Cisco Systems OL-8376-01 manual Detecting Rogue APs

Page 62

Chapter 1 FAQs and Troubleshooting

Intrusion Detection System FAQs and Troubleshooting

Detecting Rogue APs

Q. How does WLSE detect rogue APs?

A. Here is a brief summary of the rogue AP detection logic:

a. A rogue AP appears and starts sending out beacons and responding to probe requests.

b. A nearby managed and RM-enabled AP or client detects the beacon (same channel or off-channel) or probe response (off-channel). The AP or client sends back a beacon report of the rogue AP in the next scheduled RM report. The scheduled internal RM reporting interval is 90 seconds, so this step can take up to 90 seconds to complete.

c. The WLSE Radio Manager (RM) receives the beacon report, recognizes that this AP is not in the system (not a managed AP, and not a previously detected radio), and triggers the rogue AP switch-port tracing logic. The WLSE RM does not issue a rogue AP fault at this time.

d. The WLSE RM waits for 3 measurement intervals (3x90, or 270 seconds) for other surrounding APs or clients to report the same radio. This delay allows as many APs as possible to detect the rogue and helps pinpoint the rogue's location (which is reported in Step e). When other APs or clients detect this radio, the reporting AP and the reported RSSI of the rogue AP are stored or updated in the WLSE RM database. This period of time also allows the switch-port tracing logic to try to locate the switch port to which this rogue AP might be connected. This logic runs in parallel. Depending on the size of the network, the switch-port tracing logic may or may not finish before the end of this interval (270 seconds).

e. The WLSE RM issues a rogue AP fault. These first steps (b - e) can take from 270 to 360 seconds (3x90 to 4x90) to generate a fault against a particular rogue AP. After the fault has been generated, the fault notifications follow the standard WLSE fault notification process. (You must set up the e-mail notification to receive it.) The fault details page is updated so that when you click on the rogue AP's location, the system will have enough information (if it is available) to do a location triangulation based on the RSSI from the different reporting APs.

f. The AP or client continues to update the rogue AP's RSSI, and the Radio Manager continues to update this information in the WLSE. This allows the WLSE to keep the rogue AP's location current and not limited to the position where it was first detected.
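The following is an added model of the detection timeline in steps a through f; it is not WLSE code, and the managed and friendly radio sets, the reporting AP names, the report times and the RSSI values are all constructed sample data.

```python
# Added model of the WLSE rogue-AP detection timeline (steps a-f above).
# Not WLSE code: radio inventories, report times and RSSI values are constructed.
RM_INTERVAL = 90        # scheduled RM reporting interval in seconds (step b)
WAIT_INTERVALS = 3      # RM waits 3 intervals, 270 s, before raising the fault (step d)

MANAGED_RADIOS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}   # constructed inventory
FRIENDLY_RADIOS = {"00:aa:bb:cc:dd:ee"}                        # marked Friendly by the admin


class RogueTracker:
    """Tracks unknown radios from beacon reports and raises a fault after the wait period."""

    def __init__(self):
        self.first_seen = {}   # bssid -> time of the first beacon report (step c)
        self.rssi = {}         # bssid -> {reporting AP: latest RSSI} (steps d and f)
        self.faulted = set()   # bssids that already have an open rogue AP fault

    def beacon_report(self, t, reporting_ap, bssid, rssi):
        """Process one beacon report at time t; returns the fault when raised, else None."""
        if bssid in MANAGED_RADIOS or bssid in FRIENDLY_RADIOS:
            return None                     # known radio: never a rogue
        if bssid not in self.first_seen:
            self.first_seen[bssid] = t      # new unknown radio: start the wait period
        self.rssi.setdefault(bssid, {})[reporting_ap] = rssi   # store or update RSSI
        return self.check(t, bssid)

    def check(self, t, bssid):
        """Step e: raise the fault once 3 intervals have elapsed since first detection."""
        if bssid in self.faulted or bssid not in self.first_seen:
            return None
        if t - self.first_seen[bssid] < WAIT_INTERVALS * RM_INTERVAL:
            return None
        self.faulted.add(bssid)
        # the per-reporter RSSI is what the fault details page triangulates from
        return {"bssid": bssid, "reporters": dict(self.rssi[bssid])}


def location_inputs(tracker, bssid):
    """RSSI per reporting AP, kept current by later reports even after the fault (step f)."""
    return dict(tracker.rssi.get(bssid, {}))
```

With reports arriving every 90 seconds, the first report at t=90 yields a fault at t=360, inside the 270 to 360 second window the text gives.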

Q. What is the difference between a rogue and a friendly AP?

A. In WLSE, friendly stations are unknown stations that the administrator has identified as "okay"; all others are rogues. Unlike a rogue AP, a friendly AP will not trigger a rogue AP fault (that is, a friendly AP will not be detected as a rogue). To change the category type of a rogue AP to Friendly, select IDS > Manage Rogues.

Q. How does the WLSE distinguish between a rogue device and an ad-hoc device?

A. APs and clients detect beacons in the air and send the beacon information to the WLSE via the WDS. These beacons are standard 802.11 frames. If the beacon information does not match a managed radio in the WLSE (by MAC address), the WLSE identifies it as an Unknown Station.

An unknown station is either infrastructure or ad-hoc (IBSS). This determination is made from the beacon report: the 802.11 beacon frame contains a byte indicating whether the beacon comes from an IBSS (ad-hoc) or not (infrastructure). WLSE relies solely on this flag in the beacon to make this determination.
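The classification above applied to a constructed beacon frame, as an added example that is not WLSE code: the frame builder and the managed-radio set are invented for the illustration, and the ESS/IBSS bit positions used are those of the 802.11 capability information field in the beacon body.

```python
import struct

MANAGED_RADIOS = {"00:11:22:33:44:01"}   # constructed managed-radio inventory (by MAC)


def build_beacon(bssid, ssid, ibss):
    """Construct a minimal 802.11 beacon frame (sample input, not a captured frame)."""
    fc = b"\x80\x00"                                   # management frame, subtype 8 = beacon
    bssid_raw = bytes.fromhex(bssid.replace(":", ""))
    # header: frame control, duration, addr1 (broadcast), addr2 (SA), addr3 (BSSID), seq ctrl
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + bssid_raw + bssid_raw + b"\x00\x00"
    cap = 0x0002 if ibss else 0x0001                   # bit 0 = ESS (infra), bit 1 = IBSS (ad-hoc)
    # body: timestamp, beacon interval (100 TU), capability info, then an SSID element
    body = struct.pack("<QHH", 0, 100, cap) + bytes([0, len(ssid)]) + ssid.encode()
    return hdr + body


def classify_beacon(frame):
    """Return (bssid, ssid, category) following the WLSE logic described above."""
    if len(frame) < 36 or frame[0] & 0xFC != 0x80:
        raise ValueError("not a beacon frame")
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # addr3 of a beacon is the BSSID
    _, _, cap = struct.unpack_from("<QHH", frame, 24)
    ssid, pos = "", 36
    while pos + 2 <= len(frame):                          # walk the information elements
        eid, ln = frame[pos], frame[pos + 1]
        if eid == 0:
            ssid = frame[pos + 2:pos + 2 + ln].decode(errors="replace")
            break
        pos += 2 + ln
    if bssid in MANAGED_RADIOS:
        return bssid, ssid, "managed"                      # matches a managed radio: not unknown
    # unknown station: only the IBSS flag decides ad-hoc versus infrastructure
    return bssid, ssid, "unknown ad-hoc" if cap & 0x0002 else "unknown infrastructure"
```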

FAQ and Troubleshooting Guide for the CiscoWorks Wireless LAN Solution Engine

1-50

OL-8376-01
