Description

This article describes how to troubleshoot FortiAP when Rogue supression does not work or is unable to  classify a Rogue FortiAP.

Scope

FortiGate as wireless controller v7.4 and above.

Solution

The FortiGate WiFi Controller sends de-authentication messages to the rogue FortiAP's users posing as the rogue FortiAP and also sends de-authentication messages to the rogue FortiAP posing as its clients.

This is done using a dedicated monitoring radio configured onto a FortiAP.

Note that not all devices can have a third radio, but most new devices have one (F and G series) and it can be used as a dedicated monitor radio.

However, it is not necessary to suppress or categorize all FortiAPs in the 'config wireless-controller ap-status' configuration section or the Rouge FortiAP GUI widget as this is only intended to prevent users from within the premises from using unauthorized FortiAPs.

For more details visit the following documents:

Suppressing rogue APs

Monitoring rogue APs

It has no other effect on the neighboring customer's network. In fact, it is only necessary to prevent an access point from operating from inside the premises if needed to.

These should be the ones with signal interference of -70 dBm or more. Keep in mind that these could be the neighbors from floors up and down the building. Be courteous and consider any applicable laws or regulations for the region.

Considering FortiOS limits number of rogue FortiAPs, it is possible to configure/classify on the table and use max value table docs:

see 'wireless-controller.ap-status' under the Maximum Values Table for the maximum values of this configuration object, which vary depending on the platform and FortiOS version.

For example, for a FortiGate-1000D, the maximum value is:

wireless-controller.ap-status 4096

If there are GUI or CLI errors when trying to configure/classify a new rogue FortiAP, consider deleting old entries in this table to add new ones.