Cisco Systems OL-8376-01 manual

Page 64

Chapter 1 FAQs and Troubleshooting

Intrusion Detection System FAQs and Troubleshooting

Q.I understand that WLSE does not accept SNMP traps that indicate an AP detected a rogue. So why is an AP that is currently designated as the WDS generating rogue AP SNMP traps?

A.The AP is generating the detected rogue trap, not the WDS functionality currently operating within the AP. This trap is based on authentication tattletale rogue detection, which is currently not reported to the WLSE.

WLSE uses radio measurements to detect the rogues. The authentication tattletale method uses a message sent from a participating client that indicates some type of authentication issue with some other AP. This other AP is considered to be rogue for one of these reasons:

The rogue was not running 802.1x.

Authentication with the rogue timed out.

Bad user password.

Authentication challenge failed.

This tattletale method is enabled on the AP itself, detected by the AP, and flagged at the AP via the trap.

Q.I configured the Friendly AP-to-Rogue AP no-observation period as 5 minutes, moved a rogue AP (AP1) to the friendly list, and shut down its radio. After 5 minutes, AP1 was moved to the rogue AP list. When I moved AP1 back to the friendly list, it was immediately (with in 40 seconds) moved back to the rogue AP list.

A.When the Friendly-to-Rogue policy evaluates a site, any device that hasn’t been seen in “too long a time” is reclassified as rogue. This time period starts when WLSE last observed the device, not after the administrator has set it to Friendly. To keep an unmanaged device as Friendly, set the maximum unobserved time to a value larger than the amount of time the device is expected to not be observed. For example, if a friendly AP is turned off after business hours, the maximum unobserved time should be at least 14 hours (or more for weekends) or the WLSE will reclassify it as rogue.

Q.What should I do when my system is overrun with rogue APs?

A.Some networks might experience large numbers of rogues due to the nature of their neighboring networks or a one-time storm. When the number of unknown (rogue infra-structure or ad-hoc) radios is high (greater than 5000), your network might experience performance degradation. This can occur when your network is in a crowded airspace, you have products such as printers that have wireless functions that create and/or rotate ad-hoc network IDs, that are attacked by the FakeAP program, or that have APs sending corrupt beacon reports. To handle large numbers of rogues:

Use IDS > Manage Network Wide Settings to disable all rogue detection and processing from either infrastructure or ad-hoc rogues (or both).

If your network is in a crowded airspace, examine the report IDS > Manage Rogues. This report shows you the RSSI value for the detected rogues. Sorting by RSSI might give you a limit of RSSI values that you could use in IDS > Manage Network Wide Settings as a threshold.

Use IDS > Manage Rogues to delete the rogues that are no longer an issue (for example, from a temporary storm or isolated occurrence) to free up space in the WLSE.

For an explanation of the fault, see IDS (Intrusion Detection System) Faults, page 2-14.

Q.Why is a fault generated regardless of the threshold set for detecting rogue APs with an defined RSSI value under IDS > Manage Network-Wide IDS Settings?

For example, the threshold is set for detecting a rouge AP with an RSSI value of greater than -80dBM, but alerts are being generated for a rogue AP with an RSSI value of -200 dBm.

A.What happens is as follows:

FAQ and Troubleshooting Guide for the CiscoWorks Wireless LAN Solution Engine

1-52

OL-8376-01

 

 

Image 64
Contents Corporate Headquarters Customer Order Number OL-8376-01Copyright 2006 Cisco Systems, Inc. All rights reserved N T E N T S Fault Descriptions Audience ConventionsConvention Italic fontProduct Documentation Available FormatsObtaining Documentation 105/wlse/213/index.htmProduct Documentation DVD Cisco.comOrdering Documentation Documentation Feedback Reporting Security Problems in Cisco ProductsCisco Product Security Overview Obtaining Technical Assistance Cisco Technical Support & Documentation WebsiteDefinitions of Service Request Severity Submitting a Service RequestObtaining Additional Publications and Information Xii General FAQs and Troubleshooting General FAQsFAQs and Troubleshooting General FAQs and Troubleshooting MIB Name Description General Troubleshooting If no, see Symptom Cannot log in as a system administrator., Possible Cause Restart the system services by entering the following Symptom The system time or date is incorrect # ip name-server ip-address Deployment Wizard Troubleshooting Faults FAQs and Troubleshooting Faults FAQsFAQs and Troubleshooting Faults FAQs and Troubleshooting Faults Troubleshooting Recommended Action Not applicable Devices FAQs and Troubleshooting Devices FAQsFAQs and Troubleshooting Devices FAQs and Troubleshooting Devices Troubleshooting Discovery/Device Management TroubleshootingMessage Possible Cause Recommended Action Discovered but could not be FAQs and Troubleshooting Devices FAQs and Troubleshooting Configuration FAQs and Troubleshooting Configuration FAQsOL-8376-01 Page OL-8376-01 Configuration Troubleshooting Auto-Managed Configuration Assign Templates Firmware FAQs and Troubleshooting Firmware FAQsFirmware Troubleshooting Recommended Action FAQs and Troubleshooting Firmware FAQs and Troubleshooting Reports FAQs Reports FAQs and TroubleshootingTelnet Credential Fields Required Reports Troubleshooting Recommended Action None Click jobvm.log Radio Manager FAQs and Troubleshooting Radio Manager FAQsConfiguration Radio MonitoringMiscellaneous Auto Re-Site SurveyWDS AP? When Wlse is used for initial setup OL-8376-01 Auto Re-Site Survey Radio Manager Troubleshooting Select Devices Discover Managed/UnmanagedSites FAQs and Troubleshooting Sites FAQsLocation Manager Assisted Site survey WizardAP Radio Scan Radio Parameter GenerationAssisted Site Survey Wizard FAQs and Troubleshooting Sites FAQs and Troubleshooting AP Radio Scan Sites Troubleshooting FAQs and Troubleshooting Sites FAQs and Troubleshooting FAQs and Troubleshooting Sites FAQs and Troubleshooting Intrusion Detection System FAQs and Troubleshooting Intrusion Detection System FAQsAPs in Scanning-Only Mode Detecting Rogue APsDetecting Rogue APs Page OL-8376-01 Intrusion Detection System Troubleshooting Admin FAQs and Troubleshooting Admin FAQsFAQs and Troubleshooting Admin FAQs and Troubleshooting Redundancy State Description Admin Troubleshooting Recommended Action FAQs and Troubleshooting Admin FAQs and Troubleshooting Select Faults Manage Fault Settings Troubleshooting Tools for the Wlse Appliance Generating Diagnostics for Technical AssistanceInternal AAA Server Wlse Express FAQs Fault Descriptions To rule Access Point /Bridge FaultsUtilization % CiscoWorks Wireless LAN Solution Engine, ReleaseSsid See IDS Intrusion Detection System Faults, Version numberProblem-details Table-name. OID-nameVlan number VlanChannel origChannel NewChannelRadio Interface Faults Broadcast is disabled for Radio-x Radio Interface Faults Reason, Ignored Rate %Fault. See Q.What are the results Verify RM Capability IDS Intrusion Detection System Faults IDS Faults Ccmp IDSFramecount,Intervalwind FloodcountOwsize Channel Frames Enabled That is observed generating Violation SntpNumber of Ccmp Replay Fault threshold set for Number of Tkip Local Fault threshold set for Cd11IfStationRole from Unregistered Clients One or more unregistered clients Wlse Faults Voice FaultsThreshold% LAN Solution Engine, 2.13. or in the online WlseAAA Server Faults EAP-FASTEAP-MD5, Leap EAP-MD5 /LEAP PEAP/RADIUSEAP-FAST5 EAP-MD5Leap EAPPeap Radius Switch Faults Degraded utilization %Utilization % Router Fault Wlsm FaultsOL-8376-01 D E IN-2 IN-3 Http IN-4Detection, frequency NATIN-6 SSH IN-7WDS IN-8Wlsm IN-10