Rogue AP Mitigation

Rogue AP: Any device that is transmitting/Receiving Wi-Fi and is connected to a company’s wired distribution system without authorization; Or any device that is owned by the company and is transmitting/receiving Wi-Fi without authorization.

PCI DSS 11.1 and 11.1.2 require that you do the following:

11.1 Implement processes to test for the presence of wireless access points (802.11), and detect and identify all authorized and unauthorized wireless access points on a quarterly basis.

11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.

Disclaimer: This is my interpretation and process for the PCI DSS 11.1 and 11.1.2. Your results might be different, or you may have a different interpretation.

For a process that you can adopt please review my article PCI DSS 11.1 and 11.1.2 – Rogue AP(s) .

I was tasked on investigating a complaint of devices losing connection on one of the floors of the Heart Unit in a Hospital. I went on site to do a validation, make optimizations, and re-validate. During the validation, I discovered a Rogue AP.

A4_Validation_RSSI_PreOptimization_24GHz copy

If your organization has Cisco Prime, you might see something similar to the following image.

Path = Prime->Maps->Wireless Maps-> Site Maps->Site->Floor

Screen Shot 2017-10-12 at 1.21.42 PM.png

Tip: You have to activate the visualization for the Rogue AP(s)

In the Floor Settings make sure the Rogue AP(s) check box is selected.

Screen Shot 2017-10-13 at 10.10.51 AM.png

You can drill down further into the detail for the Rogue AP in the Prime GUI. I prefer to look at the Wireless Controller CLI to get real time information.

Since we know the wireless mac address is fc:3f:db:25:91:c5 we can use two commands in the CLI to gain further information.




SHOW ROGUE AP DETAILED fc:3f:db:25:91:c5

ShowRogueAPDetailed.pngAs you can see the Rogue AP was impacting AP(s) on the 4th Floor and all the way down to the 2nd Floor. Any wireless device in the 2.4GHz frequency on Channel 6 that can demodulate the Rogue AP(s) transmitted preambles would have to increment their NAV Timers. This would decrease the cells efficiency.

Another nice thing about these commands is that they have the time the device was last heard. This is nice if you deploy on-site techs to turn off the offending device. You can verify that it is turned off.

Unfortunately, the only way to mitigate the Rogue AP in this case is sneaker net. However, we are armed with the device information of HP-Print-C5-Officejet Pro 8620. By the power of Google, I discovered the HP Pro 8620 is a printer that looks like…



Ok…maybe more like this…


I had a very capable on-site tech *cough* Minion *cough* locate and disable the HP Print Direct capability on the printer. The world was saved…PCI DSS 11.1 and 11.1.2 was satisfied. AND I was able to go back to my optimization of the floor’s RF.


2 thoughts on “Rogue AP Mitigation

  1. So I am curious. I work in a 3 hospital environment where Prime reports at least 200 rouges a day. So many are cell phones, what is your strategy for dealing with so many?


    1. Thanks for writing JB. Check out my article titled PCI DSS 11.1 and 11.2 – Rogue AP(s). The FCC allows anyone to use the unlicensed spectrum. If you attempt to prevent someone, then it is or could be a violation of the FCC regulations and subject to a fine. Typically people just leave their phone in WiFi Hotspot mode in which case you wouldn’t be able to legally stop them. You could look at creating a work policy and education process. In certain verticals, there are more strict work policies that are enforced. But for the most part, if the rogue is not attempting a malicious attack there isn’t much you can do. This is, of course, only my opinion and in no way am I offering legal advise. (Disclaimer)


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s