AirGuard is EnGenius technology to detect the rogue source, evil twins, DoS attacks, and RF jamming. You can access this screen under Manage > AirGuard


  1. Users should enable AirGuard first (by default: off) to activate AP to detect the rogue source

  2. If Enabled "Contain all Rogue Devices", all rogue SSID devices will be contained automatically and Zero-Wait DFS will not be functional.

  3. Scanning APs list down all APs who can do AirGuard (AirGuard AP), click “Details” will redirect to the AP detail page.

  4. Users can set rules to categorize specific SSID or BSSIDs with a partial match or exact match.

Must know

AirGuard requires at least one AP with dedicated scanning radio in this network. eg, ECW220S, ECW230S

Rogue SSID

  • All SSID match “Rogue rules

  • All SSID match legitimate SSID but are not recognized by Cloud-managed device (It could be rogue AP, it also could be other vendors' legitimate AP)

  • Broadcast MACs are the BSSID (MAC), detected by our AP, broadcasting the rogue SSID. It could be multiple BSSIDs. Click on the line to see detailed information.

  • Seen by: the Rogue SSID might be detected by multiple EnGenius AP

  • Severity: The rogue reason severity could be high and require the user’s attention. The color bar in front of the SSID indicates the severity: Very high: Red; High: Orange…

  • Containment: Contained means the rogue SSID that your EnGenius AP is currently containing. Whenever a client attempts to connect to the rogue SSID, they will be forced off. Uncontained means the Rogue SSID is not currently contained.

  • Move to Whitelist: If the user found the SSID should be legitimate, then he can select it and move to whitelist (move to “Other SSIDs”)

  • Contain: This is the action that if you determine the Rogue SSIDs are threats to your network, you could click contain so the client will be forced off when the client attempts to connect the Rogue SSIDs.

  • Uncontain: This is the action that the Rogue SSIDs were noticed during a scan, but has not been determined to be a threat to your network, so you could click Uncontain.

Evil Twin

  • AP impersonation: SSID = legitimate SSID and BSSID = legitimate BSSID, which means someone is using the legitimate AP’s MAC and SSID trying to steal client information

  • AP spoofing: BSSID = legitimate BSSID, but not legitimate SSID

  • The severity is always “Very High” and requires attention.

Malicious Attack

DoS attack trying to let clients or specific clients not able to connect to the AP

  • De-Auth attack: The rogue client sends a high volume of “De-Auth” traffic, so clients are always de-auth.

  • Dis-association attack: The rogue client sends a high volume of “Dis-association” traffic, so clients are always disassociated.

  • Attacked Party: Either specific client (MAC address) or broadcast (all MAC ff:ff:ff:ff:ff:ff)

RF Jamming

RF Jammer sends RF noise on a certain channel to increase the SNR rate or keep the SSID/channel busy, so the client cannot connect to SSIDs on the channel.

More details:

Other SSID

Last updated