Cisco Cisco 5508 Wireless Controller Referencia técnica

If probe response or beacons from a rogue device are heard by either local mode, FlexConnect mode, or 
monitor mode APs, then this information is communicated via CAPWAP to the Wireless LAN controller 
(WLC) for processing. Rogue device can be identified regardless of its SSID is broadcast or not. In order 
to prevent false positives, a number of methods are used to ensure that other managed Cisco-based APs 
are not identified as a rogue device. These methods include mobility group updates, RF neighbor 
packets, and white listing autonomous APs via Cisco Prime Infrastructure (PI).

While the controller’s database of rogue devices contains only the current set of detected rogues, the 
Cisco PI also includes an event history and logs rogues that are no longer seen.

A CAPWAP AP goes off-channel for 50ms in order to listen for rogue clients, monitor for noise, and 
channel interference. Any detected rogue clients or APs are sent to the controller, which gathers the 
following information:

The rogue AP's MAC address

Name of the AP detected rogue

The rogue connected client(s) MAC address

Whether the frames are protected with WPA or WEP

The preamble

The Signal-to-Noise Ratio (SNR)

The Receiver Signal Strength Indicator (RSSI)

Channel of Rogue detection

Radio in which rogue is detected

Rogue SSID (if the rogue SSID is broadcasted)