Re: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Clark Gaylord
Yantis, Jonathan Lindsey wrote:
> Sometimes that is the case and sometimes not.  I think what Jeff was
> saying is that they connected to the AP with a client and then pinged a

Not necessarily. You can snarf it off the beacon, even if it is closed.

> device or something along those lines to get the clients mac to show up

That certainly is a good method when it works, but the WAP may not be open.

> on a port.  Then you don't have to worry about the APs mac, you just
> look for your own.

Even if not obiwan, it is often within a few octets.  Start with

show mac-address-table | include ..xx

and then remove more nibbles until you start getting hits.  You still
may not get close (WAPs with PCCard NICs will generally not be close ...
e.g. RoamAbouts have Yago wired, but whatever Lucent-style you plug in
on the wireless), but the usual Linksys/Dlink/Belkin crap will get
caught this way.  Sometimes you just have to resort to the Pringles Can
of Death or the 4MegaWatt 2.4GHz transmitter, but start with these tricks.

And if all else fails, I guarantee if you start walking around with a
big wad of keys, a pair of wire-cutters, a BVS Locust, and a couple of
your biggest and ugliest from the network goon squad, it won't take long
to find the remaining WAPs ... just like rats skittering for the hole.

--ckg
**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.


Re: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Clark Gaylord
Michael Dickson wrote:
> Using port security tends to open a can of worms with faculty and TA's
> who use hubs in overcrowded offices. Also, it does not defend against
> rogue AP's or other devices doing NAT, as only a single mac is seen on
> the switch.

And not running it opens a security can of worms (though I give a big
thumbs-up to Cisco for having per-port forwarding table limit < global
switch limit).  You are correct that it cannot help with NAT boxes, but
it is a Good Thing anyway.  We allow private networks, at the same
per-station cost to users, if they want to order that, but the default
is one port = one MAC.  We also only run port-fast if it is a single
station port, which is also a Good Thing.

--ckg


RE: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Frank Bulk
If you are looking to find Ethernet devices on your network the open source
Netdisco is a good place to start:
http://netdisco.org

If you are running a homogenous network with Cisco, Foundry, or some other
vendor that has CDP, etc support, it should be easy enough to whip up a Perl
script that traces the port from the core down to the edge.  I wrote one two
years ago for our Cisco network and it does in seconds what took me minutes
by hand with consecutive telnet sessions.  Rogue PC's that showed up on our
ResNET were automatically traced and recorded for later visitations.

At the end of the day you don't want to have to walk around your dorms with
a PocketPC to find rogue devices.  I think you're much better off doing some
wireside detection (that looks for nodes that have not registered with your
ResNET system), use some more affordable wireless security such as provided
by Network Chemistry, or, better yet, obviate the need by providing wireless
service in those areas.

Frank



RE: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Metzler, David
We take a similar tack, but use the idea of tracking the IP address
reported by an internal campus web server to a specific location.
(Which we need to do for virus outbreaks anyway.) Because we use VLANs
it's a little tedious to search all networks for a similar mac address.

So we use a little server side script to report the IP address as it's
seen by our web server (this gives you the external address even on NAT
enabled APs).

The process is as follows:

1.  When we find the wireless signal that we can get internet connection
on, visit the following web page:
http://www.evergreen.edu/netservices/clientinfo.asp (this page was
designed small enough to display easily on pocket pc or other handheld).

2.  Go to the internal router for the subnet or get on the same subnet
and arp the ip to obtain the mac address.  (there's probably more
graceful ways to do this, particularly if you're on the same subnet).

3.  Follow the switch tables to track the port to its physical location
on our LAN.

I find having the IP as reported by the web server also lets me know
how worried to be about the rogue AP, since it tells me instantly if
it's on a public network jack or a higher security network.  (again VLANs
make it harder to know).

David Metzler
The Evergreen State College



RE: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Donald Gallerie
John,

While this list is not definitive, the attached is used by Netdisco
to try to identify access points from the wired side.  My understanding
is that the list was actually born within Kismet but I cannot verify
that.

Don


Re: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Jeff Wolfe
John Watters wrote:
> Where can we find a good list of the MAC address ranges for wireless access
> points? If I just look by manufacturer (see
> http://standards.ieee.org/regauth/oui/index.shtml) I do not see a distinction
> between their access points & their NICs, switches, routers, and other network
> equipment?

I'm not aware that there is such a list. Even if there was, I imagine
it'd be continuously out of date.

As I mentioned earlier, our technique is to capture an AP beacon frame
and extract the MAC address in the beacon frame. (Usually, the WLSE does
that part of the job for us, although we do occasionally wander around
with netstumbler.)

Once we have the MAC from the beacon, we just query our network
management database for all mac addresses that are similar, except for
the last octet eg:

'select * from macdb where mac like "nn:nn:nn:nn:nn:%"'.

We then investigate any wired MAC addresses that turn up in the search.
So far, this method has worked for all the rogues we've investigated..
I expect that sooner or later we'll find some APs that don't have
sequential MAC addresses, but that's just the way it goes.

-JEff
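
Added example (not code from any poster in this thread): the prefix match Jeff describes, combined with the nibble-by-nibble widening Clark suggests for "show mac-address-table | include", run over a forwarding-table dump. The Cisco IOS-style table layout, the function names, the sample rows and the "more than two MACs on a port means uplink or hub" heuristic are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of Cisco IOS "show mac-address-table"
# output. These rows are invented for the example, not taken from a network.
SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0004.5a0e.1c3e    DYNAMIC     Fa0/12
  10    0011.2233.4455    DYNAMIC     Fa0/3
  20    0004.5a0e.1b90    DYNAMIC     Gi0/1
  20    0030.6512.ab01    DYNAMIC     Gi0/1
  20    000d.8842.77f0    DYNAMIC     Gi0/1
  30    0009.5b66.a2c7    DYNAMIC     Fa0/20
"""

# One table row: VLAN number, dotted MAC, entry type, port name.
MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})"
    r"\s+(\S+)\s+(\S+)\s*$"
)


def normalize_mac(mac):
    """Reduce aa:bb:.., aa-bb-.. or aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def parse_mac_table(text):
    """Return one dict per forwarding entry; headers and rulers are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append({
                "vlan": int(m.group(1)),
                "mac": normalize_mac(m.group(2)),
                "port": m.group(4),
            })
    return rows


def find_wired_candidates(bssid, rows, max_nibbles=4, uplink_threshold=2):
    """Search the table for wired MACs close to a beacon's BSSID.

    Starts by ignoring the last octet (2 nibbles) and drops one more nibble
    per round until something matches or max_nibbles is reached. Returns
    (nibbles_dropped, hits); hits are ranked with single-station ports first,
    then by numeric distance from the BSSID. Returns (None, []) on no match.
    """
    target = normalize_mac(bssid)
    macs_per_port = Counter(r["port"] for r in rows)
    for dropped in range(2, max_nibbles + 1):
        prefix = target[:12 - dropped]
        hits = [r for r in rows if r["mac"].startswith(prefix)]
        if not hits:
            continue
        ranked = [
            dict(
                r,
                distance=abs(int(r["mac"], 16) - int(target, 16)),
                # Assumption: a port that has learned many MACs is an uplink
                # or a hub, so the device is further downstream.
                likely_uplink=macs_per_port[r["port"]] > uplink_threshold,
            )
            for r in hits
        ]
        ranked.sort(key=lambda h: (h["likely_uplink"], h["distance"]))
        return dropped, ranked
    return None, []


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_TABLE)
    # Constructed BSSIDs: one adjacent to a wired MAC, one that only
    # matches after widening, one with no wired neighbour at all.
    for seen in ("00:04:5A:0E:1C:3F", "00-09-5b-66-a3-01", "aa:bb:cc:dd:ee:ff"):
        dropped, hits = find_wired_candidates(seen, table)
        print(seen, "->", dropped, [(h["port"], h["mac"]) for h in hits])
```

A hit flagged likely_uplink only says the MAC was learned through that port; the same search has to be repeated on the downstream switch to reach the edge port.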


RE: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Frank Bulk
There aren't any easy answers, but both AirTight Networks (a startup) and
AirDefense play their wireless and wireside detection and mitigation
algorithms quite strongly.  In fact, all the wireless security vendors,
including Red M and AirMagnet will make some mention of 'proprietary' or
'patented' in regards to their detection algorithms.

AirTight doesn't require any proprietary hardware for their wireside
detection (AirDefense uses a Linux-base appliance to host their distributed
version), so perhaps it's worth it to ask them for a 30-day trial and see if
they prove their worth.
http://www.airtightnetworks.net/products/products-spectraguard.html

Regards,

Frank

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Donald Gallerie
Sent: Friday, February 04, 2005 1:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Identification Tools

In an effort to better identify rogue access points, can any of you
recommend tools that would make the physical and network pinpointing of WAPs
a bit easier.  We have identified a number of rogues but cannot ascertain
exactly where they are.  We have tried getting the mac address from the
wireless side and doing an arp lookup but oftentimes they are running NAT
and the mac on the wired side is different.

We would like to sweep the campus and get as much information as we can in a
single pass (automatic documentation features would also be useful).  I had
thought about using a directional antenna and netstumbler but thought others
may have found other, more user friendly tools.

Any recommendations?

Don Gallerie
Assistance Director
Telecommunications
The University at Albany



RE: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Yantis, Jonathan Lindsey
Sometimes that is the case and sometimes not.  I think what Jeff was
saying is that they connected to the AP with a client and then pinged a
device or something along those lines to get the clients mac to show up
on a port.  Then you don't have to worry about the APs mac, you just
look for your own. 

 -- Jonathan Yantis - [EMAIL PROTECTED] - (843-953-7770)



RE: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Justin N. Borthwick
I think that what Jeff was implying was that if you know the wireless
side MAC address for the access point then it is a good bet that the
wired side MAC address is within one digit of it. So use a wireless
sniffer and find the wireless side and then start hunting for a MAC
address that has all but the same last digit. It has also been my
experience that the addresses are most often within one digit of each
other and always the last digit. 

Justin Borthwick
Systems Programmer, Senior
University of Wyoming
Ivinson 237
[EMAIL PROTECTED]
Phone: (307) 766-2815
Fax: (307) 766-2984



Re: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread John Watters
Where can we find a good list of the MAC address ranges for wireless access
points? If I just look by manufacturer (see
http://standards.ieee.org/regauth/oui/index.shtml) I do not see a distinction
between their access points & their NICs, switches, routers, and other network
equipment?

-jcw



John Watters  UA: Office of Information Technology  205-348-3992



Re: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Jeff Wolfe
Philippe Hanset wrote:
> Don,
>
> A trick that I have been willing to test for a long time would be
> to join the Rogue AP, send traffic to a known sniffing host
> in that same layer2 network.
> This will reveal the Wired MAC address of the AP.
> Then search for that MAC on your wired side and disable the port.
> (if you have a good circuit-to-switchport DB, you know the location as
> well)
> If the AP doesn't allow guests, we use Directional Antennas
> and Wireless Sniffers as you mentioned.
>
> And as I have mentioned before: we rarely have Rogue APs
> in places where we provide decent Free Wireless coverage!

We've been able to have good luck by searching our switch FDBs for MAC
addresses matching all but the last octet of the MAC address in the
rogue AP's beacon. More often than not, manufacturers use sequential MAC
addresses for the wired and wireless ports of their devices. Of the 5 or
6 rogues we've seen over the last year, all were locatable that way.

YMMV.. :)

-JEff


Re: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Philippe Hanset
Don,

A trick that I have been willing to test for a long time would be
to join the Rogue AP, send traffic to a known sniffing host
in that same layer2 network.
This will reveal the Wired MAC address of the AP.
Then search for that MAC on your wired side and disable the port.
(if you have a good circuit-to-switchport DB, you know the location as
well)
If the AP doesn't allow guests, we use Directional Antennas
and Wireless Sniffers as you mentioned.

And as I have mentioned before: we rarely have Rogue APs
in places where we provide decent Free Wireless coverage!

Philippe Hanset
University of Tennessee

On Fri, 4 Feb 2005, Donald Gallerie wrote:

> In an effort to better identify rogue access points, can any of you
> recommend tools that would make the physical and network pinpointing of WAPs
> a bit easier.  We have identified a number of rogues but cannot ascertain
> exactly where they are.  We have tried getting the mac address from the
> wireless side and doing an arp lookup but oftentimes they are running NAT
> and the mac on the wired side is different.
>
> We would like to sweep the campus and get as much information as we can
> in a single pass (automatic documentation features would also be useful).  I
> had thought about using a directional antenna and netstumbler but thought
> others may have found other, more user friendly tools.
>
> Any recommendations?
>
> Don Gallerie
> Assistance Director
> Telecommunications
> The University at Albany



Innerwireless Distributed Antenna System?

2005-02-04 Thread Zeller, Tom S
We had a presentation on this from Johnson Controls yesterday.  My
RF-oriented colleagues thought it was a good idea in many ways.  We didn't
get as deep as pricing but suspect we won't be willing to pay what it
takes.  I suspect the ROI only works if you have multiple wireless systems
that are important to you (only guessing though).  Doing this just for WiFi
may not make sense.  So, sure, it would be nice if the two-way radios used
by field personnel of various sorts worked everywhere, but how much money is
that worth.  Another problem is that no one entity is responsible for all
the wireless services that might benefit.

One interesting aspect was the capability to work with one or more cellular
carriers to plug into the system so everyone's cell phone would work in such
buildings.  Theoretically you could get a carrier to pay YOU to put their
stuff in large dorms due to the thousands of customers that would come their
way.

Tom Zeller
Indiana University
[EMAIL PROTECTED]


RE: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Yantis, Jonathan Lindsey
That is true about disrupting the hubs in offices, but that battle has
already been waged on our network for the most part (and we won).  You
are right about the NAT part, it doesn't fix the problem with the NAT
gateways but it does fix basic APs handing out campus addresses and a
few other problems we had in addition to our other tools.  YMMV

 -- Jonathan Yantis - [EMAIL PROTECTED] - (843-953-7770)

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Dickson
Sent: Friday, February 04, 2005 3:14 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Identification Tools

Using port security tends to open a can of worms with faculty and TA's
who use hubs in overcrowded offices. Also, it does not defend against
rogue AP's or other devices doing NAT, as only a single mac is seen on
the switch.

   Mike

***
Michael Dickson Phone: 413-545-9639
Network Analyst Fax:   413-545-3203
University of Massachusetts Email: [EMAIL PROTECTED]
Network Systems and Services
***

Yantis, Jonathan Lindsey wrote:
> One way we have found to mitigate rogue APs (and this only works on
> newer networks) is through port security.  If you are running cisco
> 2950s or newer on your wired lan, you can use this method to restrict
> each port on your lan to a single device and this in turn knocks off any
> associated clients to an AP since the AP itself takes up one mac
> address.
>
> We use the following port level commands:
>
> switchport mode access
>  switchport port-security
>  switchport port-security aging time 1
>  switchport port-security violation restrict
>
>
> This lets users disconnect their desktops and plug up a laptop if they
> want, but it still restricts the port to one mac address per 1min
> interval.
>
>
> I know this isn't exactly what you were looking for but it is one more
> way we have found to make things easier.  It also knocks off consumer
> hubs and switches too.  Other than that, we do like you, ministumbler
> on an ipaq or netstumbler on windows (or kismet on linux).
>
>
>  -- Jonathan Yantis - [EMAIL PROTECTED] - (843-953-7770)
>
> -Original Message-
> From: 802.11 wireless issues listserv
> [mailto:[EMAIL PROTECTED] On Behalf Of Donald Gallerie
> Sent: Friday, February 04, 2005 2:17 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] Wireless Identification Tools
>
> In an effort to better identify rogue access points, can any of you
> recommend tools that would make the physical and network pinpointing of
> WAPs a bit easier.  We have identified a number of rogues but cannot
> ascertain exactly where they are.  We have tried getting the mac address
> from the wireless side and doing an arp lookup but oftentimes they are
> running NAT and the mac on the wired side is different.
>
> We would like to sweep the campus and get as much information as we can
> in a single pass (automatic documentation features would also be
> useful).  I had thought about using a directional antenna and netstumbler
> but thought others may have found other, more user friendly tools.
>
> Any recommendations?
>
> Don Gallerie
> Assistance Director
> Telecommunications
> The University at Albany
>


802.1x, news

2005-02-04 Thread Philippe Hanset
http://www.securew2.com

is now open-source, supporting 802.1x with EAP-TTLS for Windows
XP/2000/CE.

A good complement to the existing open-source
development from http://www.open1x.org
(supports POSIX OSes)

Philippe Hanset
University of Tennessee

On Fri, 4 Feb 2005, Michael Dickson wrote:

> Using port security tends to open a can of worms with faculty and TA's
> who use hubs in overcrowded offices. Also, it does not defend against
> rogue AP's or other devices doing NAT, as only a single mac is seen on
> the switch.
>
>Mike
>
> ***
> Michael Dickson Phone: 413-545-9639
> Network Analyst Fax:   413-545-3203
> University of Massachusetts Email: [EMAIL PROTECTED]
> Network Systems and Services
> ***
>
> Yantis, Jonathan Lindsey wrote:
> > One way we have found to mitigate rogue APs (and this only works on
> > newer networks) is through port security.  If you are running cisco 2950s
> > or newer on your wired lan, you can use this method to restrict each
> > port on your lan to a single device and this in turn knocks off any
> > associated clients to an AP since the AP itself takes up one mac
> > address.
> >
> > We use the following port level commands:
> >
> > switchport mode access
> >  switchport port-security
> >  switchport port-security aging time 1
> >  switchport port-security violation restrict
> >
> >
> > This lets users disconnect their desktops and plug up a laptop if they
> > want, but it still restricts the port to one mac address per 1min
> > interval.
> >
> >
> > I know this isn't exactly what you were looking for but it is one more
> > way we have found to make things easier.  It also knocks off consumer
> > hubs and switches too.  Other than that, we do like you, ministumbler on
> > an ipaq or netstumbler on windows (or kismet on linux).
> >
> >
> >  -- Jonathan Yantis - [EMAIL PROTECTED] - (843-953-7770)
> >
> > -Original Message-
> > From: 802.11 wireless issues listserv
> > [mailto:[EMAIL PROTECTED] On Behalf Of Donald Gallerie
> > Sent: Friday, February 04, 2005 2:17 PM
> > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> > Subject: [WIRELESS-LAN] Wireless Identification Tools
> >
> > In an effort to better identify rogue access points, can any of you
> > recommend tools that would make the physical and network pinpointing of
> > WAPs a bit easier.  We have identified a number of rogues but cannot
> > ascertain exactly where they are.  We have tried getting the mac address
> > from the wireless side and doing an arp lookup but oftentimes they are
> > running NAT and the mac on the wired side is different.
> >
> > We would like to sweep the campus and get as much information as we can
> > in a single pass (automatic documentation features would also be
> > useful).  I had thought about using a directional antenna and netstumbler
> > but thought others may have found other, more user friendly tools.
> >
> > Any recommendations?
> >
> > Don Gallerie
> > Assistance Director
> > Telecommunications
> > The University at Albany
> >


Re: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Bill Lawrence
Airmagnet laptop or handheld will work.
At 02:16 PM 2/4/2005, you wrote:
In an effort to better identify rogue access points, can any of you
recommend tools that would make the physical and network pinpointing of WAPs
a bit easier.  We have identified a number of rogues but cannot ascertain
exactly where they are.  We have tried getting the mac address from the
wireless side and doing an arp lookup but oftentimes they are running NAT
and the mac on the wired side is different.
We would like to sweep the campus and get as much information as we can
in a single pass (automatic documentation features would also be useful).  I
had thought about using a directional antenna and netstumbler but thought
others may have found other, more user friendly tools.
Any recommendations?
Don Gallerie
Assistance Director
Telecommunications
The University at Albany
--
Bill Lawrence RCDD, LAN Specialist
Georgia Institute of Technology
Office of Information Technology
258 4th Street NW
Atlanta, GA 30332-0715
Phone: 404-894-9504 Fax: 404-894-3599


Re: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Michael Dickson
Using port security tends to open a can of worms with faculty and TA's
who use hubs in overcrowded offices. Also, it does not defend against
rogue AP's or other devices doing NAT, as only a single mac is seen on
the switch.
  Mike
***
Michael Dickson Phone: 413-545-9639
Network Analyst Fax:   413-545-3203
University of Massachusetts Email: [EMAIL PROTECTED]
Network Systems and Services
***
Yantis, Jonathan Lindsey wrote:
One way we have found to mitigate rogue APs (and this only works on
newer networks) is through port security.  If you are running cisco 2950s
or newer on your wired lan, you can use this method to restrict each
port on your lan to a single device and this in turn knocks off any
associated clients to an AP since the AP itself takes up one mac
address.
We use the following port level commands:
switchport mode access
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
This lets users disconnect their desktops and plug up a laptop if they
want, but it still restricts the port to one mac address per 1min
interval.
I know this isn't exactly what you were looking for but it is one more
way we have found to make things easier.  It also knocks off consumer
hubs and switches too.  Other than that, we do like you, ministumbler on
an ipaq or netstumbler on windows (or kismet on linux).
 -- Jonathan Yantis - [EMAIL PROTECTED] - (843-953-7770)
-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Donald Gallerie
Sent: Friday, February 04, 2005 2:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Identification Tools
In an effort to better identify rogue access points, can any of you
recommend tools that would make the physical and network pinpointing of
WAPs a bit easier.  We have identified a number of rogues but cannot
ascertain exactly where they are.  We have tried getting the mac address
from the wireless side and doing an arp lookup but oftentimes they are
running NAT and the mac on the wired side is different.
We would like to sweep the campus and get as much information as we can
in a single pass (automatic documentation features would also be
useful).  I had thought about using a directional antenna and netstumbler
but thought others may have found other, more user friendly tools.
Any recommendations?
Don Gallerie
Assistance Director
Telecommunications
The University at Albany


RE: [WIRELESS-LAN] Wireless Identification Tools

2005-02-04 Thread Yantis, Jonathan Lindsey
One way we have found to mitigate rogue APs (and this only works on
newer networks) is through port security.  If you are running cisco 2950s
or newer on your wired lan, you can use this method to restrict each
port on your lan to a single device and this in turn knocks off any
associated clients to an AP since the AP itself takes up one mac
address.

We use the following port level commands:

switchport mode access
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict


This lets users disconnect their desktops and plug up a laptop if they
want, but it still restricts the port to one mac address per 1min
interval. 


I know this isn't exactly what you were looking for but it is one more
way we have found to make things easier.  It also knocks off consumer
hubs and switches too.  Other than that, we do like you, ministumbler on
an ipaq or netstumbler on windows (or kismet on linux).


 -- Jonathan Yantis - [EMAIL PROTECTED] - (843-953-7770)

-Original Message-
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED] On Behalf Of Donald Gallerie
Sent: Friday, February 04, 2005 2:17 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: [WIRELESS-LAN] Wireless Identification Tools

In an effort to better identify rogue access points, can any of you
recommend tools that would make the physical and network pinpointing of
WAPs a bit easier.  We have identified a number of rogues but cannot
ascertain exactly where they are.  We have tried getting the mac address
from the wireless side and doing an arp lookup but oftentimes they are
running NAT and the mac on the wired side is different.

We would like to sweep the campus and get as much information as we can
in a single pass (automatic documentation features would also be
useful).  I had thought about using a directional antenna and netstumbler
but thought others may have found other, more user friendly tools.

Any recommendations?

Don Gallerie
Assistance Director
Telecommunications
The University at Albany
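
Added example, not part of the original message or the poster's own tooling: with `violation restrict` the switch logs each frame from a MAC beyond the one allowed, so those syslog lines can be mined to list ports that have a hub or bridging AP behind them. The log-line layout (timestamp and hostname prefix), the sample data and the function name are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines as a central log host might store them.
# Switch names, ports, MACs and times are invented for this example.
SAMPLE_LOG = """\
Feb  4 14:02:11 sw-bldg3 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4401 on port FastEthernet0/7.
Feb  4 14:02:13 sw-bldg3 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4402 on port FastEthernet0/7.
Feb  4 14:02:40 sw-bldg3 %LINK-3-UPDOWN: Interface FastEthernet0/9, changed state to up
Feb  4 14:03:05 sw-bldg3 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4402 on port FastEthernet0/7.
Feb  4 14:03:30 sw-bldg3 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4403 on port FastEthernet0/7.
Feb  4 14:10:02 sw-bldg3 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.0001 on port FastEthernet0/12.
Feb  4 15:20:44 sw-dorm1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00AA.BBCC.0101 on port FastEthernet0/3.
Feb  4 15:21:09 sw-dorm1 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 00aa.bbcc.0102 on port FastEthernet0/3.
"""

# Assumed layout: "Mon DD HH:MM:SS <switch> ... %PORT_SECURITY-2-PSECURE_VIOLATION: ..."
LINE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<switch>\S+)\s.*"
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*MAC address\s+"
    r"(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+on port\s+(?P<port>[\w/]+)",
    re.IGNORECASE,
)


def ports_with_extra_devices(log_text, min_macs=2):
    """Return [(switch, port, [macs])] for ports where at least `min_macs`
    distinct MACs tripped port security, busiest port first.

    A single offending MAC is usually a user swapping a desktop for a laptop
    inside the one-minute aging window; several distinct MACs on one port
    point to a hub, switch or bridging AP. A NAT router presents only its
    own MAC and never appears here, the limitation raised in the thread.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            seen[(m["switch"], m["port"])].add(m["mac"].lower())
    ranked = sorted(seen.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(sw, port, sorted(macs))
            for (sw, port), macs in ranked if len(macs) >= min_macs]


if __name__ == "__main__":
    for switch, port, macs in ports_with_extra_devices(SAMPLE_LOG):
        print(f"{switch} {port}: {len(macs)} extra MACs -> {', '.join(macs)}")
```
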



Wireless Identification Tools

2005-02-04 Thread Donald Gallerie
In an effort to better identify rogue access points, can any of you
recommend tools that would make the physical and network pinpointing of WAPs
a bit easier.  We have identified a number of rogues but cannot ascertain
exactly where they are.  We have tried getting the mac address from the
wireless side and doing an arp lookup but oftentimes they are running NAT
and the mac on the wired side is different.

We would like to sweep the campus and get as much information as we can
in a single pass (automatic documentation features would also be useful).  I
had thought about using a directional antenna and netstumbler but thought
others may have found other, more user friendly tools.

Any recommendations?

Don Gallerie
Assistance Director
Telecommunications
The University at Albany
