Rogues

The Wireless Rogues page displays a list of wireless devices that have been identified as rogues by the Wireless Infrastructure. The Rogues page is intended to help you identify foreign wireless devices that emulate access points devices (rogues) in order to mitigate risk. Using this interface, you can sort displayed devices by Time, SSID, or MAC Address, search for a specific wireless device, exclude devices of which you are already aware and/or known devices in close geographic proximity to your wireless network and are certain to pose no threat to your network, and limit the display to show devices polled during a specific date range.

For each rogue detected, the following information is displayed:

• SSID. The SSID broadcast by the rogue access point. If a rogue has been configured not to broadcast an SSID, the SSID box is blank.
• MAC Address. The MAC address specific to the rogue detected by the network.
• Duration. The amount of time the SSID/MAC Address combination has been seen on the specific access point since the listed poll time.
• First Seen. The date and time the rogue was first seen during the defined date/time interval.
• Last Seen. The date and time the rogue was last seen during the defined date/time interval.
• Percent Seen. The percent of time the rogue was connected in relation to the defined date/time interval.

Note: If Current is selected as the reporting interval, the Rogues page only displays the SSID and MAC Address of rogues currently visible.

The devices displayed on the Rogue page are grouped by the access points on which they are/were connected. An SSID/MAC Address combination may appear under more than one access point indicating it is a roaming device hopping from one access point to another. Clicking the icon to the left of any access point displayed launches a dialog containing detailed AP information. Specific dialog content is identical to detailed device information displayed when you click on an access point icon on the Wireless Map page. For a description, see Map.

To sort rogues:

1. Click Sort By Last Seen.
2. Select a sort method from the list that appears. The sort button changes and displayed devices are reordered based on your selection. The available options are:
   • Sort by last seen
   • Sort by duration
   • Sort by ssid
   • Sort by mac
   • Sort by Percent seen (asc)
   • Sort by Percent seen (desc)

Note: If Current is selected as the reporting interval, the Rogues page can only be sorted by SSID or MAC address.

Rogues can be excluded from the display if they are known devices or if you are certain they pose no threat to your network. When a rogue is excluded from the list, existing data for that rogue is now hidden from both the rogues page and the rogue count performance and dashboard reports. Additionally, any applicable thresholds in Alert Center will no longer report trigger alerts for the rogue and Wireless no longer collects data for that rogue when wireless devices are polled.  If you remove the rogue from the excluded rogues list, there will be a gap in data for that rogue between time of initial rogue exclusion and inclusion back into the rogues page.

To exclude devices:

1. Click the check box to the left of each of the devices you want to exclude from the list.
2. Click Exclude Rogue. Selected devices are removed from the list.

For more information on managing excluded rogues, see Add to Excluded Rogues and Manage Excluded Rogues.

To search for a specific device:

1. Enter an SSID or MAC Address in the search ssid or mac box.
2. Click Enter. The rogues list is filtered to display only devices matching your search criteria.

   or

3. Click the icon to the right of the search ssid or mac box.
4. Enter an SSID and/or a MAC Address in the applicable boxes in the search dialog that appears.
5. If desired, select the Include Blank SSID check box to include devices in the search that have been configured to not broadcast an SSID.
6. Click Search. The rogues list is filtered to display only devices matching your search criteria.

Note: When comparing a rogue's MAC or IP address against the entered search term, the results returned reflect rogue IP or MAC addresses that begin with the search term entered. When comparing a rogue's name or SSID against the entered search term, results returned reflect SSIDs and names containing the search term entered.

In addition to excluding individual devices one at a time from the rogues list, you can also search the database for devices to bulk add to the excluded list in one step from the Wireless Application Settings page using a list of SSIDs and/or MAC addresses you know you want to exclude.

Caution: The Add to Excluded Rogues feature can only be used to search the existing WhatsUp Gold database for previously seen wireless infrastructure devices you want to add to the excluded list. You cannot add SSIDs and/or MAC addresses to be excluded if and when they are detected in the future.

To access the Add to Excluded Rogues List:

1. Click the Application Settings icon in the upper-right corner of the page and select Application Settings. The Application Settings interface appears.
2. Click Wireless under Application Settings.
3. Click Add to Excluded Rogues List. The Add to Excluded Rogues dialog appears.

See Also Managing Devices in Wireless Map Performance Clients Log