Rogue Client detected

This alarm is raised whenever WiFi Manager detects rogue clients in a wireless network.

What are Rogue clients?

Rogue clients are malicious wireless client devices that either try to gain illegitimate access to your WLAN or try to disrupt normal wireless service by launching attacks. They can also be normal client devices that are not yet authorized by the WLAN administrator.

How does WiFi Manager detect rogue clients?

WiFi Manager uses both wired-side scanning and RF scanning to discover the mobile clients connected to the WLAN. Once a mobile client is discovered, it is checked against a set of criteria (listed below). If any one of the criteria fails, the client is categorized as a rogue.

Criteria used to categorize a client as rogue:

Authorized MAC address: WLAN administrators can import the list of authorized client MAC addresses into WiFi Manager. If the MAC address of the discovered mobile client is in the list of authorized MAC addresses, the client is marked as trusted. If the MAC address is not in the trusted list, the other criteria are checked to determine whether it is rogue or not.

Authorized SSIDs: WLAN administrators can import the list of authorized SSIDs into WiFi Manager. If the discovered client uses an SSID that is not in the authorized list, it is marked as rogue.

Authorized vendor: If an enterprise standardizes on a vendor for client adapters, WLAN administrators can import the list of allowed vendors into WiFi Manager. If the discovered client is from a vendor not in the allowed list, it is marked as rogue.

Authorized channel: If an enterprise standardizes on the channels to be used in the wireless LAN, the same can be configured in WiFi Manager. Upon discovery of the client, its current channel is compared with the configured list, and if it is not in the list, the client is marked as rogue.

Authorized 802.11 mode: If an enterprise standardizes on the 802.11 mode, the same can be configured in WiFi Manager. Upon discovery of the client, the mode in which it is operating is compared with the configured list, and if it is not in the list, the client is marked as rogue.
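
The classification flow described above, written out as an added Python example (not WiFi Manager's own code). It assumes that an unconfigured list is skipped, that the vendor is identified by the first three octets of the MAC address, and that a client passing every configured check is not rogue; the field names and sample values are constructed.

```python
import re

def _hex(value):
    return re.sub(r"[:.\-]", "", value).lower()  # drop separators, lowercase

def norm_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff."""
    digits = _hex(mac)
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def classify(client, policy):
    """Return (verdict, failed_criteria) for one discovered client."""
    mac = norm_mac(client["mac"])
    # Authorized MAC comes first: a match means trusted, nothing else is checked.
    if mac in {norm_mac(m) for m in policy.get("macs", ())}:
        return "trusted", []
    checks = [
        ("ssid", client["ssid"], set(policy.get("ssids", ()))),
        ("vendor", mac[:6], {_hex(o) for o in policy.get("vendor_ouis", ())}),
        ("channel", client["channel"], set(policy.get("channels", ()))),
        ("mode", client["mode"], set(policy.get("modes", ()))),
    ]
    # A missing or empty list means the criterion is not configured (assumption).
    # Any single failing criterion is enough to mark the client as rogue.
    failed = [name for name, value, allowed in checks if allowed and value not in allowed]
    return ("rogue", failed) if failed else ("not rogue", [])

# Constructed sample policy and scan results, for illustration only.
POLICY = {
    "macs": {"00-11-22-AA-BB-01"},
    "ssids": {"corp-wlan"},
    "vendor_ouis": {"00:11:22"},  # vendor = first three octets of the MAC (assumption)
    "channels": {1, 6, 11},
    "modes": {"802.11g"},
}
CLIENTS = [
    {"mac": "0011.22aa.bb01", "ssid": "guest", "channel": 3, "mode": "802.11b"},
    {"mac": "00:11:22:aa:bb:02", "ssid": "corp-wlan", "channel": 6, "mode": "802.11g"},
    {"mac": "66:77:88:00:00:01", "ssid": "corp-wlan", "channel": 3, "mode": "802.11g"},
]

if __name__ == "__main__":
    print(*[(c["mac"], *classify(c, POLICY)) for c in CLIENTS], sep="\n")
```

The first sample client is trusted on its MAC address alone even though its SSID, channel and mode are off-policy, which is why the reason for each alarm (the returned list of failed criteria) is worth reviewing alongside the verdict.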

What should the system Administrators do?

When WiFi Manager raises the alarm that a rogue client is detected, the administrator should immediately analyze the reason for the alarm and take appropriate steps. He/she can take one of the following steps:

1. If the client is really a rogue client, the administrator has to take immediate steps to block it from accessing the WLAN. The most common method of keeping rogue clients away is configuring their MAC addresses in the Access Point’s Access Control List (ACL). The ACL determines whether a client is allowed or denied when it tries to connect to the WLAN. WLAN administrators can specify the rogue client’s MAC address in the ACL of all authorized Access Points to keep the rogue client off the network forever.


2. If the client is not a rogue device, the administrator can use the "Mark As" option in WiFi Manager to change it to a trusted device. Further, he/she can analyze the reason for the alarm and make the appropriate configuration changes in WiFi Manager.


Rogue client blocking