Monitoring Access Points
This section describes how to access the controller access point summary details. Use the main data area to access the respective access point details.
Choose Monitor > Access Points to access this page. This section provides more detailed information regarding monitoring access points and contains the following topics:
Searching Access Points
Use the Prime Infrastructure Search feature to find specific access points or to create and save custom searches. See the Search Methods section in the Cisco Prime Infrastructure 2.0 User Guide for additional information.
Viewing a List of Access Points
Choose Monitor > Access Points or perform an access point search to access this page.
This page enables you to view a summary of access points including the default information listed in Table 5-42.
Table 5-42 Access Point Search Results
Field |
Description |
AP Name Ethernet MAC |
The name assigned to the access point. Click a list item to view access point details. See the “Monitoring Access Points Details” section for more information. |
IP Address |
Local IP address of the access point. |
Radio |
Protocol of the rogue access point is 802.11a, 802.11b or 802.11g. Click a list item to view access point radio details. See the “Monitoring Access Point Radio Details” section for more information. |
Map Location |
Click a list item to go to the location indicated on the list. |
Controller |
Click a list item to display a graphic and information about the controller. See the “Monitoring System Summary” section for more information. |
Client Count |
Displays the total number of clients currently associated with the controller. |
Admin Status |
Displays the administration state of the access point as either enabled or disabled. |
AP Mode |
Displays the operational mode of the access point. |
Oper Status |
Displays the operational status of the Cisco WLAN Solution device, either Up or Down. If the admin status is disabled, the operation status is labeled as down and there are no alarms. |
Alarm Status |
Alarms are color coded as follows: – Clear—No Alarm – Red—Critical Alarm – Orange—Major Alarm – Yellow—Minor Alarm Note This status is radio alarm status ONLY and does not include the admin status in the operation status. |
Configuring the Access Point List Display
To add, remove, or reorder columns in the table, click the Edit View link to go to the Edit View page. Table 5-43 lists the optional access point parameters available for the search results.
Table 5-43 Edit View Search Results
Field |
Description |
AP Type |
Indicates the type of access point (unified or autonomous). |
Antenna Azim. Angle |
Indicates the horizontal angle of the antenna. |
Antenna Diversity |
Indicates if antenna diversity is enabled or disabled. Antenna diversity refers to the access point sampling the radio signal from two integrated antenna ports to choose the preferred antenna. |
Antenna Elev. Angle |
Indicates the elevation angle of the antenna. |
Antenna Gain |
The peak gain in dBi of the antenna for directional antennas and the average gain in dBi for omni-directional antennas connected to the wireless network adapter. The gain is in multiples of 0.5 dBm. An integer value 4 means 4 x 0.5 = 2 dBm of gain. |
Antenna Mode |
Indicates the antenna mode such as omni, directional, or non-applicable. |
Antenna Name |
Indicates the antenna name or type. |
Audit Status |
Indicates one of the following audit statuses: – Mismatch—Configuration differences were found between Prime Infrastructure and controller during the last audit. – Identical—No configuration differences were found during the last audit. – Not Available—Audit status is unavailable. |
Base Radio MAC |
Indicates the MAC address of the base radio. |
Bridge Group Name |
Indicates the name of the bridge group used to group the access points, if applicable. |
CDP Neighbors |
Indicates all directly connected Cisco devices. |
Channel Control |
Indicates whether the channel control is automatic or custom. |
Channel Number |
Indicates the channel on which the Cisco Radio is broadcasting. |
Channel Width |
Indicates the channel bandwidth for this radio. The Channel Width field is supported only for 11n APs. Displays “N/A” for other APs. |
Controller Port |
Indicates the number of controller ports. |
Google Earth Location |
Indicates whether or not a Google Earth location is assigned and indicates the location. |
Location |
Indicates the physical location of the access point. |
Node Hops |
Indicates the number of hops between access points. |
OfficeExtend AP |
Specifies whether or not OfficeExtend access is enabled. If it is disabled, the access point is remotely deployed which increases the security risk. |
PoE Status |
Indicates the power over Ethernet status of the access point. The possible values include the following: – Low—The access point draws low power from the Ethernet. – Lower than 15.4 volts—The access point draws lower than 15.4 volts from the Ethernet. – Lower than 16.8 volts—The access point draws lower than 16.8 volts from the Ethernet. – Normal—The power is high enough for the operation of the access point. – Not Applicable—The power source is not from the Ethernet. |
Primary Controller |
Indicates the name of the primary controller for this access point. |
Radio MAC |
Indicates the radio MAC address. |
Reg. Domain Supported |
Indicates whether or not the regulatory domain is supported. |
Serial Number |
Indicates the access point serial number. |
Slot |
Indicates the slot number. |
Tx Power Control |
Indicates whether the transmission power control is automatic or custom. |
Tx Power Level |
Indicates the transmission power level. |
Up Time |
Indicates how long the access point has been up in days, hours, minutes and seconds. |
WLAN Override Names |
Indicates the WLAN override profile names. |
WLAN Override |
Indicates whether WLAN Override is enabled or disabled. |
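The status fields in Tables 5-42 and 5-43 can be combined into a triage pass over the access point list. The following Python is an added example, not Cisco or Prime Infrastructure code; the CSV layout, the sample rows, and the function names are constructed for illustration, with column names borrowed from the field names above.

```python
import csv
import io

# Constructed sample rows. Column names reuse the field names from Tables 5-42
# and 5-43; the CSV layout is an assumption, not a Prime Infrastructure format.
SAMPLE_CSV = """AP Name,Admin Status,Oper Status,Alarm Status,Audit Status
ap-lobby-01,Enabled,Up,Clear,Identical
ap-lab-02,Enabled,Down,Critical,Identical
ap-store-03,Disabled,Down,Clear,Identical
ap-roof-04,Enabled,Up,Minor,Mismatch
ap-dock-05,Disabled,Up,Clear,Not Available
"""

# Alarm states from Table 5-42, ordered by severity.
ALARM_RANK = {"clear": 0, "minor": 1, "major": 2, "critical": 3}


def triage_row(row, min_alarm="major"):
    """Return the list of findings for one access point row."""
    admin = row["Admin Status"].strip().lower()
    oper = row["Oper Status"].strip().lower()
    alarm = row["Alarm Status"].strip().lower()
    audit = row["Audit Status"].strip().lower()
    findings = []

    # A disabled AP is always shown as Down and raises no alarms, so Down is
    # only an outage when the AP is administratively enabled.
    if admin == "enabled" and oper == "down":
        findings.append("enabled but operationally down")
    elif admin == "disabled" and oper == "up":
        findings.append("inconsistent row: admin disabled but oper up")

    # Alarm Status reflects radio alarms only, so it is checked separately
    # from the admin/oper pairing above.
    if alarm not in ALARM_RANK:
        findings.append("unrecognised alarm status: " + row["Alarm Status"])
    elif ALARM_RANK[alarm] >= ALARM_RANK[min_alarm]:
        findings.append(alarm + " radio alarm")

    # Mismatch means the last audit found configuration differences.
    if audit == "mismatch":
        findings.append("audit mismatch: configuration differs from controller")
    elif audit == "not available":
        findings.append("audit status not available")
    return findings


def triage(csv_text, min_alarm="major"):
    """Map AP name -> findings, keeping only APs that have at least one."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = triage_row(row, min_alarm)
        if findings:
            report[row["AP Name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_CSV).items():
        print(name + ": " + "; ".join(findings))
```

The disabled access point that is shown as Down produces no finding, which matches the Oper Status description above.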
Configuring the List of Access Points Display
The Edit View page allows you to add, remove, or reorder columns in the Access Points table.
To edit the available columns in the access points table, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Click the Edit View link.
Step 3
To add an additional column to the access points table, click to highlight the column heading in the left column. Click Show to move the heading to the right column. All items in the right column are displayed in the table.
Step 4
To remove a column from the access points table, click to highlight the column heading in the right column. Click Hide to move the heading to the left column. All items in the left column are not displayed in the table.
Step 5
Use the Up/Down buttons to specify the order in which the information appears in the table. Highlight the desired column heading and click Up or Down to move it higher or lower in the current list.
Step 6
Click Reset to restore the default view.
Step 7
Click Submit to confirm the changes.
Note
See the “Viewing a List of Access Points” section for additional access point fields that can be added through Edit View.
Generating a Report for Access Points
Note
You cannot customize any report that you create in the Access Points list (Monitor > Access Points).
To generate a report for access points, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Click to select the access point(s) for which you want to run a report.
Step 3
Choose the applicable report from the Select a report drop-down list.
Step 4
Click Go.
Table 5-44 lists the available reports.
Table 5-44 Access Point Reports
|
|
|
Load |
Generates a report with load information. |
See the “Monitoring Traffic Load” section for more information. |
Dynamic Power Control |
Generates a report with Dynamic Power Control information. |
See the “Monitoring Dynamic Power Control” section for more information. |
Noise |
Generates a report with Noise information. |
See the “Monitoring Access Points Noise” section for more information. |
Interference |
Generates a report with Interference information. |
See the “Monitoring Access Points Interference” section for more information. |
Coverage (RSSI) |
Generates a report with Coverage (RSSI) information. |
See the “Monitoring Access Points Coverage (RSSI)” section for more information. |
Coverage (SNR) |
Generates a report with Coverage (SNR) information. |
See the “Monitoring Access Points Coverage (SNR)” section for more information. |
Up/Down Statistics |
Time in days, hours and minutes since the last reboot. Generates a report with Up Time information. |
See the “Monitoring Access Points Up/Down Statistics” section for more information. |
Voice Statistics |
Generates a report for selected access points showing radio utilization by voice traffic. |
See the “Monitoring the Access Points Voice Statistics” section for more information. |
Voice TSM Table |
Generates a report for selected access points and radio, organized by client device showing QoS status, PLR, and latency of its voice traffic stream. |
See the “Monitoring the Access Points Voice TSM Table” section for more information. |
Voice TSM Reports |
Graphical representation of the TSM table except that metrics from the clients are averaged together on the graphs. |
See the “Monitoring the Access Points Voice TSM Reports” section for more information. |
802.11 Counters |
Displays counters for access points at the MAC layer. Statistics such as error frames, fragment counts, RTS/CTS frame count, and retried frames are generated based on the filtering criteria and can help interpret performance (and problems, if any) at the MAC layer. |
See the “Monitoring Access Points 802.11 Counters” section for more information. |
AP Profile Status |
Displays access point load, noise, interference, and coverage profile status. |
See the “Monitoring Access Points AP Profile Status” section for more information. |
Air Quality vs. Time |
Displays the air quality index of the wireless network during the configured time duration. |
See the “Monitoring Air Quality” section for more information. |
Traffic Stream Metrics |
Useful in determining the current and historical quality of service (QoS) for given clients at the radio level. It also displays uplink and downlink statistics such as packet loss rate, average queuing delay, distribution of delayed packets, and roaming delays. |
See the “Monitoring Access Points Traffic Stream Metrics” section for more information. |
Tx Power and Channel |
Displays the channel plan assignment and transmit power level trends of devices based on the filtering criteria used when the report was generated. It could help identify unexpected behavior or issues with network performance. |
See the “Monitoring Access Points Tx Power and Channel” section for more information. |
VoIP Calls Graph |
Helps analyze wireless network usage from a voice perspective by providing details such as the number and duration of VoIP calls (per radio) on the network over time. To be able to gather useful data from this report, VoIP snooping must be enabled on the WLAN. This report displays information in a graph. |
See the “Monitoring VoIP Calls” section for more information. |
VoIP Calls Table |
Provides the same information as the VoIP Calls Graph report but in table form. |
See the “Monitoring VoIP Calls” section for more information. |
Voice Statistics |
Helps analyze wireless network usage from a voice perspective by providing details such as percentage of bandwidth used by voice clients, voice calls, roaming calls, and rejected calls (per radio) on the network. To be able to gather useful data from this report, make sure call admission control (CAC) is supported on voice clients. |
See the “Monitoring Voice Statistics” section for more information. |
Worst Air Quality APs |
Provides a high-level, easy-to-understand metric to facilitate an "at a glance" understanding of where interference problems are impacting the network. Air Quality (AQ) is reported at a channel, floor, and system level and it supports AQ alerts, so that you can be automatically notified when AQ falls below a desired threshold. |
See the “Monitoring Air Quality” section for more information. |
Monitoring Traffic Load
Traffic Load is the total amount of bandwidth used for transmitting and receiving traffic. This enables WLAN managers to track network growth and plan network growth ahead of client demand.
To access the access point load report, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the check box(es) of the applicable access point(s).
Step 3
From the Generate a report for selected APs drop-down list, choose Load.
Step 4
Click Go. The Load report displays for the selected access points.
Table 5-45 lists the fields displayed on this page.
Table 5-45 Traffic Load
Field |
Description |
AP Name |
Click the access point name to view access point details. See the “Monitoring Access Points Details” section for more information. |
Radio |
Protocol of the rogue access point is either 802.11a, 802.11b or 802.11g. Click the radio to view On-Demand Statistics for this access point. See the “Monitoring Access Point Radio Details” section for more information. |
Attached Client Count |
Number of clients attached (Actual and Threshold). |
Channel Utilization |
802.11a RF utilization threshold between 0 and 100 percent (Actual and Threshold). |
Receive Utilization |
802.11a or 802.11b/g RF receive utilization threshold between 0 and 100 percent. |
Transmit Utilization |
802.11a or 802.11b/g RF transmit utilization threshold between 0 and 100 percent. |
Status |
Status of the client connection. |
Monitoring Dynamic Power Control
To access the access point Dynamic Power Control report, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the check box(es) of the applicable access point(s).
Step 3
From the Generate a report for selected APs drop-down list, choose Dynamic Power Control.
Step 4
Click Go. The Dynamic Power Control report displays the selected access points.
Table 5-46 lists the dynamic control fields for access points displayed on this page.
Table 5-46 Dynamic Power Control Page Fields
Field |
Description |
AP Name |
This is the name assigned to the access point. Click an access point name in the list to access its fields. See the “Monitoring Access Points Details” section for more information. |
Radio |
Protocol of the rogue access point is either 802.11a, or 802.11b/g. Click a Cisco Radio in the list to access its fields. See the “Monitoring Access Point Radio Details” section for more information. |
Current Power Level |
Displays the operating transmit power level from the transmit power table. Access point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power. Note The power levels and available channels are defined by the Country Code Setting, and are regulated on a country by country basis. |
Power Assignment Mode |
Dynamic transmit power assignment has three modes: – Automatic—The transmit power is periodically updated for all Cisco 1000 Series lightweight access points that permit this operation. – On Demand—Transmit power is updated when the Assign Now button is selected. – Fixed—No dynamic transmit power assignments occur and values are set to their global default. The default is Automatic. – Recommended Power Level. |
Monitoring Access Points Noise
To access the access point Noise report, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the check box(es) of the applicable access point(s).
Note
If multiple access points are selected, they must have the same radio type.
Step 3
From the Generate a report for selected APs drop-down list, choose Noise.
Step 4
Click Go. The Noise report displays the selected access points.
This page displays a bar graph of noise (RSSI in dBm) for each channel.
Monitoring Access Points Interference
To access the access point Interference report, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the check box(es) of the applicable access point(s).
Note
If multiple access points are selected, they must have the same radio type.
Step 3
From the Generate a report for selected APs drop-down list, choose Interference.
Step 4
Click Go. The Interference report displays the selected access points.
This page displays a bar graph of interference (RSSI in dBm) for each channel:
- High interference -40 to 0 dBm.
- Marginal interference -100 to -40 dBm.
- Low interference -110 to -100 dBm.
Monitoring Access Points Coverage (RSSI)
To access the access point Coverage (RSSI) report, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the check box(es) of the applicable access point(s).
Step 3
From the Generate a report for selected APs drop-down list, choose Coverage (RSSI).
Step 4
Click Go. The Coverage (RSSI) report displays the selected access points.
This page displays a bar graph of client distribution by received signal strength showing the number of clients versus RSSI in dBm.
Monitoring Access Points Coverage (SNR)
To access the access point Coverage (SNR) report, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the check box(es) of the applicable access point(s).
Step 3
From the Generate a report for selected APs drop-down list, choose Coverage (SNR).
Step 4
Click Go. The Coverage (SNR) report displays the selected access points.
This page displays a bar graph of client distribution by signal-to-noise ratio showing the number of clients versus SNR.
Monitoring Access Points Up/Down Statistics
To access the access point Up/Down Statistics report, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the check box of the applicable access point.
Step 3
From the Generate a report for selected APs drop-down list, choose Up/Down Statistics.
Step 4
Click Go. The Up/Down Statistics report displays the selected access points.
Note
Up Time is time in days, hours, and minutes since the last reboot.
This page displays a line graph of access point up time graphed against time.
If you select more than one access point, the following message appears:
Please select only one AP for the Up Time Report.
Monitoring the Access Points Voice Statistics
This generates a report for selected access points showing radio utilization by voice traffic. The report includes the number of current calls.
Note
Voice Statistics reports are only applicable for CAC/WMM clients.
To access the access point Voice Statistics report, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the check box(es) of the applicable access point(s).
Step 3
From the Generate a report for selected APs drop-down list, choose Voice Statistics.
Step 4
Click Go. The Voice Statistics report displays for the selected access points.
The page displays the following access point voice statistics:
Monitoring the Access Points Voice TSM Table
This generates a report for selected access points and radio, organized by client device showing QoS status, PLR, and latency of its voice traffic stream.
To access the access point Voice TSM Table report, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the check box of the applicable access point.
Step 3
From the Generate a report for selected APs drop-down list, choose Voice TSM Table.
Step 4
Click Go. The Voice Traffic Stream Metrics Table report displays the selected access point.
Table 5-47 lists the Voice Traffic Stream Metrics Table page fields.
Table 5-47 Voice Traffic Stream Metrics Table Page Fields
Field |
Description |
Time |
Time that the statistics were gathered from the access point(s). |
Client MAC |
MAC address of the client. This shows a list of the clients evaluated during the most recent 90-second interval. The client could be a VoIP phone, laptop, or PDA, and refers to any client attached to the access point collecting measurements. |
QoS |
QoS values (packet latency, packet jitter, packet loss, roaming time) which can affect the WLAN are monitored. Access points and clients measure the metrics; access points collect the measurements and send them to the controller. The access points update the controller with traffic stream metric information every 90 seconds, and 10 minutes of data is stored at one time. |
% PLR (Downlink) |
Percentage of packets lost on the downlink (access point to client) during the 90 second interval. |
% PLR (Uplink) |
Percentage of packets lost on the uplink (client to access point) during the 90 second interval. |
Avg Queuing Delay (ms) (Downlink) |
Average queuing delay in milliseconds for the downlink. Average packet queuing delay is the average delay of voice packets traversing the voice queue. Packet queue delay is measured beginning when a packet is queued for transmission and ending when the packet is successfully transmitted. It includes time for re-tries, if needed. |
Avg Queuing Delay (ms) (Uplink) |
Average queuing delay in milliseconds for the uplink. Average packet queuing delay is the average delay of voice packets traversing the voice queue. Packet queue delay is measured beginning when a packet is queued for transmission and ending when the packet is successfully transmitted. It includes time for re-tries, if needed. |
% Packets > 40 ms Queuing Delay |
Percentage of queuing delay packets greater than 40 ms. |
% Packets > 20 ms Queuing Delay |
Percentage of queuing delay packets greater than 20 ms. |
Roaming Delay |
Roaming delay in milliseconds. Roaming delay, which is measured by clients, is measured beginning when the last packet is received from the old access point and ending when the first packet is received from the new access point after a successful roam. |
Monitoring the Access Points Voice TSM Reports
This report provides a graphical representation of the Voice Traffic Stream Metrics Table except that metrics from the clients are averaged together on the graphs.
To access the access point Voice Traffic Stream Metrics Table report, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the check box of the applicable access point.
Step 3
From the Generate a report for selected APs drop-down list, choose Voice TSM Reports.
Step 4
Click Go. The Voice Traffic Stream Metrics Table report displays for the selected access point.
This page displays line graphs of the following downlink and uplink metric information, including times and dates (see Table 5-48).
Table 5-48 Voice Traffic Stream Metrics Table Reports Page Fields
Field |
Description |
Average Queuing Delay (ms) |
Average queuing delay in milliseconds. Average packet queuing delay is the average delay of voice packets traversing the voice queue. Packet queue delay is measured beginning when a packet is queued for transmission and ending when the packet is successfully transmitted. It includes time for re-tries, if needed. |
% Packet with less than 10 ms delay |
Percentage of packets with less than 10 milliseconds delay. |
% Packet with more than 10 < 20 ms delay |
Percentage of packets with more than 10 milliseconds delay but less than 20 milliseconds delay. |
% Packet with more than 20 < 40 ms delay |
Percentage of packets with more than 20 milliseconds delay but less than 40 milliseconds delay. |
% Packet with more than 40 ms delay |
Percentage of packets with more than 40 milliseconds delay. |
Packet Loss Ratio |
Ratio of lost packets. |
Total Packet Count |
Number of total packets. |
Roaming Count |
Number of packets exchanged for roaming negotiations in this 90 seconds metrics page. |
Roaming Delay |
Roaming delay in milliseconds. |
Monitoring Access Points 802.11 Counters
Displays counters for access points at the MAC layer. Statistics such as error frames, fragment counts, RTS/CTS frame count, and retried frames are generated based on the filtering criteria and can help interpret performance (and problems, if any) at the MAC layer.
See the “Reports” section for more information on 802.11 Counters reports.
Monitoring Access Points AP Profile Status
Displays access point load, noise, interference, and coverage profile status.
See the “Reports” section for more information on AP Profile Status reports.
Monitoring Access Points Radio Utilization
See the “Reports” section for more information on Radio Utilization reports.
Monitoring Access Points Traffic Stream Metrics
Useful in determining the current and historical quality of service (QoS) for given clients at the radio level. It also displays uplink and downlink statistics such as packet loss rate, average queuing delay, distribution of delayed packets, and roaming delays.
See the “Reports” section for more information on Traffic Stream Metrics reports.
Monitoring Access Points Tx Power and Channel
See the “Reports” section for more information on Tx Power and Channel reports.
The Current Tx Power Level setting controls the maximum conducted transmit power. The maximum available transmit power varies according to the configured channel, individual country regulation, and access point capability. See the Product Guide or data sheet at www.cisco.com for each specific model to determine the access point capability.
The Current Tx Power Level setting of 1 represents the maximum conducted power setting for the access point. Each subsequent power level (for example, 2, 3, 4, and so on) represents approximately a 50% (or 3 dBm) reduction in transmit power from the previous power level.
Note
The actual power reduction might vary slightly for different models of access points.
Based on the configured antenna gain, the configured channel, and the configured power level, the actual transmit power at the access point can be reduced so that the specific country regulations are not exceeded.
Note
Irrespective of whether you choose Global or Custom assignment method, the actual conducted transmit power at the access point is verified such that country specific regulations are not exceeded.
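The power level arithmetic described above can be worked through in code. This Python is an added example, not Cisco code: it models each level as a halving of conducted power, checks that model against the percentages listed for the Current Power Level field, and applies a regulatory clamp. Modelling the clamp as an EIRP cap (conducted power plus antenna gain) is an assumption of this example, and the 20 dBm, 23 dBm, and gain values used are constructed.

```python
import math

# Percent-of-maximum ranges per level, as listed for the Current Power Level
# field in Table 5-46.
LEVEL_PERCENT_RANGE = {
    1: (100.0, 100.0),
    2: (50.0, 50.0),
    3: (25.0, 25.0),
    4: (6.25, 12.5),
    5: (0.195, 6.25),
}


def level_fraction(level):
    """Fraction of maximum conducted power at a level, halving per step."""
    if level < 1:
        raise ValueError("power levels start at 1")
    return 0.5 ** (level - 1)


def level_matches_table(level):
    """True if the halving model falls inside the listed percent range."""
    low, high = LEVEL_PERCENT_RANGE[level]
    return low <= level_fraction(level) * 100 <= high


def nominal_dbm(max_conducted_dbm, level):
    """Conducted power for a level; each halving is about 3.01 dB."""
    return max_conducted_dbm + 10 * math.log10(level_fraction(level))


def antenna_gain_db(raw_units):
    """Antenna Gain is stored in multiples of 0.5, so a raw 4 means 2."""
    return raw_units * 0.5


def effective_dbm(max_conducted_dbm, level, gain_units, eirp_cap_dbm):
    """Return (conducted dBm, clamped) after applying the assumed EIRP cap.

    eirp_cap_dbm is a hypothetical per-channel regulatory limit supplied by
    the caller; it is not a value taken from the page.
    """
    nominal = nominal_dbm(max_conducted_dbm, level)
    allowed = eirp_cap_dbm - antenna_gain_db(gain_units)
    if nominal > allowed:
        return allowed, True
    return nominal, False


def highest_unclamped_level(max_conducted_dbm, gain_units, eirp_cap_dbm,
                            levels=5):
    """First level (strongest power) that needs no regulatory reduction."""
    for level in range(1, levels + 1):
        if not effective_dbm(max_conducted_dbm, level, gain_units,
                             eirp_cap_dbm)[1]:
            return level
    return None


if __name__ == "__main__":
    # Constructed case: 20 dBm maximum, raw gain 12 (6 dB), 23 dBm cap.
    for lvl in range(1, 6):
        dbm, clamped = effective_dbm(20.0, lvl, 12, 23.0)
        print(lvl, round(dbm, 2), "clamped" if clamped else "as configured")
```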
Command Buttons
- Save—Save the current settings.
- Audit—Discover the present status of this access point.
Monitoring VoIP Calls
The VoIP Calls report helps analyze wireless network usage from a voice perspective by providing details such as the number and duration of VoIP calls (per radio) on the network over time. To be able to gather useful data from this report, VoIP snooping must be enabled on the WLAN. This report displays information in a graph.
Click VoIP Calls Graph from the Report Launch Pad to open the VoIP Calls Graph Reports page. From this page, you can enable, disable, delete, or run currently saved report templates. See the “Reports” section for more information.
Monitoring Voice Statistics
The Voice Statistics report helps analyze wireless network usage from a voice perspective by providing details such as percentage of bandwidth used by voice clients, voice calls, roaming calls, and rejected calls (per radio) on the network. To be able to gather useful data from this report, make sure Call Admission Control (CAC) is supported on voice clients. See the “Reports” section for more information.
Monitoring Air Quality
To facilitate an "at a glance" understanding of where interference problems are impacting the network, the Prime Infrastructure rolls up the detailed information into a high-level, easy-to-understand metric referred to as Air Quality (AQ). AQ is reported at a channel, floor, and system level and it supports AQ alerts, so that you can be automatically notified when AQ falls below a desired threshold. See the “Monitoring CleanAir Air Quality Events” section for more information.
Monitoring Access Points Details
The Access Points Details page enables you to view access point information for a single AP.
Choose Monitor > Access Points and click an item in the AP Name column to access this page. Depending on the type of access point, the following tabs might be displayed. This section provides the detailed information regarding each Access Points Details page tab and contains the following topics:
General Tab
Note
The General tab fields differ between lightweight and autonomous access points.
General—Lightweight Access Points
Table 5-49 lists the General (for Lightweight Access Points) Tab fields.
Table 5-49 General (for Lightweight Access Points) Tab Fields
|
|
|
AP Name |
Operator defined name of access point. |
AP IP address, Ethernet MAC address, and Base Radio MAC address |
IP address, Ethernet MAC address and Radio MAC address. |
Country Code |
The codes of the supported countries. Up to 20 countries can be supported per controller. Note Access points might not operate properly if they are not designed for use in your country of operation. For a complete list of country codes supported per product, see the following URL: http://www.cisco.com/en/US/docs/wireless/wcs/4.0/configuration/guide/wcscod.html. |
Link Latency Settings |
You can configure link latency on the controller to measure the link between an access point and the controller. See the “Configuring Link Latency Settings for Access Points” section for more information. – Current Link Latency (in msec)—The current round-trip time (in milliseconds) of heartbeat packets from the access point to the controller and back. – Minimum Link Latency (in msec)—Since link latency was enabled or reset, the minimum round-trip time (in milliseconds) of heartbeat packets from the access point to the controller and back. – Maximum Link Latency (in msec)—Since link latency was enabled or reset, the maximum round-trip time (in milliseconds) of heartbeat packets from the access point to the controller and back. |
LWAPP/CAPWAP Uptime |
Displays how long the LWAPP/CAPWAP connection has been active. |
LWAPP/CAPWAP Join Taken Time |
Displays how long the LWAPP/CAPWAP connection has been joined. |
Admin Status |
The administration state of the access point as either enabled or disabled. |
|
Local |
Default mode. Data clients are serviced while configured channels are scanned for noise and rogues. The access point goes off-channel for 50 ms and listens for rogues. It cycles through each channel for the period specified under the Auto RF configuration. Note To configure Local or FlexConnect access points for the Cisco Adaptive wIPS feature, choose Local or FlexConnect and select the Enhanced wIPS Engine Enabled check box. |
Monitor |
Radio receive only mode. The access point scans all configured channels every 12 seconds. Only deauthentication packets are sent in the air with an access point configured this way. A monitor mode access point can connect as a client to a rogue access point. Note To configure access points for Cisco Adaptive wIPS feature, select Monitor. Select the Enhanced wIPS Engine Enabled check box and choose wIPS from the Monitor Mode Optimization drop-down list. Before you can enable an access point to be in wIPS mode, you must disable the access point radios. If you do not disable the access point radio, an error message appears. Note Once you have enabled the access point for wIPS, reenable the radios. |
Rogue Detector |
The access point radio is turned off and the access point listens to wired traffic only. The controllers that operate in this mode monitor the rogue access points. The controller sends all the rogue access point and client MAC address lists to the rogue detector, and the rogue detector forwards this information to the WLC. The MAC address list is compared to what the WLC access points heard over the network. If the MAC addresses match, you can determine which rogue access points are connected on the wired network. |
Sniffer |
The access point captures and forwards all the packets on a particular channel to a remote machine that runs AiroPeek. These packets contain information such as timestamp, signal strength, packet size, and so on. This feature can only be enabled if you run AiroPeek, which is a third-party network analyzer software that supports the decoding of data packets. |
FlexConnect |
Enables FlexConnect for up to six access points. The FlexConnect access points can switch client data traffic locally and perform client authentication locally when their connection to the controller is lost. Note FlexConnect must be selected to configure an OfficeExtend access point. When the AP mode is FlexConnect, FlexConnect configuration options display including the option to enable OfficeExtend AP and to enable Least Latency Controller Join. |
Bridge |
This is a special mode where an autonomous access point functions as a wireless client and connects to a lightweight access point. The bridge and its wired clients are listed as client in the Prime Infrastructure if the AP mode is set to Bridge, and the access point is bridge capable. |
Spectrum Expert |
This mode allows a CleanAir-enabled access point to be used extensively for interference detection on all monitored channels. All other functions such as IDS scanning and Wi-Fi are suspended. |
Enhanced wIPS Engine |
Enabled or Disabled, to enable the monitoring of the security attacks using Cisco Adaptive wIPS feature. |
Operational Status |
Registered or Not Registered, as determined by the controller. |
Registered Controller |
The controller to which the access point is registered. Click to display the registered controller details. See the “Monitoring System Summary” section for more information. |
Primary Controller |
The name of the primary controller for this access point. |
Port Number |
The SNMP name of the access point primary controller. The access point attempts to associate with this controller first for all network operations and in the event of a hardware reset. |
AP Uptime |
Displays how long the access point has been active to receive and transmit. |
Map Location |
Customer-definable location name for the access point. Click to look at the actual location on a map. Choose Monitor > Access Points > name > Map Location for more information. |
Google Earth Location |
Indicates whether a Google Earth location is assigned. |
Location |
The physical location where the access point is placed (or Unassigned). |
Statistics Timer |
This counter sets the time in seconds that the access point sends its DOT11 statistics to the controller. |
PoE Status |
The power over ethernet status of the access point. The possible values include the following: – Low—The access point draws low power from the Ethernet. – Lower than 15.4 volts—The access point draws lower than 15.4 volts from the Ethernet. – Lower than 16.8 volts—The access point draws lower than 16.8 volts from the Ethernet. – Normal—The power is high enough for the operation of the access point. – Not Applicable—The power source is not from the Ethernet. |
Rogue Detection |
Indicates whether or not Rogue Detection is enabled. Note Rogue detection is disabled automatically for OfficeExtend access points because these access points, which are deployed in a home environment, are likely to detect a large number of rogue devices. For more information regarding OfficeExtend access points, see the Cisco Wireless LAN Controller Configuration Guide. |
OfficeExtend AP |
Indicates whether or not the access point is enabled as an OfficeExtend access point. The default is Enabled. |
Encryption |
Indicates whether or not encryption is enabled. Note Enabling or disabling encryption functionality causes the access point to reboot which then causes a loss of connectivity for clients. Note DTLS data encryption is enabled automatically for OfficeExtend access points to maintain security. Encryption is only available if the access point is connected to a 5500 series controller with a Plus license. |
Least Latency Join |
The access point switches from a priority order search (primary, secondary, and then tertiary controller) to a search for the controller with the best latency measurement (least latency). The controller with the least latency provides the best performance. |
Telnet Access |
Indicates whether or not Telnet Access is enabled. |
SSH Access |
Indicates whether or not SSH is enabled. Note An OfficeExtend access point might be connected directly to the WAN which could allow external access if the default password is used by the access point. Because of this, Telnet and SSH access are disabled automatically for OfficeExtend access points. |
|
Software Version |
The operating system release.version.dot.maintenance number of the code currently running on the controller. |
Boot Version |
The operating system bootloader version number. |
|
AP Type |
Type of Access Point |
AP Model |
Access point model number. |
Cisco IOS Version |
The Cisco IOS Release details. |
AP Certificate Type |
Either Self Signed or Manufacture Installed. |
FlexConnect Mode Supported |
Indicates if FlexConnect mode is supported or not. |
wIPS Profile (when applicable)
|
Profile Name |
Click the user-assigned profile name to view wIPS profile details. |
Profile Version |
|
Unique Device Identifier (UDI)
|
Name |
Name of the Cisco AP for access points. |
Description |
Description of the access point. |
Product ID |
Orderable product identifier. |
Version ID |
Version of product identifier. |
Serial Number |
Unique product serial number. |
Run Ping Test Link |
Click to ping the access point. The results are displayed in a pop-up dialog box. |
Alarms Link |
Click to display alarms associated with this access point. |
Events Link |
Click to display events associated with this access point. |
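The MAC comparison described in the Rogue Detector row of the table above can be sketched as follows. This is an added example, not Cisco's implementation or Prime Infrastructure code. The `Rogue` record, the function names and the sample addresses (taken from the RFC 7042 documentation range) are constructed for illustration, and matching is exact, as the row describes.

```python
"""Correlate rogue MACs heard over the air with MACs seen on the wired network."""
import re
from dataclasses import dataclass, field

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Accepts aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF and the dotted aabb.ccdd.eeff form,
    so lists exported by different devices compare equal.
    """
    digits = re.sub(r"[:.\-]", "", raw.strip().lower())
    return digits if _HEX12.match(digits) else None


def fmt(mac):
    """Render a normalized MAC in colon-separated form for reports."""
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Rogue:
    """One rogue access point as heard over the air (hypothetical record)."""
    bssid: str
    clients: list = field(default_factory=list)


def rogues_on_wire(rogues, wired_macs):
    """Map each rogue BSSID to the sorted list of its MACs also seen on the wire.

    A rogue appears in the result when its own radio MAC or the MAC of one of
    its clients is present in the wired-side list.
    """
    wired = {m for m in map(normalize_mac, wired_macs) if m}
    hits = {}
    for rogue in rogues:
        bssid = normalize_mac(rogue.bssid)
        if bssid is None:
            continue  # skip malformed entries instead of failing the whole run
        candidates = {bssid} | {c for c in map(normalize_mac, rogue.clients) if c}
        matched = sorted(candidates & wired)
        if matched:
            hits[bssid] = matched
    return hits


# Constructed sample data: rogue list from the controller, MACs heard on the wire.
ROGUES = [
    Rogue("00:00:5E:00:53:10", ["0000.5e00.5321", "00-00-5E-00-53-22"]),
    Rogue("00:00:5e:00:53:11", ["00:00:5e:00:53:30"]),
    Rogue("00:00:5e:00:53:12", []),
]
WIRED = ["0000.5e00.5322", "00:00:5e:00:53:12", "00:00:5e:00:53:99", "not-a-mac"]

if __name__ == "__main__":
    for bssid, matched in rogues_on_wire(ROGUES, WIRED).items():
        seen = ", ".join(fmt(m) for m in matched)
        print(f"rogue {fmt(bssid)} is on the wired network (matched: {seen})")
```
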
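The OfficeExtend notes in the table above (FlexConnect mode required, DTLS encryption enabled, Telnet and SSH disabled, rogue detection disabled) can be turned into a drift check over an AP inventory. This is an added example, not part of Prime Infrastructure. The CSV layout is hypothetical and only reuses the field names from this table, the sample rows are constructed, and the Telnet rule for other access points is an example policy rather than something this guide states.

```python
"""Audit an AP inventory against the OfficeExtend settings this table documents."""
import csv
import io

# Constructed sample; column names reuse the General tab field names.
SAMPLE_CSV = """AP Name,AP Mode,OfficeExtend AP,Encryption,Telnet Access,SSH Access,Rogue Detection
home-oeap-1,FlexConnect,Enabled,Enabled,Disabled,Disabled,Disabled
home-oeap-2,FlexConnect,Enabled,Disabled,Disabled,Enabled,Disabled
lobby-ap-3,Local,Disabled,Disabled,Enabled,Disabled,Enabled
lab-ap-4,Local,Enabled,Enabled,Disabled,Disabled,Enabled
"""


def _enabled(row, field_name):
    """True when the named column reads 'Enabled' (case-insensitive)."""
    return row.get(field_name, "").strip().lower() == "enabled"


def audit_row(row):
    """Return (ap_name, field, reason) findings for one inventory row."""
    findings = []
    name = row["AP Name"]
    if _enabled(row, "OfficeExtend AP"):
        # FlexConnect must be selected to configure an OfficeExtend access point.
        if row.get("AP Mode", "").strip().lower() != "flexconnect":
            findings.append((name, "AP Mode", "OfficeExtend requires FlexConnect mode"))
        # Telnet and SSH are disabled automatically because the AP may sit on the WAN.
        for field_name in ("Telnet Access", "SSH Access"):
            if _enabled(row, field_name):
                findings.append((name, field_name, "expected Disabled on an OfficeExtend AP"))
        # DTLS data encryption is enabled automatically for OfficeExtend APs.
        if not _enabled(row, "Encryption"):
            findings.append((name, "Encryption", "expected Enabled on an OfficeExtend AP"))
        # Rogue detection is disabled automatically for OfficeExtend APs.
        if _enabled(row, "Rogue Detection"):
            findings.append((name, "Rogue Detection", "differs from the automatic setting"))
    elif _enabled(row, "Telnet Access"):
        # Example policy added here: Telnet is a cleartext management protocol.
        findings.append((name, "Telnet Access", "cleartext management access enabled"))
    return findings


def audit(csv_text):
    """Audit every row of the CSV text and return all findings in file order."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings.extend(audit_row(row))
    return findings


if __name__ == "__main__":
    for ap_name, field_name, reason in audit(SAMPLE_CSV):
        print(f"{ap_name}: {field_name}: {reason}")
```
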
General—Autonomous
Note
For autonomous clients, the Prime Infrastructure only collects client counts. The client counts in the Monitor page and reports have autonomous clients included. Client search, client traffic graphs, or other client reports (such as Unique Clients, Busiest Clients, Client Association) do not include clients from autonomous access points.
Table 5-50 lists the General (for Autonomous Access Points) tab fields.
Table 5-50 General (for Autonomous Access Points) Tab Fields
|
|
AP Name |
Operator defined name of access point. |
AP IP address and Ethernet MAC address |
IP address, Ethernet MAC address of the access point. |
AP UpTime |
Indicates how long the access point has been up in number of days, hours, minutes, and seconds. |
Map Location |
Customer-definable location name for the access point. Click to look at the actual location on a map. See the “Monitoring Maps” section for more information. |
WGB Mode |
Indicates whether or not the access point is in work group bridge mode. |
|
SysObjectId SysDescription SysLocation SysContact |
System Object ID. The system device type and current version of firmware. The physical location of the device, such as a building name or room in which it is installed. The name of the system administrator responsible for the device. |
|
Software Version |
The operating system release.version.dot.maintenance number of the code currently running on the controller. |
CPU Utilization |
Displays the maximum, average, and minimum CPU utilization over the specified amount of time. |
Memory Utilization |
Displays the maximum, average, and minimum memory utilization over the specified amount of time. |
|
AP Type |
Autonomous or lightweight. |
AP Model |
The Access Point model number. |
AP Serial Number |
Unique serial number for this access point. |
FlexConnect Mode Supported |
If FlexConnect mode is supported or not. |
Unique Device Identifier (UDI)
|
Name |
Name of Cisco AP for access points. |
Description |
Description of access point. |
Product ID |
Orderable product identifier. |
Version ID |
Version of product identifier. |
Serial Number |
Unique product serial number. |
Note
Memory and CPU utilization charts are displayed.
Note
Click Alarms to display the alarms associated with the access point.
Click Events to display events associated with the access point.
Interfaces Tab
Table 5-51 lists the Interfaces tab fields.
Table 5-51 Interfaces Tab Fields
|
|
|
Admin Status |
Indicates whether the Ethernet interface is enabled. |
Operational Status |
Indicates whether the Ethernet interface is operational. |
Rx Unicast Packets |
Indicates the number of unicast packets received. |
Tx Unicast Packets |
Indicates the number of unicast packets sent. |
Rx Non-Unicast Packets |
Indicates the number of non-unicast packets received. |
Tx Non-Unicast Packets |
Indicates the number of non-unicast packets sent. |
|
Protocol |
802.11a/n or 802.11b/g/n. |
Admin Status |
Indicates whether the access point is enabled or disabled. |
CleanAir Capable |
Indicates whether the access point is able to use CleanAir. |
CleanAir Status |
Indicates the status of CleanAir. |
Channel Number |
Indicates the channel on which the Cisco Radio is broadcasting. |
Extension Channel |
Indicates the secondary channel on which Cisco radio is broadcasting. |
Power Level |
Access Point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power. |
Channel Width |
Indicates the channel bandwidth for this radio interface. See the “Configuring 802.11a/n RRM Dynamic Channel Allocation” section for more information on configuring channel bandwidth. Minimum (default) setting is 20 MHz. Maximum setting is the maximum channel width supported by this radio. |
Antenna Name |
Identifies the type of antenna. |
Click an interface name to view its properties (see Table 5-52 ).
Table 5-52 Interface Properties
|
|
AP Name |
Name of the Access Point. |
Link speed |
Indicates the speed of the interface in Mbps. |
RX Bytes |
Indicates the total number of bytes in the error-free packets received on the interface. |
RX Unicast Packets |
Indicates the total number of unicast packets received on the interface. |
RX Non-Unicast Packets |
Indicates the total number of non-unicast or multicast packets received on the interface. |
Input CRC |
Indicates the total number of CRC errors in packets received on the interface. |
Input Errors |
Indicates the sum of all errors in the packets while receiving on the interface. |
Input Overrun |
Indicates the number of times the receiver hardware was incapable of handing received data to a hardware buffer because the input rate exceeded the receiver capability to handle the data. |
Input Resource |
Indicates the total number of resource errors in packets received on the interface. |
Runts |
Indicates the number of packets that are discarded because they are smaller than the medium minimum packet size. |
Throttle |
Indicates the total number of times the interface advised a sending NIC that it was overwhelmed by packets being sent and to slow the pace of delivery. |
Output Collision |
Indicates the total number of packets retransmitted due to an Ethernet collision. |
Output Resource |
Indicates the total number of resource errors in packets transmitted on the interface. |
Output Errors |
Indicates the sum of all errors that prevented the final transmission of packets out of the interface. |
Operational Status |
Indicates the operational state of the physical Ethernet interface on the AP. |
Duplex |
Indicates the duplex mode of an interface. |
TX Bytes |
Indicates the total number of bytes in the error-free packets transmitted on the interface. |
TX Unicast Packets |
Indicates the total number of unicast packets transmitted on the interface. |
TX Non-Unicast Packets |
Indicates the total number of non-unicast or multicast packets transmitted on the interface. |
Input Aborts |
Indicates the total number of packets aborted while receiving on the interface. |
Input Frames |
Indicates the total number of packets received incorrectly having a CRC error and a non-integer number of octets on the interface. |
Input Drops |
Indicates the total number of packets dropped while receiving on the interface because the queue was full. |
Unknown Protocol |
Indicates the total number of packets discarded on the interface due to an unknown protocol. |
Giants |
Indicates the number of packets that are discarded because they exceed the maximum packet size of the medium. |
Interface Resets |
Indicates the number of times that an interface has been completely reset. |
Output No Buffer |
Indicates the total number of packets discarded because there was no buffer space. |
Output Underrun |
Indicates the number of times the transmitter has been running faster than the router can handle. |
Output Total Drops |
Indicates the total number of packets dropped while transmitting from the interface because the queue was full. |
CDP Neighbors Tab
Table 5-53 lists the CDP Neighbors tab fields.
Note
This tab is visible only when the CDP is enabled.
Table 5-53 CDP Neighbors Tab Fields
|
|
AP Name |
The name assigned to the access point. |
AP IP Address |
IP address of the access point. |
Port No |
Port number connected or assigned to the access point. |
Local Interface |
Identifies the local interface. |
Neighbor Name |
Name of the neighboring Cisco device. |
Neighbor Address |
Network address of the neighboring Cisco device. |
Neighbor Port |
Port of the neighboring Cisco device. |
Duplex |
Indicates Full Duplex or Half Duplex. |
Interface Speed |
Speed at which the interface operates. |
Current Associated Clients Tab
Table 5-54 lists the Current Associated Clients tab fields.
Note
This tab is visible only when there are clients associated to the AP (CAPWAP or Autonomous AP).
Table 5-54 Current Associated Clients Tab Fields
|
|
Username |
Click the username to view the Monitor Client Details page for this client. See the “Monitoring Clients and Users” section for more information. |
IP Address |
IP address of the associated client. |
Client MAC Address |
Click the client MAC address to view the Monitor Client Details page for this client. See the “Monitoring Clients and Users” section for more information. |
Association Time |
Date and time of the association. |
UpTime |
Time duration of the association. |
SSID |
User-defined SSID name. |
SNR (dB) |
Signal to Noise Ratio in dB of the associated client. |
RSSI |
Received Signal Strength Indicator in dBm. |
Bytes Tx |
This indicates the total amount of data that has passed through the Ethernet interface either way. |
Bytes Rx |
This indicates the total amount of data that has been received through the Ethernet interface either way. |
When the access point is not associated with the controller, then the database is used to retrieve the data (rather than the controller itself). If the access point is not associated, the following fields appear. |
User Name |
Username of the client. |
IP Address |
Local IP Address |
Client MAC Address |
Client MAC Address |
Association Time |
Timestamp of the client association. |
Session Length |
Time length of the session |
SSID |
User-defined SSID name. |
Protocol |
|
Avg. Session Throughput |
|
Traffic (MB) as before |
|
Note
Click the Edit View link to add, remove or reorder columns in the Current Associated Clients table. See the “Configuring the List of Access Points Display” section for adding a new field using the Edit View.
SSID Tab
Table 5-55 lists the SSID tab fields.
Note
This tab is visible only when the access point is Autonomous AP and there are SSIDs configured on the AP.
Table 5-55 SSID Tab
|
|
SSID |
Service Set Identifier being broadcast by the access point radio. |
SSID Vlan |
SSID on an access point is configured to recognize a specific VLAN ID or name. |
SSID Vlan Name |
SSID on an access point is configured to recognize a specific VLAN ID or name. |
MB SSID Broadcast |
SSID broadcast disabled essentially makes your Access Point invisible unless a wireless client already knows the SSID, or is using tools that monitor or 'sniff' traffic from an AP's associated clients. |
MB SSID Time Period |
Within this specified time period, internal communication within the SSID continues to work. |
Clients Over Time Tab
This tab displays the following charts:
- Client Count on AP—Displays the total number of clients currently associated with an access point over time.
- Client Traffic on AP—Displays the traffic generated by the client connected in the AP distribution over time.
Note
The information that appears in the above charts is presented in a time-based graph. For graphs that are time-based, there is a link bar at the top of the graph page that displays 6h, 1d, 1w, 2w, 4w, 3m, 6m, 1y, and Custom. When selected, the data for that time frame is retrieved and the corresponding graph is displayed. See the “Time-Based Graphs” section on page 6-71 for more information.
Monitoring Access Point Radio Details
Choose Monitor > Access Points and click an item in the Radio column to access this page.
Choose Monitor > Maps and click an item in the Name column, then click an access point icon to access this page.
Choose Monitor > Access Points and click an item in the AP Name column, click 802.11a or 802.11b on the AP Interfaces tab to access this page. This page enables you to view access point information for a single 802.11a or 802.11b/g Cisco Radio.
The default is to show On Demand Statistics. Use the View drop-down list to choose a different view:
Monitoring On Demand Statistics
To view On Demand Statistics for an access point, click the Radio of the applicable access point in the Monitor > Access Points page. The Radio Details page defaults to On Demand Statistics. See the “Monitoring Access Point Radio Details” section for more information on radio details.
Note
You can also select On Demand Statistics from the View drop-down list located on the Radio Details page.
This page enables you to view the following access point 802.11a or 802.11b Cisco Radio statistics for a single access point.
General
- AP Name—Click to view the access point details. See the “Monitoring Access Points Details” section for more information.
- AP MAC Address
- Radio
- CleanAir Capable—Indicates if the access point is CleanAir Capable.
- AP in SE-Connect Mode—Yes or No. Indicates if the access point is connected in SE-Connect mode.
- CleanAir Enabled—Indicates if CleanAir is enabled on this access point.
- CleanAir Sensor Status—Indicates the operational status of the CleanAir sensor (Up or Down).
- Admin Status—Enabled or disabled.
- Operational Status—Displays the operational status of the Cisco Radios (Up or Down).
- Controller—Click to display controller system details. See the “Monitoring System Summary” section for more information.
- Channel—The channel upon which the Cisco Radio is broadcasting.
- Extension Channel—Indicates the secondary channel on which Cisco radio is broadcasting.
- Channel Width—Indicates the channel bandwidth for this radio interface. See the “Configuring 802.11a/n RRM Dynamic Channel Allocation” section for more information on configuring channel bandwidth.
- Power Level—Access Point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power.
The power levels and available channels are defined by the Country Code setting, and are regulated on a country by country basis.
- Port—(1 to 24) Port to which the access point is connected.
- Map Location—Click to display the floor map showing the access point location.
Management Frame Protection
- Protection Capability—All Frames
- Validation Capability—All Frames
- MFP Version Supported—Management Frame Protection version supported and configured.
Profile Information
- Noise Profile—Notification sent when Noise Profile state changes between Success and Failure.
- Interference Profile—Notification sent when Interference Profile state changes between Success and Failure.
- Load Profile—Notification sent when Load Profile state changes between Success and Failure.
- Coverage Profile—Notification sent when Coverage Profile state changes between Success and Failure.
Note
Click Success or Failure to view associated alarms.
Noise by Channel (dBm)
Graph showing channel and noise.
Interference by Channel (dBm%)
Graph showing the percentage of interference per channel.
Note
Channel Utilization is a combination of Receive Power (RX) + Transmit Power (TX) + Interference.
Interference—Access points report on the percentage of the medium taken up by interfering 802.11 transmissions (this can be from overlapping signals from foreign APs, as well as non-neighbors).
Note
The channel list (as configured from the RRM page) is scanned completely using the “channel scan duration” field under monitor intervals. For example, if scanning all 11 channels in 2.4 GHz, and using the default duration (180 seconds), you get: 180/11 = 16.36 seconds approximately between each channel that is being scanned.
Load Statistics
- RX Utilization—802.11a or 802.11b/g RF receive utilization threshold between 0 and 100 percent.
- TX Utilization—802.11a or 802.11b/g RF transmit utilization threshold between 0 and 100 percent.
- Channel Utilization—802.11a RF utilization threshold between 0 and 100 percent (Subcolumns for Actual and Threshold).
- Attached Client Count—The number of clients attached.
General Tab
This section describes the information that appears on the General tab and contains the following topics:
% Client Count by RSSI
Graph with % and Received Signal Strength Indicator.
% Client Count by SNR
Graph with % and Signal-to-Noise Ratio.
Channel Utilization (% Busy)
Graph displaying the channel number on the x-axis and channel utilization on the y-axis.
Noise by Channel(dBm)
Graph displaying the channel on the x-axis and power in dBm on the y-axis.
Rx Neighbors
- Radio MAC Address
- AP Name—Click to view access point details.
- Map—Click to view the map.
- Mobility Group-Leader IP Address
- Neighbor Channel
- Channel Bandwidth
- RSSI (dBm)
Channel Utilization Statistics
- Time
- Picc—Percentage of time consumed by received frames from co-channel APs and clients.
- Pib—Percentage of time consumed by interference on the channel which cannot be correctly demodulated.
Note
Picc and Pib values should give a good indication of the percentage of time the access point is busy because of co-channel interference.
Client Count Over last 24 Hrs
This graph shows the client count specific to the AP radios (in the last 24 hours).
CleanAir Tab
This section describes the information that appears on the CleanAir tab and contains the following topics:
Air Quality
This graph displays the air quality index of the wireless network. A value of 100 indicates the air quality is best and a value of 1 indicates maximum interference.
Interference Power
This graph displays the interference power of the interfering devices on the channel number.
Non-WiFi Channel Utilization
This graph displays the non-WiFi channel utilization of the wireless network.
Active Interferers
This section displays the details of the active interferers on the wireless network. The following details are available:
- Interferer Name—The name of the interfering device.
- Affected Channels—The channel the interfering device is affecting.
- Detected Time—The time at which the interference was detected.
- Severity—The severity index of the interfering device.
- Duty Cycle(%)—The duty cycle (in percentage) of the interfering device.
- RSSI(dBm)—The Received Signal Strength Indicator of the interfering device.
Monitoring Operational Parameters
To view Operational Parameters for an access point radio, follow these steps:
Step 1
Choose Monitor > Access Points, click the radio for the applicable access point.
Step 2
From the View drop-down list, choose Operational Parameters.
Step 3
Click Go.
This page enables you to view configuration information for a single 802.11a or 802.11b Cisco radio.
General
- AP Name—Click to view the access point details. See the “Monitoring Access Points Details” section for more information.
- AP MAC Address
- Radio
- Admin Status—Enabled or disabled.
- Operational Status—Displays the operational status of the Cisco Radios (Up or Down).
- Controller—Click to display controller system details. See the “Monitoring System Summary” section for more information.
- Channel—The channel upon which the Cisco Radio is broadcasting.
- Extension Channel—Indicates the secondary channel on which Cisco radio is broadcasting.
- Channel Width—Indicates the channel bandwidth for this radio interface. See the “Configuring 802.11a/n RRM Dynamic Channel Allocation” section for more information on configuring channel bandwidth.
- Power Level—Access Point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power.
The power levels and available channels are defined by the Country Code setting, and are regulated on a country by country basis.
- Port—(1 to 24) Port to which the access point is connected.
- Map Location—Click to display the floor map showing the access point location.
Station Configuration Parameters
- Configuration Type—Automatic or Custom.
- Number of WLANs—1 (one) is the default.
- Medium Occupancy Limit—Indicates the maximum amount of time, in TU, that a point coordinator might control the usage of the wireless medium without relinquishing control for long enough to allow at least one instance of DCF access to the medium. The default value is 100, and the maximum value is 1000.
- CFP Period—The number of DTIM intervals between the start of CFPs.
- CFP Max. Duration—The maximum duration of the CFP in TU that might be generated by the PCF.
- BSSID—MAC address of the access point.
- Beacon Period—The rate at which the SSID is broadcast by the access point, from 100 to 600 milliseconds.
- DTIM Period—The number of beacon intervals that shall elapse between transmission of Beacon frames containing a TIM element whose DTIM Count field is 0. This value is transmitted in the DTIM Period field of Beacon frames.
- Country String—Identifies the country in which the station is operating. The first two octets of this string are the two character country code.
Physical Channel Parameters
- Current Channel—Current operating frequency channel.
- Configuration—Locally customized or globally controlled.
- Current CCA Mode—CCA method in operation. Valid values:
– Energy detect only (edonly) = 01.
– Carrier sense only (csonly) = 02.
– Carrier sense and energy detect (edandcs) = 04.
– Carrier sense with timer (cswithtimer) = 08.
– High rate carrier sense and energy detect (hrcsanded) = 16.
- ED/TI Threshold—The Energy Detect and Threshold being used to detect a busy medium (frequency). CCA reports a busy medium upon detecting the RSSI above this threshold.
Physical Antenna Parameters
- Antenna Type—Internal or External.
- Diversity—Enabled via the internal antennas or via either Connector A or Connector B. (Enabled or Disabled).
RF Recommendation Parameters
- Channel—802.11a Low Band, Medium Band, and High Band; 802.11b/g.
- Tx Power Level—Zero (0) if Radio Resource Management (RRM) disabled, 1 - 5 if Radio Resource Management (RRM) is enabled.
- RTS/CTS Threshold—Zero (0) if Radio Resource Management (RRM) disabled, 1 - 5 if Radio Resource Management (RRM) is enabled.
- Fragmentation Threshold—Zero (0) if Radio Resource Management (RRM) is disabled.
MAC Operation Parameters
- Configuration Type—Automatic or Custom.
- RTS Threshold—This attribute indicates the number of octets in an MPDU, below which an RTS/CTS handshake is not performed.
An RTS/CTS handshake is performed at the beginning of any frame exchange sequence where the MPDU is a Data or Management type, the MPDU has an individual address in the Address1 field, and the length of the MPDU is greater than this threshold. Setting this attribute to be larger than the maximum MSDU size turns off the RTS/CTS handshake for Data or Management type frames transmitted by this STA. Setting this attribute to zero turns on the RTS/CTS handshake for all frames of Data or Management type transmitted by this STA. The default value of this attribute shall be 2347.
- Short Retry Limit—The maximum number of transmission attempts of a frame, the length of which is less than or equal to dot11RTSThreshold, that shall be made before a failure condition is indicated. The default value of this attribute is 7.
- Long Retry Limit—The maximum number of transmission attempts of a frame, the length of which is greater than dot11RTSThreshold, that shall be made before a failure condition is indicated. The default value of this attribute shall be 4.
- Fragmentation Threshold—The current maximum size, in octets, of the MPDU that might be delivered to the PHY. An MSDU shall be broken into fragments if its size exceeds the value of this attribute after adding MAC headers and trailers. An MSDU or MMPDU shall be fragmented when the resulting frame has an individual address in the Address1 field, and the length of the frame is larger than this threshold. The default value for this attribute shall be the lesser of 2346 or the aMPDUMaxLength of the attached PHY and shall never exceed the lesser of 2346 or the aMPDUMaxLength of the attached PHY. The value of this attribute shall never be less than 256.
- Max Tx MSDU Lifetime—The elapsed time in TU, after the initial transmission of an MSDU, after which further attempts to transmit the MSDU shall be terminated. The default value of this attribute is 512.
- Max Rx Lifetime—The MaxReceiveLifetime shall be the elapsed time in TU, after the initial reception of a fragmented MMPDU or MSDU, after which further attempts to reassemble the MMPDU or MSDU shall be terminated. The default value is 512.
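How the RTS threshold, the two retry limits and the fragmentation threshold listed above interact for a single MSDU is shown in this added example, which is not taken from the guide or from any Cisco code. It assumes a fixed 28-byte MAC overhead (24-byte header plus 4-byte FCS, no QoS or security fields) and equal-size fragments except the last; the names `MacParams`, `MpduPlan` and `plan` are made up for illustration.

```python
"""Apply the MAC Operation Parameters to one MSDU and list the resulting MPDUs."""
from dataclasses import dataclass
from typing import NamedTuple, Optional

MAC_OVERHEAD = 28  # assumption: 24-byte MAC header + 4-byte FCS


@dataclass
class MacParams:
    """Defaults are the values quoted in the parameter list above."""
    rts_threshold: int = 2347
    short_retry_limit: int = 7
    long_retry_limit: int = 4
    fragmentation_threshold: int = 2346

    def __post_init__(self):
        # The fragmentation threshold shall never be less than 256.
        if self.fragmentation_threshold < 256:
            raise ValueError("fragmentation threshold must be at least 256")


class MpduPlan(NamedTuple):
    mpdu_len: int                # octets on the air, including MAC overhead
    uses_rts: bool               # RTS/CTS handshake performed first
    retry_limit: Optional[int]   # None for group-addressed frames (not acknowledged)


def plan(msdu_len, params, individually_addressed=True):
    """Return one MpduPlan per MPDU needed to carry an MSDU of msdu_len octets."""
    mpdu_len = msdu_len + MAC_OVERHEAD
    if not individually_addressed:
        # Fragmentation and RTS/CTS both require an individual address in Address1.
        # Group-addressed frames are not acknowledged, so no retry limit applies
        # (general 802.11 behaviour, not stated in the list above).
        return [MpduPlan(mpdu_len, False, None)]

    if mpdu_len > params.fragmentation_threshold:
        payload = params.fragmentation_threshold - MAC_OVERHEAD
        sizes = [min(payload, msdu_len - offset) + MAC_OVERHEAD
                 for offset in range(0, msdu_len, payload)]
    else:
        sizes = [mpdu_len]

    plans = []
    for size in sizes:
        over_rts = size > params.rts_threshold
        # Frames longer than the RTS threshold use the long retry limit,
        # all others use the short retry limit.
        limit = params.long_retry_limit if over_rts else params.short_retry_limit
        plans.append(MpduPlan(size, over_rts, limit))
    return plans


if __name__ == "__main__":
    tuned = MacParams(rts_threshold=500, fragmentation_threshold=1024)
    for label, params in (("defaults", MacParams()), ("tuned", tuned)):
        for item in plan(1500, params):
            print(label, item)
```

With the default values a 1500-octet MSDU is sent as one MPDU without RTS/CTS; the lowered thresholds split it into two fragments, each preceded by RTS/CTS and subject to the long retry limit.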
Tx Power
- # Supported Power Levels—Five or fewer power levels, depending on operator preference.
- Tx Power Level x—Access point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power.
Note
The power levels and available channels are defined by the Country Code setting, and are regulated on a country by country basis.
- Tx Power Configuration—Globally controlled or customized for this access point (Custom or Global).
- Current Tx Power Level—Displays the operating transmit power level from the transmit power table.
Monitoring 802.11 MAC Counters
To view 802.11 MAC Counters for an access point radio, follow these steps:
Step 1
Choose Monitor > Access Points, click the radio for the applicable access point.
Step 2
From the View drop-down list, choose 802.11 MAC Counters.
Step 3
Click Go.
This page enables you to view 802.11 MAC Counter information for a single 802.11a or 802.11b Cisco Radio.
General
- AP Name—Click to view the access point details. See the “Monitoring Access Points Details” section for more information.
- AP MAC Address
- Radio
- Admin Status—Enabled or disabled.
- Operational Status—Displays the operational status of the Cisco Radios (Up or Down).
- Controller—Click to display controller system details. See the “Monitoring System Summary” section for more information.
- Channel—The channel upon which the Cisco Radio is broadcasting.
- Extension Channel—Indicates the secondary channel on which Cisco radio is broadcasting.
- Channel Width—Indicates the channel bandwidth for this radio interface. See the “Configuring 802.11a/n RRM Dynamic Channel Allocation” section for more information on configuring channel bandwidth.
Note
Minimum (default) setting is 20 MHz. Maximum setting is the maximum channel width supported by this radio.
- Power Level—Access Point transmit power level: 1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power.
The power levels and available channels are defined by the Country Code setting, and are regulated on a country by country basis.
- Port—(1 to 24) Port to which the access point is connected.
- Map Location—Click to display the floor map showing the access point location.
RF Counters
- Tx Fragment Count—This counter is incremented for each successfully received MPDU Data or Management type.
- Multicast Tx Frame Count—This counter increments only when the multicast bit is set in the destination MAC address of a successfully transmitted MSDU. When operating as a STA in an ESS, where these frames are directed to the access point, this implies having received an acknowledgment to all associated MPDUs.
- Tx Failed Count—This counter increments when an MSDU is not transmitted successfully due to the number of transmit attempts exceeding retry limit.
- Retry Count—This counter increments when an MSDU is successfully transmitted after one or more retransmissions.
- Multiple Retry Count—This counter increments when an MSDU is successfully transmitted after two or more retransmissions.
- Frame Duplicate Count—This counter increments when a frame is received that the Sequence Control field indicates is a duplicate.
- RTS Success Count—This counter increments when a CTS is received in response to an RTS.
- RTS Failure Count—This counter increments when a CTS is not received in response to an RTS.
- ACK Failure Count—This counter increments when an ACK is not received when expected.
- Rx Fragment Count—The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets).
- Multicast Rx Framed Count—This counter increments when an MSDU is received with the multicast bit set in the destination MAC address.
- FCS Error Count—This counter increments when an FCS error is detected in a received MPDU.
- Tx Frame Count—This counter increments for each successfully transmitted MSDU.
- WEP Undecryptable Count—This counter increments when a frame is received with the WEP subfield of the Frame Control field set to one and the WEP On value for the key mapped to the TA MAC address indicates that the frame should not have been encrypted, or when the frame is discarded because the receiving STA does not implement the privacy option.
Monitoring View Alarms
To access the View Alarms page from the Monitor Access Points page, follow these steps:
Note
When the AP is disassociated, the radio status in the Monitor > Access Points page is shown as critical. There is only one alarm, AP disassociated, because radio alarms are correlated to the AP disassociated alarm.
Note
When the controller goes down, the controller inventory dashlet shows the controller status as critical. But the radio inventory dashlet retains the last known status. In the Monitor > Access Point page, the AP alarm status is shown as "Unknown".
Step 1
Choose Monitor > Access Points.
Step 2
Select the Radio Type in the Radio Type column of the applicable access point.
Step 3
From the View drop-down list, choose View Alarms.
Step 4
Click Go.
For more information on Viewing Alarms, see the “Monitoring Alarms” section.
Monitor View Events
To access the View Events page from the Monitor Access Points page, follow these steps:
Step 1
Choose Monitor > Access Points.
Step 2
Select the Radio Type in the Radio Type column of the applicable access point.
Step 3
From the View drop-down list, select View Events.
Step 4
Click Go.
For more information on viewing events, see the “Monitoring Events” section.
Monitoring Third-Party Access Points
Prime Infrastructure supports the monitoring of certain third-party access points.
For third-party access points, the following parameters are monitored:
- Current configuration of SSID
- Mode
- Current Channel
- Tx-Power
- RTS Threshold
- Retry Limit
- Preamble
- Beacon Interval
- Power management
- Load balance
- Rates
- DTIM Period
- LMS address
- Encryption
- Status
- Ageout
- MTU
- Location
- Hide SSID
- Deny Broadcast
- BG mode
- Radio Chipset
- Regulatory Domain
- Country Code
- Tx Rates
To view third-party access point details, follow these steps:
Step 1
Choose Monitor > Third Party Access Points.
Step 2
In the Third-Party Access Point page, click the access point’s name. The information appears on the General tab.
Monitoring Mesh Access Points
Mesh Health monitors the overall health of Cisco Aironet 1500 and 1520 series outdoor access points as well as Cisco Aironet 1130 and 1240 series indoor access points when configured as mesh access points, except as noted. Tracking this environmental information is particularly critical for access points that are deployed outdoors. The following factors are monitored:
- Temperature: Displays the internal temperature of the access point in Fahrenheit and Celsius (Cisco Aironet 1510 and 1520 outdoor access points only).
- Heater status: Displays the heater as on or off (Cisco Aironet 1510 and 1520 outdoor access points only).
- AP Up time: Displays how long the access point has been active to receive and transmit.
- LWAPP Join Taken Time: Displays how long it took to establish the LWAPP connection (excluding Cisco Aironet 1505 access points).
- LWAPP Up Time: Displays how long the LWAPP connection has been active (excluding Cisco Aironet 1505 access points).
Mesh Health information is displayed in the General Properties page for mesh access points.
Note
The wIPS mode is not supported in the Cisco Aironet 1500 series mesh access points.
To view the mesh health details for a specific mesh access point, follow these steps:
Step 1
Choose Monitor > Access Points. A listing of radios belonging to access points appears.
Note
The radio status (not an access point status) is displayed when you choose Monitor > Access Points. The given status is updated frequently from traps and wireless status polling and takes several minutes to reflect actual radio status. The overall status of an access point can be found by viewing the access point on a map.
Note
You can also use the New Search button to display the mesh access point summary. With the New Search option, you can further define the criteria of the access points that appear. Search criteria include AP Type, AP Mode, Radio Type, and 802.11n Support.
Step 2
Click the AP Name link to display details for that mesh access point. The General tab for that mesh access point appears.
Note
You can also access the General tab for a mesh access point from a Prime Infrastructure map page. To display the page, double-click the mesh access point label. A tabbed page appears and displays the General tab for the selected access point.
To add, remove, or reorder columns in the table, click the Edit View link in the Monitor > Access Points page.
Mesh Statistics Tab
Mesh Statistics are reported when a child mesh access point authenticates or associates with a parent mesh access point.
Security entries are removed and no longer displayed when the child mesh access point disassociates from the controller.
The following mesh security statistics are displayed for mesh access points:
To view the mesh statistics for a specific mesh access point, follow these steps:
Step 1
Choose Monitor > Access Points. A listing of radios belonging to access points appears.
Note
The radio status (not an access point status) is displayed when you choose Monitor > Access Points. The given status is updated frequently from traps and wireless status polling and takes several minutes to reflect actual radio status. The overall status of an access point can be found by viewing the access point on a map.
Note
You can also use the New Search button to display the access point summary. With the New Search option, you can further define the criteria of the access points that display. Search criteria include AP Name, IP address, MAC address, Controller IP or Name, Radio type, and Outdoor area.
Step 2
Click the AP Name link of the target mesh access point.
A tabbed page appears and displays the General Properties page for the selected access point.
Step 3
Click the Mesh Statistics tab. A three-tabbed Mesh Statistics page appears.
Note
The Mesh Statistics tab and its subordinate tabs (Bridging, Queue and Security) only appear for mesh access points. The Mesh Link Alarms and Mesh Link Events links are accessible from each of the three tabbed panels. You can click these links to view the relevant alarms and events.
Note
You can also access the Mesh Securities page for a mesh access point from a Prime Infrastructure map. To display the page, double-click the mesh access point label.
Summaries of the Bridging, Queue and Security Statistics and their definitions are provided in Table 5-56, Table 5-57 and Table 5-58 respectively.
Table 5-56 Bridging Mesh Statistics

| Statistic | Description |
|---|---|
| Role | The role of the mesh access point. Options are mesh access point (MAP) and root access point (RAP). |
| Bridge Group Name | The name of the bridge group of which the MAP or RAP is a member. We recommend assigning membership in a bridge group name. If one is not assigned, a MAP is by default assigned to a default bridge group name. |
| Backhaul Interface | The radio backhaul for the mesh access point. |
| Routing State | The state of parent selection. Values that display are seek, scan and maint. Maint appears when parent selection is complete. |
| Malformed Neighbor Packets | The number of malformed packets received from the neighbor. Examples of malformed packets include malicious floods of traffic such as malformed or short DNS packets and malformed DNS replies. |
| Poor Neighbor SNR | The number of times the signal-to-noise ratio falls below 12 dB on the backhaul link. |
| Excluded Packets | The number of packets received from excluded neighbor mesh access points. |
| Insufficient Memory | The number of insufficient memory conditions. |
| RX Neighbor Requests | The number of broadcast and unicast requests received from the neighbor mesh access points. |
| RX Neighbor Responses | The number of responses received from the neighbor mesh access points. |
| TX Neighbor Requests | The number of unicast and broadcast requests sent to the neighbor mesh access points. |
| TX Neighbor Responses | The number of responses sent to the neighbor mesh access points. |
| Parent Changes | The number of times a mesh access point (child) moves to another parent. |
| Neighbor Timeouts | The number of neighbor timeouts. |
| Node Hops | The number of hops between the MAP and the RAP. Click the value link to display a dialog box which enables you to configure details of what is reported, how often the node hop value is updated, and view a graphical representation of the report. |

Table 5-57 Queue Mesh Statistics

| Statistic | Description |
|---|---|
| Silver Queue | The average and peak number of packets waiting in the silver (best effort) queue during the defined statistics time interval. Packets dropped and queue size are also summarized. |
| Gold Queue | The average and peak number of packets waiting in the gold (video) queue during the defined statistics time interval. Packets dropped and queue size are also summarized. |
| Platinum Queue | The average and peak number of packets waiting in the platinum (voice) queue during the defined statistics time interval. Packets dropped and queue size are also summarized. |
| Bronze Queue | The average and peak number of packets waiting in the bronze (background) queue during the defined statistics time interval. Packets dropped and queue size are also summarized. |
| Management Queue | The average and peak number of packets waiting in the management queue during the defined statistics time interval. Packets dropped and queue size are also summarized. |

Table 5-58 Security Mesh Statistics

| Statistic | Description |
|---|---|
| Packets Transmitted | Summarizes the total number of packets transmitted during security negotiations by the selected mesh access point. |
| Packets Received | Summarizes the total number of packets received during security negotiations by the selected mesh access point. |
| Association Request Failures | Summarizes the total number of association request failures that occur between the selected mesh access point and its parent. |
| Association Request Timeouts | Summarizes the total number of association request timeouts that occur between the selected mesh access point and its parent. |
| Association Request Success | Summarizes the total number of successful association requests that occur between the selected mesh access point and its parent. |
| Authentication Request Failures | Summarizes the total number of failed authentication requests that occur between the selected mesh access point and its parent. |
| Authentication Request Timeouts | Summarizes the total number of authentication request timeouts that occur between the selected mesh access point and its parent. |
| Authentication Request Success | Summarizes the total number of successful authentication requests between the selected mesh access point and its parent mesh node. |
| Reassociation Request Failures | Summarizes the total number of failed reassociation requests between the selected mesh access point and its parent. |
| Reassociation Request Timeouts | Summarizes the total number of reassociation request timeouts between the selected mesh access point and its parent. |
| Reassociation Request Success | Summarizes the total number of successful reassociation requests between the selected mesh access point and its parent. |
| Reauthentication Request Failures | Summarizes the total number of failed reauthentication requests between the selected mesh access point and its parent. |
| Reauthentication Request Timeouts | Summarizes the total number of reauthentication request timeouts that occurred between the selected mesh access point and its parent. |
| Reauthentication Request Success | Summarizes the total number of successful reauthentication requests that occurred between the selected mesh access point and its parent. |
| Invalid Association Request | Summarizes the total number of invalid association requests received by the parent mesh access point from the selected child mesh access point. This state might occur when the selected child is a valid neighbor but is not in a state that allows association. |
| Unknown Association Requests | Summarizes the total number of unknown association requests received by the parent mesh access point from its child. The unknown association requests often occur when a child is an unknown neighbor mesh access point. |
| Invalid Reassociation Request | Summarizes the total number of invalid reassociation requests received by the parent mesh access point from a child. This might happen when a child is a valid neighbor but is not in a proper state for reassociation. |
| Unknown Reassociation Request | Summarizes the total number of unknown reassociation requests received by the parent mesh access point from a child. This might happen when a child mesh access point is an unknown neighbor. |
| Invalid Reauthentication Request | Summarizes the total number of invalid reauthentication requests that occurred between the selected mesh access point and its parent. This state might occur when the selected mesh access point is a valid neighbor but is not in a state that allows reauthentication. |

Mesh Links Tab
Table 5-59 lists the Mesh Links tab fields.
Note
This tab is visible only for mesh access points. You can click the Mesh Link Alarms and Mesh Link Events links to view the relevant alarms and events.
Table 5-59 Mesh Links Tab Fields

| Field | Description |
|---|---|
| Type | The type of the access point. |
| AP Name | The name assigned to the access point. |
| AP MAC Address | The MAC address of the access point. |
| PER | The Packet Error Rate measured from the total packets that are transmitted in the link test. |
| Link Detail | Click to view the details of the mesh link alarms, mesh link events, and link metrics. |
| Link Test | The test used to measure the air link quality between the AP and the neighbor AP. |
| Channel | The channel number of the mesh access point. |
| Link SNR (dB) | The air link SNR measured between the AP and the neighbor AP. |
| SNR Down | The Signal Noise Ratio measured on the air link from the AP to the neighbor AP. |
| SNR Up | The Signal Noise Ratio measured on the air link from the neighbor AP to the AP. |

Note
Click the Edit View link to add, remove or reorder columns in the Mesh Links table. See the “Configuring the List of Access Points Display” section for adding a new field using the Edit View.
Retrieving the Unique Device Identifier on Controllers and Access Points
The unique device identifier (UDI) standard uniquely identifies products across all Cisco hardware product families, enabling customers to identify and track Cisco products throughout their business and network operations and to automate their asset management systems. The standard is consistent across all electronic, physical, and standard business communications. The UDI consists of five data elements:
- The orderable product identifier (PID)
- The version of the product identifier (VID)
- The serial number (SN)
- The entity name
- The product description
The UDI is burned into the EEPROM of controllers and lightweight access points at the factory and can be retrieved through the GUI.
To retrieve the UDI on controllers and access points, perform the following steps:
Step 1
Choose Monitor > Controllers/Access Points. The Controllers/Access Points page appears.
Step 2
Click the IP address of the controller/access point whose UDI information you want to retrieve. Data elements of the controller/access point UDI display. These elements are described in Table 5-60.
Table 5-60 Maximum Number of Crypto Cards That Can Be Installed on a Cisco Wireless LAN Controller

| Controller | Maximum Number of Crypto Cards |
|---|---|
| Cisco 2000 Series | None |
| Cisco 4100 Series | One |
| Cisco 4400 Series | Two |

Monitoring Coverage Holes
Coverage holes are areas where clients cannot receive a signal from the wireless network. The Cisco Unified Network Solution radio resource management (RRM) identifies these coverage hole areas and reports them to Prime Infrastructure, enabling the IT manager to fill holes based on user demand.
Prime Infrastructure is informed about the reliability-detected coverage holes by the controllers. Prime Infrastructure alerts the user about these coverage holes. For more information on finding coverage holes, refer to Cisco Context-Aware Services documentation at this location:
http://www.cisco.com/en/US/docs/wireless/mse/3350/5.2/CAS/configuration/guide/msecg_ch7_CAS.html
Note
Coverage holes are displayed as alarms. Pre-coverage holes are displayed as events.
Monitoring Pre-Coverage Holes
To view pre-coverage hole events, perform these steps:
Step 1
Choose Monitor > Events to display all current events.
Step 2
To view pre-coverage hole events only, click the Advanced Search link.
Step 3
In the New Search page, change the Search Category drop-down to Events.
Step 4
From the Event Category drop-down list, choose Pre Coverage Hole, and click Go.
The Pre-Coverage Hole Events page provides the information described in Table 5-61.
Table 5-61 Pre-Coverage Hole Fields

| Field | Description |
|---|---|
| Severity | Pre-coverage hole events are always considered informational (Info). |
| Client MAC Address | MAC address of the client affected by the pre-coverage hole. |
| AP MAC Address | MAC address of the applicable access point. |
| AP Name | The name of the applicable access point. |
| Radio Type | The radio type (802.11b/g or 802.11a) of the applicable access point. |
| Power Level | Access point transmit power level: 1 = Maximum power allowed per country code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, and 5 = 0.195 to 6.25% power. |
| Client Type | Client type can be any of the following: laptop(0), pc(1), pda(2), dot11mobilephone(3), dualmodephone(4), wgb(5), scanner(6), tabletpc(7), printer(8), projector(9), videoconfsystem(10), camera(11), gamingsystem(12), dot11deskphone(13), cashregister(14), radiotag(15), rfidsensor(16), server(17). |
| WLAN Coverage Hole Status | Determines if the current coverage hole state is enabled or disabled. |
| WLAN | The name for this WLAN. |
| Date/Time | The date and time the event occurred. Click the title to toggle between ascending and descending order. |

Step 5
Choose a Client MAC Address to view pre-coverage hole details.
- General—Provides the following information:
  – Client MAC Address
  – AP MAC Address
  – AP Name
  – Radio Type
  – Power Level
  – Client Type
  – Category
  – Created
  – Generated By
  – Device AP Address
  – Severity
- Neighbor AP’s—Indicates the MAC addresses of nearby access points, their RSSI values, and their radio types.
- Message—Describes what device reported the pre-coverage hole and on which controller it was detected.
- Help—Provides additional information, if available, for handling the event.
Monitoring Rogue Access Points
This section describes security solutions for rogue devices. A rogue device is an unknown access point or client that is detected by managed access points in your network.
Rogue access points can disrupt wireless LAN operations by hijacking legitimate clients and using plain-text or other denial of service or man-in-the-middle attacks. That is, a hacker can use a rogue access point to capture sensitive information, such as usernames and passwords. The hacker can then transmit a series of clear-to-send (CTS) frames. This action mimics an access point informing a particular client to transmit and instructing all others to wait, which results in legitimate clients being unable to access network resources. Therefore, wireless LAN service providers have a strong interest in banning rogue access points from the air space.
Because rogue access points are inexpensive and readily available, employees sometimes plug unauthorized rogue access points into existing LANs and build ad-hoc wireless networks without IT department knowledge or consent. These rogue access points can be a serious breach of network security as they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. Even more alarming, wireless users frequently publish insecure access point locations, increasing the odds of having enterprise security breached.
Detecting Rogue Devices
The controllers continuously monitor all nearby access points and automatically discover and collect information on rogue access points and clients. When a controller discovers a rogue access point, it uses the Rogue Location Discovery Protocol (RLDP) to determine if the rogue is attached to your network.
Note
Prime Infrastructure consolidates all of the controllers' rogue access point data.
You can configure controllers to use RLDP on all access points or only on access points configured for monitor (listen-only) mode. The latter option facilitates automated rogue access point detection in a crowded RF space, allowing monitoring without creating unnecessary interference and without affecting regular data access point functionality. If you configure a controller to use RLDP on all access points, the controller always chooses the monitor access point for RLDP operation if a monitor access point and a local (data) access point are both nearby. If RLDP determines that the rogue is on your network, you can choose to either manually or automatically contain the detected rogue. See the “Configuring Rogue Policies” section for information on enabling RLDP.
Note
Rogue access point partitions are associated with one of the detecting access points (the one with the latest or strongest RSSI value). If there is detecting access point information, the Prime Infrastructure uses the detecting controller. If the rogue access point is detected by two controllers which are in different partitions, the rogue access point partition might be changed at any time.
Classifying Rogue Access Points
Classification and reporting of rogue access points occur through the use of rogue states and user-defined classification rules that enable rogues to automatically move between states. You can create rules that enable the controller to organize and display rogue access points as Friendly, Malicious, or Unclassified.
Note
Prime Infrastructure consolidates all of the controllers' rogue access point data.
By default, none of the classification rules are enabled. Therefore, all unknown access points are categorized as Unclassified. When you create a rule, configure conditions for it, and enable the rule, the unclassified access points are reclassified. Whenever you change a rule, it is applied to all access points (friendly, malicious, and unclassified) in the Alert state only.
Note
Rule-based rogue classification does not apply to ad-hoc rogues and rogue clients.
Note
The 5500 series controllers support up to 2000 rogues (including acknowledged rogues); the 4400 series controllers, Cisco WiSM, and Catalyst 3750G Integrated Wireless LAN Controller Switch support up to 625 rogues; and the 2100 series controllers and Controller Network Module for Integrated Services Routers support up to 125 rogues. Each controller limits the number of rogue containments to three per radio (or six per radio for access points in monitor mode).
When the controller receives a rogue report from one of its managed access points, it responds as follows:
1. The controller verifies that the unknown access point is in the friendly MAC address list. If it is, the controller classifies the access point as Friendly.
2. If the unknown access point is not in the friendly MAC address list, the controller starts applying rogue classification rules.
3. If the rogue is already classified as Malicious, Alert or Friendly, Internal or External, the controller does not reclassify it automatically. If the rogue is classified differently, the controller reclassifies it automatically only if the rogue is in the Alert state.
4. The controller applies the first rule based on priority. If the rogue access point matches the criteria specified by the rule, the controller classifies the rogue according to the classification type configured for the rule.
5. If the rogue access point does not match any of the configured rules, the controller classifies the rogue as Unclassified.
6. The controller repeats the previous steps for all rogue access points.
7. If RLDP determines that the rogue access point is on the network, the controller marks the rogue state as Threat and classifies it as Malicious automatically, even if no rules are configured. You can then manually contain the rogue (unless you have configured RLDP to automatically contain the rogue), which would change the rogue state to Contained. If the rogue access point is not on the network, the controller marks the rogue state as Alert, and you can manually contain the rogue.
8. If desired, you can manually move the access point to a different classification type and rogue state.
As mentioned previously, the controller can automatically change the classification type and rogue state of an unknown access point based on user-defined rules, or you can manually move the unknown access point to a different classification type and rogue state. Table 5-62 shows the allowable classification types and rogue states from and to which an unknown access point can be configured.
Table 5-62 Allowable Classification Type and Rogue State Transitions

| From | To |
|---|---|
| Friendly (Internal, External, Alert) | Malicious (Alert) |
| Friendly (Internal, External, Alert) | Unclassified (Alert) |
| Friendly (Alert) | Friendly (Internal, External) |
| Malicious (Alert, Threat) | Friendly (Internal, External) |
| Malicious (Contained, Contained Pending) | Malicious (Alert) |
| Unclassified (Alert, Threat) | Friendly (Internal, External) |
| Unclassified (Contained, Contained Pending) | Unclassified (Alert) |
| Unclassified (Alert) | Malicious (Alert) |

If the rogue state is Contained, you have to uncontain the rogue access point before you can change the classification type. If you want to move a rogue access point from Malicious to Unclassified, you must delete the access point and allow the controller to reclassify it.
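The report-handling steps and Table 5-62 above, worked through in Python as an added example; this is not Cisco's controller code. The `Rogue` and `Rule` types, the sample MAC addresses and SSIDs, the lower-number-first rule priority, and the Internal/External state stored with each friendly-list entry are assumptions made for the illustration.

```python
from dataclasses import dataclass
from itertools import product
from typing import Callable, Dict, Iterable, Optional, Set, Tuple

ClassState = Tuple[str, str]  # (classification type, rogue state)

# Table 5-62 as printed: (from type, from states, to type, to states).
TABLE_5_62 = [
    ("Friendly", ("Internal", "External", "Alert"), "Malicious", ("Alert",)),
    ("Friendly", ("Internal", "External", "Alert"), "Unclassified", ("Alert",)),
    ("Friendly", ("Alert",), "Friendly", ("Internal", "External")),
    ("Malicious", ("Alert", "Threat"), "Friendly", ("Internal", "External")),
    ("Malicious", ("Contained", "Contained Pending"), "Malicious", ("Alert",)),
    ("Unclassified", ("Alert", "Threat"), "Friendly", ("Internal", "External")),
    ("Unclassified", ("Contained", "Contained Pending"), "Unclassified", ("Alert",)),
    ("Unclassified", ("Alert",), "Malicious", ("Alert",)),
]
# Expand every row into individual (from, to) pairs.
ALLOWED: Set[Tuple[ClassState, ClassState]] = {
    ((ft, fs), (tt, ts))
    for ft, fstates, tt, tstates in TABLE_5_62
    for fs, ts in product(fstates, tstates)
}


@dataclass
class Rogue:
    mac: str
    ssid: str = ""                         # hypothetical attribute for sample rules
    classification: Optional[str] = None   # None: first report, not yet classified
    state: Optional[str] = None


@dataclass
class Rule:
    priority: int                          # assumption: lower number is applied first
    classification: str                    # "Friendly" or "Malicious"
    matches: Callable[[Rogue], bool]       # hypothetical stand-in for rule conditions
    enabled: bool = False                  # the page: no rule is enabled by default


def pinned(r: Rogue) -> bool:
    """Step 3: rogues the controller does not reclassify automatically."""
    if r.classification is None:
        return False
    if (r.classification, r.state) == ("Malicious", "Alert"):
        return True
    if r.classification == "Friendly" and r.state in ("Internal", "External"):
        return True
    return r.state != "Alert"              # otherwise only Alert-state rogues move


def process_report(r: Rogue, friendly_list: Dict[str, str], rules: Iterable[Rule],
                   rldp_on_network: bool) -> ClassState:
    """Steps 1-5 and 7 of the list above, for one rogue report."""
    friendly = {m.lower(): s for m, s in friendly_list.items()}
    if r.mac.lower() in friendly:                        # step 1
        return ("Friendly", friendly[r.mac.lower()])     # assumed stored state
    if pinned(r):                                        # step 3
        return (r.classification, r.state)
    classification = "Unclassified"                      # step 5 default
    for rule in sorted((x for x in rules if x.enabled), key=lambda x: x.priority):
        if rule.matches(r):                              # step 4: first match wins
            classification = rule.classification
            break
    if rldp_on_network:                                  # step 7, even with no rules
        return ("Malicious", "Threat")
    return (classification, "Alert")


def manual_move(src: ClassState, dst: ClassState) -> Tuple[bool, str]:
    """Check an operator-requested move against Table 5-62 and the text after it."""
    if (src, dst) in ALLOWED:
        return True, "listed in Table 5-62"
    if src[1] in ("Contained", "Contained Pending") and src[0] != dst[0]:
        return False, "uncontain the rogue before changing its classification type"
    if src[0] == "Malicious" and dst[0] == "Unclassified":
        return False, "delete the rogue and let the controller reclassify it"
    return False, "not listed in Table 5-62"


# Constructed sample data (not from the page).
FRIENDLY = {"00:11:22:33:44:55": "External"}
RULES = [
    Rule(2, "Friendly", lambda r: r.ssid == "lab-test", enabled=True),
    Rule(1, "Malicious", lambda r: r.ssid.startswith("corp"), enabled=True),
]

if __name__ == "__main__":
    for rogue in (Rogue("00:11:22:33:44:55"), Rogue("aa:bb:cc:00:00:01", "corp-wifi"),
                  Rogue("aa:bb:cc:00:00:02", "cafe")):
        print(rogue.mac, process_report(rogue, FRIENDLY, RULES, rldp_on_network=False))
    print(manual_move(("Malicious", "Contained"), ("Friendly", "Internal")))
```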
Rogue access point classification types include:
- Malicious—Detected but untrusted or unknown access points with a malicious intent within the system. They also refer to access points that fit the user-defined malicious rules or have been manually moved from the friendly access point classification. See the “Malicious Rogue APs” section for more information.
- Friendly—Known, acknowledged, or trusted access points. They also refer to access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained. See the “Friendly Rogue APs” section for more information. For more information on configuring friendly access point rules, see the “Configuring a Friendly Access Point Template” section.
- Unclassified—Rogue access points that are not classified as either malicious or friendly. These access points can be contained and can be moved manually to the friendly rogue access point list. See the “Unclassified Rogue APs” section for more information.
Malicious Rogue APs
Malicious rogue access points are detected but untrusted or unknown access points with a malicious intent within the system. They also refer to access points that fit the user-defined malicious rules or have been manually moved from the friendly access point classification.
The Security dashboard of the Prime Infrastructure home page displays the number of malicious rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active malicious rogue access points.
Malicious rogue access point states include:
- Alert—Indicates that the access point is not on the neighbor list or part of the user-configured Friendly AP list.
- Contained—The unknown access point is contained.
- Threat—The unknown access point is found to be on the network and poses a threat to WLAN security.
- Contained Pending—Indicates that the containment action is delayed due to unavailable resources.
- Removed—This unknown access point was seen earlier but is not seen now.
Click an underlined number in any of the time period categories for detailed information regarding the malicious rogue access points. See the “Monitoring Rogue Access Points” section for more information.
Friendly Rogue APs
Friendly rogue access points are known, acknowledged or trusted access points. They also refer to access points that fit the user-defined friendly rogue access point rules. Friendly rogue access points cannot be contained.
Note
Only Prime Infrastructure users can add a rogue access point MAC address to the Friendly AP list. Prime Infrastructure does not apply the Friendly AP MAC address to controllers.
The Security dashboard of the Prime Infrastructure home page displays the number of friendly rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active friendly rogue access points.
Friendly rogue access point states include the following:
- Internal—If the unknown access point is inside the network and poses no threat to WLAN security, you would manually configure it as Friendly, Internal. For example, the access points in your lab network.
- External—If the unknown access point is outside the network and poses no threat to WLAN security, you would manually configure it as Friendly, External. For example, the access points belonging to a neighboring coffee shop.
- Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly AP list.
Click an underlined number in any of the time period categories for detailed information regarding the friendly rogue access points. See the “Monitoring Rogue Access Points” section for more information.
To delete a rogue access point from the Friendly AP list, ensure that both the Prime Infrastructure and controller remove the rogue access point from the Friendly AP list. Change the rogue access point from Friendly AP Internal or External to Unclassified or Malicious Alert.
Unclassified Rogue APs
An unclassified rogue access point refers to a rogue access point that is not classified as either malicious or friendly. These access points can be contained and can be moved manually to the friendly rogue access point list.
The Security dashboard of the Prime Infrastructure home page displays the number of unclassified rogue access points for each applicable state for the past hour, the past 24 hours, and the total number of active unclassified rogue access points.
Unclassified rogue access point states include:
- Pending—On first detection, the unknown access point is put in the Pending state for 3 minutes. During this time, the managed access points determine if the unknown access point is a neighbor access point.
- Alert—The unknown access point is not on the neighbor list or part of the user-configured Friendly AP list.
- Contained—The unknown access point is contained.
- Contained Pending—The unknown access point is marked Contained, but the action is delayed due to unavailable resources.
Click an underlined number in any of the time period categories for further information. See the “Monitoring Rogue Access Points” section.
Monitoring Rogue AP Alarms
Rogue access point radios are unauthorized access points detected by one or more Cisco 1000 series lightweight access points. To open the Rogue AP Alarms page, do one of the following:
- Search for rogue APs.
- From the Prime Infrastructure home page, click the Security dashboard. This page displays all the rogue access points detected in the past hour and the past 24 hours. Click the rogue access point number to view the rogue access point alarms.
- Click the Malicious AP number link in the Alarm Summary.
Note
If there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll arrow on each side. Use it to view additional alarms.
Note
Rogue access point partitions are associated with one of the detecting access points (the one with the latest or strongest RSSI value). If there is detecting access point information, the Prime Infrastructure uses the detecting controller. If the rogue access point is detected by two controllers which are in different partitions, the rogue access point partition might be changed at any time.
The Rogue AP Alarms page contains the following fields:
Note
When the Prime Infrastructure polls, some data might change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.
- Severity—Indicates the severity of the alarm including the following icons:
Table 5-63 Alarm Severity Indicator Icons
– Critical
– Major
– Minor
– Warning
– Info
– Unknown
Note When the controller goes down, the controller inventory dashlet shows the controller status as critical, but the radio inventory dashlet retains the last known status. In the Monitor > AP page, the AP alarm status is shown as "Unknown".
– Clear—Appears if the rogue is no longer detected by any access point.
Note Rogues can be detected by multiple access points. If one access point no longer detects the rogue but the other access point does, Clear is not sent.
Note Once the severity of a rogue is Clear, the alarm is deleted from the Prime Infrastructure after 30 days.
You can use the Severity Configuration feature to determine the level of severity for the following rogue access point alarm types:
– Rogue detected
– Rogue detected contained
– Rogue detected on network
See the “Alarm and Event Dictionary” section for more information.
- Rogue MAC Address—Indicates the MAC address of the rogue access points. See the “Viewing Rogue AP Alarm Details” section.
- Vendor—Rogue access point vendor name or Unknown.
- Classification Type—Pending, Malicious, Friendly, or Unclassified.
- Radio Type—Lists all radio types applicable to this rogue access point.
- Strongest AP RSSI—Displays the strongest AP RSSI for this rogue access point across the life of the rogue. The strongest AP RSSI over the life of the rogue displays to indicate the nearest distance that existed between the rogue access point and your building or location. The higher the RSSI, the closer the location.
- No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access point.
Note
This number comes from the Prime Infrastructure database. It is updated every two hours. From the Monitor > Alarms > Alarm Details page, this number is a real-time number. It is updated each time you open the Alarm Details page for this rogue access point.
- Owner—Name of the person to whom this alarm is assigned, or (blank).
- Last Seen Time—Indicates the date and time that the rogue access point was last seen.
- State—Indicates the state of the alarm. Possible states vary depending on the classification type of rogue access point. See the “Classifying Rogue Access Points” section for additional information.
– Malicious rogue states include: Alert, Contained, Threat, Contained Pending, and Removed. See the “Malicious Rogue APs” section for more information.
– Friendly rogue states include: Internal, External, and Alert. See the “Friendly Rogue APs” section for more information.
– Unclassified rogue states include: Pending, Alert, Contained, and Contained Pending. See the “Unclassified Rogue APs” section for more information.
- SSID—Indicates the service set identifier being broadcast by the rogue access point radio. It is blank if the SSID is not being broadcast.
- Map Location—Indicates the map location for this rogue access point.
- Acknowledged—Displays whether or not the alarm is acknowledged by the user.
You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the alarm search functionality. See the “Acknowledging Alarms” section for more information.
Caution
When you choose to contain a rogue device, the following warning appears: “There may be legal issues following this containment. Are you sure you want to continue?” The 2.4- and 5-GHz frequencies in the Industrial, Scientific, and Medical (ISM) band are open to the public and can be used without a license. As such, containing devices on another network could have legal consequences.
Select a command Menu
Select one or more alarms by selecting their respective check boxes, choose one of the following commands from the Select a command drop-down list, and click Go.
- Assign to me—Assign the selected alarm(s) to the current user.
- Unassign—Unassign the selected alarm(s).
- Delete—Delete the selected alarm(s).
- Clear—Clear the selected alarm(s). Indicates that the alarm is no longer detected by any access point.
Note
Once the severity is Clear, the alarm is deleted from the Prime Infrastructure after 30 days.
- Acknowledge Alarm—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page. See the “Acknowledging Alarms” section for more information.
Note
The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the alarm search functionality.
- Unacknowledge Alarm—Unacknowledge an already acknowledged alarm.
- Email Notification—Takes you to the All Alarms > Email Notification page to view and configure email notifications. See the “Monitoring RFID Tags” section for more information.
- Severity Configuration—Allows you to change the severity level for newly-generated alarms. See the “Alarm and Event Dictionary” section for more information.
- Detecting APs—View the Cisco 1000 Series lightweight access points that are currently detecting the rogue access point. See the “Detecting Access Points” section for more information.
- Map (High Resolution)—Click to display a high-resolution map of the rogue access point location.
- Rogue Clients—Click to view a list of rogue clients associated with this rogue access point. The Rogue Clients page displays the Client MAC Address, when it was last heard, its current status, its controller, and the Rogue access point. See the “Viewing Rogue Client Details” section for more information. This information can also be accessed by using the Prime Infrastructure Search feature.
- Set State to ‘Unclassified - Alert’—Choose this command to tag the rogue access point as the lowest threat, continue monitoring the rogue access point, and to turn off Containment. See the “Unclassified Rogue APs” section for more information on Unclassified rogues.
- Set State to ‘Malicious - Alert’—Choose this command to tag the rogue access point as ‘Malicious’. See the “Malicious Rogue APs” section for more information on Malicious rogues.
- Set State to ‘Friendly - Internal’—Choose this command to tag the rogue access point as internal, add it to the Known Rogue APs list, and to turn off Containment. See the “Friendly Rogue APs” section for more information on Friendly rogues.
- Set State to ‘Friendly - External’—Choose this command to tag the rogue access point as external, add it to the Known Rogue APs list, and to turn off Containment. See the “Friendly Rogue APs” section for more information on Friendly rogues.
- 1 AP Containment—Target the rogue access point for containment by one access point. (Lowest containment level.)
- 2 AP Containment—Target the rogue access point for containment by two Cisco 1000 Series lightweight access points.
- 3 AP Containment—Target the rogue access point for containment by three Cisco 1000 Series lightweight access points.
- 4 AP Containment—Target the rogue access point for containment by four Cisco 1000 Series lightweight access points. (Highest containment level.)
Note
The higher the threat of the rogue access point, the higher the containment required.
Caution
Attempting to contain a rogue access point might lead to legal consequences. When you select any of the AP Containment commands and click Go, a message “Containing a Rogue AP may have legal consequences. Do you want to continue?” appears. Click OK if you are sure or click Cancel if you do not wish to contain any access points.
Viewing Rogue AP Alarm Details
Rogue access point radios are unauthorized access points detected by Cisco 1000 Series lightweight access points. Alarm event details for each rogue access point are available in the Rogue AP Alarms list page.
To view alarm events for a rogue access point radio, click the rogue MAC address for the applicable alarm from the Monitor > Alarms page for rogue access point alarms.
Note
All Alarm Details page fields (except No. of Rogue Clients) are populated through polling and are updated every two hours.
The number of rogue clients is a real-time number and is updated each time you access the Alarm Details page for a rogue access point alarm.
When a controller (version 7.4 or 7.5) sends a custom rogue AP alarm, the Prime Infrastructure shows it as an unclassified rogue alarm. This is because the Prime Infrastructure does not support custom rogue AP alarms.
Note
When the Prime Infrastructure polls, some data might change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.
The Alarm Details page displays the following information:
– Rogue MAC Address—MAC address of the rogue access points.
– Vendor—Rogue access point vendor name or Unknown.
Note When a rogue access point alarm displays for Airlink, the vendor displays as Alpha instead of Airlink.
– Rogue Type—Indicates the rogue type such as AP.
– On Network—Indicates how the rogue detection occurred.
Controller—The controller detected the rogue (Yes or No).
Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
– Owner—Indicates the owner or is left blank.
– Acknowledged—Indicates whether or not the alarm is acknowledged by the user.
You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the alarm search functionality. See the “Acknowledging Alarms” section for more information.
– Classification Type—Malicious, Friendly, or Unclassified.
– State—Indicates the state of the alarm. Possible states vary depending on the classification type of rogue access point.
– SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
– Channel Number—Indicates the channel of the rogue access point.
– Containment Level—Indicates the containment level of the rogue access point or Unassigned (not contained).
– Radio Type—Lists all radio types applicable to this rogue access point.
– Strongest AP RSSI—Displays the strongest AP RSSI for this rogue access point across the life of the rogue. The strongest AP RSSI over the life of the rogue displays to indicate the nearest distance that existed between the rogue access point and your building or location. The higher the RSSI, the closer the location.
– No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access point.
Note The number of rogue clients is the only real-time field in the Monitor > Alarm > Alarm Details page. It updates each time you open the Alarm Details page for this rogue access point.
All other fields on the Alarm Details page are populated through polling and are updated every two hours.
– First Seen Time—Indicates the date and time when the rogue access point was first detected. This information is populated from the controller.
– Last Seen Time—Indicates the date and time when the rogue access point was last detected. This information is populated from the controller.
– Modified—Indicates when the alarm event was modified.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” is NMS.
Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them. In this case, “Generated by” is Controller.
– Severity—The severity of the alarm. See Table 5-63 for the list of alarm severity indicator icons.
You can use the Severity Configuration feature to determine the level of severity for rogue access points. See the “Alarm and Event Dictionary” section for more information.
– Previous Severity—The previous severity of the alarm: Critical, Major, Minor, Clear.
– Event Details—Click the Event History link to view the event details.
– Rogue AP History—Click the Rogue AP History link to view the Rogue Alarm details.
– Switch Port Trace Status—Indicates the switch port trace status. Switch port trace status might include: Traced, but not found, Traced and found, Not traced, Failed.
- Switch Port Tracing Details—Provides the most recent switch port tracing details. To view additional trace details, click the Click here for more details link.
- Rogue Clients—Lists rogue clients for this access point including the client MAC address, the last date and time the client was heard, and the current client status. See the “Viewing Rogue Client Details” section for more information.
Note
The number of rogue clients is the only real-time field in the Monitor > Alarm > Alarm Details page. It updates each time you open the Alarm Details page for this rogue access point.
All other fields in the Alarm Details page are populated through polling and are updated every two hours.
- Message—Displays the most recent message regarding this rogue access point. A message is sent for the following: When the rogue access point is first detected, for any trap sent, and for any changed state.
- Annotations—Lists current notes regarding this rogue access point. To add a new note, click New Annotation. Type the note and click Post to save and display the note or Cancel to close the page without saving the note.
- Location Notifications—Displays the number of location notifications logged against the client. Clicking a link displays the notifications.
- Location—Provides location information, if available.
Note
The switch port tracing does not update any of the rogue attributes such as severity, state, and so on. As the rogue attributes are not updated by switch port tracing, alarms would not be triggered if a rogue is discovered to be 'on network' using switch port tracing.
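Because switch port tracing raises no alarm of its own, a rogue that a trace finds on network has to be caught by reviewing the alarm data. The following Python script is an added example, not Cisco code: it triages an exported alarm list, checking each state against the states this guide lists per classification type and flagging traced-and-found rogues that were never escalated. The CSV layout, the sample rows, the dBm RSSI values and the numeric containment levels are assumptions; the column names follow the Alarm Details field labels.

```python
import csv
import io

# States this guide lists for each classification type.
VALID_STATES = {
    "Malicious": {"Alert", "Contained", "Threat", "Contained Pending", "Removed"},
    "Friendly": {"Internal", "External", "Alert"},
    "Unclassified": {"Pending", "Alert", "Contained", "Contained Pending"},
}

# Constructed sample export (assumed CSV layout, constructed MAC addresses).
SAMPLE_EXPORT = """\
Rogue MAC Address,Classification Type,State,Severity,Strongest AP RSSI,Containment Level,Switch Port Trace Status
00:11:22:33:44:01,Unclassified,Alert,Minor,-48,Unassigned,Traced and found
00:11:22:33:44:02,Friendly,External,Info,-81,Unassigned,Not traced
00:11:22:33:44:03,Malicious,Contained,Critical,-55,2,Traced and found
00:11:22:33:44:04,Friendly,Contained,Minor,-60,1,Not traced
00:11:22:33:44:05,Unclassified,Pending,Minor,-70,Unassigned,"Traced, but not found"
"""


def load_rows(text):
    """Parse the exported alarm list into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def normalize_trace_status(value):
    """Fold case, commas and spacing so 'Traced, but not found' and
    'Traced but not found' (both spellings occur in the guide) compare equal."""
    return " ".join(value.replace(",", " ").lower().split())


def triage(rows):
    """Return findings for rows that need an analyst, strongest RSSI first.

    The guide says a higher RSSI means the rogue was closer to the building,
    so the closest devices are reviewed first.
    """
    findings = []
    for row in rows:
        ctype = row["Classification Type"].strip()
        state = row["State"].strip()
        reasons = []

        # Check 1: the state must be one the guide lists for this classification.
        allowed = VALID_STATES.get(ctype)
        if allowed is None:
            reasons.append(f"no documented state list for classification type {ctype!r}")
        elif state not in allowed:
            reasons.append(f"state {state!r} is not listed for {ctype} rogues")

        # Check 2: a trace that found the rogue on network does not change
        # severity or state, so nothing alerts unless someone escalates it.
        traced = normalize_trace_status(row["Switch Port Trace Status"])
        escalated = ctype == "Malicious" or state in ("Contained", "Contained Pending")
        if traced == "traced and found" and not escalated:
            reasons.append("switch port trace found the rogue on network, but it was not escalated")

        if reasons:
            findings.append({
                "mac": row["Rogue MAC Address"],
                "rssi": int(row["Strongest AP RSSI"]),
                "reasons": reasons,
            })

    findings.sort(key=lambda f: f["rssi"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in triage(load_rows(SAMPLE_EXPORT)):
        print(finding["mac"], finding["rssi"], "; ".join(finding["reasons"]))
```

Most exported fields are refreshed only by the two-hour poll, so a finding reflects the last poll rather than the current state of the rogue.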
Select a command Menu
The Select a command drop-down list located in the Rogue AP Alarm Details page provides the following options. Choose an option from the drop-down list, and click Go.
- Assign to me—Assign the selected alarm(s) to the current user.
- Unassign—Unassign the selected alarm(s).
- Delete—Delete the selected alarm(s).
- Clear—Clear the selected alarm(s).
- Acknowledge Alarm—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page. See the “Acknowledging Alarms” section for more information.
Note
The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the alarm search functionality.
- Unacknowledge—Unacknowledge an already acknowledged alarm.
- Trace Switch Port—Click to run a switch port trace for this rogue access point.
- Event History—Click to view a list of events for this rogue access point. See the “Monitoring Rogue Alarm Events” section for more information.
- Refresh from Network—Click to sync up the rogue APs from the network.
- View Detecting AP on Network—View the Cisco 1000 Series lightweight access points that are currently detecting the rogue access point. See the “Detecting Access Points” section for more information.
Note
The Detecting AP Name, Radio, and SSID information might be empty because the information is not available on the controller. Refresh the page after the rogue AP task is completed to see the AP details.
- View Details by Controller—View the classification type and state of the rogue APs reported by the controller.
- Map (High Resolution)—Click to display a high-resolution map of the rogue access point location.
- Rogue Clients—Click to view a list of rogue clients associated with this rogue access point. The Rogue Clients page displays the Client MAC address, when it was last heard, its current status, its controller, and the Rogue access point. See the “Viewing Rogue Client Details” section for more information. This information can also be accessed by using the Prime Infrastructure Search feature.
- Set State to ‘Unclassified - Alert’—Choose this command to tag the rogue access point as the lowest threat, continue monitoring the rogue access point, and to turn off Containment. See the “Unclassified Rogue APs” section for more information on Unclassified rogues.
- Set State to ‘Malicious - Alert’—Choose this command to tag the rogue access point as ‘Malicious’. See the “Malicious Rogue APs” section for more information on Malicious rogues.
- Set State to ‘Friendly - Internal’—Choose this command to tag the rogue access point as internal, add it to the Known Rogue APs list, and to turn off Containment. See the “Friendly Rogue APs” section for more information on Friendly rogues.
- Set State to ‘Friendly - External’—Choose this command to tag the rogue access point as external, add it to the Known Rogue APs list, and to turn off Containment. See the “Friendly Rogue APs” section for more information on Friendly rogues.
- 1 AP Containment—Target the rogue access point for containment by one access point. (Lowest containment level.)
- 2 AP Containment—Target the rogue access point for containment by two Cisco 1000 series lightweight access points.
- 3 AP Containment—Target the rogue access point for containment by three Cisco 1000 series lightweight access points.
- 4 AP Containment—Target the rogue access point for containment by four Cisco 1000 series lightweight access points. (Highest containment level.)
Note
The higher the threat of the rogue access point, the higher the containment required.
Viewing Rogue Client Details
You can view a list of rogue clients in several ways:
- Perform a search for rogue clients using the Prime Infrastructure Search feature.
- View the list of rogue clients for a specific rogue access point from the Alarm Details page for the applicable rogue access point. Click the Rogue MAC address for the applicable rogue client to view the Rogue Client details page.
- In the Alarms Details page of a rogue access point, choose Rogue Clients from the Select a command drop-down list.
The Rogue Clients page displays the Client MAC address, when it was last heard, its current status, its controller, and the associated rogue access point.
Note
Rogue client statuses include: Contained (the controller contains the offending device so that its signals no longer interfere with authorized clients); Alert (the controller forwards an immediate alert to the system administrator for further action); and Threat (the rogue is a known threat).
Click the Client MAC Address for the rogue client to view the Rogue Client details page. The Rogue Client details page displays the following information:
- General—Information includes: client MAC address, number of access points that detected this client, when the client was first and last heard, the rogue access point MAC address, and the client current status.
- Location Notifications—Indicates the number of notifications for this rogue client including: absence, containment, distance, and all. Click the notification number to open the applicable Monitor > Alarms page.
- APs that detected the rogue client—Provides the following information for all access points that detected this rogue client: base radio MAC address, access point name, channel number, radio type, RSSI, SNR, and the date/time that the rogue client was last heard.
- Location—Provides location information, if available.
Note
The higher the threat of the rogue access point, the higher the containment required.
Select a command
The Select a command drop-down list in the Rogue Client details page includes the following options:
- Set State to ‘Unknown - Alert’—Choose this command to tag the rogue client as the lowest threat, continue monitoring the rogue client, and to turn off Containment.
- 1 AP Containment—Target the rogue client for containment by one access point. (Lowest containment level.)
- 2 AP Containment—Target the rogue client for containment by two access points.
- 3 AP Containment—Target the rogue client for containment by three access points.
- 4 AP Containment—Target the rogue client for containment by four access points. (Highest containment level.)
- Map (High Resolution)—Click to display a high-resolution map of the rogue client location.
- Location History—Click to display the history of the rogue client location based on RF fingerprinting.
Viewing Rogue AP History Details
To view the history of rogue AP alarms, click the Rogue AP History link in the Rogue AP Alarm page.
The Rogue AP History page displays the following information:
- Severity—The severity of the alarm.
- Rogue MAC Address—MAC address of the rogue access points.
- Classification Type—Malicious, Friendly, or Unclassified.
- Radio Type—Lists all radio types applicable to this rogue access point.
- Strongest AP RSSI—Displays the strongest AP RSSI for this rogue access point across the life of the rogue. The strongest AP RSSI over the life of the rogue displays to indicate the nearest distance that existed between the rogue access point and your building or location. The higher the RSSI, the closer the location.
- No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access point.
Note
The number of rogue clients is the only real-time field in the Monitor > Alarm > Alarm Details page. It updates each time you open the Alarm Details page for this rogue access point. All other fields on the Alarm Details page are populated through polling and are updated every two hours.
- First Seen Time—Indicates the date and time when the rogue access point was first detected. This information is populated from the controller.
- Last Seen Time—Indicates the date and time when the rogue access point was last detected. This information is populated from the controller.
- State—Indicates the state of the alarm. Possible states vary depending on the classification type of rogue access point.
- SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
- Category—Indicates the category of this alarm such as Security or Prime Infrastructure.
- On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
- Channel Number—Indicates the channel of the ad hoc rogue.
- Containment Level—Indicates the containment level of the ad hoc rogue or Unassigned.
- Switch Port Trace Status—Indicates the switch port trace status. Switch port trace status might include: Traced, but not found, Traced and found, Not traced, Failed.
Click the Rogue MAC address to view the specific rogue AP history details page. The rogue AP history details page displays the above details and also displays the actual alarm message.
Viewing Rogue AP Event History Details
To view the event details of a rogue AP, click the Event History link in the Rogue AP Alarm page.
The Rogue AP Event History page displays the following information:
- Severity—The severity of the alarm.
- Rogue MAC Address—MAC address of the rogue access points.
- Vendor—Rogue access point vendor name or Unknown.
- Classification Type—Malicious, Friendly, or Unclassified.
- On Network—Indicates whether the rogue detection occurred. The controller detected the rogue (Yes or No).
- Date/Time—The date and time that the event was generated.
- Radio Type—Lists all radio types applicable to this rogue access point.
- State—Indicates the state of the alarm. Possible states vary depending on the classification type of rogue access point.
- SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
Monitoring Ad hoc Rogues
If the MAC address of a mobile client operating in an ad hoc network is not in the authorized MAC address list, then it is identified as an ad hoc rogue.
Monitoring Ad hoc Rogue Alarms
The Adhoc Rogue Alarms page displays alarm events for ad hoc rogues. To access the Adhoc Rogue Alarms page, do one of the following:
- Perform a search for ad hoc rogue alarms.
- From the Prime Infrastructure home page, click the Security dashboard. This page displays all the ad hoc rogues detected in the past hour and the past 24 hours. Click the ad hoc rogue number to view the ad hoc rogue alarms.
If there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll arrow on each side. Use this to view additional alarms.
The Adhoc Rogue Alarms page contains the following fields:
Note
When the Prime Infrastructure polls, some data might change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.
- Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
You can use the Severity Configuration feature to determine the level of severity for the following ad hoc rogue alarm types:
– Adhoc Rogue auto contained
– Adhoc Rogue detected
– Adhoc Rogue detected on network
See the “Alarm and Event Dictionary” section for more information.
- Rogue MAC Address—Indicates the MAC address of the rogue. See the “Viewing Ad hoc Rogue Alarm Details” section for more information.
- Vendor—Indicates the ad hoc rogue vendor name, or Unknown.
- Radio Type—Lists all radio types applicable to this rogue access point.
- Strongest AP RSSI—Displays the strongest AP RSSI for this rogue across the life of the rogue. The strongest AP RSSI over the life of the rogue displays to indicate the nearest distance that existed between the rogue and your building or location. The higher the RSSI, the closer the location.
- No. of Rogue Clients—Indicates the number of rogue clients associated to this rogue access point.
Note
The number of rogue clients is the only real-time field in the Monitor > Alarm > Alarm Details page. It updates each time you open the Alarm Details page for this rogue access point.
All other fields in the Alarm Details page are populated through polling and are updated every two hours.
- Owner—Indicates the owner or is left blank.
- Last Seen Time—Indicates the date and time that the alarm was last viewed.
- State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
- SSID—The Service Set Identifier that is being broadcast by the rogue ad hoc radio. It is blank if there is no broadcast.
- Map Location—Indicates the map location for this ad hoc rogue.
- Acknowledged—Displays whether or not the alarm is acknowledged by the user.
You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the alarm search functionality. See the “Acknowledging Alarms” section for more information.
Select a command Menu
Select one or more alarms by selecting their respective check boxes, choose one of the following commands from the Select a command drop-down list, and click Go.
- Assign to me—Assign the selected alarm(s) to the current user.
- Unassign—Unassign the selected alarm(s).
- Delete—Delete the selected alarm(s).
- Clear—Clear the selected alarm(s).
- Acknowledge—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page. See the “Acknowledging Alarms” section for more information.
Note
The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the alarm search functionality.
- Unacknowledge—Unacknowledge an already acknowledged alarm.
- Email Notification—Takes you to the All Alarms > Email Notification page to view and configure email notifications. See the “Monitoring RFID Tags” section for more information.
- Detecting APs—View the access points that are currently detecting the rogue ad hoc. See the “Detecting Access Points” section for more information.
- Map (High Resolution)—Click to display a high-resolution map of the ad hoc rogue location.
- Rogue Clients—Click to view a list of rogue clients associated with this ad hoc rogue. The Rogue Clients page displays the Client MAC Address, when it was last heard, its current status, its controller, and the ad hoc rogue.
- Set State to ‘Alert’—Choose this command to tag the ad hoc rogue as the lowest threat, continue monitoring the rogue access point, and to turn off Containment.
- Set State to ‘Internal’—Choose this command to tag the ad hoc rogue as internal, add it to the Known Rogue APs list, and to turn off Containment.
- Set State to ‘External’—Choose this command to tag the ad hoc rogue as external, add it to the Known Rogue APs list, and to turn off Containment.
- 1 AP Containment—Target the ad hoc rogue for containment by one access point. (Lowest containment level.)
- 2 AP Containment—Target the ad hoc rogue for containment by two access points.
- 3 AP Containment—Target the ad hoc rogue for containment by three access points.
- 4 AP Containment—Target the ad hoc rogue for containment by four access points. (Highest containment level.)
Caution
Attempting to contain an ad hoc rogue might lead to legal consequences. When you select any of the AP Containment commands and click Go, a message “Containing a Rogue AP may have legal consequences. Do you want to continue?” appears. Click OK if you are sure, or click Cancel if you do not want to contain any access points.
Viewing Ad hoc Rogue Alarm Details
Alarm event details for each ad hoc rogue are available from the Adhoc Rogue Alarms page.
To view alarm events for an ad hoc rogue radio, click the applicable Rogue MAC address in the Adhoc Rogue Alarms page.
This page displays alarm events for a rogue access point radio. Rogue access point radios are unauthorized access points detected by Cisco 1000 Series lightweight access points.
Note
When the Prime Infrastructure polls, some data might change or get updated. Because of this, some of the displayed rogue data (including Strongest AP RSSI, No. of Rogue Clients, Channel, SSID, and Radio Types) can change during the life of the rogue.
– Rogue MAC Address—Media Access Control address of the ad hoc rogue.
– Vendor—Ad hoc rogue vendor name or Unknown.
– On Network—Indicates how the rogue detection occurred.
  Controller—The controller detected the rogue (Yes or No).
  Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
– Owner—Indicates the owner or left blank.
– Acknowledged—Indicates whether or not the alarm is acknowledged by the user.
  You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the alarm search functionality. See the “Acknowledging Alarms” section for more information.
– State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
– SSID—Service Set Identifier being broadcast by the ad hoc rogue radio. (Blank if SSID is not broadcast.)
– Channel Number—Indicates the channel of the ad hoc rogue.
– Containment Level—Indicates the containment level of the ad hoc rogue or Unassigned.
– Radio Type—Lists all radio types applicable to this ad hoc rogue.
– Strongest AP RSSI—Indicates the strongest received signal strength indicator for this Prime Infrastructure (including all detecting access points for all controllers and across all detection times).
– No. of Rogue Clients—Indicates the number of rogue clients associated to this ad hoc.
  Note This number comes from the Prime Infrastructure database. It is updated every two hours. In the Monitor > Alarms > Alarm Details page, this number is a real-time number. It is updated each time you open the Alarm Details page for this rogue access point.
– Created—Indicates when the alarm event was created.
– Modified—Indicates when the alarm event was modified.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
  NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” is NMS.
  Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them. In this case, “Generated by” is Controller.
– Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
– Previous Severity—The previous severity of the alarm: Critical, Major, Minor, Clear. Color coded.
- Annotations—Enter any new notes in this box and click Add to update the alarm.
- Message—Displays descriptive information about the alarm.
- Help—Displays the latest information about the alarm.
- Event History—Click to access the Monitor > Events page. See the “Monitoring Events” section for more information.
- Annotations—Lists existing notes for this alarm.
Searching Rogue Clients Using Advanced Search
When the access points on your wireless LAN are powered up and associated with controllers, the Prime Infrastructure immediately starts listening for rogue access points. When a controller detects a rogue access point, it immediately notifies the Prime Infrastructure, which creates a rogue access point alarm.
To find rogue access point alarms using Advanced Search, follow these steps:
Step 1
Click Advanced Search in the top right-hand corner of the Prime Infrastructure main page.
Step 2
Choose Rogue Client from the Search Category drop-down list.
Step 3
(Optional) You can filter the search even further with the other search criteria if desired.
Step 4
Click Search. The list of rogue clients appears.
Step 5
Choose a rogue client by clicking a client MAC address. The Rogue Client detail page appears.
Step 6
To modify the alarm, choose one of these commands from the Select a command drop-down list, and click Go.
- Set State to ‘Unknown-Alert’—Tags the ad hoc rogue as the lowest threat, continues to monitor the ad hoc rogue, and turns off containment.
- 1 AP Containment through 4 AP Containment—Indicates the number of access points (1-4) in the vicinity of the rogue unit that send deauthenticate and disassociate messages to the client devices that are associated to the rogue unit.
- Map (High Resolution)—Displays the current calculated rogue location in the Maps > Building Name > Floor Name page.
- Location History—Displays the history of the rogue client location based on RF fingerprinting.
Note
The client must be detected by an MSE for the location history to appear.
Monitoring Rogue Access Point Location, Tagging, and Containment
When the Cisco Unified Network Solution is monitored using the Prime Infrastructure, the Prime Infrastructure generates the flags as rogue access point traps and displays the known rogue access points by MAC address. The operator can then display a map showing the location of the access points closest to each rogue access point. The next step is to mark them as Known or Acknowledged rogue access points (no further action), Alert rogue access points (watch for and notify when active), or Contained rogue access points (have between one and four access points discourage rogue access point clients by sending the clients deauthenticate and disassociate messages whenever they associate with the rogue access point).
This built-in detection, tagging, monitoring, and containment capability enables system administrators to take appropriate action:
- Locate rogue access points
- Receive new rogue access point notifications, eliminating hallway scans
- Monitor unknown rogue access points until they are eliminated or acknowledged
- Determine the closest authorized access point, making directed scans faster and more effective
- Contain rogue access points by sending their clients deauthenticate and disassociate messages from one to four access points. This containment can be done for individual rogue access points by MAC address or can be mandated for all rogue access points connected to the enterprise subnet.
- Tag rogue access points:
  – Acknowledge rogue access points when they are outside of the LAN and do not compromise the LAN or wireless LAN security
  – Accept rogue access points when they do not compromise the LAN or wireless LAN security
  – Tag rogue access points as unknown until they are eliminated or acknowledged
- Tag rogue access points as contained and discourage clients from associating with the rogue access points by having between one and four access points transmit deauthenticate and disassociate messages to all rogue access point clients. This function applies to all active channels on the same rogue access point.
Detecting Access Points
Use the Detecting Access Points feature to view information about the Cisco lightweight access points that are detecting a rogue access point.
To access the Rogue AP Alarms details page, follow these steps:
Step 1
To display the Rogue AP Alarms page, do one of the following:
- Perform a search for rogue APs.
- In the Prime Infrastructure home page, click the Security dashboard. This dashboard displays all the rogue access points detected in the past hour and the past 24 hours. Click the rogue access point number to view the rogue access point alarms.
- Click the Malicious AP number link in the Alarm Summary box.
Step 2
In the Rogue AP Alarms page, click the Rogue MAC Address for the applicable rogue access point. The Rogue AP Alarms details page appears.
Step 3
From the Select a command drop-down list, choose Detecting APs.
Step 4
Click Go.
Click a list item to display data about that item:
- AP Name
- Radio
- Map Location
- SSID—Service Set Identifier being broadcast by the rogue access point radio.
- Channel Number—Which channel the rogue access point is broadcasting on.
- WEP—Enabled or disabled.
- WPA—Enabled or disabled.
- Pre-Amble—Long or short.
- RSSI—Received signal strength indicator in dBm.
- SNR—Signal-to-noise ratio.
- Containment Type—Type of containment applied from this access point.
- Containment Channels—Channels that this access point is currently containing.
Monitoring Rogue Alarm Events
The Events page enables you to review information about rogue alarm events. The Prime Infrastructure generates an event when a rogue access point is detected or if you make manual changes to a rogue access point (such as changing its state). The Rogue AP Events list page displays all rogue access point events.
To access the Rogue AP Events list page, follow these steps:
Step 1
Do one of the following:
- Perform a search for rogue access point events using the Advanced Search feature of the Prime Infrastructure.
- In the Rogue AP Alarms details page, click Event History from the Select a command drop-down list. See the “Viewing Rogue AP Alarm Details” section for more information.
Step 2
The Rogue AP Events list page displays the following event information.
- Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
- Rogue MAC Address—Click the rogue MAC address to view the Rogue AP Event Details page. See the “Viewing Rogue AP Event Details” section for more information.
- Vendor—Rogue access point vendor name or Unknown.
- Classification Type—Malicious, Friendly, or Unclassified.
- On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
- Radio Type—Lists all radio types applicable to this rogue access point.
- Date/Time—The date and time that the event was generated.
- State—Indicates the state of the alarm. Possible states vary depending on the classification type of rogue access point.
- SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
Viewing Rogue AP Event Details
To view rogue access point event details, follow these steps:
Step 1
In the Rogue AP Events list page, click the Rogue MAC Address link.
Step 2
The Rogue AP Events Details page displays the following information:
- Rogue MAC address
- Vendor—Rogue access point vendor name or Unknown.
- On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
- Classification Type—Malicious, Friendly, or Unclassified.
- State—Indicates the state of the alarm. Possible states vary depending on the classification type of rogue access point.
- SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
- Channel Number—The channel on which the rogue access point is broadcasting.
- Containment Level—Indicates the containment level of the rogue access point or Unassigned.
- Radio Type—Lists all radio types applicable to this rogue access point.
- Created—The date and time that the event was generated.
- Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
  – NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” is NMS.
  – Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them. In this case, “Generated by” is Controller.
- Device IP Address
- Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
- Message—Provides details of the current event.
Monitoring Ad hoc Rogue Events
The Events page enables you to review information about ad hoc rogue events. Prime Infrastructure generates an event when an ad hoc rogue is detected or if you make manual changes to an ad hoc rogue (such as changing its state). The Adhoc Rogue Events list page displays all ad hoc rogue events.
To access the Rogue AP Events list page, follow these steps:
Step 1
Do one of the following:
- Perform a search for ad hoc rogue events using the Advanced Search feature of the Prime Infrastructure.
- In the Adhoc Rogue Alarms details page, click Event History from the Select a command drop-down list. See the “Viewing Ad hoc Rogue Alarm Details” section for more information.
Step 2
The Rogue AP Events list page displays the following event information.
- Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
- Rogue MAC Address—Click the rogue MAC address to view the Rogue AP Event Details page. See the “Viewing Ad hoc Rogue Event Details” section for more information.
- Vendor—Rogue access point vendor name or Unknown.
- On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
- Radio Type—Lists all radio types applicable to this rogue access point.
- Date/Time—The date and time that the event was generated.
- State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
- SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
Viewing Ad hoc Rogue Event Details
To view rogue access point event details, follow these steps:
Step 1
In the Rogue AP Events list page, click the Rogue MAC Address link.
Step 2
The Rogue AP Events Details page displays the following information:
- Rogue MAC Address
- Vendor—Rogue access point vendor name or Unknown.
- On Network—Indicates how the rogue detection occurred.
  – Controller—The controller detected the rogue (Yes or No).
  – Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
- State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
- SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
- Channel Number—The channel on which the rogue access point is broadcasting.
- Containment Level—Indicates the containment level of the rogue access point or Unassigned.
- Radio Type—Lists all radio types applicable to this rogue access point.
- Created—The date and time that the event was generated.
- Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
  – NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” is NMS.
  – Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them. In this case, “Generated by” is Controller.
- Device IP Address
- Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
- Message—Provides details of the current event.
Troubleshooting Unjoined Access Points
When a lightweight access point initially starts up, it attempts to discover and join a wireless LAN controller. After joining the wireless controller, the access point updates its software image if needed and receives all the configuration details for the device and network. After successfully joining the wireless controller, the access point can be discovered and managed by Prime Infrastructure. Until the access point successfully joins a wireless controller the access point cannot be managed by Prime Infrastructure and does not contain the proper configuration settings to allow client access.
Prime Infrastructure provides you with a tool that diagnoses why an access point cannot join a controller and lists corrective actions.
The Unjoined AP page displays a list of access points that have not joined any wireless controllers. All gathered information about the unjoined access point is included in the page. This includes name, MAC address, IP address, controller name and IP address, switch and port that the access point is attached to, and any join failure reason if known.
To troubleshoot unjoined access points, do the following:
Step 1
Choose Monitor > Unjoined APs. The Unjoined APs page appears containing a list of access points that have not been able to join a wireless controller.
Step 2
Select the access point that you wish to diagnose, then click Troubleshoot. An analysis is run on the access point to determine the reason why the access point was not able to join a wireless controller. After performing the analysis, the Unjoined APs page displays the results.
Step 3
If the access point has tried to join multiple wireless controllers and has been unsuccessful, the controllers are listed in the left pane. Select a controller.
Step 4
In the middle pane, you can view what the problem is. It will also list error messages and controller log information.
Step 5
In the right pane, recommendations for solving the problems are listed. Perform the recommended action.
Step 6
If you need to further diagnose a problem, you can run RTTS through the Unjoined AP page. This allows you to see the debug messages from all the wireless controllers that the access point tried to join at one time.
To run RTTS, click the RTTS icon located to the right of the table. The debug messages appear in the table. You can then examine the messages to see if you can determine a cause for the access point not being able to join the controllers.
Monitoring Alarms
Alarms and Events Overview
An event is an occurrence or detection of some condition in and around the network. For example, it can be a report about radio interference crossing a threshold, the detection of a new rogue access point, or a controller rebooting.
Events are not generated by a controller for each and every occurrence of a pattern match. Some pattern matches must occur a certain number of times per reporting interval before they are considered a potential attack. The threshold of these pattern matches is set in the signature file. Events can then generate alarms which further can generate e-mail notifications if configured as such.
An alarm is a Prime Infrastructure response to one or more related events. If an event is considered of high enough severity (critical, major, minor, or warning), the Prime Infrastructure raises an alarm until the resulting condition no longer occurs. For example, an alarm might be raised while a rogue access point is detected, but the alarm terminates after the rogue has not been detected for several hours.
One or more events can result in a single alarm being raised. The mapping of events to alarms is their correlation function. For example, some IDS events are considered to be network wide so all events of that type (regardless of which access point the event is reported from) map to a single alarm. On the other hand, other IDS events are client-specific. For these, all events of that type for a specific client MAC address map to an alarm which is also specific for that client MAC address, regardless of whether multiple access points report the same IDS violation. If the same kind of IDS violation takes place for a different client, then a different alarm is raised.
A Prime Infrastructure administrator currently has no control over which events generate alarms or when they time out. On the controller, individual types of events can be enabled or disabled (such as management, SNMP, trap controls, and so on).
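The event-to-alarm correlation described above, sketched as an added Python example; it is not Prime Infrastructure code. The event type names, the scope table, and the three-hour clear timeout are assumptions made for the illustration, and the sample events are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Severities high enough to raise an alarm, per the overview text.
SEVERITY_RANK = {"warning": 1, "minor": 2, "major": 3, "critical": 4}

# Assumption: hypothetical event types and the scope each correlates on.
EVENT_SCOPE = {
    "ids_deauth_flood": "network",  # network-wide: one alarm for the type
    "ids_assoc_flood": "client",    # client-specific: one alarm per client MAC
}

# Assumption: stands in for "not detected for several hours".
CLEAR_AFTER = timedelta(hours=3)


@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str
    severity: str
    reporting_ap: str
    client_mac: Optional[str] = None


@dataclass
class Alarm:
    key: tuple
    severity: str
    first_seen: datetime
    last_seen: datetime
    event_count: int = 0
    reporting_aps: set = field(default_factory=set)
    cleared: bool = False


def normalize_mac(mac: str) -> str:
    """Canonical lower-case hex, so one client always yields one alarm key."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def correlation_key(ev: Event) -> tuple:
    """Map an event to the alarm it belongs to; the reporting AP is ignored
    for network-wide and client-specific types."""
    scope = EVENT_SCOPE.get(ev.kind, "source")
    if scope == "network":
        return (ev.kind,)
    if scope == "client":
        if ev.client_mac is None:
            raise ValueError(f"{ev.kind} event without a client MAC")
        return (ev.kind, normalize_mac(ev.client_mac))
    # Assumption: unlisted types correlate per reporting access point.
    return (ev.kind, ev.reporting_ap)


def correlate(events, now: datetime) -> list:
    """Fold events into alarms; an alarm clears once its condition has not
    been seen for CLEAR_AFTER, and a later recurrence raises a new alarm."""
    active, alarms = {}, []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.severity not in SEVERITY_RANK:
            continue  # e.g. informational: stays an event, raises no alarm
        key = correlation_key(ev)
        alarm = active.get(key)
        if alarm is not None and ev.when - alarm.last_seen > CLEAR_AFTER:
            alarm.cleared = True
            alarm = None
        if alarm is None:
            alarm = Alarm(key, ev.severity, ev.when, ev.when)
            active[key] = alarm
            alarms.append(alarm)
        alarm.event_count += 1
        alarm.last_seen = ev.when
        alarm.reporting_aps.add(ev.reporting_ap)
        if SEVERITY_RANK[ev.severity] > SEVERITY_RANK[alarm.severity]:
            alarm.severity = ev.severity
    for alarm in alarms:
        if now - alarm.last_seen > CLEAR_AFTER:
            alarm.cleared = True
    return alarms


# Constructed sample events (not real controller output).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "ids_deauth_flood", "major", "AP-1"),
    Event(T0 + timedelta(minutes=5), "ids_deauth_flood", "critical", "AP-2"),
    Event(T0 + timedelta(minutes=10), "ids_assoc_flood", "minor", "AP-1", "00:11:22:AA:BB:CC"),
    Event(T0 + timedelta(minutes=12), "ids_assoc_flood", "minor", "AP-3", "0011.22aa.bbcc"),
    Event(T0 + timedelta(minutes=15), "ids_assoc_flood", "minor", "AP-1", "00:11:22:AA:BB:DD"),
    Event(T0 + timedelta(minutes=20), "ids_assoc_flood", "informational", "AP-1", "00:11:22:AA:BB:EE"),
    Event(T0 + timedelta(hours=6), "ids_deauth_flood", "major", "AP-1"),
]
SAMPLE_NOW = T0 + timedelta(hours=6, minutes=10)

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS, SAMPLE_NOW):
        state = "cleared" if a.cleared else "active"
        print(a.key, a.severity, a.event_count, sorted(a.reporting_aps), state)
```

Seven events collapse into four alarms here: the two reports of the same client from different access points share one alarm, and the network-wide type is raised again as a new alarm only because it recurs after the clear timeout.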
Viewing List of Alarms
Choose Monitor > Alarms to access the Alarm Browser page which provides a list of alarms. You can also hover your mouse cursor over Alarm Browser on the toolbar at the bottom of the Prime Infrastructure page to view the Alarm Browser page.
The Alarm Browser lists the following information for each alarm:
- Severity—Severity of the alarm which can be:
  – Critical
  – Major
  – Minor
  – Warning
  – Informational
- Status—Status of the alarm.
- Timestamp—Date and time that the alarm occurred.
- Category—Category assigned to the alarm such as rogue AP, controller, switch, and security.
- Condition—Condition that caused the alarm.
- Owner—Name of the person to whom this alarm is assigned, if one was entered.
- Message—Messages about the alarm.
- Failure Source—Indicates the source of the event (including name and/or MAC address).
Note
By default, acknowledged alarms are not shown in the Alarm Browser page. To change this, choose Administration > Settings > Alarms, then unselect the Hide Acknowledged Alarms check box. You must unselect the preference of hiding acknowledged alarms if you want acknowledged alarms to show in the Prime Infrastructure Alarm Summary and alarms lists page.
Use the check box to select one or more alarms. To select all alarms displayed in the Alarm Browser, click the topmost box. See the “Modifying Alarms” section for more information.
Filtering Alarms
In the Monitor > Alarms page, you can filter the alarms that are displayed in the Alarm Browser.
Choose Monitor > Alarms, then from the Show drop-down list, select one of the following filters:
- Quick Filter—Enter text in any of the boxes to display alarms that contain the text you enter. For example, if you enter AP in the Category field, AP and Rogue AP alarms are displayed. It provides an optional filtered view of alarms for wired and wireless alarms.
- Advance Filter—This filter provides an advanced alarm search capability. It provides the ability to search on specific fields with various conditions such as contains, does not contain, starts with, ends with, and so on. Additionally, advanced filters allow nesting of AND/OR conditions. Select the category and operator, enter criteria in the text field to compare against, then do the following:
  – Click + to add an additional filter or - to remove a filter you specified.
  – Click Go to apply your filter.
  – Click Clear Filter to clear the entries you entered.
  – Click the disc icon to save your filter. Enter a name for the filter you want to save, then click Save.
Note
When you select a preset filter and click the filter button, the filter criteria are dimmed. You can only see the filter criteria but you cannot change them. When All is selected to view all the entries, clicking the filter button shows the Quick Filter options, where you can filter the data using the filterable fields. You can also use the free-form box to enter text to filter the table.
- All—Displays all alarms.
- Manage Preset Filter—Displays any previously saved filters and allows you to edit and delete previously saved filters.
- Assigned to Me—Displays all alarms assigned to you.
- Unassigned Alarms—Displays all unassigned alarms.
- Alarms in Last 5 Minutes
- Alarms in Last 15 Minutes
- Alarms in Last 30 Minutes
- Alarms in the last hour
- Alarms in the last 8 hours
- Alarms in the last 24 hours
- Alarms in last 7 days
- All wired alarms—Displays all alarms for wired devices.
- All wireless alarms—Displays all alarms for wireless devices.
Viewing Alarm Details
You can view alarm details in the Monitor > Alarms page by clicking the expand icon to the far left of the Monitor > Alarms page for the alarm for which you want to see details. The details that are displayed depend on the alarm type you selected (see Table 5-64 ).
Table 5-64 Viewing Alarm Details
Failure Source | Indicates the source of the event (including name and/or MAC address). |
Owner | Name of person to which this alarm is assigned, or blank. |
Acknowledged | Displays whether or not the alarm is acknowledged by the user. |
Category | The category of the alarm (for example, AP, Rogue AP, or Security). |
Created | Month, day, year, hour, minute, second, AM or PM alarm created. |
Modified | Month, day, year, hour, minute, second, AM or PM alarm last modified. |
Generated By | Device that generated the alarm. |
Severity | Level of security: Critical, Major, Minor, Warning, Clear, Info. |
Previous Severity | The severity of the alarm after the most recent polling cycle. |
Device Name | Name of the device. |
Device Address | IP address of the device. |
Device Contact | Contact information for the device. |
Device Location | Location of the device. |
Device Status | Status of the device. |
| Device information retrieved from log messages. |
| Lists current notes regarding this rogue access point. To add a new note, click New Annotation. Type the note and click Post to save and display the note or Cancel to close the page without saving the note. |
In the Alarms list page, you can also view the events for the alarm you selected as explained in the “Viewing Events Related to Alarms” section.
Viewing Events Related to Alarms
When you select Monitor > Alarms page, you can view alarm summary information by hovering your mouse cursor over an alarm severity in the Severity column and clicking the icon that appears.
A dialog appears displaying the top 5 events related to the alarm you selected.
Click Events to display all events associated with the selected alarm.
Modifying Alarms
In the Monitor > Alarms page, you can modify the alarms by selecting the check box next to an alarm and then clicking one of the tasks at the top of the Alarm Browser page:
Note
The alarms that appear in the Monitor > Alarms page depend on the settings you specify on the Administration > Settings page. See the “Modifying Alarm Settings” section for more information.
- Change Status—Change the alarm status to one of the following:
  – Acknowledge—You can acknowledge the alarm. By default, acknowledged alarms are not displayed in the Alarm Browser page. Acknowledged alarms remain in the Prime Infrastructure and you can search for all acknowledged alarms using the alarm search functionality. See the “Acknowledging Alarms” section for more information.
  – Unacknowledge—You can choose to unacknowledge an already acknowledged alarm.
  – Clear—Clear the selected alarm(s). The alarm is removed from the Alarm Browser. Cleared alarms remain in the Prime Infrastructure and you can search for all cleared alarms using the alarm search functionality.
Note
Once the severity is Clear, the alarm is deleted from the Prime Infrastructure after 30 days by default. You can modify this setting in the Administration > Settings page.
- Assign—For the selected alarm, you can do the following:
  – Assign to me—Assigns the alarm to the specified user.
  – Unassign—Removes the specified owner from the alarm.
- Annotation—Enter an annotation for the selected alarm, then click Post. The annotation you entered appears when you view the alarm details.
- Delete—Delete the selected alarm(s). Indicates that the alarm is no longer detected by any device.
Specifying Email Notifications for Alarms
In the Monitor > Alarms page, you can set up e-mail notifications for alarms based on the alarm category and severity level.
Step 1
Choose Monitor > Alarms, then click Email Notification.
Step 2
Select the Enable check box next to the alarm category for which you want to set up e-mail notifications, then click Save.
Prime Infrastructure sends e-mail notifications when alarms for the categories you specified occur.
Modifying the Alarm Browser
Choose Monitor > Alarms to view a list of alarms. You can also click Alarm Browser on the toolbar at the bottom of the Prime Infrastructure home page. You can modify the following information displayed in the Alarm Browser:
- To reorder the columns, drag and drop the column headings into any position.
- Click a column heading to sort the information by that column. By default, the column is sorted in descending order. Click the column heading again to sort the column in ascending order.
Note
Not every column is sortable. Hover your mouse cursor over a column heading, and the Prime Infrastructure displays whether the column is sortable.
- To customize which columns are displayed, click the Settings icon, then click Columns. Select the check box next to columns you want to appear, and unselect the boxes for the columns you do not want to appear in the Alarm Browser page.
Viewing the Alarm Summary
When the Prime Infrastructure receives an alarm message from a controller, switch, or Prime Infrastructure, it displays an alarm indicator in the Alarm Summary. The Alarm Summary is at the bottom of the Prime Infrastructure home page and displays the total count of critical, major, and minor alarms currently detected by the Prime Infrastructure. Hover your mouse cursor over the Alarm Summary, and the alarm details are displayed.
Note
The alarms that appear in the Alarm Summary and Monitor > Alarms pages depend on the settings you specify in the Administration > Settings page. By default, acknowledged alarms are not shown. See the “Modifying Alarm Settings” section for more information.
Alarms are color coded as follows:
- Red—Critical Alarm
- Orange—Major Alarm
- Yellow—Minor Alarm
Alarms indicate the current fault or state of an element, and alarms are usually generated by one or more events. The alarm can be cleared but the event remains. See the “Alarms and Events Overview” section for more information about alarms.
Note
By default, alarm counts refresh every minute. You can modify when alarms are refreshed in the Administration > User Preferences page.
When you hover your mouse cursor over the Alarm Summary, a pop-up page appears listing the number of critical, major, and minor alarms for each alarm category. You can specify which alarm categories are displayed in the Alarm Summary on the Administration > User Preferences page. By default, all categories are displayed:
- Alarm Summary—Displays a summary of the total alarms for all alarm categories.
- AP—Display counts for AP alarms such as AP Disassociated from controller, Thresholds violation for Load, Noise or Interference, AP Contained as Rogue, AP Authorization Failure, AP regulatory domain mismatch, or Radio card Failure.
- Context Aware Notifications
- Controller—Displays counts for controller alarms, such as reachability problems from the Prime Infrastructure and other controller failures (fan failure, POE controller failure, AP license expired, link down, temperature sensor failure, and low temperature sensed).
- Coverage Hole—Displays counts for coverage hole alarms generated for access points whose clients are not having enough coverage set by thresholds. See the “Monitoring Maps” section for more information.
- Mesh Links—Displays counts for mesh link alarms, such as poor SNR, console login, excessive parent change, authorization failure, or excessive association failure.
- Mobility Services—Displays counts for location alarms such as reachability problems from the Prime Infrastructure and location notifications (In/Out Area, Movement from Marker, or Battery Level).
- Prime Infrastructure—Displays counts for the Prime Infrastructure alarms.
- Performance—Displays counts for performance alarms.
- Rogue AP—Displays counts for malicious rogue access points alarms.
- Rogue Adhoc—Displays counts for unclassified rogue access point alarms.
- Security—Displays counts for security alarms such as Signature Attacks, AP Threats/Attacks, and Client Security Events.
- Switch—Displays counts for switch alarms such as authentication errors.
Modifying Alarm Settings
You can modify the following settings for alarms:
Modifying Alarm Count Refresh Rate
By default, alarm counts refresh every minute. You can modify the refresh rate by selecting Administration > User Preferences, and then choosing a new value for the Refresh Alarm Count from the Alarm Summary Every menu.
Configuring Alarm Severity Levels
The Administration > Settings > Severity Configuration page allows you to change the severity level for newly generated alarms.
Note
Existing alarms remain unchanged.
To reconfigure the severity level for a newly generated alarm, follow these steps:
Step 1
Choose Administration > Settings.
Step 2
From the left sidebar menu, choose Severity Configuration.
Step 3
Select the check box of the alarm condition whose severity level you want to change.
Step 4
From the Configure Security Level drop-down list, choose from the following severity levels:
- Critical
- Major
- Minor
- Warning
- Informational
- Reset to Default
Step 5
Click Go.
Step 6
Click OK to confirm the change or Cancel to leave the security level unchanged.
Working with Alarms
You can view, assign, and clear alarms and events on access points and the mobility services engine using Prime Infrastructure.
This section also describes how to have e-mail notifications of alarms sent to you and contains the following topics:
Assigning and Unassigning Alarms
To assign and unassign an alarm to yourself, follow these steps:
Step 1
Perform an advanced search for access point alarms.
Step 2
Select the alarms that you want to assign to yourself by selecting their corresponding check boxes.
Note
To unassign an alarm assigned to you, unselect the check box next to the appropriate alarm. You cannot unassign alarms assigned to others.
Step 3
From the Select a command drop-down list, choose Assign to me (or Unassign), and click Go.
If you choose Assign to me, your username appears in the Owner column. If you choose Unassign, the username column is empty.
Deleting and Clearing Alarms
To delete or clear an alarm from a mobility services engine, follow these steps:
Step 1
In the Monitor > Alarms page, select the alarms that you want to delete or clear by selecting their corresponding check boxes.
Note
If you delete an alarm, the Prime Infrastructure removes it from its database. If you clear an alarm, it remains in the Prime Infrastructure database, but in the Clear state. You clear an alarm when the condition that caused it no longer exists.
Step 2
From the Select a command drop-down list, choose Delete or Clear, and click Go.
Note
To set up cleanup of old alarms and cleared alarms, choose Administration > Settings > Alarms. See the “Alarm and Event Dictionary” section for more information.
Acknowledging Alarms
You might want certain alarms to be removed from the Alarms List. For example, if you are continuously receiving an interference alarm from a certain access point on the 802.11g interface, you might want to stop that access point from being counted as an active alarm on the Alarm Summary page or any alarms list. In this scenario, you can find the alarm for the 802.11g interface in the Alarms list, select the check box, and choose Acknowledge from the Select a command drop-down list.
Now if the access point generates a new violation on the same interface, the Prime Infrastructure does not create a new alarm, and the Alarm Summary page shows no new alarms. However, if the interference violation is created on another interface, such as 802.11a, a new alarm is created.
By default, acknowledged alarms are not displayed in either the Alarm Summary page or any alarm list page. Also, no e-mail messages are generated for these alarms after you have marked them as acknowledged. By default, acknowledged alarms are not included for any search criteria. To change this default, go to the Administration > Settings > Alarms page and unselect the Hide Acknowledged Alarms check box.
When you acknowledge an alarm, the following warning appears as a reminder that a recurrence of the problem does not generate another alarm unless this functionality is disabled.
Note
When you acknowledge an alarm, a warning displays as a reminder that a recurrence of the problem does not generate another alarm unless this functionality is disabled. Choose Administration > User Preferences to disable this warning message.
You can also search for all previously acknowledged alarms to reveal the alarms that were acknowledged during the last seven days. Prime Infrastructure automatically deletes cleared alerts that are more than seven days old so your results can only show activity for the last seven days. Until an existing alarm is deleted, a new alarm cannot be generated for any managed entity for which the Prime Infrastructure has already generated an alarm.
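Because an acknowledged alarm absorbs later violations on the same interface without raising a new alarm or e-mail, the events list is the only place a recurrence shows up. The following added example (not Cisco code) pairs acknowledged alarms with later events for the same failure source and category; the dictionary layout, timestamp format and sample rows are constructed assumptions, not a Prime Infrastructure export format.

```python
"""Find recurrences hidden behind acknowledged alarms.

Added example, not Cisco code. The dictionary layout is an assumption that
reuses column names from the Alarms and Events pages; all rows are constructed.
"""
from collections import defaultdict
from datetime import datetime

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed timestamp layout

# Severity names used in this guide; a lower rank is more severe.
SEVERITY_RANK = {"Critical": 0, "Major": 1, "Minor": 2, "Warning": 3,
                 "Informational": 4, "Information": 4, "Cleared": 5}

LOBBY_BG = "AP lobby-ap1, Interface 802.11b/g"   # constructed failure sources
LOBBY_A = "AP lobby-ap1, Interface 802.11a"
DOCK_BG = "AP dock-ap7, Interface 802.11b/g"

# Constructed alarm rows (columns from the alarm list pages).
ALARMS = [
    {"Severity": "Minor", "Failure Source": LOBBY_BG, "Category": "AP",
     "Date/Time": "2024-03-01 09:00:00", "Acknowledged": "Yes"},
    {"Severity": "Minor", "Failure Source": LOBBY_A, "Category": "AP",
     "Date/Time": "2024-03-02 11:30:00", "Acknowledged": "No"},
    {"Severity": "Major", "Failure Source": DOCK_BG, "Category": "Security",
     "Date/Time": "2024-03-02 08:00:00", "Acknowledged": "Yes"},
]

# Constructed event rows (columns from the Monitor > Events page).
EVENTS = [
    {"Time": "2024-03-01 09:00:00", "Severity": "Minor", "Category": "AP",
     "Failure Source": LOBBY_BG, "Description": "Interference threshold violated"},
    {"Time": "2024-03-03 14:10:00", "Severity": "Minor", "Category": "AP",
     "Failure Source": LOBBY_BG, "Description": "Interference threshold violated"},
    {"Time": "2024-03-04 02:45:00", "Severity": "Critical", "Category": "AP",
     "Failure Source": LOBBY_BG, "Description": "Interference threshold violated"},
    {"Time": "2024-03-02 11:30:00", "Severity": "Minor", "Category": "AP",
     "Failure Source": LOBBY_A, "Description": "Interference threshold violated"},
    {"Time": "2024-03-02 08:00:00", "Severity": "Major", "Category": "Security",
     "Failure Source": DOCK_BG, "Description": "Security event"},
]


def _when(text):
    """Parse a timestamp in the assumed layout."""
    return datetime.strptime(text, TIME_FORMAT)


def hidden_recurrences(alarms, events):
    """Return one finding per acknowledged alarm that kept receiving events.

    An event counts as a recurrence when it has the same failure source and
    category as the alarm and a strictly later timestamp. Per the guide, such
    a recurrence on an acknowledged alarm creates no new alarm and no e-mail.
    """
    events_by_key = defaultdict(list)
    for event in events:
        events_by_key[(event["Failure Source"], event["Category"])].append(event)

    findings = []
    for alarm in alarms:
        if alarm["Acknowledged"].strip().lower() != "yes":
            continue  # unacknowledged alarms are still counted in the summary
        raised = _when(alarm["Date/Time"])
        key = (alarm["Failure Source"], alarm["Category"])
        later = [e for e in events_by_key.get(key, []) if _when(e["Time"]) > raised]
        if not later:
            continue
        worst = min(later, key=lambda e: SEVERITY_RANK[e["Severity"]])
        last = max(later, key=lambda e: _when(e["Time"]))
        findings.append({
            "failure_source": alarm["Failure Source"],
            "category": alarm["Category"],
            "alarm_severity": alarm["Severity"],
            "recurrences": len(later),
            "worst_severity": worst["Severity"],
            "last_seen": last["Time"],
            # True when a hidden event outranks the alarm that was acknowledged.
            "escalated": (SEVERITY_RANK[worst["Severity"]]
                          < SEVERITY_RANK[alarm["Severity"]]),
        })
    # Escalated findings first, then the noisiest sources.
    findings.sort(key=lambda f: (not f["escalated"], -f["recurrences"]))
    return findings


if __name__ == "__main__":
    for finding in hidden_recurrences(ALARMS, EVENTS):
        print(finding)
```

Acknowledged alarms are excluded from searches by default, so the alarm rows for this check are only available after unselecting the Hide Acknowledged Alarms check box or searching specifically for acknowledged alarms.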
Monitoring Access Point Alarms
The Access Point Alarms page displays the access point based alarms on your network.
To access the AP alarms page, do one of the following:
- Perform a search for AP alarms.
- Click the Access Point number link in the Alarm Summary box.
The Monitor AP Alarms page contains the following fields:
- Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
- Failure Source—Device that generated the alarm.
- Owner—Name of the person to whom this alarm is assigned, or blank.
- Date/Time—The time at which the alarm was generated.
- Message—The associated message displayed in the Prime Infrastructure alarm browser.
- Category—Indicates the category assigned to the alarm such as rogue AP, controller, switch, and security.
- Condition—Condition that caused the alarm.
- Acknowledged—Displays whether or not the alarm is acknowledged by the user. See the “Acknowledging Alarms” section for more information.
Monitoring Air Quality Alarms
The Air Quality Alarms page displays air quality alarms on your network.
To access the air quality alarms page, do one of the following:
- Perform a search for Performance alarms.
- Click the Performance number link in the Alarm Summary box.
The Monitor Air Quality Alarms page contains the following fields:
- Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
- Failure Source—Device that generated the alarm.
- Owner—Name of the person to whom this alarm is assigned, or blank.
- Date/Time—The time at which the alarm was generated.
- Message—The associated message displayed in the Prime Infrastructure alarm browser.
- Acknowledged—Displays whether or not the alarm is acknowledged by the user. See the “Acknowledging Alarms” section for more information.
Select a command Menu
Select one or more alarms by selecting their respective check boxes, choose one of the following commands from the Select a command drop-down list, and click Go.
- Assign to me—Assign the selected alarm(s) to the current user.
- Unassign—Unassign the selected alarm(s).
- Clear—Clear the selected alarm(s).
- Delete—Delete the selected alarm(s).
- Acknowledge—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page. See the “Acknowledging Alarms” section for more information.
Note
The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the alarm search functionality.
- Unacknowledge—Unacknowledge an already acknowledged alarm.
- Email Notification—Takes you to the All Alarms > Email Notification page to view and configure e-mail notifications. See the “Monitoring RFID Tags” section for more information.
Monitoring CleanAir Security Alarms
The CleanAir Security Alarms page displays security alarms on your network.
To access the security alarms page, do one of the following:
- Perform a search for Security alarms.
- Click the Security number link in the Alarm Summary box.
The Monitor CleanAir Security Alarms page contains the following fields:
- Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
- Failure Source—Device that generated the alarm.
- Owner—Name of the person to whom this alarm is assigned, or blank.
- Date/Time—The time at which the alarm was generated.
- Message—The associated message displayed in the Prime Infrastructure alarm browser.
- Acknowledged—Displays whether or not the alarm is acknowledged by the user. See the “Acknowledging Alarms” section for more information.
Select a command Menu
Select one or more alarms by selecting their respective check boxes, choose one of the following commands from the Select a command drop-down list, and click Go.
- Assign to me—Assign the selected alarm(s) to the current user.
- Unassign—Unassign the selected alarm(s).
- Clear—Clear the selected alarm(s).
- Delete—Delete the selected alarm(s).
- Acknowledge—Acknowledge the alarm to prevent it from showing up in the Alarm Summary page. See the “Acknowledging Alarms” section for more information.
Note
The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the alarm search functionality.
- Unacknowledge—Unacknowledge an already acknowledged alarm.
- Email Notification—Takes you to the All Alarms > Email Notification page to view and configure e-mail notifications. See the “Monitoring RFID Tags” section for more information.
Monitoring Email Notifications
Prime Infrastructure includes a built-in e-mail notification function which can notify the network operator when critical alarms occur.
The Email Notification page allows you to add a filter for each alert category. The severity level is set to critical by default when the alert category is enabled, but you can choose a different severity level for different categories. E-mail notifications are generated only for the severity levels that are configured.
To configure e-mail notifications, follow these steps:
Step 1
Choose Monitor > Alarms from Classic View.
or
Choose Operate > Alarms & Events from Life Cycle View.
Step 2
From the Select a command drop-down list, choose Email Notification.
Step 3
Click Go.
Step 4
Click an Alarm Category to edit severity level and e-mail recipients for its e-mail notifications.
Step 5
Select the severity level check box(es) (Critical, Major, Minor, or Warning) for which you want a notification sent.
Step 6
Enter the notification recipient e-mail addresses in the To text box.
Note
Separate multiple e-mail addresses with a comma.
Step 7
Click OK.
Step 8
Select the Enabled check box for applicable alarm categories to activate the delivery of e-mail notifications.
Step 9
Click OK.
Monitoring Severity Configurations
You can change the severity level for newly generated alarms.
Note
Existing alarms remain unchanged.
To change the severity level of newly generated alarms, follow these steps:
Step 1
Choose Administration > Settings.
Step 2
Choose Severity Configuration from the left sidebar menu.
Step 3
Select the check box of the alarm condition for which you want to change the severity level.
Step 4
From the Configure Severity Level drop-down list, choose the new severity level (Critical, Major, Minor, Warning, Informational, Reset to Default).
Step 5
Click Go.
Step 6
Click OK to confirm the change.
Monitoring Cisco Adaptive wIPS Alarms
Alarms from Cisco Adaptive wIPS DoS (denial of service) and security penetration attacks are classified as security alarms. You can view these wIPS alarms and their details in the Monitor > Alarms page.
To view a list of wIPS DoS and security penetration attack alarms, follow these steps:
Step 1
Perform a search for Security alarms using the Advanced Search feature.
The following information is provided for wIPS alarms:
- Severity—Severity levels include critical, major, info, warning, and clear.
- Failure Object—Displays the name and IP or MAC address of the object for which the alarm was generated. Click the Failure Object to view alarm details. See the “Monitoring Cisco Adaptive wIPS Alarm Details” section for more information on viewing wIPS alarm details.
- Date/Time—Displays the date and time that the alarm occurred.
- Message—Displays a message explaining why the alarm occurred (such as the applicable wIPS policy).
- Acknowledged—Displays whether or not the alarm is acknowledged by the user.
- Category—Indicates the category of this alarm such as Security.
- Condition—Displays a description of what caused this alarm to be triggered.
When there are multiple alarm pages, the page numbers are displayed at the top of the page with a scroll arrow on each side. Use this to view additional alarms.
To add, remove, or reorder columns in the table, click the Edit View link to go to the Edit View page.
Select a command
Using the Select a command drop-down list, you can perform the following actions on the selected alarms:
- Assign to me—Assign the selected alarm(s) to the current user.
- Unassign—Unassign the selected alarm(s).
- Delete—Delete the selected alarm(s).
- Clear—Clear the selected alarm(s).
- Acknowledge—You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the alarm search functionality.
- Unacknowledge—You can choose to unacknowledge an already acknowledged alarm.
- Email Notification—Takes you to the All Alarms > Email Notification page to view and configure e-mail notifications.
To perform an action on the selected alarm, follow these steps:
Step 1
Select an alarm by selecting its check box.
Step 2
From the Select a command drop-down list, select the applicable command.
Step 3
Click Go.
Monitoring Cisco Adaptive wIPS Alarm Details
Choose Monitor > Alarms > failure object to view details of the selected Cisco wIPS alarm. The following alarm details are provided for Cisco Adaptive wIPS alarms:
– Detected By wIPS AP—The access point that detected the alarm.
– wIPS AP IP Address—The IP address of the wIPS access point.
– Owner—Name of the person to whom this alarm is assigned, or left blank.
– Acknowledged—Displays whether or not the alarm is acknowledged by the user.
– Category—For wIPS, the alarm category is Security.
– Created—Month, day, year, hour, minute, second, AM or PM that the alarm was created.
– Modified—Month, day, year, hour, minute, second, AM or PM that the alarm was last modified.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” is NMS.
Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them. In this case, “Generated by” is Controller.
– Severity—Level of severity including critical, major, info, warning, and clear.
– Last Disappeared—The date and time that the potential attack last disappeared.
– Channel—The channel on which the potential attack occurred.
– Attacker Client/AP MAC—The MAC address of the client or access point that initiated the attack.
– Attacker Client/AP IP Address—The IP address of the client or access point that initiated the attack.
– Target Client/AP IP Address—The IP address of the client or access point targeted by the attacker.
– Controller IP Address—The IP address of the controller to which the access point is associated.
– MSE—The IP address of the associated mobility services engine.
– Controller MAC address—The MAC address of the controller to which the access point is associated.
– wIPS access point MAC address
– Forensic File
– Event History—Takes you to the “Monitoring Alarms” page to view all events for this alarm.
- Annotations—Enter any new notes in this text box, and click Add to update the alarm. Notes are displayed in the “Annotations” display area.
- Messages—Displays information about the alarm.
- Audit Report—Click to view config audit alarms details. This report is only available for Config Audit alarms.
Configuration audit alarms are generated when audit discrepancies are enforced on config groups.
Note
If enforcement fails, a critical alarm is generated on the config group. If enforcement succeeds, a minor alarm is generated on the config group.
The alarms have links to the audit report where you can view a list of discrepancies for each controller.
- Rogue Clients—If the failure object is a rogue access point, information about rogue clients is displayed.
Select a command
Select one or more alarms by selecting their respective check boxes, and click Go.
- Assign to me—Assign the selected alarm(s) to the current user.
- Unassign—Unassign the selected alarm(s).
- Delete—Delete the selected alarm(s).
- Clear—Clear the selected alarm(s).
- Acknowledge—You can acknowledge the alarm to prevent it from showing up in the Alarm Summary page. The alarm remains in the Prime Infrastructure and you can search for all Acknowledged alarms using the alarm search functionality.
- Unacknowledge—You can choose to unacknowledge an already acknowledged alarm.
- Email Notification—Takes you to the All Alarms > Email Notification page to view and configure e-mail notifications.
- Event History—Takes you to the Monitor Alarms > Events page to view events for Rogue Alarms.
Monitoring Events
One or more events might generate an abnormal state or alarm. The alarm can be cleared, but the event remains. Choose Monitor > Events to access the Events page, which displays the following information:
- Description—Describes the event details.
- Time—Indicates the date and time the event was generated.
- Severity—Event severities include: Critical, Major, Minor, Warning, Cleared, or Information.
- Failure Source—Indicates the source of the event (including name and/or MAC address).
- Category—Type of event such as Rogue AP, Security, or AP.
Click any column heading to sort by that column.
Use the quickview icon to disclose more information on the event. The additional information for the event is divided into general information and the message. The general information includes the failure source, the category, severity, generated time, and IP address. The message of the event is also displayed.
Note
Events also have preset, quick, and advanced filters similar to those for alarms. These filters work in the same way as the filters in alarms.
When you filter the table using the Search feature, the Events page might display additional information. The additional information includes the following:
– Access Point Name
– Failed Clients—Number of clients that failed due to the coverage hole.
– Total Clients—Total number of clients affected by the coverage hole.
– Radio Type—The radio type (802.11b/g or 802.11a) of the applicable access point.
– Coverage Threshold
– Vendor—Rogue access point vendor name or Unknown.
– Classification Type—Indicates the type of rogue access point including Malicious, Friendly, or Unclassified.
– On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
– Radio Type—Lists all radio types applicable to this rogue access point.
– State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
– SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
Note
See the “Monitoring Rogue Alarm Events” section or the “Viewing Rogue AP Event Details” section for more information on rogue access points events.
– Vendor—Rogue access point vendor name or Unknown.
– On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
– Radio Type—Lists all radio types applicable to this rogue access point.
– State—Indicates the state of the alarm. Possible states for ad hoc rogues include Threat, Alert, Internal, External, Contained, Contained Pending, and Removed.
– SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
– Detected By—IP address of the device that detected the interference.
– ID—ID of the device that detected the interference.
- Mesh Links
- Client
- Context Aware Notification
- Pre Coverage Hole
– Client MAC Address—MAC address of the client affected by the Pre Coverage Hole.
– AP MAC Address—MAC address of the applicable access point.
– Radio Type—The radio type (802.11b/g or 802.11a) of the applicable access point.
– Power Level—Access Point transmit power level (1 = Maximum power allowed per Country Code setting, 2 = 50% power, 3 = 25% power, 4 = 6.25 to 12.5% power, 5 = 0.195 to 6.25% power).
– Client Type—Client type can be laptop(0), pc(1), pda(2), dot11mobilephone(3), dualmodephone(4), wgb(5), scanner(6), tabletpc(7), printer(8), projector(9), videoconfsystem(10), camera(11), gamingsystem(12), dot11deskphone(13), cashregister(14), radiotag(15), rfidsensor(16), server(17)
– WLAN Coverage Hole Status
If there is more than one page of events, the number of pages is displayed with a scroll arrow on each side. Use this to view additional events.
Searching Events
Use the Prime Infrastructure Search feature to find specific events or to create and save custom searches. See the Search Methods section in the Cisco Prime Infrastructure 2.0 User Guide for additional information.
Monitoring Failure Objects
Note
The event categories Location Servers and Location Notifications appear only in the Cisco NCS Location version.
Choose Monitor > Events, then click the expand icon to the far left of the Monitor > Events page for the event for which you want to see details. Details about the event are displayed. Depending on the type of event you selected, the associated details vary.
– Failure Source—Indicates the source of the event (including name and/or MAC address).
– Category—Type of alarm such as Security or AP.
– Generated—Date and time that the event was generated.
– Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” is NMS.
Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them. In this case, “Generated by” is Controller.
– Device IP Address—IP address of the alarm-generating device.
– Severity—Level of severity including critical, major, info, warning, and clear.
- Messages—Message explaining why the event occurred.
Monitoring Events for Rogue APs
Choose Monitor > Events. Click an item in the Description column to display the alarm events for a rogue access point radio. Rogue access point radios are unauthorized access points detected by controllers. The following fields appear:
General
- Rogue MAC Address
- Vendor
- On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
- Owner—Name of the person to whom this alarm is assigned, or (blank).
- State—State of this radio relative to the network or Port. Rogue access point radios appear as “Alert” when first scanned by the Port, or as “Pending” when operating system identification is still underway.
- SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
- Containment Level—An access point which is being contained is either unable to provide service at all, or provides exceedingly slow service. There is a level associated with the containment activity which indicates how many Cisco 1000 series lightweight access points to use in containing the threat. This service must be initiated and halted by the administrator. Containment Type - Contained if the rogue access point clients have been contained at Level 1 through Level 4 under Update Status, otherwise Unassigned.
- Channel—Indicates the band at which the ad hoc rogue is broadcasting.
- Radio Type—Lists all radio types applicable to this rogue access point.
- Created—Date and time that the event occurred.
- Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
– NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” is NMS.
– Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them. In this case, “Generated by” is Controller.
- Device IP Address—IP address of the alarm-generating device.
- Severity—Level of severity, Critical, Major, Minor, Warning, Clear, Info. Color coded.
Message—Displays descriptive information about the alarm.
Help—Displays information about the alarm.
Note
Use the Advanced Search feature to find specific events. See the Search Methods section in the Cisco Prime Infrastructure 2.0 User Guide for more information.
Monitoring Events for Ad hoc Rogues
Choose Monitor > Events. Click an item in the Description column to display ad hoc rogue event details.
General
- Rogue MAC Address
- Vendor
- On Network—Indicates how the rogue detection occurred.
– Controller—The controller detected the rogue (Yes or No).
– Switch Port Trace—The rogue was detected by a switch port trace. Indicated by one of the following: Traced but not found, Traced and found, Not traced.
- Owner—Name of the person to whom this alarm is assigned, or (blank).
- State—State of this radio relative to the network or Port. Rogue access point radios appear as “Alert” when first scanned by the Port, or as “Pending” when operating system identification is still underway.
- SSID—Service Set Identifier being broadcast by the rogue access point radio. (Blank if SSID is not broadcast.)
- Containment Level—An access point which is being contained is either unable to provide service at all, or provides exceedingly slow service. There is a level associated with the containment activity which indicates how many Cisco 1000 series lightweight access points to use in containing the threat. This service must be initiated and halted by the administrator. Containment Type - Contained if the rogue access point clients have been contained at Level 1 through Level 4 under Update Status, otherwise Unassigned.
- Channel—Indicates the band at which the ad hoc rogue is broadcasting.
- Created—Date and time that the event occurred.
- Generated By—Indicates how the alarm event was generated (either NMS or from a trap).
– NMS (Network Management System - Prime Infrastructure)—Generated through polling. Prime Infrastructure periodically polls the controllers and generates events. Prime Infrastructure generates events when the traps are disabled or when the traps are lost for those events. In this case, “Generated by” is NMS.
– Trap—Generated by the controller. Prime Infrastructure processes these traps and raises corresponding events for them. In this case, “Generated by” is Controller.
- Device IP Address—IP address of the alarm-generating device.
- Severity—Level of severity, Critical, Major, Minor, Warning, Clear, Info. Color coded.
Message—Displays descriptive information about the alarm.
Help—Displays information about the alarm.
Monitoring Cisco Adaptive wIPS Events
Choose Monitor > Events to view wIPS events. One or more events might generate an abnormal state or alarm. The alarm can be cleared, but the event remains. For more information regarding monitoring events, see the “Monitoring Events” section.
The following sections provide additional information regarding Cisco Adaptive wIPS:
Perform an events search to narrow the results to mobility services engine or Security events only. To view mobility services engine or Security events, choose Monitor > Events.
Note
If there is more than one page of events, the number of pages is displayed with a scroll arrow on each side. Use this to view additional events.
Monitoring CleanAir Air Quality Events
You can use the Prime Infrastructure to view the events generated on the air quality of the wireless network.
To view air quality events, follow these steps:
Step 1
Click Advanced Search in the Prime Infrastructure.
The New Search page appears.
Step 2
In the New Search page, choose Events from the Search Category drop-down list.
Step 3
From the Severity drop-down list, choose the severity for which you want to search the air quality events.
Step 4
From the Event Category drop-down list, choose Performance.
Step 5
Click Go.
The air quality events page displays the following information:
- Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
- Failure Source—Device that generated the alarm.
- Date/Time—The time at which the alarm was generated.
Viewing Air Quality Event Details
To view air quality event details, follow these steps:
Step 1
From the Air Quality Events page, click an item under Failure Source to access the alarm details page. See the “Monitoring CleanAir Air Quality Events” section.
Step 2
The air quality event page displays the following information:
- Failure Source—Device that generated the alarm.
- Category—The category this event comes under. In this case, Performance.
- Created—The time stamp at which the event was generated.
- Generated by—The device that generated the event.
- Device IP Address—The IP address of the device that generated the event.
- Severity—The severity of the event.
- Alarm Details—A link to the related alarms associated with this event. Click the link to learn more about the alarm details.
- Message—Describes the air quality index on this access point.
Monitoring Interferer Security Risk Events
You can use the Prime Infrastructure to view the security events generated on your wireless network.
To view interferer security events, follow these steps:
Step 1
Click Advanced Search in the Prime Infrastructure.
The New Search page appears.
Step 2
In the New Search page, choose Events from the Search Category drop-down list.
Step 3
From the Severity drop-down list, choose the severity for which you want to search the air quality events.
Step 4
From the Event Category drop-down list, choose Security.
Step 5
Click Go.
The interferer security events page displays the following information:
- Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
- Failure Source—Device that generated the alarm.
- Date/Time—The time at which the alarm was generated.
Viewing Interferer Security Risk Event Details
To view interferer security event details, follow these steps:
Step 1
In the Interferer Security Event details page, click an item under Failure Source to access the alarm details page. See the “Monitoring Interferer Security Risk Events” section.
Step 2
The air quality event page displays the following information:
- Failure Source—Device that generated the alarm.
- Category—The category this event comes under. In this case, Security.
- Created—The time stamp at which the event was generated.
- Generated by—The device that generated the event.
- Device IP Address—The IP address of the device that generated the event.
- Severity—The severity of the event.
- Alarm Details—A link to the related alarms associated with this event. Click the link to learn more about the alarm details.
- Message—Describes the interferer device affecting the access point.
Monitoring Health Monitor Events
You can use the Prime Infrastructure to view the events generated by the Health Monitor.
To view the health monitor events, follow these steps:
Step 1
Click Advanced Search in the Prime Infrastructure.
The New Search page appears.
Step 2
In the New Search page, choose Events from the Search Category drop-down list.
Step 3
From the Severity drop-down list, choose the severity of the health monitor events you want to search for.
Step 4
From the Event Category drop-down list, choose Prime Infrastructure.
Step 5
Click Go.
The Health Monitor Events page displays the following information:
- Severity—Indicates the severity of the alarm. See Table 5-63 for a list of severity indicator icons.
- Failure Source—Device that generated the alarm.
- Date/Time—The time at which the alarm was generated.
- Message—Describes the health details.
Viewing Health Monitor Event Details
To view health monitor event details, follow these steps:
Step 1
In the Health Monitor Events page, click an item under Failure Source to access the alarm details page. See the “Monitoring Health Monitor Events” section.
Step 2
The Health Monitor Events page displays the following information:
- Failure Source—Device that generated the alarm.
- Category—The category this event comes under. In this case, Prime Infrastructure.
- Created—The time stamp at which the event was generated.
- Generated by—The device that generated the event.
- Device IP Address—The IP address of the device that generated the event.
- Severity—The severity of the event.
- Alarm Details—A link to the related alarms associated with this event. Click the link to learn more about the alarm details.
- Message—Describes the event through a message.
Working with Events
You can use the Prime Infrastructure to view mobility services engine and access point events. You can search and display events based on their severity (critical, major, minor, warning, clear, info) and event category, or you can search for a mobility services engine or access point by its IP address, MAC address, or name.
A successful event search displays the event severity, failure object, date and time of the event, and any messages for each event.
To display events, follow these steps:
Step 1
In the Prime Infrastructure, click Monitor > Events.
Step 2
In the Events page:
- If you want to display the events for a specific element and you know its IP address, MAC address, or Name, enter that value in the Quick Search text box (left pane). Click Go.
- To display events by severity and category, choose the appropriate options from the Severity and Event Category drop-down lists (left pane). Click Search.
Step 3
If the Prime Infrastructure finds events that match the search criteria, it displays a list of these events.
Note
For more information about an event, click the failure object associated with the event. Additionally, you can sort the events summary by each of the column headings.