It is important to know the authenticity of APs on your network because unauthorized or misconfigured APs can introduce severe security vulnerabilities.
APs are classified in these categories:
- Authorized — APs connected to your network that match your Authorized WLAN Policy.
- Misconfigured — Authorized APs with a configuration that does not match your Authorized WLAN Policy.
- Rogue — Unauthorized APs connected to your network that do not match your Authorized WLAN Policy.
- External — Neighborhood APs that operate in the vicinity of your network but are not connected to your network.
- Uncategorized — New APs discovered by Wi-Fi Cloud that have not yet been classified.
Uncategorized APs are then assigned a potential classification based on their network connectivity to the monitored network and their compliance with the Authorized WLAN Policy:
- All WatchGuard APs connected to your network that match your Authorized WLAN Policy are auto-classified as Authorized.
- All APs not managed by Wi-Fi Cloud (such as third-party APs) connected to your network that match your Authorized WLAN Policy are auto-classified as Potentially Authorized. You must manually classify these APs as Authorized.
- All APs not managed by Wi-Fi Cloud (such as third-party APs) connected to your network that do not match your Authorized WLAN Policy are auto-classified as Potentially Rogue.
- All APs not managed by Wi-Fi Cloud (such as third-party APs) not connected to your network are auto-classified as Potentially External.
Configure AP Auto-Classification
AP auto-classification is enabled by default. You can fine-tune the auto-classification behavior if you do not want External or Rogue APs to be automatically classified.
We recommend you use the default settings to automatically classify External and Rogue APs.
From Manage, select Configuration > WIPS > AP Auto-classification.
- Automatically move Potentially External APs in the Uncategorized list to the External Folder — The External AP may change classification if Wi-Fi Cloud detects that the AP is connected to the wired enterprise network at a later time.
- Automatically move Potentially External APs in the Uncategorized list to the Rogue Folder — When an AP is automatically classified as Rogue, the AP stays in that classification until an administrator manually reclassifies the AP. A Rogue AP will never be automatically changed to a different classification without administrator intervention.
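The classification rules and the two auto-classification settings above can be modeled as a small decision procedure, for example to reason about which APs will still need manual review. This is an added example, not WatchGuard code or a Wi-Fi Cloud API. The AP fields, the `auto_external` and `auto_rogue` flags (the latter assumed to move Potentially Rogue APs to Rogue), and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class AP:
    name: str
    managed: bool         # managed by Wi-Fi Cloud (WatchGuard AP)
    wired: bool           # detected as connected to the monitored network
    matches_policy: bool  # complies with the Authorized WLAN Policy
    category: str = "Uncategorized"
    potential: str = ""

def potential_class(ap):
    """Auto-classification rules listed above; "" where the page states no rule."""
    if ap.managed:
        return "Authorized" if ap.wired and ap.matches_policy else ""
    if not ap.wired:
        return "Potentially External"
    return "Potentially Authorized" if ap.matches_policy else "Potentially Rogue"

def reclassify(ap, auto_external=True, auto_rogue=True):
    """One evaluation pass; the two flags stand for the two settings above."""
    if ap.category not in ("Uncategorized", "External"):
        return ap.category  # Rogue and admin-set categories never change automatically
    ap.potential = potential_class(ap)
    auto_move = {
        "Authorized": "Authorized",
        "Potentially External": "External" if auto_external else None,
        "Potentially Rogue": "Rogue" if auto_rogue else None,
    }
    # Assumption: anything not auto-moved waits in Uncategorized for an administrator.
    ap.category = auto_move.get(ap.potential) or "Uncategorized"
    return ap.category

def needs_review(aps):
    """APs an administrator still has to classify by hand."""
    return [(ap.name, ap.potential) for ap in aps if ap.category == "Uncategorized"]

# Constructed inventory, not data from a real deployment.
INVENTORY = [
    AP("lobby-wg", managed=True, wired=True, matches_policy=True),
    AP("lab-thirdparty", managed=False, wired=True, matches_policy=True),
    AP("desk-hotspot", managed=False, wired=True, matches_policy=False),
    AP("cafe-next-door", managed=False, wired=False, matches_policy=False),
]

if __name__ == "__main__":
    for ap in INVENTORY:
        print(ap.name, "->", reclassify(ap))
    print("manual review:", needs_review(INVENTORY))
    cafe = INVENTORY[3]
    cafe.wired = True   # the External AP is later seen on the wired network
    print(cafe.name, "->", reclassify(cafe))  # moves to Rogue
    cafe.wired = False
    print(cafe.name, "->", reclassify(cafe))  # stays Rogue until an admin acts
```

The third-party AP that matches the policy is the only one left for manual review, and the neighboring AP that later appears on the wired network becomes Rogue and stays there.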
Monitor AP Classification
You can see how Wi-Fi Cloud classifies APs on your network from the Monitoring > Security > APs page in Manage.
For more information, see Monitor Access Points.
If you have known APs that are listed as Uncategorized, you can manually change the classification category of the AP to Authorized. Make sure you verify the location and configuration of the device before you change an AP classification category.
- In Manage, select Monitoring > Security > APs.
- Select the AP that is classified as Uncategorized.
- Click the icon on the tool bar.
- Select the Authorized category.
If you do not recognize the device, you can also manually set the category to Rogue to make sure clients cannot connect to the device until you can determine its location and configuration.
You can perform this procedure for other categories of APs, but in the case of Misconfigured or Rogue APs, you must make sure that the AP is a known AP and the configuration is correct to prevent security vulnerabilities on your wireless network.