I have found a rogue AP which uses the same SSID and MAC like my AP. Does pretty cool things to me - When I change frequency, it changes frequency on rogue too, when I change MAC address, rogue changes MAC address too, when I stop/disable my wlan interface, rogue AP stop transmit too after 15 second... and that cousing me to disconnect distant clients of AP periodically.
I have pinpointed location of rogue, but thats all I can do with it.
Question is - is there any scripting possibility to discover rogue ap's? like scan and compare scanned ssids with my own...
What are your experiences with this/dealing stories?

Cool

Cool

That's a pretty useless reply.

jonashi: I'm not sure, hopefully someone can provide some insight for you.

And your reply that you haven't a clue isn't just as useless?

Now let me make a more useful reply.

I would suggest stopping the broadcast of your SSID. Hide it.

Then, create a Virtual AP and disable authentication and use a different SSID. Whoever this jerkoff is that is screwing with you should replicate your Virtual AP which you are broadcasting but not using.

The other thing you could do is go with 5mhz or 10mhz spacing. Depending on how smart he is that might through yet another curveball in. Combine that with what I suggested before and I doubt he could guess all the variables.

Hi guys,
thanks for helping, and your concern, it's appreciated.
I'm afraid there is no variable guessing, thats 100% automation process probably on linux machine, because there is no RouterOS info on radio when I am scanning rogue by MT. Btw rogue signal is pretty strong -50dB, and it is transmitting by somewhere hidden anntena cca 24-29dB directional, I can detect only small strong radio beam. (using MT, and wi-spy spectrum analyzer to pinpoint location).
Frankly speaking I just decided to switch form 2.4 ptmp to 5GHz ptp and cover affected clients with 2.4 sector antenna, but I have suspicion thats not only one rogue AP I'm up to and I'm looking for system precausion to be informed about rogue AP, now I am running more than 100 ap. This rogue was found accidentaly; rogue detection becomes mandatory to me, I guess. But how to do it with Mikrotik?

what about the two suggestions made by jwcn, did you try them?

I haven't tested these jwcn suggestions yet, but I'm gonna to. So far I have changed MAC address and hidden SSID. Rogue replicated my new setup instantly. I'll test all suggestions before reconnect disconecting clients to new AP location - which is inevitable - and report you results.
However - is there any possibility do discover rogue ap by Mikrotik as system precausion?

thank all for contribution and ideas

Various vendors (Cisco, Xirrus, Trapeze, Colubris, etc.) have implemented Rogue AP Detection as part of their solution and unless you get the network provider to allow your "SSID" to be excluded you will not solve this problem. The best is to scan for the other network's SSID to identify them. You can obviously do the same to them if they are not willing to cooporate with some of the products listed above.

Normis, is Rogue AP detection something that Mikrotik is considering to provide as functionality in the future? This can be very usefull.
Regards,

Nico

I am not willing to cooperate with cisco etc because I am successfuly running hundreds of APs on Mikrotik. However, your suggestion is to do that manualy which is just impossible at least for human resource consumption. Maybe later I will solve that by running scripts to store and compare and e-mail me ssid changes arround. But that wil cause ocasionaly drop in the clients communication during available networks scan.

This topic is so old, I can't understand why you saised it from the dead. We have this feature long time already. It's called 'management frame protection'.

http://wiki.mikrotik.com/wiki/Manual:In ... protection

Normis,

Correct me if I'm wrong, but 'management frame protection' does not protect non Mikrotik clients (laptops, smartphones, etc) from being disconnected. It will only ensure that WDS links between Mikrotik's, or Mikrotik devices in "station mode" are not affected. Therefore it will not help you when your hotspot clients are being disassociated from your AP's by rogue AP detection from another provider. The Mikrotik managment frame protection therefore does not provide the same functionality and is not the same thing as Rogue AP detection provided by the vendors I listed above.

I raised the issue because our hotspot clients have recently been affected by another provider running rogue AP detection. The only way we were able to solve this, was to get the provider to add our SSID's to their list of "allowed SSID's". Where else should have I raised the issue?


Jonashi,

I'm not suggesting to manually change your SSID. The other vendor will have an SSID that will identify his network and through this you can find out who it is that is affecting you. You can then get them to add your SSID's to their list of "allowed networks" to solve your problem. The only other way to solve this is to operate in a frequency band where the provider's rogue AP detection cannot operate. I also did not suggest that you change your hardware. I simply stated that it is a function implemented by many other vendors.

I have many thousands of Mikrotik AP's and also do not intend to change them, but it would be helpfull if this function was available in Mikrotik. This way I would then be able to also protect my clients if another provider refuses to cooporate.

I don't understand, why can't the Rogue AP also use the same SSID ? If your competitor wants to ruin your network, he will apply any configuration that you have. It's not clear how this rogue ap detection would work

that was I just got yesterday a new mail regarding this topic, so I felt polite to reply. Thanks Normis for making it clean for us.

The point of rogue AP detection is to tell YOUR AP what SSID/BSSIDs are good in your network. If someone spoofs the SSID and BSSID, your AP knows that it isnt valid because IT is the one with that SSID/BSSID combination. If they simply broadcast the same SSID, and have a different SSID, your AP would know that said SSID is bogus because the BSSID doesnt match. In the case of more than one AP in a network, all the APs keep watch over each other and in the case of a SSID/BSSID collision, the AP with that SSID/BSSID combo would know it is fake and report it.

Its a good feature that I would love to see MT have. Would help cover the bases in PCI compliance here in the states regarding wireless networks.

Maybe it would have been better to have started a new post to reduce the confusion.
The function of rogue AP detection is not to prevent competitors using your SSID nor will it prevent somebody from ruining your network via interference or other mechanisms.

It functions extactly as per roadracer post and it can help to ensure the integrity of your own network. It is mostly used in corporate networks to ensure that only "authorised WLANs" and client devices are being operated in your WLAN enviroment. Many corporates specify this as a prerequisite for WLAN hardware when they issue tenders.

As per roadracer I also believe this is a function will greatly enhance Mikrotik's functionality.

For more information on the Cisco implementation you can review the following:

http://www.cisco.com/en/US/tech/tk722/t ... 2d8c.shtml

http://www.ciscosystems.org.ph/en/US/do ... csmon.html

https://supportforums.cisco.com/docs/DO ... 0DE5.node0