How to prevent a rogue AP hijacking my clients

  • Question
  • Updated 4 years ago
  • Answered

We are recently starting with Aerohive WiFi deployments and one of our customers had a question about preventing rogue APs in their wireless domain.
The customer has some event halls where people connect to the Aerohive APs to show videos, demonstrations, etc. However, they recently discovered that they had a rogue AP with the same SSID and encryption settings, hijacking clients closest to that rogue AP, making a man-in-the-middle kind of attack. Does Aerohive have some functionality to prevent this?

With kind regards,
Bart Hunik

Posted 4 years ago

Hannes Canisius
Hi Bart,

You can use the mitigation function in HiveManager:
Monitor -> Access Points -> Rogue APs
You could also set up a WIPS policy and define when the Aerohive APs should start mitigating a rogue AP automatically.

Kind regards,
Christian E.W.
Hi Hannes,

Is it possible to force auto-mitigation mode only for rogue APs with my own SSID?

Kind regards,
Andrew MacTaggart, Champ

APs scan the radio spectrum and then check the scan results against one or more specified characteristics of a valid access point. If an access point is discovered that does not comply with the specified criteria, it is categorized as a rogue access point. The criteria identifying a valid access point can be one or more of the following:

  • The MAC OUI of the access point
  • The SSID names that the access point advertises
  • Whether the SSIDs use encryption and, if so, what type of encryption
  • If the SSID advertises support for short preambles in its beacons and probe responses
  • Whether an SSID supports WMM (Wi-Fi Multimedia) classification for QoS (Quality of Service)
  • Whether an access point transmits beacons at the expected interval
  • Whether beacons and probe responses advertise IBSS (independent basic service set) capabilities, which are used to establish an ad hoc network

To include SSID checks in the WIPS policy, enter the following:

  1. Select Enable SSID detection.
  2. From the SSID drop-down list, select a previously defined SSID, and then click Apply. If you do not see an SSID that you want to use, click the New icon, and define it.
  3. To enable the checking of the encryption type used in the SSID, select Encryption Check, and then choose the type of encryption that you want to categorize as valid: WPA/WPA2, WEP, or Open.
  4. To add more SSIDs to the list, keep repeating the previous two steps. You can add up to 1024 SSIDs to one WIPS policy. If you enable SSID detection but do not add any SSIDs to the list, then the AP will consider all SSIDs to be rogue because no SSID is indicated as being valid.

To remove an SSID from the checklist, select its check box, and then click Remove.

Question: What is your AP not doing when it is busy mitigating rogues?

Answer: not serving clients.

Consider dedicated devices for WIPS.

The only way to prevent man in the middle attacks is a mutual authentication solution.

802.11w is worth looking at, but be warned that the client would have to support it and currently some Aerohive APs may not support it due to hardware limitations or waiting for code releases.

Someone can correct me if I am wrong.

Enable 802.11w (Protected Management Frames): Select to enable the use of MICs (Message Integrity Checks) to prevent the interception, alteration, and retransmission of 802.11 management frames. When you select this check box, select whether you want the use of 802.11w to be mandatory (required for all management frames) or optional (used if both devices can parse 802.11w protected management frames). To learn more about protected management frames, see "Protected Management Frames".

Enable the broadcast/multicast integrity protocol: Select to use 802.11w protection on broadcast or multicast management frames such as beacons and probe requests.

Also my understanding is that WIPS will have to change at some point because 802.11w rogue devices can ignore the WIPS deauthentication frames.
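An added example, not code from this thread or from HiveManager, that applies the classification criteria listed in the answer above to a few constructed scan results. It shows why an SSID-plus-encryption check alone misses an evil twin with matching settings, and why an authorised-OUI check is what catches it; all names, MAC addresses and the OUI are hypothetical.

```python
# Added example: a minimal WIPS-style classifier over constructed scan results.
# Nothing here is HiveManager code; the policy fields mirror the criteria listed
# in the post (OUI, SSID, encryption, beacon interval, IBSS capability).
from dataclasses import dataclass, field


@dataclass
class ScanResult:
    bssid: str               # AP MAC address seen in its beacons
    ssid: str
    encryption: str          # "WPA/WPA2", "WEP" or "Open"
    beacon_interval_tu: int  # beacon interval in time units (100 TU is typical)
    ibss: bool = False       # beacons advertise ad hoc (IBSS) capability


@dataclass
class WipsPolicy:
    valid_ssids: dict                      # SSID -> encryption considered valid
    valid_ouis: set = field(default_factory=set)  # authorised vendor OUIs
    ssid_detection: bool = True
    expected_beacon_interval_tu: int = 100


def oui(mac: str) -> str:
    """First three octets of a MAC address, e.g. 'AA:BB:CC'."""
    return mac.upper()[:8]


def classify(ap: ScanResult, policy: WipsPolicy) -> list:
    """Return the failed checks; an empty list means the AP counts as valid."""
    failures = []
    if policy.ssid_detection:
        if ap.ssid not in policy.valid_ssids:
            failures.append("ssid")      # empty list => every SSID is rogue
        elif policy.valid_ssids[ap.ssid] != ap.encryption:
            failures.append("encryption")
    if policy.valid_ouis and oui(ap.bssid) not in policy.valid_ouis:
        failures.append("oui")
    if ap.beacon_interval_tu != policy.expected_beacon_interval_tu:
        failures.append("beacon_interval")
    if ap.ibss:
        failures.append("ibss")
    return failures


def rogues_with_our_ssid(scan: list, policy: WipsPolicy) -> list:
    """BSSIDs that fail a check while advertising one of our SSIDs (evil twins)."""
    return [ap.bssid for ap in scan
            if classify(ap, policy) and ap.ssid in policy.valid_ssids]


# Constructed sample data: "00:11:22" stands in for the real vendor OUI.
POLICY = WipsPolicy(valid_ssids={"CorpEvents": "WPA/WPA2"}, valid_ouis={"00:11:22"})
SCAN = [
    ScanResult("00:11:22:AA:BB:01", "CorpEvents", "WPA/WPA2", 100),  # our own AP
    ScanResult("DE:AD:BE:EF:00:01", "CorpEvents", "WPA/WPA2", 100),  # evil twin
    ScanResult("DE:AD:BE:EF:00:02", "CafeGuest", "Open", 100),       # neighbour
]
```

Only the OUI check separates the evil twin from the legitimate AP, which is the gap Christian describes; the neighbour fails the SSID check but is not advertising the company SSID, so it can be reported rather than mitigated.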

Christian E.W.
Hi Andrew,

For my case this SSID check doesn't match, because a rogue AP with the same encryption setting will not be recognized by WIPS.
So I have to say that we have neighbour APs which I don't want to mitigate. Only rogue APs that publish my company SSID to hijack clients are a problem.
Alternatively, I'm also happier if I get an alert or report for such rogue APs.

Best regards,