Some Rogue APs You Just Gotta Live With

As I look in on the management console of my big Cisco WLAN, I see at the moment I have 711 detected rogues on my biggest campus. Detection in this case loosly equals:

  • Being heard by one or more APs that have been configured to take part in rogue detection
  • Breaking our threshold of concern (I have set to RSSI of -78)
  • Being heard within the last few days

Because of where this WLAN sits geographically and the fact that we have thousands of APs (with hundreds participating in rogue detection), our rogue dashboard stays pretty busy. We’re in a city, surrounded by hospitals, businesses, and residential neighborhoods. I asked The Google for graphical help:

Image

This is a quick and dirty view of our main campus area, and doesn’t show several of our local remote sites or our mile-away other large campus. But- you can see we’re surrounded by lots of buildings. And… those buildings have lots of Wi-Fi. Because we’re so close, we can’t help but to mutually interfere with our neighbors. Our high density design keeps our APs usually running very low power, and we try to be good neighbors.

For giggles, here’s a partial list of interfering SSIDs along with channel and signal strength (perceived by our APs) that I really can’t do a thing about. This DOES NOT include the known “regulars” that have already been “acknowledged”- the hospitals, JPMC, local hotels, etc,  Each of the following is absolutely outside of our own buildings:

  • SSID: PA 217A, Channel 6, Strongest AP RSSI: -41 (yes, -41)
  • Guest Network, 11, -43
  • On Route (several instances, all very strong, scattered all over 2.4 GHz and 5 GHz, very transient)
  • Apple, 6, -47
  • Netgear, 1, -49
  • AirDelt, 10, -57 (Asustek)
  • TWCWIFI and TWCWIFI Passpoint. 11, -57 (These are Ruckus)
  • IACNY (multiple), 4, -60
  • <non-broadcast>, 3, -61
  • prettygirlthreadz, 11, -62 (Actiontec)
  • Braka Air, 1, -62
  • Themis Corporate, 2, -62 (Apple)
  • Tits for Password, 1, -63 (Belkin)
  • EnvySalon. 1, -63 (Cisco-Linksys)
  • Dr Cohen, 9, -63 (Cisco)
  • DTD Ground1, 3, -63 (Cisco-Linksys)
  • PsyMiFi, 2, -63 (Novatel)
  • ATT912, 8, -65 (Motorola)
  • DensityAP431, 6, -65 (Tp-Link)
  • <non-broadcast>, 9, -65 (Z-com)
  • MidValleyHospice, 8, -65 (Netgear)
  • CrepeandGelatoEspressoBar, 6, -66 (Actiontec)
  • <non-broadcast>, 10, -65 (Nintendo)
  • 2WIRE260, 4, -67 (2wire)

I’m hoping you get the point. Remember- my current view shows over 700 of these. To the trained wireless eye, there are many stories in this sample of my overall reported rogue list:

- lots of consumer-grade stuff
- lots of default channel 6
- lots of CCI, ACI, and every xCI you can think of afoot
- lots of nearby networks that likely aren’t performing all that well, and certainly not up to their potentials
- most of the noise is in 2.4 GHz (but certainly not all on the full list)
- our own network has a lot to contend with on our geographic edges

Given the wild-west nature of unlicensed wireless, this snapshot is just another day in the life of my WLAN. I can’t do much about the neighbors, but occasionally do help them when one of them reaches out. The conversation usually goes like:

“I hear you’re the campus wireless guy”
What can I do for you.
“I’m your neighbor and my wireless sucks. Any thoughts?”

(this is where we gather a little info, talk about what else they see in their client utility and whether they can access their wireless router’s admin pages)

Change your channel and expect to have to do that now and then. Stay on 1, 6, or 11. Here’s how to tell what’s best (point to free tools). Buy a 5 GHz router.

The problem usually goes away, or at least gets better.

Back to topic: rogue detection is nice, and I’d hate to be without it. And the quest for clean channels is worthy, never-ending, and can be frustrating at times when your WLAN lives in a busy, dynamic, unpredictable RF neighborhood. But I will give Cisco’s RRM a lot of credit, when tuned properly it does a pretty effective job of adjusting to the sort of variability and contention shown above, without being overly disruptive.

Competing signals are a way of life, and many of us WLAN types simply have to make the best of complicated situations.

 

 

9 thoughts on “Some Rogue APs You Just Gotta Live With

  1. Dale Buckey (@WiFiConnections)

    Lee,

    Rogue or not, I think “Tits for Password”, 1, -63 (Belkin), is a clever SSID. Perhaps the owner of the rogue AP can use Social Wi-Fi for login privileges. Then additional analytics can discover more about who his/her users are?

    Always here to help,

    Dale Buckey

    Reply
      1. wirednot Post author

        This one is G-rated compared to some that show up here. I’ve actually winced at some SSIDs. Is amazing how nasty you can be with not many characters…

  2. Pingback: Boot up: Windows 8 in Venn, Windows Phone gets files, fake Earpods, and more | Digital News Daily CA

  3. apcsb

    I wonder how many of these ‘rogues’ are real Rogues (i.e. on your wired network as well, probably, excluding dorm segments), and how many are just neighbours (i.e. don’t care). How do you differentiate between the two? And why not all of your APs participate in Rogue detection?

    Reply
    1. wirednot Post author

      If it seems that it *could* be in our borders, we investigate. Signal strength, SSID, number of detecting APs all help paint the picture. We also have a very well publicized policy and a lot of distributed computing staff that help to enforce that policy. If ALL APs were to help with rogue detection, we find the amount of alerts climbs into the thousands, with the same overwhelming percentage being nothing we can do anything about.

      Reply
      1. apcsb

        Many WLAN vendors provide onboard WIPS with some basic wired/wireless rogue detection and mitigation for free. In you case, probably, you might :-) a bigger WIPS, if the rogues are of real concern.

        Signal strength alone is a bad criteria, I can intentionally lower the Tx power on the rogue to go below threshold. You need to control the wired side as well, and in a smart way.

  4. wirednot Post author

    I do agree that signal strength isn’t the end all. but knowing your environment extremely well goes a long way to help. I think you overestimate the sophistication of many rogue users- they hardly know how to shop for an AP that allows power to be turned down (most don’t have the feature) to get around the rules. They usually buy something cheap and put it in out of ignorance, not to be nefarious (obviously there are real bad guys out there as well). On the wired side, I don’t disagree, but the amount of time, effort, and resource invested in end-to-end rogue detection has to be warranted, and it’s not in all environments. And… more and more rogues come in the form of cellular devices that never hit the wire. It’s complicated, and hardly black and white. Which gets back to my original point!

    Reply
  5. Pingback: Boot up: Windows 8 in Venn, Windows Phone gets files, fake Earpods, and more | EN.SamacharYug.com

Tell me what YOU think.

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s