Rogue APs detected as in-net but they aren't

  • Updated 2 years ago
I'm detecting a lot of my neighbors' APs as in-net and I know they are not connected to any of our equipment. The MACs for their rogue APs do not show up in any ARP or MAC tables on our equipment.

How are these "in-net" if they truly aren't?

Thanks
Sarge

SargeZ06

Posted 2 years ago


Luke Harris

I believe the term 'In-Net' refers both to APs physically connected to your network and to APs outside your network that are broadcasting SSIDs that are detected by APs within your network (factors such as RSSI come into play here).

Nathaniel Moore, Employee

Hi Sarge,

I would raise this with support to investigate. In-Net Rogue APs are detected using the following process:

1. Rogue AP wired interface sends ARP broadcasts.
2. Switch floods out all ports.
3. Aerohive APs learn the wired MAC address of the rogue AP.
4. Wireless MAC address (BSSID) of rogue AP is detected when the Aerohive APs perform scans.
5. Aerohive AP compares the wireless and wired MAC addresses.
6. If MAC addresses are in a range of 64 above or 64 below (hex value), the device is classified as an In-Net Rogue AP.

So, if your platform is detecting In-Net Rogue APs this means either a. the ARP broadcasts are somehow flooding your internal network or b. it's a bug! Either way, I would involve support to look deeper :)

Kind regards,

Nathaniel

Nick Lowe, Official Rep

FWIW, I've seen false positives in the past too but haven't put any effort into getting to the bottom of it.

SargeZ06

Thanks for the input. I'll open a ticket with support.

Aaron Storey

I have seen this as well and realized it was our users jumping from the outside APs to our APs, and the Aerohive APs were detecting the MAC addresses outside and then inside quickly, so classifying them as In-Net even though they really were not. We are a school environment, so it was specifically the students that lived in close proximity to the school. Once I realized it, I just marked them as trusted so it would stop the alerts.

Nick Lowe, Official Rep

Aaron, I certainly feel that this is definitely worthy of a Tier 3 support case to see if this can be improved. Did you open a support case to explore this issue further at the time?

Aaron Storey

No, once I figured out why it was happening I just wanted to stop the notifications.

SargeZ06

This is exactly what Aerohive said. They also said there isn't any way to stop it.

Now I'm going through them and checking MAC addresses in router ARP tables; if they aren't in ARP, then marking as friendly.

But I did find 10 that are actually plugged into our network. We have 180+ locations and it's hard to babysit all of them. But this will help.
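
The wired/wireless MAC comparison from Nathaniel's reply and the manual ARP-table check described above can be scripted together. This is an added example, not part of the thread and not Aerohive's code; it assumes the "64 above or below" window is a numeric distance on the 48-bit address, the function names are hypothetical, and the sample data is constructed.

```python
import bisect
import re

# Assumption: the thread's "64 above or 64 below (hex value)" is read as a
# numeric distance of 64 on the 48-bit address; adjust WINDOW if your
# vendor documents a different width.
WINDOW = 64

MAC_RE = re.compile(
    r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b"  # 00:11:22:33:44:55 or dashes
    r"|\b(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}\b"   # 0011.2233.4455
)

def mac_to_int(mac):
    """Convert a MAC in any common notation to its 48-bit integer value."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def int_to_mac(value):
    """Render a 48-bit integer as lower-case colon-separated hex."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))

def triage(flagged_bssids, table_text, window=WINDOW):
    """Map each flagged BSSID to the wired MACs within `window` of it.

    table_text is pasted ARP / MAC-table output in any layout; an empty
    list for a BSSID means nothing close to it was learned on the wire.
    """
    wired = sorted({mac_to_int(m) for m in MAC_RE.findall(table_text)})
    result = {}
    for bssid in flagged_bssids:
        b = mac_to_int(bssid)
        lo = bisect.bisect_left(wired, b - window)   # first wired MAC >= b - window
        hi = bisect.bisect_right(wired, b + window)  # one past last wired MAC <= b + window
        result[int_to_mac(b)] = [int_to_mac(w) for w in wired[lo:hi]]
    return result

# Constructed sample data (not from the thread).
SAMPLE_TABLE = """\
10.0.0.1   00:00:5e:00:53:10  Vlan10
10.0.0.7   0000.5e00.53f0     Vlan10
10.0.0.9   00-00-5E-00-53-A0  Vlan20
"""
SAMPLE_FLAGGED = ["00:00:5E:00:53:14", "00:00:5e:00:54:20",
                  "00:00:5e:00:53:51", "02:aa:bb:cc:dd:01"]

if __name__ == "__main__":
    for bssid, near in triage(SAMPLE_FLAGGED, SAMPLE_TABLE).items():
        print(bssid, "wired neighbour:" if near else "no wired match", *near)
```

An empty list only means no nearby MAC was present in the text supplied, so feed it switch MAC-address tables as well as router ARP output for each site.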

Nick Lowe, Official Rep

Hmm, it should be possible to implement a secondary belt-and-braces liveness check to significantly improve the accuracy of this reporting where one of these events would otherwise be triggered from the cached STA information, if-and-where there wasn't a way to explicitly invalidate the cache entry.

Arison Mercado

This is true. I experienced the same issue last year, and when I did some further investigation it truly was students who logged into their WiFi networks at home that were in range of our schools.