Rogue APs

View, filter, sort, and classify rogue AP objects. (ExtremeCloud IQ only.)

View Rogue APs

When you enable an ExtremeCloud IQ WIPS (wireless intrusion prevention system) configuration on APs, APs that do not comply with the WIPS configuration are considered rogue APs and are listed here. Keep rogue APs in this list as a reminder to investigate them. If a configured AP does not comply with a WIPS configuration and appears on this list, but you are sure that it is a valid device, you can remove it. (In this case, you might also want to reconfigure the WIPS policy settings.)

  • The Rogue APs table has variable-width columns to display longer entries. Select and drag the right edge of any column left or right to change the column width. Some columns are also sortable; select the column heading to sort column entries.

The Rogue AP table displays all of the rogue APs that have been detected in your network. You can choose to show in-net rogues, unauthorized rogues, or neighbor rogues that are not a threat.

You can view real-time data or historical data for rogue APs. The timeline options at the top of the page allow you to select a time range (for example a specific day or week, and time), and then use the slider bars on the timeline to narrow the window. Historical data is retained for one week.

In-network rogues: If a detected rogue AP is determined to be in the same backhaul network as compliant APs, ExtremeCloud IQ displays "In-net" in this column. If its location on the network cannot be determined, a dash appears here. Knowing whether a rogue AP is in the same network can help you decide how swift your response to its presence needs to be.

At the top of the table are three check box categories:

Rogue: An unauthorized AP that is connected to your wired network.

Unauthorized: Any unauthorized AP that is detected, but not necessarily connected to the wired network.

Neighbor: APs that you have manually classified as a neighbor and that does not represent a threat.

If none of these check boxes are selected, the table displays all rogues. Select a check box to limit the types of rogue APs that are displayed.

The table contains the following information:

Classification: Whether this AP is considered a true rogue or a neighbor AP.

Clients: Shows the number of clients associated with this AP.

Rogue AP BSSID: The BSSID (basic service set identifier, which includes the MAC address) of the rogue access point.

SSID: The SSID that is being announced by the rogue access point beacons.

Vendor: The vendor of the rogue access point, Apple, for example.

Approximate Location: The location of the rogue in your network, or the location of the AP that reported the rogue.

Reporting Device: The authorized device in your network that reported the rogue.

Reason: The reason the AP has been designated as a rogue. APs can check if the SSID names that other access points advertise—along with the type of encryption they use—match those in a checklist. For example, if your network security policy requires all SSIDs to use WPA or WPA2, then any SSID using WPA or WPA2 makes the access point hosting it valid. On the other hand, an access point is categorized as rogue if it hosts an SSID using WEP or no encryption at all (that is, "open"). For more information about creating a WIPS policy, see "WIPS".

First Time Detected: The first time this AP was detected in your network.

Last Time Detected: The last time this rogue was detected in your network.

Filter the Rogue AP Display

You can filter the display by location or by network SSID. To do this, select . Select the check boxes for the items you want to include in your filter, and then select Save. In the dialog box, enter a name for the filter, and then select Save again. When you save a filter, it appears in the top section of the left navigation bar for future use.

Classify Rogue APs

You can change the classification for the rogue APs displayed in this table. Select the check box for an AP and then select Classify at the top of the table. From the drop-down list, select one of the following options:

Neighbor: This option reclassifies this device as an AP that does not present a threat to your network.

Auto-classify: (For previously manually-classified APs) Use this option to return a device to the default classification it had when first detected.