Aerohive AP detected as in-net Rouge AP

  • 4
  • Question
  • Updated 5 years ago
  • Answered
Daily we receive several alerts from the HiveManager claiming that one of the aerohive APs, managed by that same HiveManager and included in the same hive as all the others, is being detected as an in-net rouge AP. I get several alerts for each SSID it broadcasts.
why does this happen? Clearly it should recognize the BSSIDs.

The 'detected' AP is an AP141
AP330 and AP141 do the detecting.
Photo of Jornt Weyts

Jornt Weyts

  • 26 Posts
  • 3 Reply Likes

Posted 5 years ago

  • 4
Photo of Abby S

Abby S, Employee

  • 94 Posts
  • 47 Reply Likes
hi Jornt, our WIPS policy is very flexible and we don't automatically exempt any access points so you have complete visibility into what is happening on your network. You can easily modify the policy to ensure your Aerohive MAC OUIs are exempt. Remember when you create the policy, you are specifying what is *good*, so you want the Aerohive OUI to be on the right.
Photo of Brian Powers

Brian Powers, Champ

  • 396 Posts
  • 92 Reply Likes
Your WIPS policy probably only has the old MAC OUI (001977) in the list of "good" devices. I had to manually add the other Aerohive MAC OUI's to the good list to keep the APs from classifying themselves as rogue APs.

Photo of Scott M.

Scott M., Sr. Support Engineer

  • 104 Posts
  • 8 Reply Likes
Hello Jornt,

Thanks for the excellent question.

If the advice above does not resolve your issue, I recommend you enter a support case. If your organization is located in the United States, you can enter a support case directly to Aerohive via the Support Portal. If outside the United States, please contact your VAR or VAD for support. If they need assistance we can then work through the VAR or VAD to help you resolve this issue.
Photo of Emilio Maldonado

Emilio Maldonado

  • 37 Posts
  • 11 Reply Likes
Jornt, sounds like you could benefit from having an option "All Aerohive Devices", encompassing any new and future Aerohive-specific OUI's. That way you wouldn't have to come back to include the latest and greatest. Any reason why you wouldn't use a potential option like that?
Of course the ability to select specific OUI's would still be there.
Photo of Nick Lowe

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
It seems to me that WIPS Rogue AP detection based on OUI (entire manufacturer ranges of BSSIDs) is intrinsically, by nature, rather flawed and would usually always the wrong thing to do; I am having difficulty seeing how it could be a useful security/intrusion feature.

Firstly, as we all know, it is trivial to spoof a BSSID within an existing range - they are unauthenticated identifiers.

Secondly, I am curious how such a scheme would scale/work as Aerohive (hopefully!) becomes more popular, gets wider deployment and where you get overlaps between discrete Hives.

(To my mind, use of such a 'detection' scheme should, at most, be used as a hint for an overview/alerting, but nothing more.)

A question then: Why not instead implicitly trust those BSSIDs for HiveAPs that are a member of a Hive or per Network Policy. For any third party APs that a customer has, trust on a per-BSSID basis unless the user really, really wants to configure otherwise.
Photo of Jornt Weyts

Jornt Weyts

  • 26 Posts
  • 3 Reply Likes
Thank you all for your input.

The BSSIDs that are being classified as rouge-APs come from 2 AP141s, both in the Aerohive-4018B1 range. The MAC OUI for this range was already added to the 'good' devices list of our WIPS policy, so I've opened a ticket with my reseller concerning this problem.

I'll report back if we find the reason/solution for this behavior.
Photo of Scott M.

Scott M., Sr. Support Engineer

  • 104 Posts
  • 8 Reply Likes
That's perfect Jornt... Thank you.
Photo of Jornt Weyts

Jornt Weyts

  • 26 Posts
  • 3 Reply Likes
We managed to find the source of the false positives.

Aerohive support suggested to deselect the option "Enable short preamble check (Only applies to the 2.4 GHz radio)"

Aerohive Support:
"you may wish to uncheck the short preamble check. Normally, our AP's use a long preamble, hence the option. But, if they need to service a client that can't do this, they will switch to a short preamble, and this can also cause them to appear detected as a rogue."

It turned out that we were still using some old bar-code scanners in a small part of the factory, This also explains why we would get the false positives from a limited amount of APs