What is a rogue access point?
A rogue access point is an unauthorized wireless device that is connected to your wired network. This distinguishes it from a 'neighbor network' (an AP in the same building from a different organization, which is on their network, not yours) and from an 'evil twin' (an AP mimicking your SSID to capture client credentials, which may or may not be connected to your network). A true rogue AP — whether placed intentionally by an attacker or accidentally by an employee plugging in a home router — creates an unauthorized entry point to your internal network, bypassing your firewall and security controls.
Three categories of unwanted APs
Rogue APs are physically connected to your wired network (unauthorized, potentially malicious). Neighbor networks are APs from adjacent organizations visible in the RF environment (not on your network, but they congest shared channels). Evil twins are APs broadcasting your SSID to lure clients into connecting to an attacker-controlled device (may or may not be on your network — the danger is credential theft and traffic interception). Each category requires a different response: rogue APs need physical removal and network investigation; neighbor networks need channel planning; evil twins need client-side validation and user education.
How rogue APs are detected
Detection requires seeing an AP's BSSID (MAC address) in the RF environment and then determining whether it is connected to your wired network. 802.11 air-monitoring (scanning mode on an AP radio or a dedicated sensor) captures visible BSSIDs. Wired-side correlation checks whether the AP's MAC address has appeared on a switch port — if an AP is broadcasting an unknown SSID and you can find its MAC on your wired infrastructure, it's a rogue. Enterprise Wi-Fi controllers (Cisco Meraki, Aruba Central, Ruckus SmartZone) include rogue detection features. TekFidelityIQ's security audit layer surfaces rogue AP alerts, evil twin SSIDs, and unknown networks visible at each site.
Why continuous monitoring beats periodic scans
A one-time RF scan tells you what was visible at that moment. A rogue AP plugged in on Monday afternoon and removed Friday morning would be completely invisible to a Wednesday-morning spot check. Continuous monitoring means every snapshot cycle checks for new or previously unseen BSSIDs at each site, flags them immediately, and preserves a timeline of when the device appeared and disappeared. For security and compliance, this evidence trail is often as important as the detection itself.
What to do when you find one
When a rogue AP is detected: first, confirm it's actually on your network (check switch port MAC tables). If confirmed, isolate the switch port immediately, then physically locate and remove the device. Document the incident — when it appeared, which port, what network it was broadcasting. Investigate how it got connected (employee error, contractor, physical security breach). Review access logs for the period it was active. If it was an evil twin (SSID match but not on your wired network), alert users on that network segment and review client auth logs for anomalies.
Frequently Asked Questions
- What is the difference between a rogue AP and a neighbor network?
- A rogue AP is connected to your wired network without authorization. A neighbor network is an AP from a different organization that you can see in the RF environment but is not connected to your network.
- Can TekFidelityIQ detect rogue access points?
- Yes. TekFidelityIQ's security audit layer flags unknown SSIDs, BSSIDs, and potential evil twins visible at each site and generates alerts when new unauthorized devices appear.
TekFidelityIQ
See Wi-Fi health monitoring in action
Launch the interactive demo or request a free Wi-Fi Health Review — no obligation, results in about 48 hours.