ECM can alert you when it detects an unrecognized access point. This article details how to configure this functionality. After configuration, the alert displays when a WiFi site survey detects a rogue access point, that is, one not marked as known, broadcasting the same SSID as the device running the site survey. This helps identify potential access point hijacking, evil twin, and man-in-the-middle WiFi attacks.
Configuration Difficulty: Intermediate
- Step 1: Log into your ECM account.
- Step 2: Place a checkmark next to the router.
- Step 3: Select Commands and then WiFi Site Survey.
- Step 4: If you are ready to proceed, click Yes.
- Note: Performing a WiFi Site Survey may temporarily cause some wireless clients to lose their connection or stall their network traffic while the survey is being completed. It is recommended that this operation be performed during off hours.
- Step 5: Next to Devices click Device and select Rogue AP.
- Step 6: Place a checkmark next to any SSIDs you control or trust.
- Step 7: Press Mark as Known to trust these SSIDs.
- Note: Trusted/Known SSIDs are displayed with a green Thumbs Up icon. Untrusted/Unknown SSIDs are displayed with a red Thumbs Down icon.
- Step 8: Select Alerts in the navigation menu.
- Step 9: Next to Alerts click Log and select Settings.
- Step 10: Click Add to create a new Alert.
- Step 11: Select the Accounts/Groups to be monitored.
- Step 12: Under Alerts expand the Security section and select Rogue Access Point Detected.
- Step 13: Configure the Users to be alerted and the Interval for when to alert.
- Step 14: Click Save.
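
The alert condition described at the top of this article, written out as an added Python example for illustration; it is not ECM's code and does not call any ECM API. The record fields, function names and sample survey data are assumptions, and it assumes "known" entries are tracked per access point radio (BSSID), since several access points can share one SSID.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SurveyEntry:
    """One row of a site survey (hypothetical structure)."""
    ssid: str
    bssid: str   # MAC address of the access point radio
    channel: int

def normalize_bssid(bssid):
    """Compare MAC addresses regardless of case or separator style."""
    return bssid.replace("-", ":").lower()

def find_rogue_aps(own_ssids, own_bssids, known_bssids, survey):
    """Return entries that broadcast one of our SSIDs but are neither
    our own radio nor marked as known."""
    own = {normalize_bssid(b) for b in own_bssids}
    known = {normalize_bssid(b) for b in known_bssids}
    rogues = []
    for entry in survey:
        if entry.ssid not in own_ssids:
            continue  # different SSID: outside the rule described in this article
        bssid = normalize_bssid(entry.bssid)
        if bssid in own or bssid in known:
            continue  # the surveying device itself, or marked as known
        rogues.append(entry)
    return rogues

# Constructed sample data (locally administered MAC addresses, not real devices).
OWN_SSIDS = {"CorpWiFi"}
OWN_BSSIDS = {"02:00:00:00:00:01"}
KNOWN_BSSIDS = {"02-00-00-00-00-02"}   # second office AP, marked as known
SURVEY = [
    SurveyEntry("CorpWiFi", "02:00:00:00:00:01", 6),     # the surveying router
    SurveyEntry("CorpWiFi", "02:00:00:00:00:02", 11),    # known AP, same SSID
    SurveyEntry("CorpWiFi", "02:00:00:00:00:99", 6),     # unknown AP, same SSID
    SurveyEntry("CoffeeShop", "02:00:00:00:00:50", 1),   # unknown, different SSID
]

if __name__ == "__main__":
    for ap in find_rogue_aps(OWN_SSIDS, OWN_BSSIDS, KNOWN_BSSIDS, SURVEY):
        print(f"Rogue Access Point Detected: {ap.ssid} {ap.bssid} ch{ap.channel}")
```

Marking the third entry as known (Step 7) removes it from the result, which is why the known list should only contain access points you control or trust.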