AirGuard

AirGuard is EnGenius technology for detecting rogue sources, evil twins, DoS attacks, and RF jamming. You can access this screen under Manage > Access Points > AirGuard.

Rules

  1. Enable AirGuard first (it is off by default) so that the APs start detecting rogue sources.

  2. If “Contain all Rogue Devices” is enabled, all rogue SSID devices are contained automatically and Zero-Wait DFS will not function.

  3. “Scanning APs” lists all APs that can perform AirGuard scanning (AirGuard APs); clicking “Details” redirects to the AP detail page.

  4. Users can set rules to categorize specific SSIDs or BSSIDs by partial match or exact match.

Must know

AirGuard requires at least one AP with a dedicated scanning radio in this network, e.g., ECW220S or ECW230S.

Rogue SSID

  • All SSIDs that match “Rogue rules”

  • All SSIDs that match a legitimate SSID but are not recognized as a Cloud-managed device (this could be a rogue AP, or it could be another vendor's legitimate AP)

  • Broadcast MACs: the BSSIDs (MAC addresses), detected by our AP, that are broadcasting the rogue SSID. There may be multiple BSSIDs. Click on the line to see detailed information.

  • Seen by: the rogue SSID might be detected by multiple EnGenius APs.

  • Severity: The severity of the rogue reason could be high and require the user’s attention. The color bar in front of the SSID indicates the severity: Very high: Red; High: Orange…

  • Containment: “Contained” means your EnGenius AP is currently containing the rogue SSID: whenever a client attempts to connect to the rogue SSID, it is forced off. “Uncontained” means the rogue SSID is not currently contained.

  • Move to Whitelist: If the user finds that the SSID is legitimate, they can select it and move it to the whitelist (“Other SSIDs”).

  • Contain: If you determine that the rogue SSIDs are threats to your network, click Contain so that clients are forced off when they attempt to connect to the rogue SSIDs.

  • Uncontain: If the rogue SSIDs were noticed during a scan but have not been determined to be a threat to your network, click Uncontain.

Evil Twin

  • AP impersonation: SSID = legitimate SSID and BSSID = legitimate BSSID, which means someone is using the legitimate AP’s MAC and SSID to try to steal client information.

  • AP spoofing: BSSID = legitimate BSSID, but the SSID is not a legitimate SSID.

  • The severity is always “Very High” and requires attention.

Malicious Attack

A DoS attack that tries to prevent all clients, or specific clients, from connecting to the AP.

  • De-Auth attack: The rogue client sends a high volume of “De-Auth” traffic, so clients are continually de-authenticated.

  • Dis-association attack: The rogue client sends a high volume of “Dis-association” traffic, so clients are continually disassociated.

  • Attacked Party: Either a specific client (MAC address) or broadcast (all clients, MAC ff:ff:ff:ff:ff:ff)
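
The De-Auth and Dis-association detection described above can be sketched as a sliding-window counter. This is an added example, not EnGenius code: the window length, the threshold, the function names and the frame records are all assumptions constructed for illustration, since the page only says "a high volume".

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Assumed values: the page does not state what counts as "a high volume".
WINDOW_S = 1.0
THRESHOLD = 10
KIND = {"deauth": "De-Auth attack", "disassoc": "Dis-association attack"}

def detect_floods(frames, window_s=WINDOW_S, threshold=THRESHOLD):
    """frames: (timestamp_s, frame_type, source_mac, dest_mac) tuples sorted
    by timestamp. Returns one alert per (type, source, dest) flow whose frame
    count inside a sliding window reaches the threshold."""
    recent = defaultdict(deque)          # flow -> timestamps still in window
    alerts = {}
    for ts, ftype, src, dst in frames:
        if ftype not in KIND:
            continue                     # ignore other frame types
        key = (ftype, src.lower(), dst.lower())
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_s:      # expire timestamps outside window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            party = "broadcast (all clients)" if key[2] == BROADCAST else key[2]
            alerts[key] = {
                "attack": KIND[ftype],
                "source": key[1],        # source address as claimed in the frame
                "attacked_party": party,
                "first_alert_at": ts,
            }
    return list(alerts.values())

def sample_frames():
    """Constructed capture with locally administered (made-up) MACs."""
    frames = []
    # 20 broadcast de-auth frames within 0.5 s from one source
    frames += [(10.0 + i * 0.025, "deauth", "02:00:00:00:00:aa", BROADCAST)
               for i in range(20)]
    # 12 disassociation frames to a single client within 0.6 s
    frames += [(20.0 + i * 0.05, "disassoc", "02:00:00:00:00:bb",
                "02:00:00:00:00:01") for i in range(12)]
    # Background: 3 de-auth frames spread over 20 s, below the threshold
    frames += [(5.0 + i * 10, "deauth", "02:00:00:00:00:cc",
                "02:00:00:00:00:02") for i in range(3)]
    return sorted(frames)

if __name__ == "__main__":
    for alert in detect_floods(sample_frames()):
        print(alert)
```
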

RF Jamming

An RF jammer sends RF noise on a certain channel to increase the SNR rate or keep the SSID/channel busy, so that clients cannot connect to SSIDs on the channel.

More details: https://docs.engenius.ai/whitepapers/airguard/rf-jamming

Other SSID
