We take a similar tack, but use the idea of tracking the IP address
reported by an internal campus web server to a specific location.
(Which we need to do for virus outbreaks anyway.) Because we use VLANs,
it's a little tedious to search all networks for a similar MAC address.

So we use a little server-side script to report the IP address as it's
seen by our web server (this gives you the external address even on
NAT-enabled APs).

The process is as follows: 

1.  When we find the wireless signal that we can get an internet
connection on, visit the following web page:
http://www.evergreen.edu/netservices/clientinfo.asp (this page was
designed small enough to display easily on a Pocket PC or other handheld).


2.  Go to the internal router for the subnet or get on the same subnet
and arp the IP to obtain the MAC address.  (There are probably more
graceful ways to do this, particularly if you're on the same subnet.)

3.  Follow the switch tables to track the port to its physical location
on our LAN. 

I find having the IP as reported by the web server also lets me know
how worried to be about the rogue AP, since it tells me instantly if
it's on a public network jack or a higher security network.  (Again, VLANs
make it harder to know.)

David Metzler
The Evergreen State College

-----Original Message-----
From: 802.11 wireless issues listserv
[mailto:[EMAIL PROTECTED]] On Behalf Of Jeff Wolfe
Sent: Friday, February 04, 2005 12:53 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Identification Tools

Philippe Hanset wrote:
> Don,
>
> A trick that I have been willing to test for a long time would be to 
> join the Rogue AP, send traffic to a known sniffing host in that same 
> layer2 network.
> This will reveal the Wired MAC address of the AP.
> Then search for that MAC on your wired side and disable the port.
> (if you have a good circuit-to-switchport DB, you know the location as
> well)
> If the AP doesn't allow guests, we use Directional Antennas and 
> Wireless Sniffers as you mentioned.
>
> And as I have mentioned before: we rarely have Rogue APs in places 
> where we provide decent Free Wireless coverage!

We've been able to have good luck by searching our switch FDBs for MAC
addresses matching all but the last octet of the MAC address in the
rogue AP's beacon. More often than not, manufacturers use sequential MAC
addresses for the wired and wireless ports of their devices. Of the 5 or
6 rogues we've seen over the last year, all were locatable that way.

YMMV.. :)


-JEff

**********
Participation and subscription information for this EDUCAUSE Constituent
Group discussion list can be found at http://www.educause.edu/groups/.
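
The switch FDB search described in the thread (match everything but the last octet of the rogue AP's beacon MAC), as an added example that is not part of the original messages. The three-column FDB dump layout (VLAN, MAC, port), the function names and all sample addresses are constructed assumptions; adapt the parser to your switches' real output.

```python
import re

# Constructed sample FDB dump: VLAN, MAC, port. MAC notation varies by vendor,
# so all three common styles appear here. Addresses are made up.
SAMPLE_FDB = """\
10  0211.2233.4455     Gi1/0/1
20  02:aa:bb:cc:dd:10  Gi1/0/7
20  02-AA-BB-CC-DD-1E  Gi1/0/9
30  02aa.bbcc.ee11     Gi2/0/3
"""

def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    digits = re.sub(r"[.:\-]", "", text.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def parse_fdb(dump):
    """Yield (vlan, mac, port) tuples; skip headers and malformed lines."""
    for line in dump.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        mac = normalize_mac(fields[1])
        if mac:
            yield fields[0], mac, fields[2]

def find_candidates(bssid, entries):
    """FDB entries sharing the BSSID's first five octets, closest last octet first."""
    target = normalize_mac(bssid)
    if target is None:
        raise ValueError("not a MAC address: %r" % bssid)
    hits = []
    for vlan, mac, port in entries:
        if mac[:10] == target[:10]:  # 10 hex digits = first five octets
            distance = abs(int(mac[10:], 16) - int(target[10:], 16))
            hits.append((distance, vlan, mac, port))
    return sorted(hits)

if __name__ == "__main__":
    # BSSID as seen in the rogue AP's beacon (constructed value).
    for distance, vlan, mac, port in find_candidates("02:AA:BB:CC:DD:11",
                                                     parse_fdb(SAMPLE_FDB)):
        print("vlan %s port %s mac %s (last octet off by %d)"
              % (vlan, port, mac, distance))
```

A small last-octet distance is the strongest hint; every hit still needs confirming against the physical port before it is disabled.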
