Chapter 1 FAQs and Troubleshooting
Intrusion Detection System FAQs and Troubleshooting
WLSE considers hardware, both client and access points, to be trusted sources, and assumes that vendors are reporting the field correctly. WLSE expects only client machines and peripherals to emit beacons with the IBSS flag set (it is very unlikely that an access point would emit an IBSS beacon). In rare cases, however, a malicious station can spoof the field. If this happens, WLSE will report whatever value the field is set to.
Q.How often does rogue AP detection occur and can it be customized?
A.Rogues can be detected within 90 seconds, but are not reported for another 180 seconds. This delay allows as many APs as possible to detect the rogue, which helps pinpoint the rogue’s location. Detection frequency cannot be customized, but rogue AP detection and the fault priority that is assigned can be enabled and disabled for the network.
Q.How long does it typically take for the WLSE to detect a rogue access point after it is connected to the network?
A.To detect a rogue AP, Radio Monitoring must be enabled. Radio monitoring gathers radio reports every 90 seconds, so if at least one AP can hear the rogue, WLSE will detect the rogue in approximately 360 to 450 seconds. (It takes 1 to 2 measurement intervals for Radio Monitoring to report a rogue, and the WLSE waits for 3 measurement intervals for other surrounding APs or clients to report the same radio.)
Q.Can I disable transmit on an AP and yet allow it to receive signals so that it can participate in rogue AP detection?
A.The solution you want is called
Q.I want to disable Radio Monitoring and detect rogue APs only when AP Radio Scan jobs are scheduled. Is this possible?
A.Radio Monitoring is the preferred method for detecting rogue APs. AP Radio Scan jobs can detect rogues, but only during the scan (approximately 3 to 4 minutes); any rogues that show up after the scan are not detected. In addition, because the scan is so short, it is possible that some rogues will not be detected because they do not respond with a Probe Request during the active scan. When Radio Monitoring is enabled, the rogue will eventually be detected by the beacon frame; it is statistically possible that a beacon will not be seen during an AP scan.
Q.What requirements and configuration are needed before a client can participate in rogue AP detection?
A.Participation is automatic. Cisco and CCX clients gather radio frequency information as instructed by the APs to which they are associated. APs gather similar information. This data is aggregated at the WDS device and then analyzed by the WLSE.
Q.Can the client be used to help triangulate a rogue AP?
A.The client’s data does not get factored into location triangulation; only the AP data is used.
Q.How can I automatically adjust the channel and power settings on my managed APs to overcome the coverage problems introduced by rogue APs?
A.To automatically adjust channel and power settings on managed APs after detecting rogue APs, run RM Assisted Configuration (or Auto Site Survey from the Location Manager wizard).
FAQ and Troubleshooting Guide for the CiscoWorks Wireless LAN Solution Engine
|
| ||
|
|