Description |
This article describes Rogue suppression, a method to counter de-auth attacks carried out with management frames from Rogue APs. FortiAP can address client disconnection issues when they are caused by a Denial-of-Service/Rogue AP attack. For this to work, a FortiAP radio needs to be configured in MONITOR mode. It is not necessary to configure all radios in monitor mode. |
Scope | FortiAP. |
Solution |
Background: For suppression, make sure the below conditions are satisfied:
Configuration: For the configuration part, refer to the cookbook at the following location.
show wireless-controller ap-status
Sample example:
config wireless-controller ap-status
cw_diag -c ap-suppress
Sample example: Suppressed FortiAP list:
Note: In the above example, aa:bb:dd:ee:xx:xx is not part of the suppressed FortiAP list, as can be seen from the output of the 'cw_diag -c ap-suppress' command from the FortiAP sh CLI. So the condition fails and Rogue suppression will NOT work.
FortiAP-431F # stascan
For doing OTA using a MacBook, refer to the following article: How to Sniff Packets & Capture Packet Trace in Mac OS X the Easy Way
Once the PCAP file is available, open it in Wireshark, apply a filter for deauth packets, and check the source and destination MAC addresses. Verify that the packets match the MAC addresses of the participating devices.
Filters in Wireshark: to filter deauthentication frames, use any one of the following equivalent filters:
(wlan.fc.type == 0) && (wlan.fc.type_subtype == 0x0c)
OR
(wlan.fc.type eq 0) && (wlan.fc.type_subtype eq 0x0c)
OR
(wlan.fc.type eq 0) && (wlan.fc.type_subtype eq 12)
Related document: Analyzing Deauthentication Packets with Wireshark
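The same check as the Wireshark filter above, as an added example that is not part of the original article or of Fortinet's tooling: a standard-library Python parser that extracts deauthentication frames from a capture and counts them per source/destination MAC pair. It assumes a classic pcap file with radiotap headers (link type 127); the function names, MAC addresses and sample capture are constructed for illustration.

```python
import struct
from collections import Counter

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def deauth_frames(pcap):
    """Yield (src, dst, bssid, reason) per deauth frame in a radiotap pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 127:
        raise ValueError("expected LINKTYPE_IEEE802_11_RADIOTAP (127)")
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        pkt = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 4:
            continue
        rt_len = struct.unpack("<H", pkt[2:4])[0]  # radiotap is little-endian
        dot11 = pkt[rt_len:]
        if len(dot11) < 26:  # 24-byte management header + 2-byte reason code
            continue
        ftype, subtype = (dot11[0] >> 2) & 0x3, (dot11[0] >> 4) & 0xF
        if ftype == 0 and subtype == 12:  # same test as the Wireshark filter
            reason = struct.unpack("<H", dot11[24:26])[0]
            yield mac(dot11[10:16]), mac(dot11[4:10]), mac(dot11[16:22]), reason

def summarize(pcap):
    """Count deauth frames per (source, destination) MAC pair."""
    return Counter((src, dst) for src, dst, _, _ in deauth_frames(pcap))

def _frame(fc0, dst, src, bssid, body):
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)  # minimal 8-byte radiotap header
    pkt = radiotap + bytes([fc0, 0, 0, 0]) + dst + src + bssid + b"\x00\x00" + body
    return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt

def sample_pcap():
    """Constructed capture: 3 deauth frames and 1 beacon, made-up MACs."""
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    bcast, reason7 = b"\xff" * 6, struct.pack("<H", 7)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 127)
    return hdr + b"".join([
        _frame(0xC0, sta, ap, ap, reason7),
        _frame(0xC0, sta, ap, ap, reason7),
        _frame(0xC0, bcast, ap, ap, reason7),
        _frame(0x80, bcast, ap, ap, b"\x00" * 12),  # beacon, must be ignored
    ])
```

To use it on a real capture, pass the file's bytes to `summarize()` and compare the reported source and destination MACs against the participating devices.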
Known issue: Some 11AX clients are not being scanned and hence cannot be suppressed; this is a known issue at this moment. This is because the FortiAP radio cannot scan HE wireless clients. The issue appears mostly for clients like legacy 11ac iPad, MacBook Pro, iPad 11 Pro, Pixel7, and Mac Mini. |