How to locate rogue AP?

[Cooky]

I'm seeing some rogue AP's & print servers on our wireless network that I suspect causing some problems.

Does anyone know how I can pin point their exact locations? Would be nice if it gives louder beeps when I'm closer to their locations.

Right now I could only find their approx locations by the radios that are seeing the MAC addresses but it's not good enough.

 

[spyordie007]

There are several tools that are very good at giving you a location on floor plans, but (so far as I know) none of them are cheap or free. We use AirMagnet and Ekahau.

If you're just looking to hunt them down one device at a time you can use the signal strength and play the old getting-hotter getting-colder game, but it's definetly not a very refined process.

If you're looking for something more comprehensive I'd suggest looking in to having a professional come in and do a site survey targeting the rogue APs. A network consultant with the right tools could quickly and easily find them and give you a report of where they are in your environment. This is a service that we provide, though our nearest office to you is near Boston.

Erik

 

[Cooky]

Thanks for the reply.
Which Airmagnet product do you use?

We'd pay for a consultant, except the survey he does would only be valid for the rogue devices while he's present.
I'm looking for a permanent solution that we can use from time to time.

I had Netstumbler on my laptop, and was able to isolate it to an area where I didn't see any wireless device.
Probably just something that leaked from the floor above us.

 

[spidey07]

If you're going the netstumbler route then get a directional antenna. There are systems out there that locate the rogue for you but they are pricey (Cisco's solution, ekahau, spectrum analyzer).

 

[jlazzaro]

i've used the Fluke OptView 3 with wireless option in the past. as spidey stated, they arent cheap...total was close to $30k. they do have other products specifically designed for wireless (fluke spectrum analyzer)

it was definately an interesting endeavour...driving in circles with a device that beeps similar to the radar used on alien

 

[her209]

Shut down all computers and check the switches to see which ports are still "on".

 

[Cooky]

What's Cisco's solution to locate rouge AP's?

I like the joke about shutting down all the computers...

 

[spidey07]

Their lightweight/controller based wireless uses RSSI information from mulitple access points to triangulate the rogue's position.

 

[spyordie007]

Their lightweight/controller based wireless uses RSSI information from mulitple access points to triangulate the rogue's position.

You forgot to mention one of the best features, rogue containment (mitigation). Where your Cisco APs run a DOS against the rogue APs rendering them essentially useless.

Shut down all computers and check the switches to see which ports are still "on".

Actually that wouldn't work well, since many computers still power the NIC even when they are shut down (so the link light doesnt turn off).

Erik

 

[Cooky]

We're already using the LWAPP controller & AP's to triangulate the rouge.
We just need to find out exactly it is before we can legally contain it.

 

[spidey07]

The fluke spectrum analyzer is only $4000. It's a necessary tool for wireless networks.

 

[spyordie007]

Originally posted by: Cooky
We're already using the LWAPP controller & AP's to triangulate the rouge.
We just need to find out exactly it is before we can legally contain it.

Do you have a rogue detector setup? If there is an unencrypted rogue connected to your wired LAN the system can detect it for you.

So I have to ask, if you are already able to get their location data what is it that you are looking for? Up until now I thought you were just trying to find out where they were physically located...

:thumbsup: on the fluke