that you haven't a clue isn't just as useless?
 
User avatar
jwcn
Forum Guru
Forum Guru
Posts: 1501
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA
Contact:

Re: Rogue AP detection /dealing with

Fri May 02, 2008 8:10 am

Now let me make a more useful reply.

I would suggest stopping the broadcast of your SSID. Hide it.

Then, create a Virtual AP and disable authentication and use a different SSID. Whoever this jerkoff is that is screwing with you should replicate your Virtual AP which you are broadcasting but not using.
 
User avatar
jwcn
Forum Guru
Forum Guru
Posts: 1501
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA
Contact:

Re: Rogue AP detection /dealing with

Fri May 02, 2008 8:11 am

The other thing you could do is go with 5mhz or 10mhz spacing. Depending on how smart he is that might through yet another curveball in. Combine that with what I suggested before and I doubt he could guess all the variables.
 
jonashi
newbie
Topic Author
Posts: 45
Joined: Tue Feb 13, 2007 12:19 am
Location: Europe

Re: Rogue AP detection /dealing with

Fri May 02, 2008 12:21 pm

Hi guys,
thanks for helping, and your concern, it's appreciated.
I'm afraid there is no variable guessing, thats 100% automation process probably on linux machine, because there is no RouterOS info on radio when I am scanning rogue by MT. Btw rogue signal is pretty strong -50dB, and it is transmitting by somewhere hidden anntena cca 24-29dB directional, I can detect only small strong radio beam. (using MT, and wi-spy spectrum analyzer to pinpoint location).
Frankly speaking I just decided to switch form 2.4 ptmp to 5GHz ptp and cover affected clients with 2.4 sector antenna, but I have suspicion thats not only one rogue AP I'm up to and I'm looking for system precausion to be informed about rogue AP, now I am running more than 100 ap. This rogue was found accidentaly; rogue detection becomes mandatory to me, I guess. But how to do it with Mikrotik?
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24614
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Rogue AP detection /dealing with

Fri May 02, 2008 12:43 pm

what about the two suggestions made by jwcn, did you try them?
No answer to your question? How to write posts
 
jonashi
newbie
Topic Author
Posts: 45
Joined: Tue Feb 13, 2007 12:19 am
Location: Europe

Re: Rogue AP detection /dealing with

Sat May 03, 2008 7:27 pm

I haven't tested these jwcn suggestions yet, but I'm gonna to. So far I have changed MAC address and hidden SSID. Rogue replicated my new setup instantly. I'll test all suggestions before reconnect disconecting clients to new AP location - which is inevitable - and report you results.
However - is there any possibility do discover rogue ap by Mikrotik as system precausion?

thank all for contribution and ideas
 
nicopretorius
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Mon Nov 15, 2004 9:49 am

Re: Rogue AP detection /dealing with

Sun Mar 21, 2010 2:17 pm

Various vendors (Cisco, Xirrus, Trapeze, Colubris, etc.) have implemented Rogue AP Detection as part of their solution and unless you get the network provider to allow your "SSID" to be excluded you will not solve this problem. The best is to scan for the other network's SSID to identify them. You can obviously do the same to them if they are not willing to cooporate with some of the products listed above.

Normis, is Rogue AP detection something that Mikrotik is considering to provide as functionality in the future? This can be very usefull.
Regards,

Nico
 
jonashi
newbie
Topic Author
Posts: 45
Joined: Tue Feb 13, 2007 12:19 am
Location: Europe

Re: Rogue AP detection /dealing with

Sun Mar 21, 2010 9:33 pm

I am not willing to cooperate with cisco etc because I am successfuly running hundreds of APs on Mikrotik. However, your suggestion is to do that manualy which is just impossible at least for human resource consumption. Maybe later I will solve that by running scripts to store and compare and e-mail me ssid changes arround. But that wil cause ocasionaly drop in the clients communication during available networks scan.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24614
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Rogue AP detection /dealing with

Mon Mar 22, 2010 10:44 am

This topic is so old, I can't understand why you saised it from the dead. We have this feature long time already. It's called 'management frame protection'.

http://wiki.mikrotik.com/wiki/Manual:In ... protection
No answer to your question? How to write posts
 
nicopretorius
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Mon Nov 15, 2004 9:49 am

Re: Rogue AP detection /dealing with

Mon Mar 22, 2010 3:42 pm

Normis,

Correct me if I'm wrong, but 'management frame protection' does not protect non Mikrotik clients (laptops, smartphones, etc) from being disconnected. It will only ensure that WDS links between Mikrotik's, or Mikrotik devices in "station mode" are not affected. Therefore it will not help you when your hotspot clients are being disassociated from your AP's by rogue AP detection from another provider. The Mikrotik managment frame protection therefore does not provide the same functionality and is not the same thing as Rogue AP detection provided by the vendors I listed above.

I raised the issue because our hotspot clients have recently been affected by another provider running rogue AP detection. The only way we were able to solve this, was to get the provider to add our SSID's to their list of "allowed SSID's". Where else should have I raised the issue?


Jonashi,

I'm not suggesting to manually change your SSID. The other vendor will have an SSID that will identify his network and through this you can find out who it is that is affecting you. You can then get them to add your SSID's to their list of "allowed networks" to solve your problem. The only other way to solve this is to operate in a frequency band where the provider's rogue AP detection cannot operate. I also did not suggest that you change your hardware. I simply stated that it is a function implemented by many other vendors.

I have many thousands of Mikrotik AP's and also do not intend to change them, but it would be helpfull if this function was available in Mikrotik. This way I would then be able to also protect my clients if another provider refuses to cooporate.
 
User avatar
normis
MikroTik Support
MikroTik Support
Posts: 24614
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Rogue AP detection /dealing with

Mon Mar 22, 2010 3:47 pm

I don't understand, why can't the Rogue AP also use the same SSID ? If your competitor wants to ruin your network, he will apply any configuration that you have. It's not clear how this rogue ap detection would work
No answer to your question? How to write posts
 
jonashi
newbie
Topic Author
Posts: 45
Joined: Tue Feb 13, 2007 12:19 am
Location: Europe

Re: Rogue AP detection /dealing with

Mon Mar 22, 2010 4:58 pm

that was I just got yesterday a new mail regarding this topic, so I felt polite to reply. Thanks Normis for making it clean for us.
 
roadracer96
Forum Veteran
Forum Veteran
Posts: 714
Joined: Tue Aug 25, 2009 12:01 am

Re: Rogue AP detection /dealing with

Tue Mar 23, 2010 1:40 am

The point of rogue AP detection is to tell YOUR AP what SSID/BSSIDs are good in your network. If someone spoofs the SSID and BSSID, your AP knows that it isnt valid because IT is the one with that SSID/BSSID combination. If they simply broadcast the same SSID, and have a different SSID, your AP would know that said SSID is bogus because the BSSID doesnt match. In the case of more than one AP in a network, all the APs keep watch over each other and in the case of a SSID/BSSID collision, the AP with that SSID/BSSID combo would know it is fake and report it.

Its a good feature that I would love to see MT have. Would help cover the bases in PCI compliance here in the states regarding wireless networks.
 
nicopretorius
Frequent Visitor
Frequent Visitor
Posts: 77
Joined: Mon Nov 15, 2004 9:49 am

Re: Rogue AP detection /dealing with

Tue Mar 23, 2010 7:03 am

Maybe it would have been better to have started a new post to reduce the confusion.
The function of rogue AP detection is not to prevent competitors using your SSID nor will it prevent somebody from ruining your network via interference or other mechanisms.

It functions extactly as per roadracer post and it can help to ensure the integrity of your own network. It is mostly used in corporate networks to ensure that only "authorised WLANs" and client devices are being operated in your WLAN enviroment. Many corporates specify this as a prerequisite for WLAN hardware when they issue tenders.

As per roadracer I also believe this is a function will greatly enhance Mikrotik's functionality.

For more information on the Cisco implementation you can review the following:

http://www.cisco.com/en/US/tech/tk722/t ... 2d8c.shtml

http://www.ciscosystems.org.ph/en/US/do ... csmon.html

https://supportforums.cisco.com/docs/DO ... 0DE5.node0

Who is online

Users browsing this forum: No registered users and 78 guests