The WLSE manages security in several ways. First, basic security requirements are sent and used consistently throughout the WLAN. For example, the WLSE might require all APs in the organization to use a specific key length. The WLSE also uses Radio Manager to locate and cut off rogue APs.
How you configure security via WLSE depends on the security settings you wish to enable, as well as the type of radio you use. First, select Templates > Configure, then select Security. You are then presented with a list of options. Table 10-3 lists those options and describes what you can do with them.
Table 10-3. Security Settings
Used to add users to the system, remove users from the system, and assign user privileges.
Used to configure SSID 802.11b/g settings, including:
Proxy Mobile IP
Used to configure SSID 802.11a settings, including:
Proxy Mobile IP
WEP 802.11b and 802.11g
Used to manage keys for 802.11b/g radio interfaces settings, including:
Send and receive keys
Used to manage keys for 802.11a radio interfaces settings, including:
Send and receive keys
Used to select and configure the backup RADIUS server.
Sets up the AP to authenticate client devices and uses a combination of MAC- and EAP-based authentication. If this is enabled, clients that use 802.11 open authentication first attempt authentication via MAC. If MAC fails, the AP waits for the client to try EAP authentication.
Local RADIUS Server
Used to configure the local RADIUS server.
Version 2.11 of WLSE includes a wizard for building templates.
Rogue AP Detection and Mitigation
WLSE's radio monitoring feature uses radio measurement capabilities of IOS-based Cisco APs and client adapters to discover unauthorized APs that send beacons. If beacons are detected, Radio Manager examines the beacon for the MAC address of the AP and sends that back to WDS to see if the address is one of the authorized APs in the WDS list. If not, WDS sends it up to the WLSE.
The administrator is given the opportunity to categorize the newly detected AP. It is placed into one of four AP types:
Managed AP: An authorized AP that needs management from WLSE.
Unmanaged AP: An authorized AP that does not need management from WLSE.
Friendly AP: An AP that is not connected to the WLAN, although WLSE detects it. For example, your neighbor's AP can radiate into your office.
Rogue AP: An AP that is detected and might or might not be connected to the WLAN. It has not been identified as managed, unmanaged, or friendly. This is the default setting when a new AP is discovered, and it remains this way until the administrator reclassifies the AP.
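The detection and classification flow described above can be modeled in a few lines. This is an added example, not WLSE or Cisco code: the function names, the record layout, the AP names, and the sample beacons (built from the RFC 7042 documentation MAC range) are all assumptions made for illustration.

```python
import re
from enum import Enum

class APType(Enum):
    MANAGED = "Managed AP"
    UNMANAGED = "Unmanaged AP"
    FRIENDLY = "Friendly AP"
    ROGUE = "Rogue AP"  # default until an administrator reclassifies

def normalize_mac(mac):
    """Accept colon, dash or Cisco dotted notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[.:-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def triage_beacons(beacons, wds_authorized, admin_labels=None):
    """Return {bssid: fault} for every beacon source absent from the WDS list."""
    authorized = {normalize_mac(m) for m in wds_authorized}
    labels = {normalize_mac(m): t for m, t in (admin_labels or {}).items()}
    faults = {}
    for bssid, reporter, seen in beacons:
        try:
            mac = normalize_mac(bssid)
        except ValueError:
            continue  # malformed report: nothing to compare against the list
        if mac in authorized:
            continue  # known to WDS, so not escalated
        fault = faults.setdefault(mac, {"type": labels.get(mac, APType.ROGUE),
                                        "first_seen": seen, "reporters": set()})
        fault["first_seen"] = min(fault["first_seen"], seen)
        fault["reporters"].add(reporter)
    return faults

def open_rogues(faults):
    """BSSIDs still awaiting an administrator's decision."""
    return sorted(m for m, f in faults.items() if f["type"] is APType.ROGUE)

# Constructed sample data (RFC 7042 documentation MAC range, made-up AP names).
WDS_AUTHORIZED = ["0000.5e00.5301", "0000.5e00.5302"]
ADMIN_LABELS = {"00-00-5E-00-53-A0": APType.FRIENDLY}  # neighbour's AP
SAMPLE_BEACONS = [
    ("00:00:5E:00:53:01", "ap-floor1", "2005-03-01T09:14:10"),  # authorized
    ("00:00:5e:00:53:a0", "ap-floor1", "2005-03-01T09:14:12"),  # friendly
    ("0000.5e00.53ff", "ap-floor2", "2005-03-01T09:15:40"),     # unknown
    ("00:00:5e:00:53:ff", "ap-floor1", "2005-03-01T09:14:55"),  # same, earlier
    ("not-a-mac", "ap-floor2", "2005-03-01T09:16:00"),          # malformed
]

if __name__ == "__main__":
    for mac, fault in triage_beacons(SAMPLE_BEACONS, WDS_AUTHORIZED, ADMIN_LABELS).items():
        print(mac, fault["type"].value, fault["first_seen"], sorted(fault["reporters"]))
```

Normalizing the MAC before the lookup matters because the same BSSID reported in dotted and colon notation would otherwise appear as two separate faults, or miss the authorized list entirely.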
The Fault Summary Table is the source of important information about rogue APs. When you click on the link in the Address, Description, or Timestamp fields, you are shown several pieces of information. Table 10-4 lists the information that you can learn about this device.
Table 10-4. Rogue AP Detail
Basic Service Set Identifier.
The device's state.
The name of the device's vendor.
Change to a Friendly AP
To reclassify this as a friendly device, click Change to a Friendly AP, and then refresh your browser.
To delete this notification, click Delete, and then refresh your browser.
In addition to basic information about the rogue AP, Table 10-5 lists information that can help you physically locate the rogue AP.
Table 10-5. Rogue AP Location Details
Gives an estimated location of the AP.
Lists the date and time the AP was detected.
View in Location Manager
Click View in Location Manager for an approximate, graphical location of the rogue AP.
If the rogue AP is connected to a Cisco switch, you might be able to identify the switch port to which it's connected by using the Switch Port Location feature. Table 10-6 lists the information you can get from this feature.
Table 10-6. Switch Port Location Details
The IP address of the switch to which the AP is connected.
The switch port to which the AP is connected.
Traced MAC address
The rogue AP's MAC address.
The date and time when the rogue AP was detected.
Re-run the trace. This is useful if the AP moved to another switch port since its initial detection.
When a rogue AP fault is created, you can also configure the WLSE to suppress the port to which that rogue AP is connected.
The WLSE is a powerful piece of equipment and a keystone of the Cisco SWAN solution. To use the robust features of the WLSE, however, you must ensure that the network devices and the WLSE are all properly configured. Keep in mind that there is no substitute for carefully planning and implementing the WLSE. It pays dividends in the long run.