Hello Hussein
First of all it’s important to understand what the term rogue refers to. It doesn’t only refer to access points, but also to clients that have erroneously connected to those access points. There are two things that can be done to contain both the rogue AP and the rogue clients that have connected to them. The first has to do with the rogue clients, while the second has to do with the rogue AP itself.
- When a rogue client is detected, the legitimate access points can send a de-authentication packet to these clients that will disassociate them from the rogue AP, allowing them to re-associate with a legitimate AP.
- When a rogue AP is detected, a legitimate AP can connect to the rogue as a client and send Rogue Location Discovery Protocol (RLDP) packets, which is a method of rogue AP mitigation.
Now getting to your question, in monitor mode, an AP is simply used as a sensor. In other words, it only receives signals and processes them for the purpose of determining the condition of things over the air. Specifically, an AP will scan all configured channels every 12 seconds. In this mode, the AP is able to send de-authentication packets to detected rogue clients, but no other mitigation activities are possible.
In Rogue Detector mode, 100% of the AP’s resources are dedicated to listening for and detecting rogues. But it doesn’t do this over the air, but over the wire. In this mode, the AP radio is turned off completely, and it listens for ARP packets only, on the wire. Such a device should be connected to all broadcast domains in the wireless network through a trunk link.
In any case, both of these modes feed the WLC information that can then be used by all of the APs in the network to send de-authentication packets to rogue clients, and RLDP packets to rogue APs.
More information and details about how this works can be found here:
I hope this has been helpful!
Laz
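As an added illustration (not part of Laz's reply and not Cisco's own code), the wire-side correlation that a rogue detector AP performs, reduced to a small Python script: ARP sender MACs captured on the trunk are matched against the rogue BSSIDs and rogue client MACs that monitor-mode APs reported over the air, and any hit flags that rogue as being on our wired network. All MAC addresses, IPs and frames are constructed sample values.

```python
import struct

# Constructed sample (hypothetical MACs): rogues reported over the air by
# monitor-mode APs, keyed by rogue BSSID -> set of client MACs seen on it.
AIR_DETECTED_ROGUES = {
    "02:11:22:33:44:55": {"0a:bb:cc:dd:ee:01", "0a:bb:cc:dd:ee:02"},
    "02:66:77:88:99:aa": set(),
}
ETHERTYPE_ARP = 0x0806


def mac_to_bytes(mac):
    return bytes(int(b, 16) for b in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Construct an Ethernet II frame carrying an ARP request (test input only)."""
    eth = mac_to_bytes("ff:ff:ff:ff:ff:ff") + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # htype, ptype, hlen, plen, request
    arp += mac_to_bytes(sender_mac) + bytes(map(int, sender_ip.split(".")))
    arp += mac_to_bytes("00:00:00:00:00:00") + bytes(map(int, target_ip.split(".")))
    return eth + arp


def arp_sender_mac(frame):
    """Return the ARP sender hardware address, or None if the frame is not ARP."""
    if len(frame) < 14 + 28 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    return bytes_to_mac(frame[22:28])  # 14-byte Ethernet header + 8-byte ARP fixed header


def rogues_on_wire(frames, air_rogues):
    """Correlate ARP sender MACs seen on the wire with air-detected rogues.
    Returns {rogue_bssid: MACs proving it is on the wired network}; a hit on the
    rogue AP's own MAC or on one of its clients means the rogue is bridged into us."""
    wire_macs = {m for m in (arp_sender_mac(f) for f in frames) if m}
    found = {}
    for bssid, clients in air_rogues.items():
        hits = ({bssid} | clients) & wire_macs
        if hits:
            found[bssid] = hits
    return found


# Constructed wire capture: one rogue client, one innocent host, one non-ARP frame.
SAMPLE_FRAMES = [
    build_arp_request("0a:bb:cc:dd:ee:01", "10.0.0.50", "10.0.0.1"),
    build_arp_request("00:50:56:aa:bb:cc", "10.0.0.20", "10.0.0.1"),
    b"\x00" * 60,  # ethertype 0x0000, ignored by the parser
]
```

Running `rogues_on_wire(SAMPLE_FRAMES, AIR_DETECTED_ROGUES)` flags only the first rogue BSSID, because one of its air-detected clients also ARPed on the trunk.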