Understanding Rogue Clients
A rogue client is a client that does not belong to your company, but is operating on the network anyway. Rogue clients might be trying to steal information, could be trying to disrupt normal wireless service by launching attacks, or might be simply trying to use your wireless access.
What Defines a Rogue Client?
A client is classified as a rogue if it appears on the rogue list, to which an administrator has added it (see Creating and Managing RF Detection Profiles). In addition, MSS automatically classifies a client as a rogue for the following reasons:
Ad-hoc clients such as laptops, PDAs, and printers that attempt to connect directly to one another, without using an access point, are rogues by default. You can change this behavior; see Creating and Managing RF Detection Profiles.
Any client that connects to a rogue access point is considered a rogue client, because it is bypassing the authorized security controls put in place by the IT department.
The client has violated a network policy.
Additional indications that a client might be a rogue include:
The client sends multiple frames with a prolonged duration. The Duration field in an 802.11 frame states, in microseconds, how long the channel is reserved, so abnormally long duration values keep legitimate users off the air.
The client is not associated with any access point (an unassociated client) but is sending frames anyway. Such frames are probably forged frames that the client is injecting into the wireless network.
The client is probing for the 'any' SSID. Access points that are not configured properly can allow clients to connect with an SSID of 'any', so a client that tries to connect this way is most probably a rogue.
The client is repeatedly sending association requests to an access point, which can indicate a flood attack. The threshold for a flood message is more than 100 frames of the same type from the same MAC address within a one-second period; when MSS sees this, it generates a log message stating the frame type, the MAC address of the sender, the listener (MP and radio), the channel number, and the RSSI. To see the log,
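The indicators above can be expressed as checks over a stream of observed frames. The following is an added example and not MSS code (MSS's internal detection logic is not public); it applies the page's stated flood threshold (more than 100 frames of one type from one MAC within one second) plus the long-duration, unassociated-sender and 'any'-SSID indicators to a constructed set of frame records. The Frame field names, the 10 ms "prolonged duration" cutoff and the sample frames are assumptions made for illustration.

```python
"""Rogue-client indicator checks over constructed 802.11 frame records.

Added example, not from the Network Director / MSS documentation.
Field names, thresholds other than the 100-frames-per-second flood
threshold, and all sample data are assumptions for illustration.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable

FLOOD_THRESHOLD = 100   # page: more than 100 frames of one type from one MAC...
FLOOD_WINDOW_S = 1.0    # ...within a one-second period
# The 802.11 Duration/ID field is a 15-bit value in microseconds (max 32767).
# Treating anything over 10 ms as "prolonged" is an assumption, not an MSS setting.
LONG_DURATION_US = 10_000


@dataclass(frozen=True)
class Frame:
    ts: float          # capture time in seconds
    src: str           # sender MAC address
    ftype: str         # e.g. "assoc_req", "data", "probe_req" (assumed labels)
    duration_us: int   # Duration/ID field, microseconds
    channel: int
    rssi: int
    associated: bool   # sender is currently associated to the listening AP
    ssid: str = ""     # SSID element, only meaningful for probe requests


def detect(frames: Iterable[Frame]) -> list[dict]:
    """Return one alert dict per indicator hit; a flood is reported once per (MAC, type)."""
    alerts: list[dict] = []
    window: dict[tuple[str, str], deque] = defaultdict(deque)
    flooded: set[tuple[str, str]] = set()

    for f in sorted(frames, key=lambda x: x.ts):
        if f.duration_us > LONG_DURATION_US:
            alerts.append({"kind": "long_duration", "mac": f.src,
                           "duration_us": f.duration_us, "channel": f.channel})
        if f.ftype == "data" and not f.associated:
            alerts.append({"kind": "unassociated_tx", "mac": f.src, "channel": f.channel})
        if f.ftype == "probe_req" and f.ssid == "any":
            alerts.append({"kind": "any_ssid_probe", "mac": f.src, "channel": f.channel})

        # Sliding one-second window of same-type frames from the same sender.
        key = (f.src, f.ftype)
        q = window[key]
        q.append(f.ts)
        while q and f.ts - q[0] > FLOOD_WINDOW_S:
            q.popleft()
        if len(q) > FLOOD_THRESHOLD and key not in flooded:
            flooded.add(key)
            # Mirrors the fields the page says the MSS log message carries.
            alerts.append({"kind": "flood", "frame_type": f.ftype, "mac": f.src,
                           "channel": f.channel, "rssi": f.rssi, "count": len(q)})
    return alerts


def build_sample() -> list[Frame]:
    """Constructed sample: a few benign frames, one hit per indicator, one assoc flood."""
    frames = [
        Frame(0.00, "aa:bb:cc:00:00:02", "data", 44, 6, -60, True),
        Frame(0.10, "aa:bb:cc:00:00:02", "data", 44, 6, -60, True),
        Frame(0.20, "aa:bb:cc:00:00:03", "data", 32_000, 6, -70, True),   # huge NAV reservation
        Frame(0.30, "aa:bb:cc:00:00:04", "data", 44, 6, -48, False),      # data from unassociated MAC
        Frame(0.40, "aa:bb:cc:00:00:05", "probe_req", 0, 6, -65, False, ssid="any"),
    ]
    attacker = "aa:bb:cc:00:00:01"
    # 101 association requests in 0.4 s: one over the page's threshold.
    frames += [Frame(0.5 + i * 0.004, attacker, "assoc_req", 314, 6, -55, False)
               for i in range(101)]
    return frames


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

The flood check is deliberately keyed on (sender MAC, frame type), matching the page's wording that it is frames "of the same type from the same MAC address" that count; a client sending 60 probe requests and 60 data frames in one second does not trip it.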
How Are Rogue Clients Detected?
Access points have the ability to identify clients, including rogue clients. This information is passed to the controller and to Network Director. In Network Director, rogue clients generate a fault. From the CLI, use the command show rfdetect clients to see all clients. From RingMaster, click Alarms > Query > select options including the word rogue > OK.
What Can I do To Prevent Rogue Client Damage?
The sooner you detect a rogue client or suspicious activity, the easier it is to stop the intrusion.
A client belonging to your network mobility domain cannot be classified as a rogue, but you can add it to the blocklist; see Creating and Managing RF Detection Profiles.
How Do I Prevent a Benign Client From Being Classified as a Rogue?
Clients belonging to your mobility domain are never classified as rogues.
A client's presence on the permitted SSID list or the OUI list does not guarantee that it will not be classified as a rogue for some other reason. The only sure way to keep a client from outside your mobility domain from being classified as a rogue is to add the device or its vendor to the neighbor list.
Neighbors are devices known to be part of a neighboring network and non-threatening. Vendors can also be added to the neighbor list. For directions, see Creating and Managing RF Detection Profiles.
How Do I Make Sure An SSID Won’t Be Classified as Rogue?
MSS maintains a permitted SSID list, which is a list of SSIDs allowed in the mobility domain. If a detected SSID is not on the list, MSS generates a message.
How Can I Make Sure a Device is Classified as Rogue?
If you know the MAC address of a client, you can add it to the rogue list—for directions, see Creating and Managing RF Detection Profiles.