Rogues, Honeypots, and Neighbor APs

SUMMARY Get familiar with the essential terms (rogue, neighbor, and honeypot) so that you can manage these APs appropriately when Juniper Mist™ detects them.

Rogue, neighbor, and honeypot APs are unauthorized devices operating on or near your network, often with the goal of fooling users into connecting to the "false" access point in order to steal data or monitor communications. These kinds of anomalous devices can be hard to detect, and they can pose a significant security threat to both the unwitting user and the organization whose network is being compromised.

To protect against this kind of threat, Juniper APs include a dedicated scanning radio to detect and remove risky APs and their clients from your network and your facilities. The dedicated scanning radios operate on both the 2.4-GHz and 5-GHz bands. They provide data for real-time performance adjustments on the AP, as well as streaming telemetry to the Mist portal, for site-wide optimizations on the basis of artificial intelligence and machine learning.

To see any threats, select Site > Wireless | Security in the Mist portal to open the Security page. A list of all the anomalous APs detected appears. You can drill down on any item to find the physical location, the Ethernet connection, and even the rogue clients connected to the AP. You can also terminate rogue APs and prevent unwanted clients from rejoining the network. See Classify and Ban Designated Wireless Clients.

Figure 1: AP Threat Detection and Classification

Unique security threats arise in the wireless environment:

  • Rogue APs are any wireless APs installed on your wired network without authorization. Typically, this AP is connected to the LAN through an Ethernet cable. The intent of rogues can be malicious, such as to gain illicit access to the network, or benign, such as an employee setting up their own Wi-Fi hotspot to cover a perceived dead spot. Rogue clients are users who've connected to the rogue AP.

  • Malicious Neighbor APs are not connected to your network, but they lurk in the vicinity and may have both the strongest signal and no authorization requirements. As a result, clients may connect to the neighbor AP, assuming it's yours and thus that it's secure. Neighbor APs can also be a way for users in your facility to get around security restrictions on your network, such as streaming music or accessing blocked sites, or to avoid paying for services. Nonmalicious neighbor APs are SSIDs from another organization. In other words, legitimate SSIDs belonging to one organization will also be listed as neighbors for another organization.

  • Honeypots, also known as Evil Twins, are unauthorized APs that advertise your SSID, typically with the goal of capturing client login credentials. Here, a bad actor may copy or approximate your Wi-Fi hotspot, spoof your organization's login screen, and then collect the username and password of unsuspecting users as they try to log in to "your" network. The bad actor can then use the credentials to log in to your actual network and wreak whatever havoc they have in mind. Nonmalicious honeypots are SSIDs from another organization that are broadcasting the same WLAN.

    Note:

    You can exempt "friendly" SSIDs and BSSIDs from repeated misclassification. Do so in the Mist portal by adding the MAC address of the AP in the Approved SSIDs field on the Organization > Admin | Site Configuration page (under Security Configuration). Be sure to delimit multiple MACs with a comma, no space.
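
The three definitions above and the approved-list exemption from the note, expressed as a small triage function over scan observations. This is an added example, not Juniper Mist code or its detection logic; the record fields (`bssid`, `ssid`, `on_wired_lan`), the sample SSIDs and MACs, and the choice to report a wired AP as a rogue even when it also advertises your SSID are assumptions made for illustration.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def parse_approved(field):
    """Parse a comma-delimited MAC list; a space after a comma is rejected."""
    if not field:
        return set()
    macs = field.split(",")
    bad = [m for m in macs if not MAC_RE.match(m.lower())]
    if bad:
        raise ValueError(f"malformed entries (space or bad MAC): {bad}")
    return {m.lower() for m in macs}

def classify(ap, own_bssids, own_ssids, approved):
    """Label one observation; own_bssids and approved hold lowercase MACs."""
    bssid = ap["bssid"].lower()
    if bssid in own_bssids:
        return "authorized"
    if bssid in approved:
        return "approved"      # exempted "friendly" AP
    if ap["on_wired_lan"]:
        return "rogue"         # unauthorized AP attached to your wired LAN
    if ap["ssid"] in own_ssids:
        return "honeypot"      # off-network AP advertising your SSID
    return "neighbor"          # off-network AP with someone else's SSID

def triage(scan, own_bssids, own_ssids, approved_field):
    """Return {bssid: label} for every observation in the scan."""
    approved = parse_approved(approved_field)
    return {ap["bssid"].lower(): classify(ap, own_bssids, own_ssids, approved)
            for ap in scan}

# Constructed sample data (documentation-range MACs, hypothetical SSIDs).
OWN_BSSIDS = {"00:00:5e:00:53:01"}
OWN_SSIDS = {"Corp-WiFi"}
APPROVED_FIELD = "00:00:5e:00:53:10,00:00:5e:00:53:11"
SCAN = [
    {"bssid": "00:00:5E:00:53:01", "ssid": "Corp-WiFi", "on_wired_lan": True},
    {"bssid": "00:00:5e:00:53:a1", "ssid": "HomeRouter", "on_wired_lan": True},
    {"bssid": "00:00:5e:00:53:b2", "ssid": "Corp-WiFi", "on_wired_lan": False},
    {"bssid": "00:00:5e:00:53:c3", "ssid": "CoffeeShop", "on_wired_lan": False},
    {"bssid": "00:00:5e:00:53:10", "ssid": "Corp-WiFi", "on_wired_lan": False},
]

if __name__ == "__main__":
    for bssid, label in triage(SCAN, OWN_BSSIDS, OWN_SSIDS, APPROVED_FIELD).items():
        print(bssid, label)
```
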