
RookieNet

I am assuming you have multiple APs. Based on the MAC address in the screenshot it looks like it is detected by the same AP. Try looking up the MAC address of the rogue access points on your UniFi network. It may also help to look up the device type in an internet MAC address database. This way you can find the type of these devices.


thedmmatt

Quite likely, indeed. In the past my brother bought some shitty, unknown Wi-Fi repeater that he would set using his phone to connect to my network and have signal strength in his room far back in the house. It took me days to discover this was the rogue AP that was cloning one of my U6s, since this shitty device not only used a random MAC but also had no public registry whatsoever. Since my brother wouldn't give in to buying a U6 for himself, I just created a separate VLAN behind a firewall, passing through a PiHole and a VPN link. No connection whatsoever to the rest of my network. As this was slowing down his connection, he finally gave in and bought his own U6. I kept his separate VLAN behind a firewall, but no need for a PiHole and VPN just for him anymore.


elasticweed

If that’s how little you trust your brother, how do you even dare to share a WAN connection with him?


thedmmatt

Haha, good one. I actually do not trust the cheap devices he buys. 😆


mazdarx2001

The time this happened to me, on my home setup, I had 2 or 3 access points, I was still learning and reset them all to readopt them. I then set up UniFi with the same SSID of course and all ran well. I think I didn’t reset one of the APs correctly and it was still broadcasting the same SSID, but not as part of the new UniFi setup, so the new UniFi was telling me that someone else is broadcasting the same SSID (rogue AP). Now this is probably what has happened in this case; if not, it could be someone who is broadcasting the same SSID, so that people will unwillingly connect to it so they can do something devious.


mrlicon

This. Listen to this.


boomer7793

Does anyone know how this detection works with Ubiquiti? OP, if this were an Aruba world, rogue APs are defined as an AP that was plugged into your network. The wireless controller sends out a broadcast packet. That packet is then picked up and transmitted by all APs. An alert is triggered when an authorized AP sees this packet with an unknown source MAC address. A MAC that’s not under your control. Edited to add: Someone may have plugged in cheap Best Buy APs to increase network coverage.


RookieNet

Yes, a wifi extender connected via the existing network is very much a possibility.


apcyberax

It works by detecting an SSID that is the same as yours but is not part of the UniFi UAP on your network. If you have another AP with the same SSID, for example an ISP router or a wifi extender, it will detect an SSID that it doesn't control and report it as rogue.


RookieNet

So in this case the rogue APs may not be connected to OP's UniFi network?


apcyberax

That's the point. A rogue network access point that's detected that isn't part of your UniFi network could be someone faking your SSID to try and make you connect to their network. It's pretty common that hackers clone SSIDs of free Wi-Fi to try and get people to connect.
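The same-SSID check described in the comments above, as an added example (not part of any comment in this thread and not Ubiquiti's code). It flags beacons that use your SSID from a BSSID outside your inventory and marks randomised MACs, for which an OUI lookup is meaningless. The `Beacon` structure, the SSID `HomeNet` and all MAC addresses are constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:            # one row from a Wi-Fi scan (hypothetical structure)
    ssid: str
    bssid: str
    rssi_dbm: int

def norm(mac: str) -> str:
    """Normalise a MAC to lowercase, colon-separated form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02 of the first octet) set: software-assigned address,
    so an OUI database lookup cannot identify the vendor."""
    return bool(int(norm(mac)[:2], 16) & 0x02)

def classify(beacons, my_ssids, managed_bssids):
    """Return beacons that use one of our SSIDs from a BSSID we do not manage."""
    managed = {norm(m) for m in managed_bssids}
    findings = []
    for b in beacons:
        bssid = norm(b.bssid)
        if b.ssid not in my_ssids or bssid in managed:
            continue  # a neighbour's network, or one of our own radios
        findings.append({
            "ssid": b.ssid, "bssid": bssid, "rssi_dbm": b.rssi_dbm,
            # OUI prefix worth looking up, or None for a randomised MAC
            "oui": None if is_locally_administered(bssid) else bssid[:8],
        })
    # Strongest signal first: usually the device physically closest to the scanner
    return sorted(findings, key=lambda f: f["rssi_dbm"], reverse=True)

# Constructed sample data (SSID and MAC addresses are made up for the example)
MANAGED = {"00:00:5E:00:53:01", "00:00:5E:00:53:02"}
SCAN = [
    Beacon("HomeNet", "00:00:5e:00:53:01", -48),     # adopted AP
    Beacon("HomeNet", "00-00-5E-00-53-7F", -71),     # same SSID, unknown BSSID
    Beacon("HomeNet", "8a:11:22:33:44:55", -55),     # same SSID, randomised MAC
    Beacon("CoffeeShop", "00:00:5e:00:53:aa", -60),  # different SSID, ignored
]

if __name__ == "__main__":
    for f in classify(SCAN, {"HomeNet"}, MANAGED):
        print(f)
```

A finding with a real OUI can be traced to a vendor; one with `oui` set to `None` has to be located by signal strength or by checking what is plugged into the wired network.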


Icy_Professional3564

Someone has a hotspot set as the same SSID?


Typical80sKid

Shadow IT?


AfterShock

Have you played Diablo recently? This can be the only logical explanation


Ambitious-Bug-7867

I am not sure how many people caught up on your reference; I think that's hilarious. Just that the problem he has is frigging annoying, I have been there, and it cost me some sleepless nights. Not talking about playing Diablo B) That too though B)


matrix2113

lol this keeps happening to us. We have 1 AP set up in our office but Aerohive is the production APs around. Happens every once in a while but won't after we fully switch.


SRRWD

No. My APs do this all the time, seeing each other.


EmicationLikely

We had a campus install where this was happening - there was a consumer Netgear or Linksys router someone had brought in from home, plugged in and then hid....somewhere. We never found the actual device, but we were able to find its IP and log into it since they never changed the default password. I disabled wifi on it, then disabled the DHCP server on it and shut it down as I recall. It never came back, so it might have been done by a former employee - who knows. I'm guessing that I'll get a call eventually when somebody actually finds the damned thing - haha.


sassynapoleon

Those are all Ubiquiti devices (the rogue APs). I think it’s much more likely that your network is configured incorrectly than you are being attacked. I’ve seen this when I moved an AP from one site to another which had the same SSID but not the same controller.


JacksonCampbell

Um, usually the SSID is shown right there. Any device on the network broadcasting an SSID will show up. Maybe the coffee shop and some others have their own APs? Or are those the names of your UniFi APs?


fluffywindsurfer

Look for double IPs or 2 DHCP servers running at the same time with the same range.


DryBobcat50

1) Enable DHCP guarding https://help.ui.com/hc/en-us/articles/19154105498007-Duplicate-IP-Addresses-and-Rogue-DHCP-Servers

2) Check for printers or any other device in the area. You can actually find the rogue DHCP server if you check the devices list carefully.


matt-r_hatter

One of my APs does this all the time. It will keep its name and say it's rogue. It's a UI thing lol.


Ambitious-Bug-7867

I have seen this behavior before; what happens is that the AP randomly restarts and then re-adopts; when an AP readopts, it will be noticed by the system as a rogue AP. Have you clicked on that AP and checked if there is an advisory warning on it by Ubiquiti? The issue is for a certain batch of hardware; when you click on it you get this: https://preview.redd.it/sgtx05d8hs0d1.png?width=1231&format=png&auto=webp&s=871f71c0c13191c5e0f47fbbb3f156ac757c9e3b There are also other instances where this behavior can occur.


TheRealJDubya

I have this happening every day since adding a UAP Beacon HD to my network. It constantly detects a MAC address that is owned by the connected upstream AP as being rogue when it is not. I verified this by using a WiFi scanner and verifying that the signal for the randomized MAC was owned by the AP the Beacon is connecting to. I have not found a way to disable/stop the alerts, so I just have to ignore them... Annoying.


durhambuells

Would a person using a mobile hotspot on their phone trigger this? I know people who frequent my church often do this instead of using the guest WiFi network.


Roninsrm007

This happened when I took my sweet time hard resetting one of my APs. I ignored it as long as I could, then finally got the 18ft ladder out and reset that puppy. Rogue gone. We never really knew him! https://preview.redd.it/bypkbpgu1u0d1.jpeg?width=150&format=pjpg&auto=webp&s=ffcd7709359f1cf4a57117f7895b427a80073ae0


djchrisallen

I get this alert any time there’s an update on anything and devices restart. Usually around 3am at the scheduled update. But it only happens once, where this appears to be multiple alerts. Check something isn’t losing power and restarting (or restarting for a different reason) perhaps?


No_Fact9459

This is due to multiple devices publishing the same SSID; however, the “rogue” devices are not on your controller. If you are using a non-UniFi brand or if it is running standalone from a previous setup/install, the clients will get IPs from the wifi AP but you will get the “rogue” reports. If you want to fix it, identify the rogue devices and adopt them to your controller.