Been googling a bit, but I'm not finding what the difference is between a "rogue AP" (I get that) and a "malicious rogue AP". Also the logging is odd - I get log events of the rogue AP going away, but no mention of it appearing. Log example:
2017/03/09 14:15:09 | High | A Malicious Rogue[40:5d:82:12:5d:93] detection by AP[1c:b9:c4:35:eb:e0] goes away
That MAC belongs to a Netgear device, so I'm assuming it's some consumer router. It would be helpful if an SSID was logged as well...
A rogue AP is any AP that your AP can hear the beacons from that is not part of your wifi network. Another vendors AP in the next office will show up as a rogue. Not usually a problem unless they are blasting your office too. Malicious AP is an AP that your AP can hear and its either transmitting your SSID (man in the middle attack) usually with an open SSID which clients may prefer and will connect to it instead of your AP. Or another scenario is when an AP that is not part of your wifi system and it is on your network. There are a couple of other types of malicious APs but they dont happen very often.
Is there any way to coax more logging out of the Ruckus? I'd like to know if the malicious rogue AP is using the same SSID or not (as that would certainly explain a lot of problems). Also, any idea on why only the "goes away" state is logged?
Can you clarify a bit more? I get "advertising our SSID" I think - another AP in range with the same SSID. Clearly bad. I don't get the "or DHCP" part. What does that mean? How can my AP detect anything having to do with DHCP on an AP that's not on my network?
Also in this message:
A new Same-Network Rogue[f0:b0:52:37:cf:fc] with SSID[CableWiFi] is first detected by AP[RuckusAP 2@1c:b9:c4:35:eb:e0]
What does "Network" refer to in the context of "same network"? I assume not the same SSID, as the SSID is logged as the ubiquitous "CableWiFi". Does network mean "channel" in this context?