Cisco Systems OL-8376-01 manual


Chapter 1 FAQs and Troubleshooting

Intrusion Detection System FAQs and Troubleshooting

WLSE considers hardware, both clients and access points, to be trusted sources, and assumes that vendors are reporting the field correctly. WLSE expects only client machines and peripherals to emit beacons with the IBSS flag set (it is very unlikely that an access point would emit an IBSS beacon). In rare cases, however, a malicious station can spoof the field. If this happens, WLSE will report whatever value the field is set to.
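How the field discussed above is read from a beacon, as an added example (not WLSE code and not part of the Cisco manual): the sketch parses the 802.11 Capability Information field, classifies the sender from its ESS and IBSS bits, and lists BSSIDs whose beacons disagree. It assumes raw 802.11 frames with no radiotap header or FCS; the function names, the sample frames and the disagreement heuristic are assumptions of this example.

```python
import struct
from collections import defaultdict

CAP_ESS = 0x0001   # Capability Information bit 0: sender is an AP (infrastructure BSS)
CAP_IBSS = 0x0002  # Capability Information bit 1: sender is an ad hoc (IBSS) station

def classify_beacon(frame: bytes) -> dict:
    """Classify a raw 802.11 beacon (MAC header first, no radiotap, no FCS)."""
    if len(frame) < 36:  # 24-byte MAC header + 12 bytes of fixed fields
        raise ValueError("too short for a beacon")
    fc = frame[0]
    if (fc & 0x03, (fc >> 2) & 0x03, (fc >> 4) & 0x0F) != (0, 0, 8):
        raise ValueError("not a beacon (management frame, subtype 8)")
    capability = struct.unpack_from("<H", frame, 34)[0]
    ess, ibss = bool(capability & CAP_ESS), bool(capability & CAP_IBSS)
    if ess == ibss:
        kind = "inconsistent"  # both or neither bit set: malformed or forged
    else:
        kind = "ad-hoc" if ibss else "infrastructure"
    return {"bssid": frame[16:22].hex(":"), "kind": kind}  # address 3 is the BSSID

def conflicting_bssids(frames) -> dict:
    """Return BSSIDs whose beacons did not agree on a single valid kind.

    Heuristic assumed for this example: the bits are self-reported, so a
    BSSID that changes its claim is worth a closer look.
    """
    seen = defaultdict(set)
    for frame in frames:
        info = classify_beacon(frame)
        seen[info["bssid"]].add(info["kind"])
    return {b: sorted(k) for b, k in seen.items()
            if len(k) > 1 or "inconsistent" in k}

def build_beacon(bssid: bytes, capability: int, ssid: bytes = b"lab") -> bytes:
    """Construct a sample beacon for the demo (constructed data, not a capture)."""
    header = (struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + bssid + bssid
              + struct.pack("<H", 0))
    fixed = struct.pack("<QHH", 0, 100, capability)  # timestamp, interval, capability
    return header + fixed + bytes([0, len(ssid)]) + ssid

SAMPLE_FRAMES = [  # constructed test frames
    build_beacon(bytes.fromhex("001122334455"), 0x0421),  # AP: ESS set
    build_beacon(bytes.fromhex("02aabbccddee"), 0x0002),  # ad hoc station: IBSS set
    build_beacon(bytes.fromhex("001122334455"), 0x0002),  # same BSSID now claims IBSS
    build_beacon(bytes.fromhex("0a0000000001"), 0x0003),  # both bits set
]

if __name__ == "__main__":
    for sample in SAMPLE_FRAMES:
        print(classify_beacon(sample))
    print(conflicting_bssids(SAMPLE_FRAMES))
```

The classification is only as trustworthy as the transmitter, which is the point the answer above makes: a monitor that reads these two bits reports whatever the sender put there.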

Q. How often does rogue AP detection occur and can it be customized?

A. Rogues can be detected within 90 seconds, but are not reported for another 180 seconds. This delay allows as many APs as possible to detect the rogue, which helps pinpoint the rogue’s location. Detection frequency cannot be customized, but rogue AP detection and the fault priority that is assigned can be enabled and disabled for the network.

Q. How long does it typically take for the WLSE to detect a rogue access point after it is connected to the network?

A. To detect a rogue AP, Radio Monitoring must be enabled. Radio Monitoring gathers radio reports every 90 seconds, so if at least one AP can hear the rogue, WLSE will detect the rogue in approximately 360 to 450 seconds. (It takes 1 to 2 measurement intervals for Radio Monitoring to report a rogue, and the WLSE waits for 3 measurement intervals for other surrounding APs or clients to report the same radio.)

Q. Can I disable transmit on an AP and yet allow it to receive signals so that it can participate in rogue AP detection?

A. The solution you want is called scanning-only AP mode. Scanning-only AP mode puts a radio interface in a dedicated mode in which it monitors the surrounding air space without carrying any regular WLAN user traffic. For more information, see the scanning-only AP mode information in the online help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, 2.13.

Q. I want to disable Radio Monitoring and detect rogue APs only when AP Radio Scan jobs are scheduled. Is this possible?

A. Radio Monitoring is the preferred method for detecting rogue APs. AP Radio Scan jobs can detect rogues, but only during the scan (approximately 3 to 4 minutes); any rogues that show up after the scan are not detected. In addition, because the scan is so short, it is possible that some rogues will not be detected because they do not respond with a Probe Request during the active scan. When Radio Monitoring is enabled, the rogue will eventually be detected by the beacon frame; it is statistically possible that a beacon will not be seen during an AP scan.

Q. What requirements and configuration are needed before a client can participate in rogue AP detection?

A. Participation is automatic. Cisco and CCX clients gather radio frequency information as instructed by the APs to which they are associated. APs gather similar information. This data is aggregated at the WDS device and then analyzed by the WLSE.

Q. Can the client be used to help triangulate a rogue AP?

A. The client’s data does not get factored into location triangulation; only the AP data is used.

Q. How can I automatically adjust the channel and power settings on my managed APs to overcome the coverage problems introduced by rogue APs?

A. To automatically adjust channel and power settings on managed APs after detecting rogue APs, run RM Assisted Configuration (or Auto Site Survey from the Location Manager wizard).

FAQ and Troubleshooting Guide for the CiscoWorks Wireless LAN Solution Engine

 
