I don't believe that Netstumbler catches devices that hide their SSID.
 
While Cisco's WLSE 2.5 identifies rogues, it's not a solution I would get just to identify rogues. WLSE remains primarily a configuration system for APs. Of course, if you already have Cisco APs, then WLSE is a no-brainer.
 
Wireless containment is a nice feature, but few have it; only Aruba's wireless switch can auto-contain. For the rest, it's either manual or in consideration for implementation. The vendors can all do it (it's just a DeAuth), but there are some liability concerns, obvious in situations where your system is on the 10th floor of a 25-floor building.
 
Frank

>>> [EMAIL PROTECTED] Tuesday, February 17, 2004 5:44:12 pm >>>
Here are a few hints Re: Rogue AP Detection:

1. We found that they usually pop up in areas of low or no coverage (of
campus wireless network). So, generally people will take them home, if
you provide better coverage at their spot...

2. Some WLAN software management tools have introduced Rogue AP detection
(via wired), but that is fairly rudimentary: trying SNMP with well known
community strings, telnet, http server - similar to OS fingerprinting.
You could devise a plan with all these options, but beware - this is
still very unreliable.

3. Netstumbler (and such) is the best method, but you may not catch it if
Rogue AP is not on when you survey. Even if you find one, that may not be
enough to identify a wired port. In order to catch the port (assuming NAT
on AP is on) you need to do something like attempt a connection to a
server (or just a ping) you have under control and trace back IP/MAC/port.

4. APs doing automatic Rogue AP detection: that is under development or
already released by key players. I haven't seen Cisco WLSE in action, but
a few screen captures looked interesting. Proxim AP2K will send a trap,
but then you have to do all the processing, etc. You still may not know
which port to shut down, but at least it reduces the number of field
visits!


-predrag

---------------------------------------------------------------------
Predrag Radulovic Phone: (865) 974-0301
OIT - Network Services Fax: (865) 974-8655
2339 Dunford Hall
University of Tennessee, E-mail: [EMAIL PROTECTED]
Knoxville, TN 37996 http://web.utk.edu/~prerad
---------------------------------------------------------------------
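
The trace-back described in hint 3 above (a test connection through the suspect AP to a server you control, then IP to MAC to switch port), as an added example that is not part of either message. The log line, ARP and MAC-table text, switch names and the `/rogue-trace-probe` marker are constructed, and the uplink list is assumed to come from your own network documentation.

```python
import re
# Constructed sample data (not from the original thread).
# Log line from a server you control; with NAT on, the source is the AP's wired-side IP.
SERVER_LOG = '10.20.30.77 - - [17/Feb/2004:17:40:02 -0500] "GET /rogue-trace-probe HTTP/1.0" 404 -'
# Router ARP table for that subnet (layout modelled on common router output).
ARP_TABLE = """\
Internet  10.20.30.1    -   0000.0c07.ac01  ARPA  Vlan30
Internet  10.20.30.77   3   0040.96aa.bb01  ARPA  Vlan30
Internet  10.20.30.90   12  0008.7411.22cc  ARPA  Vlan30
"""
# MAC address tables per switch; the same MAC is also learned on uplinks.
MAC_TABLES = {
    "dist-sw1": "30  0040.96aa.bb01  DYNAMIC  Gi0/1\n30  0008.7411.22cc  DYNAMIC  Gi0/2\n",
    "edge-sw7": "30  0040.96aa.bb01  DYNAMIC  Fa0/14\n30  0000.0c07.ac01  DYNAMIC  Gi0/1\n",
}
# Inter-switch links (assumption: known from documentation); never the access port.
UPLINKS = {("dist-sw1", "Gi0/1"), ("dist-sw1", "Gi0/2"), ("edge-sw7", "Gi0/1")}

def norm_mac(mac):
    """Reduce dotted, colon or dash MAC notation to bare lowercase hex."""
    return re.sub(r"[^0-9a-fA-F]", "", mac).lower()

def probe_source_ip(log_line, marker="/rogue-trace-probe"):
    """Client IP of the log line that carries the probe marker, else None."""
    return log_line.split()[0] if marker in log_line else None

def ip_to_mac(arp_text, ip):
    """Look the IP up in the ARP table text; return the normalised MAC or None."""
    for line in arp_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[1] == ip:
            return norm_mac(f[3])
    return None

def edge_ports(mac_tables, uplinks, mac):
    """Every (switch, port) where the MAC is learned, excluding uplinks."""
    hits = []
    for switch, text in mac_tables.items():
        for line in text.splitlines():
            f = line.split()
            if len(f) == 4 and norm_mac(f[1]) == mac and (switch, f[3]) not in uplinks:
                hits.append((switch, f[3]))
    return hits

def trace(log_line, arp_text, mac_tables, uplinks):
    """Server log line -> (source IP, MAC, candidate access ports)."""
    ip = probe_source_ip(log_line)
    mac = ip_to_mac(arp_text, ip) if ip else None
    return ip, mac, edge_ports(mac_tables, uplinks, mac) if mac else []
```

An empty port list for a MAC that does resolve usually means the uplink list is incomplete or the MAC table entry has aged out, so collect the tables soon after the probe.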

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/cg/ .