FortiAP
FortiAP devices are thin wireless access points (APs) supporting the latest Wi-Fi technologies (multi-user MIMO 802.11ac Wave 1 and Wave 2, 4x4) as well as 802.11n and 802.11ax, and meeting the demand for plug-and-play deployment.
Article Id 286229
Description

This article describes rogue suppression, a method of countering de-authentication attacks carried out with spoofed management frames from rogue APs. FortiAP can address client disconnection issues when they are caused by a Denial-of-Service/rogue AP attack.

For this to work, a FortiAP radio needs to be configured in MONITOR mode. It is not necessary to configure all radios in monitor mode.

Scope

FortiAP.
Solution

Background:

For suppression to work, make sure the conditions below are satisfied:

  1. The FortiAP is able to detect the rogue AP (BSSID).
  2. The FortiGate has pushed the suppression list containing that BSSID to the FortiAP.
  3. The FortiAP detects a station (client) connected to that BSSID.
  4. The FortiAP radio is working in monitor mode.
  5. The rogue AP (BSSID) has not enabled Protected Management Frames (PMF, 802.11w). A client using PMF discards unprotected de-authentication frames, which is exactly what suppression relies on.

 

Configuration:

For the configuration, refer to the cookbook topics at the following locations:

Enabling rogue AP suppression

Suppressing rogue APs

 

  1. How to verify whether the suppressed BSSID has been pushed to the FortiAP:
  • Log in to the FortiGate CLI and execute the following command:

 

show wireless-controller ap-status

 

Sample output:

 

config wireless-controller ap-status
    edit 1
        set bssid aa:bb:dd:ee:xx:xx
        set ssid "test"
        set status suppressed
    next
end

 

  2. Log in to the FortiAP SSH CLI and execute the following command:

 

cw_diag -c ap-suppress

 

Sample output:

Suppressed FortiAP list:

bssid
ee:f2:65:5f:be:75
b2:98:28:08:a4:1b
a6:47:e8:ca:cc:39
c6:31:9d:bf:64:29
96:16:02:98:78:38
f2:43:a9:ad:74:d4

 

Note:

In the above example, aa:bb:dd:ee:xx:xx is marked suppressed on the FortiGate but is not part of the suppressed list shown by 'cw_diag -c ap-suppress' on the FortiAP SSH CLI. Condition 2 therefore fails and rogue suppression will NOT work for that BSSID.

 

  3. Confirm that the FortiAP has detected the client under test on the suppressed BSSID. To verify this, check the 'stascan' output in the AP CLI as shown in the example below. The 'suppressed' column is 0 for the station in this example, meaning that station is not yet being suppressed.

 

FortiAP-431F # stascan

sta mac           bssid             chan live  age suppressed
18:65:90:cb:cc:bb 84:39:8f:1f:12:04 48   11562  1  0
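The checks in steps 1 to 3 above can be automated against pasted CLI output. The script below is an added example written for this article and is not Fortinet code; it parses the text of 'show wireless-controller ap-status', 'cw_diag -c ap-suppress' and 'stascan' and reports, for one rogue BSSID, which of conditions 2 and 3 is not met (condition 1, the rogue scan itself, is not covered because the article shows no output for it). The sample outputs, SSIDs and MAC addresses embedded in the script are constructed placeholders.

```python
"""Check the rogue-suppression preconditions from pasted CLI output.

Added example; this is not Fortinet code. It parses the text of the three
commands the article uses ('show wireless-controller ap-status' on the
FortiGate, 'cw_diag -c ap-suppress' and 'stascan' on the FortiAP) and
reports, for one rogue BSSID, which precondition is not met. The sample
outputs below are constructed and use placeholder MAC addresses.
"""
import re

MAC_RE = re.compile(r"(?i)\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b")

# Constructed FortiGate output: one BSSID marked suppressed that the AP
# never received (aa:bb:dd:ee:00:01), one that it did (ee:f2:65:5f:be:75).
FGT_AP_STATUS = """\
config wireless-controller ap-status
    edit 1
        set bssid aa:bb:dd:ee:00:01
        set ssid "test"
        set status suppressed
    next
    edit 2
        set bssid ee:f2:65:5f:be:75
        set ssid "evil-twin"
        set status suppressed
    next
end
"""

# Constructed FortiAP 'cw_diag -c ap-suppress' output.
FAP_SUPPRESS = """\
Suppressed FortiAP list:

bssid
ee:f2:65:5f:be:75
b2:98:28:08:a4:1b
"""

# Constructed FortiAP 'stascan' output.
FAP_STASCAN = """\
sta mac           bssid             chan live  age suppressed
18:65:90:cb:cc:bb 84:39:8f:1f:12:04 48   11562  1  0
de:ad:be:ef:00:01 ee:f2:65:5f:be:75 6    2201   0  1
"""


def parse_fgt_suppressed(text):
    """BSSIDs the FortiGate marks 'suppressed' (controller side of condition 2)."""
    suppressed, entry = set(), {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            entry = {}
        elif line.startswith("set bssid "):
            entry["bssid"] = line.split()[2].lower()
        elif line.startswith("set status "):
            entry["status"] = line.split()[2]
        elif line == "next" and entry.get("status") == "suppressed" and "bssid" in entry:
            suppressed.add(entry["bssid"])
    return suppressed


def parse_fap_suppress_list(text):
    """BSSIDs actually present in the AP's suppression list (AP side of condition 2)."""
    return {m.group(1).lower() for m in MAC_RE.finditer(text)}


def parse_stascan(text):
    """Rows of 'stascan' as dicts keyed by the header names."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    if header[:2] == ["sta", "mac"]:          # two-word column name
        header = ["sta_mac"] + header[2:]
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) == len(header):
            rows.append(dict(zip(header, (f.lower() for f in fields))))
    return rows


def check_bssid(bssid, fgt_text, fap_text, stascan_text):
    """Map each precondition (conditions 2 and 3 of the article) to True/False."""
    bssid = bssid.lower()
    clients = [r for r in parse_stascan(stascan_text) if r["bssid"] == bssid]
    return {
        "fgt_marks_suppressed": bssid in parse_fgt_suppressed(fgt_text),
        "pushed_to_ap": bssid in parse_fap_suppress_list(fap_text),
        "client_detected": bool(clients),
        "ap_suppressing": any(r["suppressed"] == "1" for r in clients),
    }


if __name__ == "__main__":
    for target in ("aa:bb:dd:ee:00:01", "ee:f2:65:5f:be:75"):
        result = check_bssid(target, FGT_AP_STATUS, FAP_SUPPRESS, FAP_STASCAN)
        failed = [k for k, v in result.items() if not v]
        print(target, "OK" if not failed else "FAILS: " + ", ".join(failed))
```

Replace the embedded strings with the real pasted output; the first BSSID reproduces the failure described in the note above (marked suppressed on the FortiGate, absent from the AP's list), the second passes every check.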

 

  4. How to check for de-authentication packets in an OTA (Over-The-Air) capture while rogue suppression is happening:
  • Take an OTA capture using a MacBook or any other sniffing tool on the same channel on which the client is trying to connect to the rogue AP.

Refer to the KB article below for taking an OTA capture with a MacBook:

How to Sniff Packets & Capture Packet Trace in Mac OS X the Easy Way

 

Once the PCAP file is available, open it in Wireshark, apply a filter that shows only de-authentication packets, and check the Source and Destination MAC addresses. Verify that the packets match the MAC addresses of the participating devices (the rogue BSSID and the client under test).

 

Wireshark filters:

To filter de-authentication frames, use any of the following (they are equivalent; subtype 0x0c, decimal 12, is the de-authentication management frame):

 

(wlan.fc.type == 0) && (wlan.fc.type_subtype == 0x0c)

 

OR

 

(wlan.fc.type eq 0) && (wlan.fc.type_subtype eq 0x0c)

 

OR

 

(wlan.fc.type eq 0) && (wlan.fc.type_subtype eq 12)
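The Wireshark filters above test the Frame Control field for type 0 (management) and subtype 12 (de-authentication). The script below is an added example, not part of the article or of any Fortinet tool: it applies the same test directly to raw 802.11 frame bytes and extracts DA, SA, BSSID and the reason code, so the frames can be matched against the rogue BSSID and the client under test as step 4 requires. It assumes bare 802.11 frames with no radiotap header, and all frames and MAC addresses in it are constructed placeholders.

```python
"""Spot 802.11 de-authentication frames and who they are between.

Added example; not part of the article or any Fortinet tool. It applies the
same test as the Wireshark filter (frame type 0 = management, subtype 12 =
de-authentication) to raw 802.11 frame bytes without a radiotap header, then
extracts DA, SA, BSSID and the reason code so they can be compared with the
rogue BSSID and the client under test. All frames and MACs are constructed.
"""
import struct

TYPE_MGMT = 0
SUBTYPE_DEAUTH = 12


def frame_control(frame):
    """Split the first Frame Control byte into (version, type, subtype)."""
    fc = frame[0]
    return fc & 0x03, (fc >> 2) & 0x03, (fc >> 4) & 0x0F


def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_deauth(frame):
    """Return the addresses and reason code of a deauth frame, else None."""
    if len(frame) < 26:                 # 24-byte mgmt header + 2-byte reason
        return None
    _version, ftype, subtype = frame_control(frame)
    if ftype != TYPE_MGMT or subtype != SUBTYPE_DEAUTH:
        return None
    # Management frames: Address1 = DA, Address2 = SA, Address3 = BSSID
    da, sa, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason = struct.unpack_from("<H", frame, 24)[0]   # little-endian
    return {"da": mac(da), "sa": mac(sa), "bssid": mac(bssid), "reason": reason}


def find_deauths_between(frames, rogue_bssid, client_mac):
    """Deauths exchanged between the rogue BSSID and the client, either direction."""
    pair = {rogue_bssid.lower(), client_mac.lower()}
    hits = []
    for frame in frames:
        parsed = parse_deauth(frame)
        if parsed and {parsed["sa"], parsed["da"]} == pair:
            hits.append(parsed)
    return hits


def build_mgmt_frame(subtype, da, sa, bssid, body=b""):
    """Constructed test frame: FC(2) duration(2) DA SA BSSID seq-ctrl(2) body."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    addrs = b"".join(bytes.fromhex(a.replace(":", "")) for a in (da, sa, bssid))
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + body


# Placeholder addresses for the constructed capture
ROGUE = "ee:f2:65:5f:be:75"
CLIENT = "18:65:90:cb:cc:bb"
OTHER_AP = "84:39:8f:1f:12:04"

SAMPLE_FRAMES = [
    # Beacon from the rogue (subtype 8): must not match
    build_mgmt_frame(8, "ff:ff:ff:ff:ff:ff", ROGUE, ROGUE, b"\x00" * 12),
    # Deauth from the rogue BSSID to the client, reason 7 (class 3 frame from
    # a non-associated station): the frame the OTA capture should reveal
    build_mgmt_frame(SUBTYPE_DEAUTH, CLIENT, ROGUE, ROGUE, struct.pack("<H", 7)),
    # Deauth between unrelated addresses: a deauth, but not for our pair
    build_mgmt_frame(SUBTYPE_DEAUTH, "00:11:22:33:44:55", OTHER_AP, OTHER_AP,
                     struct.pack("<H", 1)),
    # A data frame (type 2, FC byte 0x08): never a deauth
    bytes([0x08, 0x00]) + b"\x00" * 24,
]

if __name__ == "__main__":
    for hit in find_deauths_between(SAMPLE_FRAMES, ROGUE, CLIENT):
        print(f"deauth {hit['sa']} -> {hit['da']} "
              f"bssid={hit['bssid']} reason={hit['reason']}")
```

Frames from a real OTA capture usually carry a radiotap header first; its length is the little-endian 16-bit value at offset 2, and the 802.11 frame begins after that many bytes. In Wireshark the same narrowing to the two participating devices is done by appending `&& wlan.addr == <rogue bssid>` to the de-authentication filter.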

 

Related document:

Analyzing Deauthentication Packets with Wireshark

 

Known issue:

Some 802.11ax clients are not scanned and hence cannot be suppressed; this is a known issue at the moment.

This is because the FortiAP radio cannot scan HE (802.11ax) wireless clients. The issue appears mostly with clients such as the legacy 11ac iPad, MacBook Pro, iPad Pro 11, Pixel 7 and Mac mini.
