Configuring Rogue AP Detection Using the CLI
These CLI commands configure rogue detection; for a complete explanation of the commands, see the FortiWLC (SD) Command Reference.
Adding APs to Scan List
default(15)# configure terminal
default(15)(config)# rogue-ap detection-ap 1
default(15)(config)# rogue-ap detection-ap 3
default(15)(config)# exit
Show Output
default(15)# sh rogue-ap detection-ap-list
AP ID
1
3
Rogue Device Detecting APs(2)
Deleting APs from Scan list
default(15)# configure terminal
default(15)(config)# no rogue-ap detection-ap 1
default(15)(config)# no rogue-ap detection-ap 3
default(15)(config)# end
Show Output
default(15)# show rogue-ap detection-ap-list
AP ID
Rogue Device Detecting APs(No entries)
Configuring the AP Access and Block Lists with the CLI
The feature uses an Access Control List (ACL) containing a list of allowed BSSIDs and a list of blocked BSSIDs. By default, all Fortinet ESS BSSIDs in the WLAN are automatically included in the allowed ACL. A BSSID cannot appear in both lists.
To add an access point with a BSSID of 00:0e:cd:cb:cb:cb to the access control list as an authorized access point, type the following:
controller (config)# rogue-ap acl 00:0e:cd:cb:cb:cb
controller (config)#
To see a listing of all BSSIDs on the authorized list, type the following:
controller# show rogue-ap acl
Allowed APs
BSSID
00:0c:e6:cd:cd:cd
00:0e:cd:cb:cb:cb
A BSSID cannot be on both the blocked list and the access list for rogue AP detection at the same time. Suppose 00:0c:e6:cd:cd:cd is to be placed on the blocked list. If this BSSID is already on the authorized list, you must remove the BSSID from the authorized list, and then add the BSSID to the blocked list, as follows:
controller (config)# no rogue-ap acl 00:0c:e6:cd:cd:cd
controller (config)#
controller (config)# rogue-ap blocked 00:0c:e6:cd:cd:cd
controller (config)# exit
controller# show rogue-ap acl
Allowed APs
BSSID
00:0e:cd:cb:cb:cb
controller# show rogue-ap blocked
BssId              Creation Date   Last Reported
-----------------  --------------  --------------
00:0c:e6:cd:cd:cd  11/02 01:05:54  11/02 01:06:20
The commands to enable and confirm the rogue AP detection state are as follows:
controller (config)# rogue-ap detection
controller# show rogue-ap globals
Global Settings
Detection : on
Mitigation : none
Rogue AP Aging (seconds) : 60
Number of Candidate APs : 3
Number of Mitigating APs : 5
Scanning time in ms : 100
Operational time in ms : 400
Max mitigation frames sent per channel : 10
Scanning Channels :
1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165
RSSI Threshold for Mitigation : -100
Use the CLI command show rogue-ap-list to display all rogue clients and APs in the network.
Rogue Mitigation Example
Rogue AP mitigation for APs in the blocked list is enabled and confirmed as follows:
controller# configure terminal
controller (config)# rogue-ap detection
controller (config)# rogue-ap mitigation selected
controller (config)# exit
controller# show rogue-ap globals
Global Settings
Detection : on
Mitigation : selected
Rogue AP Aging (seconds) : 60
Number of Candidate APs : 3
Number of Mitigating APs : 5
Scanning time in ms : 100
Operational time in ms : 400
Max mitigation frames sent per channel : 10
Scanning Channels :
1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165
RSSI Threshold for Mitigation : -100
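The following script is an added example, not part of this reference and not FortiWLC code, covering the list-ordering rule above (a BSSID cannot sit on both the allowed and blocked lists, so it must be removed from the ACL before being blocked) and the "show rogue-ap globals" confirmation step. It parses the show outputs as captured text (the samples are constructed from this page's output) and produces the ordered config-mode commands; pushing them to a controller is left to whatever transport you use.

```python
import re

# Constructed samples, copied from the show outputs on this page.
SAMPLE_ACL = """Allowed APs
BSSID
00:0c:e6:cd:cd:cd
00:0e:cd:cb:cb:cb
"""
SAMPLE_GLOBALS = """Global Settings
Detection : on
Mitigation : none
Rogue AP Aging (seconds) : 60
Scanning Channels :
1,2,3,4,5,6,7,8,9,10,11,36,40,44,48,52,56,60,64,149,153,157,161,165
RSSI Threshold for Mitigation : -100
"""
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def parse_bssid_list(output):
    """BSSIDs from 'show rogue-ap acl' or 'show rogue-ap blocked' output.
    Works for both because the BSSID is the first column in each table."""
    bssids = []
    for line in output.splitlines():
        fields = line.split()
        if fields and MAC_RE.match(fields[0].lower()):
            bssids.append(fields[0].lower())
    return bssids

def parse_globals(output):
    """'show rogue-ap globals' into a dict; handles the 'Scanning Channels :'
    key whose value is printed on the following line."""
    settings, pending = {}, None
    for line in (l.strip() for l in output.splitlines()):
        if pending and line:
            settings[pending], pending = line, None
        elif line.endswith(":"):
            pending = line[:-1].strip()
        elif " : " in line:
            key, _, value = line.partition(" : ")
            settings[key.strip()] = value.strip()
    return settings

def plan_block(bssid, allowed, blocked):
    """Config-mode commands to move bssid to the blocked list, removing it
    from the allowed ACL first so the two lists never overlap."""
    bssid = bssid.lower()
    if bssid in blocked:
        return []
    cmds = [f"no rogue-ap acl {bssid}"] if bssid in allowed else []
    return cmds + [f"rogue-ap blocked {bssid}"]

def mitigation_active(settings):
    """True only when detection is on and mitigation is 'selected'."""
    return settings.get("Detection") == "on" and settings.get("Mitigation") == "selected"
```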