
FortiWiFi and FortiAP Configuration Guide


Monitoring rogue APs

The access point radio equipment can scan for other available access points, either as a dedicated monitor or in idle periods during AP operation.

To see all the rogue APs detected by your managed FortiAP or FortiWiFi unit, go to Dashboard > WiFi > Rogue APs. The Rogue AP widget shows three charts containing rogue AP statistic information in different categories.

  • The Detected By chart shows the number of rogue APs detected by each managed FortiAP unit or FortiWiFi local radio.
  • The SSID chart shows the number of SSID names detected as rogue APs.
  • The Vendor Info chart shows the vendor information of the detected rogue APs.

All detected rogue APs are listed in a table, where you can mark each one as an Accepted AP or a Rogue AP. Click Show Offline or Show Accepted to toggle the display of offline rogue APs and accepted APs.

It is also possible to suppress rogue APs. See Suppressing rogue APs.

On-wire rogue AP detection technique

Other APs that are available in the same area as your own APs are not necessarily rogues. A neighboring AP that has no connection to your network might cause interference, but it is not a security threat. A rogue AP is an unauthorized AP connected to your wired network. This can enable unauthorized access. When rogue AP detection is enabled, the On-wire column in the Rogue APs widget shows a green up-arrow on detected rogues.

Rogue AP monitoring of WiFi client traffic builds a table of WiFi clients and the Access Points that they are communicating through. The FortiGate unit also builds a table of MAC addresses that it sees on the LAN. The FortiGate unit’s on-wire correlation engine constantly compares the MAC addresses seen on the LAN to the MAC addresses seen on the WiFi network.

There are two methods of Rogue AP on-wire detection operating simultaneously: Exact MAC address match and MAC adjacency.

Exact MAC address match

If the same MAC address is seen on the LAN and on the WiFi network, the wireless client's frames are reaching the LAN through the AP it is associated with, so that AP is bridging WiFi traffic onto your wire. If that AP is not authorized in the FortiGate unit configuration, it is deemed an ‘on-wire’ rogue. This scheme works for non-NAT rogue APs, because a NAT AP replaces the client's MAC address with its own before forwarding.

MAC adjacency

If an access point is also a router, it applies NAT to WiFi packets, so the client's MAC address never appears on the LAN; only the router's Ethernet MAC address does. This makes rogue detection more difficult. However, an AP's WiFi interface MAC address (its BSSID) is usually in the same range as its wired MAC address. So, the MAC adjacency rogue detection method matches LAN MAC addresses and WiFi MAC addresses that are within a defined numerical distance of each other. By default, the MAC adjacency value is 7. If the AP for these matching MAC addresses is not authorized in the FortiGate unit configuration, that AP is deemed an ‘on-wire’ rogue.

Limitations

On-wire rogue detection has some limitations. There must be at least one WiFi client connected to the suspect AP and continuously sending traffic. If the suspect AP is a router, its WiFi MAC address must be very similar to its Ethernet port MAC address.
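To make the two correlation rules and the client-traffic limitation concrete, the following Python model walks through the on-wire correlation described above. It is an added example, not Fortinet code, and it assumes a metric the page does not define: the "numerical distance" between two MAC addresses is taken as the absolute difference of their 48-bit integer values. The adjacency threshold defaults to 7 as stated on the page. All MAC addresses and the three tables (scanned BSSIDs, WiFi client associations, LAN MACs) are constructed sample data.

```python
# Added example (not Fortinet code): toy model of the on-wire correlation engine.
# Assumptions not taken from the page:
#   * MAC "numerical distance" = |int(mac_a) - int(mac_b)| over the 48-bit value
#   * every MAC address and table below is constructed sample data

DEFAULT_MAC_ADJACENCY = 7   # rogue-scan-mac-adjacency default given on the page


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (colon or dash separated) into a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_distance(a: str, b: str) -> int:
    """Distance used by the MAC adjacency check (assumed metric, see above)."""
    return abs(mac_to_int(a) - mac_to_int(b))


def correlate_onwire(scanned_bssids, wifi_clients, lan_macs, authorized_bssids,
                     adjacency=DEFAULT_MAC_ADJACENCY):
    """
    scanned_bssids    : set of AP MACs (BSSIDs) heard over the air
    wifi_clients      : dict client MAC -> BSSID the client is sending through
    lan_macs          : set of source MACs seen on the wired LAN
    authorized_bssids : BSSIDs of the APs the FortiGate manages

    Returns {bssid: "exact" | "adjacency" | None} for every unauthorized AP.
    None means "seen over the air but never correlated to the wire".
    """
    verdict = {b: None for b in scanned_bssids if b not in authorized_bssids}

    # Only APs that a client is actively sending through are ever evaluated:
    # this is the "at least one client sending traffic" limitation.
    for client_mac, bssid in wifi_clients.items():
        if bssid in authorized_bssids:
            continue                      # traffic through our own AP
        verdict.setdefault(bssid, None)   # client on an AP the scan missed
        if verdict[bssid] == "exact":
            continue
        # Method 1: exact match. A bridging (non-NAT) rogue forwards the
        # client's own MAC onto the LAN, so it shows up on both sides.
        if client_mac in lan_macs:
            verdict[bssid] = "exact"
            continue
        # Method 2: MAC adjacency. A NAT rogue hides the client MAC, but its
        # wired-port MAC is usually numerically close to its WiFi BSSID.
        if verdict[bssid] is None and any(
                mac_distance(bssid, m) <= adjacency for m in lan_macs):
            verdict[bssid] = "adjacency"
    return verdict


# ---- constructed sample tables ----
AUTHORIZED = {"00:09:0f:aa:bb:c0"}             # a managed FortiAP radio
SCANNED = {
    "00:09:0f:aa:bb:c0",                        # ours
    "d8:3a:dd:10:20:30",                        # rogue AP in bridge mode
    "a4:2b:8c:55:66:7a",                        # rogue AP that NATs (SOHO router)
    "e8:de:27:99:88:77",                        # neighbour's AP, not on our wire
    "b0:be:76:00:00:10",                        # rogue with no client traffic
}
WIFI_CLIENTS = {
    "3c:22:fb:01:02:03": "d8:3a:dd:10:20:30",   # laptop behind the bridge rogue
    "f0:18:98:aa:bb:cc": "a4:2b:8c:55:66:7a",   # phone behind the NAT rogue
    "7c:d1:c3:44:55:66": "e8:de:27:99:88:77",   # someone on the neighbour's AP
    "9c:b6:d0:12:34:56": "00:09:0f:aa:bb:c0",   # our own user
}
LAN_MACS = {
    "3c:22:fb:01:02:03",    # the laptop's MAC, bridged straight onto the LAN
    "a4:2b:8c:55:66:78",    # NAT rogue's Ethernet port: distance 2 from its BSSID
    "b0:be:76:00:00:0f",    # idle rogue's Ethernet port: distance 1 from its BSSID
    "9c:b6:d0:12:34:56",    # our own user, routed through the FortiGate
    "00:50:56:de:ad:01",    # a wired server
}


def demo(adjacency=DEFAULT_MAC_ADJACENCY):
    """Run the correlation over the sample tables with the given threshold."""
    return correlate_onwire(SCANNED, WIFI_CLIENTS, LAN_MACS, AUTHORIZED, adjacency)


if __name__ == "__main__":
    for bssid, how in sorted(demo().items()):
        print(f"{bssid}  on-wire={how or 'no'}")
```

With the default threshold the bridge-mode rogue is flagged by exact match, the NAT router by adjacency (its Ethernet MAC is 2 away from its BSSID), the neighbour's AP is not correlated at all, and the idle rogue stays uncorrelated even though a LAN MAC sits 1 away from its BSSID, because no client is sending through it. Calling demo(adjacency=1), the equivalent of tightening rogue-scan-mac-adjacency, loses the NAT router.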

Logging

Information about detected rogue APs is logged and, if you have a FortiAnalyzer unit, uploaded to it. By default, rogue APs generate an alert-level log and unknown APs generate a warning-level log. This log information can help you meet PCI-DSS compliance requirements.

Rogue AP scanning as a background activity

Each WiFi radio can monitor the radio channels in its operating band while acting as an AP. It does this by briefly switching from AP mode to monitoring mode. By default, a scan period starts every 300 seconds. Each second a different channel is monitored for 20 ms until all channels have been checked.

During heavy AP traffic, Spectrum Analysis background scanning can cause lost packets when the radio switches to monitoring mode. To reduce the probability of lost packets, set the CLI ap-bgscan-idle field to delay the switch to monitoring until the AP has been idle for the specified period. The trade-off is that heavy AP traffic may slow background scanning.

The following CLI example configures default background rogue scanning operation except that it sets ap-bgscan-idle to require 100ms of AP inactivity before scanning the next channel.

config wireless-controller wtp-profile
    edit ourprofile
        config radio-1
            set wids-profile ourwidsprofile
            set spectrum-analysis enable
        end
    end

config wireless-controller wids-profile
    edit ourwidsprofile
        set ap-scan enable
        set rogue-scan enable
        set ap-bgscan-period 300
        set ap-bgscan-intv 1
        set ap-bgscan-duration 20
        set ap-bgscan-idle 100
    end

Configuring rogue scanning

All APs using the same FortiAP Profile share the same rogue scanning settings, unless override is configured.

To enable rogue AP scanning with on-wire detection - GUI
  1. Go to WiFi and Switch Controller > WIDS Profiles.
  2. Select an existing WIDS Profile and edit it, or select Create New.
  3. Select a Sensor mode: either Foreign Channels Only or Foreign and Home Channels.

    On-wire detection is automatically enabled when you select both a sensor mode and enable rogue AP detection.

  4. Select Enable rogue AP detection.
  5. Optionally, enable Auto Suppress Rogue APs in Foreground Scan.
  6. Click OK.
To enable the rogue AP scanning feature in a WIDS profile - CLI

config wireless-controller wids-profile
    edit FAP220B-default
        set ap-scan enable
        set rogue-scan enable
    end

Exempting an AP from rogue scanning

By default, if Rogue AP Detection is enabled, it is enabled on all managed FortiAP units. Optionally, you can exempt an AP from scanning. You should be careful about doing this if your organization must perform scanning to meet PCI-DSS requirements.

To exempt an AP from rogue scanning
  1. Go to WiFi and Switch Controller > WIDS Profiles.
  2. Create a new WIDS profile and disable Rogue AP detection.
  3. Go to WiFi and Switch Controller > FortiAP Profiles and edit the profile you wish to exempt from rogue scanning.
  4. Assign the WIDS profile created in step 2.

MAC adjacency

You can adjust the maximum numerical difference allowed between an AP's WiFi and Ethernet MAC addresses when determining whether a suspect AP is an on-wire rogue. A larger value catches more NAT routers whose two MACs are further apart, at the cost of more false matches; a smaller value is stricter.

To adjust MAC adjacency

For example, to change the adjacency to 8, enter

config wireless-controller global
    set rogue-scan-mac-adjacency 8
end

Using the Rogue AP Monitor

To view the list of other wireless access points that are receivable at your location, go to Dashboard > WiFi > Rogue APs.

Column Name: Description

MAC Address: The MAC address of the wireless interface.

SSID: The wireless service set identifier (SSID) or network name for the wireless interface.

State: One of the following.
    Accepted AP: Use this status for APs that are an authorized part of your network or are neighboring APs that are not a security threat. To see accepted APs in the list, select Show Accepted.
    Rogue AP: Use this status for unauthorized APs that the On-wire status indicates are attached to your wired networks.
    Suppressed Rogue AP: Use this status to suppress unauthorized APs.
    Unclassified: This is the initial status of a discovered AP. You can change an AP back to Unclassified if you have mistakenly marked it as Rogue or Accepted.

Online Status: One of Active AP, Inactive AP, Active ad-hoc WiFi device, or Inactive ad-hoc WiFi device.

Signal Interference: The relative signal strength of the AP. Mouse over the symbol to view the signal-to-noise ratio.

Vendor Info: The name of the vendor.

Detected By: The name or serial number of the AP unit that detected the signal.

Channel: The wireless radio channel that the access point uses.

On-wire: A green up-arrow indicates a suspected rogue, based on the on-wire detection technique. A red down-arrow indicates that the AP is not a suspected rogue.

Security Type: The type of security currently being used.

First Seen: How long ago this AP was first detected.

Last Seen: How long ago this AP was last detected.

Rate: Data rate in bps.

Changing a rogue AP state

To change the state of a rogue AP, select the AP and hover over the State column until an Edit icon appears. Click the Edit icon and select the state you want, and then click Apply.
