RE: [WIRELESS-LAN] Stolen Wireless Device Tracking?
We use Splunk for all alerting. It's a syslog collector that can run any type of report based on schedules or cron. It can send emails or trigger scripts to run based on the alert. It's also very handy for tracking down client connectivity problems. The free version of splunk can monitor upto 500 MB of data/day which is rougly 500k-700k syslogs/day. From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Tuesday, December 08, 2009 9:58 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Stolen Wireless Device Tracking? Unfortunately, we experience the occasional theft of University-owned or personal laptops. Using Cisco WCS, we can certainly find the last place a device was, if the wireless adapter was on, before it egressed campus. What is missing is a mechanism to "flag" a MAC address to alert on a client device if it pops back up on the network so there may be an opportunity to react. Has anyone else faced and conquered alerting on specific clients (for whatever reason)? Thanks- Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Adjunct Instructor, iSchool Syracuse University 315 443-3003 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Lee H Badman wrote: > What is missing is a mechanism to “flag” a MAC address to alert on a > client device if it pops back up on the network so there may be an > opportunity to react. We have a somewhat crude but effective approach. We already use What's Up Gold to monitor servers and such. We've pre-populated WUG with three sets of IP addresses that will page me when they come up. Then we make DHCP assignments for the MAC addresses of stolen laptops to assign them one of those IPs. Not the cleanest system, but it has allowed us to recover a few items that hadn't gone directly to eBay... -- Celebrating the 150th anniversary of the publication of the Origin of Species. -- Cal Frye, Network Administrator, Oberlin College Mudd Library, x.56930 -- CIT will NEVER ask you for your password! www.calfrye.com, www.pitalabs.com "Education is not the filling of a pail but the lighting of a fire." --William Butler Yeats. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Stolen Wireless Device Tracking?
We've actually used airwave to solve this issue. It has the capability to flag and email/alert when the stolen MAC address appears anywhere on the wireless network. Also it can physically locate the device within VisualRF (mapping/location services). We located a "stolen" library laptop when it was plugged back into it's charging cart after being "lost" for weeks. -- Justin Hao Network Engineer Texas A&M University Networking and Information Security j...@tamu.edu Lee H Badman wrote: Unfortunately, we experience the occasional theft of University-owned or personal laptops. Using Cisco WCS, we can certainly find the last place a device was, if the wireless adapter was on, before it egressed campus. What is missing is a mechanism to “flag” a MAC address to alert on a client device if it pops back up on the network so there may be an opportunity to react. Has anyone else faced and conquered alerting on specific clients (for whatever reason)? Thanks- Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Adjunct Instructor, iSchool Syracuse University 315 443-3003 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. -- Justin Hao Network Engineer Texas A&M University Networking and Information Security j...@tamu.edu (979)862-2162 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Stolen Wireless Device Tracking?
We have used Splunk which we have monitoring our logs anyway. We configure Splunk to generate alerts when it sees log entries for known stolen mac addresses asssociating with the system. We can then go on site with a hand held tool to find the client device. If the person with the stolen device is unwise enough to actually log into the system it's even easier to id them. -Matt Lee H Badman wrote: Unfortunately, we experience the occasional theft of University-owned or personal laptops. Using Cisco WCS, we can certainly find the last place a device was, if the wireless adapter was on, before it egressed campus. What is missing is a mechanism to “flag” a MAC address to alert on a client device if it pops back up on the network so there may be an opportunity to react. Has anyone else faced and conquered alerting on specific clients (for whatever reason)? Thanks- Lee -- Matt Grover === University of Florida Sr. Network Engineer=== http://net-services.ufl.edu m...@ufl.edu=== Florida Lambda Rail (352)273-1061 === http://www.flrnet.org/ ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Airwave is also able to correlate the radius accounting/login information to the mac-address/ip and can show you a history of time/location as well. So even if you don't "catch" them online it will give you a history of where they were seen and/or the login name/auth information used. -justin Matt Grover wrote: We have used Splunk which we have monitoring our logs anyway. We configure Splunk to generate alerts when it sees log entries for known stolen mac addresses asssociating with the system. We can then go on site with a hand held tool to find the client device. If the person with the stolen device is unwise enough to actually log into the system it's even easier to id them. -Matt Lee H Badman wrote: Unfortunately, we experience the occasional theft of University-owned or personal laptops. Using Cisco WCS, we can certainly find the last place a device was, if the wireless adapter was on, before it egressed campus. What is missing is a mechanism to “flag” a MAC address to alert on a client device if it pops back up on the network so there may be an opportunity to react. Has anyone else faced and conquered alerting on specific clients (for whatever reason)? Thanks- Lee -- Justin Hao Network Engineer Texas A&M University Networking and Information Security j...@tamu.edu (979)862-2162 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Not sure if have the location product, but I was able to setup an alert using the location product. It was a few years ago, but I believe it was pretty simple. On Tue, Dec 8, 2009 at 11:58 AM, Lee H Badman wrote: > Unfortunately, we experience the occasional theft of University-owned or > personal laptops. Using Cisco WCS, we can certainly find the last place a > device was, if the wireless adapter was on, before it egressed campus. > What is missing is a mechanism to “flag” a MAC address to alert on a client > device if it pops back up on the network so there may be an opportunity to > react. > > > > Has anyone else faced and conquered alerting on specific clients (for > whatever reason)? > > > > Thanks- > > > > Lee > > > > Lee H. Badman > > Wireless/Network Engineer > > Information Technology and Services > > Adjunct Instructor, iSchool > > Syracuse University > > 315 443-3003 > > > > > > > ** Participation and subscription information for this EDUCAUSE > Constituent Group discussion list can be found at > http://www.educause.edu/groups/. > > ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Hi Mike- I just got new information from Cisco. As you mention, with their location appliances/MSEs, you can accomplish this in the Context Aware Notifications. I feel silly for not knowing about it, but we are newly on newer code, and I think it's a recently added feature. But I'll be leveraging it soon. -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King Sent: Tuesday, December 08, 2009 2:56 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Not sure if have the location product, but I was able to setup an alert using the location product. It was a few years ago, but I believe it was pretty simple. On Tue, Dec 8, 2009 at 11:58 AM, Lee H Badman mailto:lhbad...@syr.edu>> wrote: Unfortunately, we experience the occasional theft of University-owned or personal laptops. Using Cisco WCS, we can certainly find the last place a device was, if the wireless adapter was on, before it egressed campus. What is missing is a mechanism to "flag" a MAC address to alert on a client device if it pops back up on the network so there may be an opportunity to react. Has anyone else faced and conquered alerting on specific clients (for whatever reason)? Thanks- Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Adjunct Instructor, iSchool Syracuse University 315 443-3003 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Lee, We have the MSE also. Context aware notifications gives you the ability to do what you want. Although we have a case currently open with Cisco because it is not working as they say. Hector Rios Louisiana State University ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Hector- can you describe what's not working? -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios [hr...@lsu.edu] Sent: Tuesday, December 08, 2009 4:38 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Lee, We have the MSE also. Context aware notifications gives you the ability to do what you want. Although we have a case currently open with Cisco because it is not working as they say. Hector Rios Louisiana State University ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Stolen Wireless Device Tracking?
When a specific event occurs, it just doesn't send the email. This might be specific to our setup, but we have tested the mail configuration under " Administration > Settings > Mail Server Configuration" and that works flawlessly. We provided a sniffer capture to Cisco and we are waiting to hear back from them. Hector -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Tuesday, December 08, 2009 5:56 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Hector- can you describe what's not working? -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios [hr...@lsu.edu] Sent: Tuesday, December 08, 2009 4:38 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Lee, We have the MSE also. Context aware notifications gives you the ability to do what you want. Although we have a case currently open with Cisco because it is not working as they say. Hector Rios Louisiana State University ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Hmmm. Do you send other email alerts that work? (like controller/AP down) -Lee -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios Sent: Wednesday, December 09, 2009 8:03 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? When a specific event occurs, it just doesn't send the email. This might be specific to our setup, but we have tested the mail configuration under " Administration > Settings > Mail Server Configuration" and that works flawlessly. We provided a sniffer capture to Cisco and we are waiting to hear back from them. Hector -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Tuesday, December 08, 2009 5:56 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Hector- can you describe what's not working? -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios [hr...@lsu.edu] Sent: Tuesday, December 08, 2009 4:38 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Lee, We have the MSE also. Context aware notifications gives you the ability to do what you want. Although we have a case currently open with Cisco because it is not working as they say. Hector Rios Louisiana State University ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Lee, We use the Airwave management system and have setup a trigger to fire an email to us if any MAC on the list is activated on our network. -- Shane Allan Godmere Senior Telecommunications Engineer II Michigan Technological University 1400 Townsend Dr. EERC-B31 Houghton, MI 49931 Lee H Badman wrote: Unfortunately, we experience the occasional theft of University-owned or personal laptops. Using Cisco WCS, we can certainly find the last place a device was, if the wireless adapter was on, before it egressed campus. What is missing is a mechanism to "flag" a MAC address to alert on a client device if it pops back up on the network so there may be an opportunity to react. Has anyone else faced and conquered alerting on specific clients (for whatever reason)? Thanks- Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Adjunct Instructor, iSchool Syracuse University 315 443-3003 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Haven't tried those yet. But under Context aware notifications, email does not work at all. Hector -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Wednesday, December 09, 2009 7:26 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Hmmm. Do you send other email alerts that work? (like controller/AP down) -Lee -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios Sent: Wednesday, December 09, 2009 8:03 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? When a specific event occurs, it just doesn't send the email. This might be specific to our setup, but we have tested the mail configuration under " Administration > Settings > Mail Server Configuration" and that works flawlessly. We provided a sniffer capture to Cisco and we are waiting to hear back from them. Hector -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Tuesday, December 08, 2009 5:56 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Hector- can you describe what's not working? -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios [hr...@lsu.edu] Sent: Tuesday, December 08, 2009 4:38 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Lee, We have the MSE also. Context aware notifications gives you the ability to do what you want. Although we have a case currently open with Cisco because it is not working as they say. Hector Rios Louisiana State University ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Yeah- now I see what you are talking about. It's not a simple alarm push to WCS which then emails it (we use these, they work). I can't see how to meaningfully set it up in the context aware settings- waiting for input from Cisco. -Lee -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios Sent: Wednesday, December 09, 2009 1:21 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Haven't tried those yet. But under Context aware notifications, email does not work at all. Hector -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Wednesday, December 09, 2009 7:26 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Hmmm. Do you send other email alerts that work? (like controller/AP down) -Lee -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios Sent: Wednesday, December 09, 2009 8:03 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? When a specific event occurs, it just doesn't send the email. This might be specific to our setup, but we have tested the mail configuration under " Administration > Settings > Mail Server Configuration" and that works flawlessly. We provided a sniffer capture to Cisco and we are waiting to hear back from them. Hector -Original Message- From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Tuesday, December 08, 2009 5:56 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Hector- can you describe what's not working? -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios [hr...@lsu.edu] Sent: Tuesday, December 08, 2009 4:38 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Lee, We have the MSE also. Context aware notifications gives you the ability to do what you want. Although we have a case currently open with Cisco because it is not working as they say. Hector Rios Louisiana State University ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Stolen Wireless Device Tracking?
We are using some home grown scripts that notify by sending text messages or emails whenever a device shows up on the network. All open source and notifications are usually within seconds of the device showing up. We get the location information from Cisco WCS. This is also scalable to include multiple campuses/schools. If anyone wants details of how we are doing this, just let me know. On Tue, 8 Dec 2009, Lee H Badman wrote: Date: Tue, 08 Dec 2009 11:58:25 -0500 From: Lee H Badman Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Stolen Wireless Device Tracking? Unfortunately, we experience the occasional theft of University-owned or personal laptops. Using Cisco WCS, we can certainly find the last place a device was, if the wireless adapter was on, before it egressed campus. What is missing is a mechanism to "flag" a MAC address to alert on a client device if it pops back up on the network so there may be an opportunity to react. Has anyone else faced and conquered alerting on specific clients (for whatever reason)? Thanks- Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Adjunct Instructor, iSchool Syracuse University 315 443-3003 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. -- Todd M. Hall Sr. Network Analyst Information Technology Services Mississippi State University t...@msstate.edu 662-325-9311 (phone) ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Hi Todd- I'd be curious to see what you have come up with- thanks. -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Todd M. Hall [t...@msstate.edu] Sent: Wednesday, December 09, 2009 5:44 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? We are using some home grown scripts that notify by sending text messages or emails whenever a device shows up on the network. All open source and notifications are usually within seconds of the device showing up. We get the location information from Cisco WCS. This is also scalable to include multiple campuses/schools. If anyone wants details of how we are doing this, just let me know. On Tue, 8 Dec 2009, Lee H Badman wrote: > Date: Tue, 08 Dec 2009 11:58:25 -0500 > From: Lee H Badman > Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv > > To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU > Subject: [WIRELESS-LAN] Stolen Wireless Device Tracking? > > Unfortunately, we experience the occasional theft of University-owned or > personal laptops. Using Cisco WCS, we can certainly find the last place a > device was, if the wireless adapter was on, before it egressed campus. What > is missing is a mechanism to "flag" a MAC address to alert on a client device > if it pops back up on the network so there may be an opportunity to react. > > Has anyone else faced and conquered alerting on specific clients (for > whatever reason)? > > Thanks- > > Lee > > Lee H. Badman > Wireless/Network Engineer > Information Technology and Services > Adjunct Instructor, iSchool > Syracuse University > 315 443-3003 > > > > > ** > Participation and subscription information for this EDUCAUSE Constituent > Group discussion list can be found at http://www.educause.edu/groups/. > > -- Todd M. Hall Sr. Network Analyst Information Technology Services Mississippi State University t...@msstate.edu 662-325-9311 (phone) ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
Re: [WIRELESS-LAN] Stolen Wireless Device Tracking?
We maintain a mysql database of the mac addresses of stolen devices. We use this to generate a dns config file and use it like a DNS RBL. We use ISC's dhcpd and send the logs to a central log server (syslog-ng). We use SEC to monitor syslog entries in realtime. One of the rules in SEC gets the mac address of every dhcpd query and does a dns query. If it is successful, notification is sent to our security officer as well as me. We then use WCS to find the exact location. We have recovered quite a few notebooks this way. The problem is that most stolen devices are taken off campus and sold on ebay or other online sites. What I would love to see is a central mysql database containing the mac addresses of stolen notebooks from lots of schools. All participating schools could then scan for all the stolen notebooks, not just their own. I think this would lead to a much higher recovery rate for all of us. There are probably legal issues with this concept, but it has potential. On Wed, 9 Dec 2009, Lee H Badman wrote: Date: Wed, 09 Dec 2009 17:49:55 -0500 From: Lee H Badman Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Hi Todd- I'd be curious to see what you have come up with- thanks. -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Todd M. Hall [t...@msstate.edu] Sent: Wednesday, December 09, 2009 5:44 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? We are using some home grown scripts that notify by sending text messages or emails whenever a device shows up on the network. All open source and notifications are usually within seconds of the device showing up. We get the location information from Cisco WCS. This is also scalable to include multiple campuses/schools. If anyone wants details of how we are doing this, just let me know. On Tue, 8 Dec 2009, Lee H Badman wrote: Date: Tue, 08 Dec 2009 11:58:25 -0500 From: Lee H Badman Reply-To: The EDUCAUSE Wireless Issues Constituent Group Listserv To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: [WIRELESS-LAN] Stolen Wireless Device Tracking? Unfortunately, we experience the occasional theft of University-owned or personal laptops. Using Cisco WCS, we can certainly find the last place a device was, if the wireless adapter was on, before it egressed campus. What is missing is a mechanism to "flag" a MAC address to alert on a client device if it pops back up on the network so there may be an opportunity to react. Has anyone else faced and conquered alerting on specific clients (for whatever reason)? Thanks- Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Adjunct Instructor, iSchool Syracuse University 315 443-3003 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. -- Todd M. Hall Sr. Network Analyst Information Technology Services Mississippi State University t...@msstate.edu 662-325-9311 (phone) ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. -- Todd M. Hall Sr. Network Analyst Information Technology Services Mississippi State University t...@msstate.edu 662-325-9311 (phone) ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Lee, I'm following up on this thread from last year. We finally got Context Aware Notifications working on the MSE. We had a couple of issues but TAC helped us get them solved. The notifications are actually pretty cool and something that we had been looking for quite a while. We now should be able to better assist campus police with the detection and tracking of those occasional stolen laptops. BTW, we are running 6.0.170.0 on WCS and 6.0.188.0 on the WiSMs. Thanks, Hector Rios Louisiana State University From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Tuesday, December 08, 2009 2:12 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Hi Mike- I just got new information from Cisco. As you mention, with their location appliances/MSEs, you can accomplish this in the Context Aware Notifications. I feel silly for not knowing about it, but we are newly on newer code, and I think it's a recently added feature. But I'll be leveraging it soon. -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King Sent: Tuesday, December 08, 2009 2:56 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Not sure if have the location product, but I was able to setup an alert using the location product. It was a few years ago, but I believe it was pretty simple. On Tue, Dec 8, 2009 at 11:58 AM, Lee H Badman wrote: Unfortunately, we experience the occasional theft of University-owned or personal laptops. Using Cisco WCS, we can certainly find the last place a device was, if the wireless adapter was on, before it egressed campus. What is missing is a mechanism to "flag" a MAC address to alert on a client device if it pops back up on the network so there may be an opportunity to react. Has anyone else faced and conquered alerting on specific clients (for whatever reason)? Thanks- Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Adjunct Instructor, iSchool Syracuse University 315 443-3003 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
RE: [WIRELESS-LAN] Stolen Wireless Device Tracking?
Thanks for the update, Hector. We got this running as well, it does work. I don't care for the need to sychronize the Loc Servers, but what the hey. Right before Christmas, I was able to shut down a one-man, years-running crime spree with this. Our police were thrilled, and a lot of people got property returned to them, so we have already seen value. -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [wireless-...@listserv.educause.edu] On Behalf Of Hector J Rios [hr...@lsu.edu] Sent: Friday, February 12, 2010 9:15 AM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Lee, I’m following up on this thread from last year. We finally got Context Aware Notifications working on the MSE. We had a couple of issues but TAC helped us get them solved. The notifications are actually pretty cool and something that we had been looking for quite a while. We now should be able to better assist campus police with the detection and tracking of those occasional stolen laptops. BTW, we are running 6.0.170.0 on WCS and 6.0.188.0 on the WiSMs. Thanks, Hector Rios Louisiana State University From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Lee H Badman Sent: Tuesday, December 08, 2009 2:12 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Hi Mike- I just got new information from Cisco. As you mention, with their location appliances/MSEs, you can accomplish this in the Context Aware Notifications. I feel silly for not knowing about it, but we are newly on newer code, and I think it’s a recently added feature. But I’ll be leveraging it soon. -Lee From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:wireless-...@listserv.educause.edu] On Behalf Of Mike King Sent: Tuesday, December 08, 2009 2:56 PM To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU Subject: Re: [WIRELESS-LAN] Stolen Wireless Device Tracking? Not sure if have the location product, but I was able to setup an alert using the location product. It was a few years ago, but I believe it was pretty simple. On Tue, Dec 8, 2009 at 11:58 AM, Lee H Badman mailto:lhbad...@syr.edu>> wrote: Unfortunately, we experience the occasional theft of University-owned or personal laptops. Using Cisco WCS, we can certainly find the last place a device was, if the wireless adapter was on, before it egressed campus. What is missing is a mechanism to “flag” a MAC address to alert on a client device if it pops back up on the network so there may be an opportunity to react. Has anyone else faced and conquered alerting on specific clients (for whatever reason)? Thanks- Lee Lee H. Badman Wireless/Network Engineer Information Technology and Services Adjunct Instructor, iSchool Syracuse University 315 443-3003 ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
