We are running a network with 260+ APs in hospitality. Nearby are several other hotels and an airport. The ZD shows several new rogue networks every day, which is ok. But my question is:
What happens to the rogue network/SSID when I click on "mark as malicious"? Will the ZD attack this AP and disconnect all clients? If this is the case, can I prevent my network from beeing marked as malicious from other facilites nearby?
AP/ZD detects rouge devices and mark them to Malicious APs in our Ruckus ZD, the genuine AP will
send deauth as broadcast with malicious AP's source mac to all stations who are
associating to the malicious AP.
If the clients are connecting to Nearby SSID i.e Different Controller. The Nearby Network Admin might might Mark as Malicious to our SSID so we need to educate all the users to connect to our main SSID.
If both the SSID are interfering then you need to request the nearby Network Admin to reduce the power level.
I hope this is answered. If yes, then please mark as Answered.
Ruckus will only "attack" (or defend) your network if you check the "Defend my network against malicious rogues" box on the WIPS page. Otherwise, malicious rogues will just generate angry log messages and possibly email/text you if you have alarm notifications turned on.
If you are in the USA though, be aware of the new FCC enforcement advisory regarding wifi blocking. If you're a commercial establishment, it no longer appears legal to block another wifi network. Although this originally stemmed out of a Marriott price-gouging paid wifi case, the wording is so broad that it seems like even this kind of WIPS where if you marked a neighbor's AP as rogue or somehow your AP's mis-recognized their AP's as rogue, you might be in a bit of hot water. This article is pretty good: http://www.networkworld.com/article/2881540/careers/how-not-to-get-slammed-by-the-fcc-for-wi-fi-bloc...
You can't really protect your network from a nearby network operator being reckless and starting to block your network -- wifi is not a war zone :). I'm not sure what would happen in such a case -- I would expect your own ZD would warn you that your network is experiencing a malicious rogue sending deauth packets on your behalf, which would give you cause to investigate.