Security is managed in many ways with the WLSE. First, basic security requirements are pushed out and used consistently throughout the WLAN. For example, the WLSE might require all APs in the organization to use a specific key length. The WLSE also uses Radio Manager to locate and cut off rogue APs.

Managing Security

How you configure security via WLSE depends on the security settings you wish to enable, as well as the type of radio you use. First, follow Templates > Configure, then select Security. Next, you are presented with a list of options. Table 10-3 lists those options and describes what you can do with them.

Table 10-3. Security Settings

| Security Setting | Description |
|---|---|
| Admin Access | Used to add users to the system, remove users from the system, and assign user privileges. |
| SSID 802.11b/g | Used to configure SSID 802.11b/g settings, including: authentication methods, authentication servers, key management, Proxy Mobile IP, and accounting. |
| SSID 802.11a | Used to configure SSID 802.11a settings, including: authentication methods, authentication servers, key management, Proxy Mobile IP, and accounting. |
| WEP 802.11b and 802.11g | Used to manage keys for 802.11b/g radio interfaces, including: key length, ciphers, send and receive keys, and key rotation. |
| WEP 802.11a | Used to manage keys for 802.11a radio interfaces, including: key length, ciphers, send and receive keys, and key rotation. |
| Server Manager | Used to select and configure the backup RADIUS server. |
| Advanced Security | Sets up the AP to authenticate client devices using a combination of MAC- and EAP-based authentication. If this is enabled, clients that use 802.11 open authentication first attempt authentication via MAC. If MAC authentication fails, the AP waits for the client to try EAP authentication. |
| Local RADIUS Server | Used to configure the local RADIUS server. |
Note: Version 2.11 of WLSE includes a wizard for building templates.

Rogue AP Detection and Mitigation

WLSE's radio monitoring feature uses the radio measurement capabilities of IOS-based Cisco APs and client adapters to discover unauthorized APs that send beacons. If beacons are detected, Radio Manager examines the beacon for the MAC address of the AP and sends it back to WDS to check whether the address is one of the authorized APs in the WDS list. If not, WDS sends it up to the WLSE. The administrator is then given the opportunity to categorize the newly detected AP. Detected APs are placed into one of four AP types:

- Managed AP: An authorized AP that needs management from WLSE.
- Unmanaged AP: An authorized AP that does not need management from WLSE.
- Friendly AP: An AP that is not connected to the WLAN, although WLSE detects it. For example, your neighbor's AP can radiate into your office.
- Rogue AP: An AP that is detected and may or may not be connected to the WLAN. It has not been identified as managed, unmanaged, or friendly. This is the default setting when a new AP is discovered, and it remains this way until the administrator reclassifies the AP.

The Fault Summary Table is the source of important information about rogue APs. When you click on the link in the Address, Description, or Timestamp fields, you are shown several pieces of information. Table 10-4 lists the information that you can learn about this device.

Table 10-4. Rogue AP Detail

| Information | Description |
|---|---|
| BSSID | Basic Service Set Identifier. |
| State | The device's state. |
| Vendor | The name of the device's vendor. |
| Change to a Friendly AP | To reclassify this as a friendly device, click Change to a Friendly AP, and then refresh your browser. |
| Delete | To delete this notification, click Delete, and then refresh your browser. |
In addition to basic information about the rogue AP, Table 10-5 lists information that can help you physically locate the rogue AP.

Table 10-5. Rogue AP Location Details

| Information | Description |
|---|---|
| Location | Gives an estimated location of the AP. |
| Timestamp | Lists the date and time the AP was detected. |
| View in Location Manager | Click View in Location Manager for an approximate, graphical location of the rogue AP. |
If the rogue AP is connected to a Cisco switch, you might identify the switch port to which it's connected by using the Switch Port Location feature. Table 10-6 lists the information you can get from this feature.

Table 10-6. Switch Port Location Details

| Information | Description |
|---|---|
| Switch IP | The IP address of the switch to which the AP is connected. |
| Switch port | The switch port to which the AP is connected. |
| Traced MAC address | The rogue AP's MAC address. |
| Timestamp | The date and time when the rogue AP was detected. |
| Re-Trace | Re-run the trace. This is useful if the AP moved to another switch port since its initial detection. |
When a rogue AP fault is created, you can also configure the WLSE to suppress the switch port to which that rogue AP is connected. The WLSE is a powerful piece of equipment and the keystone of the Cisco SWAN solution. To use the robust features of the WLSE, however, you must ensure that the network devices and the WLSE are all properly configured. Keep in mind that there is no substitute for planning and carefully implementing the WLSE. It pays dividends in the long run.
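The classification workflow above (beacon MAC checked against the WDS authorized list, unknown APs defaulting to Rogue until an administrator reclassifies them) and the port-suppression decision can be modelled in a few lines. This is an added illustration, not WLSE code; the `RogueInventory` class, the `APType` names, and the BSSIDs and switch port are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class APType(Enum):
    MANAGED = "Managed AP"
    UNMANAGED = "Unmanaged AP"
    FRIENDLY = "Friendly AP"
    ROGUE = "Rogue AP"


@dataclass
class RogueInventory:
    """Hypothetical model of how WLSE tracks detected APs."""
    wds_authorized: dict                           # BSSID -> MANAGED / UNMANAGED
    detected: dict = field(default_factory=dict)   # BSSID -> current classification

    def observe_beacon(self, bssid: str) -> APType:
        """Radio Manager step: look the beacon's MAC up in the WDS list.
        Known APs keep their type; unknown ones go to WLSE as Rogue by default."""
        bssid = bssid.lower()
        if bssid in self.wds_authorized:
            return self.wds_authorized[bssid]
        # setdefault keeps an earlier administrator decision across re-detections
        return self.detected.setdefault(bssid, APType.ROGUE)

    def reclassify(self, bssid: str, new_type: APType) -> None:
        """Administrator action, e.g. 'Change to a Friendly AP'."""
        bssid = bssid.lower()
        if bssid not in self.detected:
            raise KeyError(f"{bssid} was never reported as a rogue")
        self.detected[bssid] = new_type

    def should_suppress_port(self, bssid: str, traced_port) -> bool:
        """Suppress only if still Rogue and Switch Port Location found a port."""
        still_rogue = self.detected.get(bssid.lower()) is APType.ROGUE
        return still_rogue and traced_port is not None


# Constructed sample data (not real devices)
WDS_LIST = {"00:11:22:33:44:01": APType.MANAGED, "00:11:22:33:44:02": APType.UNMANAGED}
BEACONS = ["00:11:22:33:44:01", "AA:BB:CC:DD:EE:01", "AA:BB:CC:DD:EE:02"]


def run_demo() -> dict:
    inv = RogueInventory(WDS_LIST)
    results = {b.lower(): inv.observe_beacon(b).value for b in BEACONS}
    inv.reclassify("aa:bb:cc:dd:ee:01", APType.FRIENDLY)   # neighbour's AP
    results["suppress_ee01"] = inv.should_suppress_port("aa:bb:cc:dd:ee:01", "Gi0/7")
    results["suppress_ee02"] = inv.should_suppress_port("aa:bb:cc:dd:ee:02", "Gi0/9")
    results["suppress_ee02_untraced"] = inv.should_suppress_port("aa:bb:cc:dd:ee:02", None)
    return results
```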