Security


Security is managed in many ways with the WLSE. First, basic security requirements are sent and used consistently throughout the WLAN. For example, the WLSE might require all APs in the organization to use a specific length of key. The WLSE also uses Radio Manager to locate and cut off rogue APs.

Managing Security

How you configure security via WLSE depends on the security settings you wish to enable, as well as the type of radio you use. First, select Templates > Configure, then select Security. You are then presented with a list of options. Table 10-3 lists those options and describes what you can do with them.

Table 10-3. Security Settings

| Security Setting | Description |
|---|---|
| Admin Access | Used to add users to the system, remove users from the system, and assign user privileges. |
| SSID 802.11b/g | Used to configure SSID 802.11b/g settings, including authentication methods, authentication servers, key management, Proxy Mobile IP, and accounting. |
| SSID 802.11a | Used to configure SSID 802.11a settings, including authentication methods, authentication servers, key management, Proxy Mobile IP, and accounting. |
| WEP 802.11b and 802.11g | Used to manage key settings for 802.11b/g radio interfaces, including key length, ciphers, send and receive keys, and key rotation. |
| WEP 802.11a | Used to manage key settings for 802.11a radio interfaces, including key length, ciphers, send and receive keys, and key rotation. |
| Server Manager | Used to select and configure the backup RADIUS server. |
| Advanced Security | Sets up the AP to authenticate client devices using a combination of MAC- and EAP-based authentication. If this is enabled, clients that use 802.11 open authentication first attempt authentication via MAC. If MAC authentication fails, the AP waits for the client to try EAP authentication. |
| Local RADIUS Server | Used to configure the local RADIUS server. |


Note

Version 2.11 of WLSE includes a wizard for building templates.


Rogue AP Detection and Mitigation

WLSE's radio monitoring feature uses radio measurement capabilities of IOS-based Cisco APs and client adapters to discover unauthorized APs that send beacons. If beacons are detected, Radio Manager examines the beacon for the MAC address of the AP and sends that back to WDS to see if the address is one of the authorized APs in the WDS list. If not, WDS sends it up to the WLSE.

The administrator is given the opportunity to categorize the newly detected AP. Each AP is placed into one of four types:

  • Managed AP: An authorized AP that needs management from WLSE.

  • Unmanaged AP: An authorized AP that does not need management from WLSE.

  • Friendly AP: An AP that is not connected to the WLAN, although WLSE detects it. For example, your neighbor's AP can radiate into your office.

  • Rogue AP: An AP that is detected and may or may not be connected to the WLAN. It has not been identified as managed, unmanaged, or friendly. This is the default setting when a new AP is discovered, and it remains this way until the administrator reclassifies the AP.
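The detection and classification flow described above, modeled as an added Python example (it is not WLSE code and is not from the book). The names RogueTracker, report_beacon, reclassify and open_rogues are hypothetical, and the beacon reports and MAC addresses are constructed sample data.

```python
from dataclasses import dataclass, field

CATEGORIES = ("managed", "unmanaged", "friendly", "rogue")

def normalize(mac):
    """Reduce aa:bb.., aa-bb.. or aabb.ccdd.eeff notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

@dataclass
class RogueTracker:
    authorized: set                                # stands in for the WDS authorized-AP list
    inventory: dict = field(default_factory=dict)  # stands in for APs passed up to the WLSE

    def __post_init__(self):
        self.authorized = {normalize(m) for m in self.authorized}

    def report_beacon(self, bssid, seen_by, timestamp):
        """Return None if the BSSID is authorized, else the AP's current category."""
        key = normalize(bssid)
        if key in self.authorized:
            return None
        rec = self.inventory.setdefault(
            key, {"category": "rogue", "first_seen": timestamp, "seen_by": set()})
        rec["seen_by"].add(seen_by)   # several APs may hear the same beacon
        rec["last_seen"] = timestamp
        return rec["category"]

    def reclassify(self, bssid, category):
        """Administrator decision; the only way an AP leaves the 'rogue' default."""
        if category not in CATEGORIES:
            raise ValueError(f"unknown category: {category!r}")
        self.inventory[normalize(bssid)]["category"] = category

    def open_rogues(self):
        return sorted(k for k, r in self.inventory.items() if r["category"] == "rogue")

# Constructed sample reports (locally administered MACs, not real devices).
SAMPLE_BEACONS = [
    ("0200.0000.0001", "ap-lobby", "2005-03-01T09:00:00"),
    ("02:00:00:00:00:AA", "ap-lobby", "2005-03-01T09:00:05"),
    ("02-00-00-00-00-aa", "ap-floor2", "2005-03-01T09:00:07"),
    ("02:00:00:00:00:bb", "ap-floor2", "2005-03-01T09:01:00"),
]

def run_sample():
    tracker = RogueTracker(authorized={"02:00:00:00:00:01"})
    results = [tracker.report_beacon(*b) for b in SAMPLE_BEACONS]
    tracker.reclassify("02:00:00:00:00:bb", "friendly")  # e.g. a neighbor's AP
    return results, tracker
```

Normalizing the BSSID before comparison matters because the same address written in colon, hyphen or dotted notation would otherwise miss the authorized list and raise a false rogue fault.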

The Fault Summary Table is the source of important information about rogue APs. When you click on the link in the Address, Description, or Timestamp fields, you are shown several pieces of information. Table 10-4 lists the information that you can learn about this device.

Table 10-4. Rogue AP Detail

| Information | Description |
|---|---|
| BSSID | Basic Service Set Identifier. |
| State | The device's state. |
| Vendor | The name of the device's vendor. |
| Change to a Friendly AP | To reclassify this as a friendly device, click Change to a Friendly AP, and then refresh your browser. |
| Delete | To delete this notification, click Delete, and then refresh your browser. |


In addition to basic information about the rogue AP, Table 10-5 lists information that can help you physically locate the rogue AP.

Table 10-5. Rogue AP Location Details

| Information | Description |
|---|---|
| Location | Gives an estimated location of the AP. |
| Timestamp | Lists the date and time the AP was detected. |
| View in Location Manager | Click View in Location Manager for an approximate, graphical location of the rogue AP. |


If the rogue AP is connected to a Cisco switch, you might be able to identify the switch port to which it is connected by using the Switch Port Location feature. Table 10-6 lists the information you can get from this feature.

Table 10-6. Switch Port Location Details

| Information | Description |
|---|---|
| Switch IP | The IP address of the switch to which the AP is connected. |
| Switch port | The switch port to which the AP is connected. |
| Traced MAC address | The rogue AP's MAC address. |
| Timestamp | The date and time when the rogue AP was detected. |
| Re-Trace | Re-run the trace. This is useful if the AP moved to another switch port since its initial detection. |


When a rogue AP fault is created, you can also configure the WLSE to suppress the port to which that rogue AP is connected.

The WLSE is a powerful piece of equipment and a keystone of the Cisco SWAN solution. To use the robust features of the WLSE, however, you must ensure that the network devices and the WLSE are all properly configured. Keep in mind that there is no substitute for planning and carefully implementing WLSE. It pays dividends in the long run.




Cisco 802.11 Wireless Networking Quick Reference
ISBN: 158705227X
EAN: 2147483647
Year: 2005
Pages: 126
