Monitoring Wireless LANs
This chapter describes how to use WCS to monitor your wireless LANs. It contains these sections:
•Monitoring Rogue Access Points
•Finding Coverage Holes
•Pinging a Network Device from a Controller
•Viewing Controller Status and Configurations
•Viewing WCS Statistics Reports
Monitoring Rogue Access Points
Because unauthorized rogue access points are inexpensive and readily available, employees sometimes plug them into existing LANs and build ad hoc wireless networks without IT department knowledge or consent. These rogue access points can be a serious breach of network security because they can be plugged into a network port behind the corporate firewall. Because employees generally do not enable any security settings on the rogue access point, it is easy for unauthorized users to use the access point to intercept network traffic and hijack client sessions. Even more alarming, wireless users frequently publish unsecure access point locations, increasing the odds of having the enterprise security breached.
Rather than having a person with a scanner manually detect rogue access points, the Cisco Wireless LAN Solution automatically collects information on rogue access points detected by its managed access points (by MAC and IP address) and allows the system operator to locate, tag, and contain them. It can also be used to discourage rogue access point clients by sending them deauthenticate and disassociate messages from one to four access points.
Rogue Access Point Location, Tagging, and Containment
This built-in detection, tagging, monitoring, and containment capability enables system administrators to take appropriate action:
•Locate rogue access points
•Receive new rogue access point notifications, eliminating hallway scans
•Monitor unknown rogue access points until they are eliminated or acknowledged
•Determine the closest authorized access point, making directed scans faster and more effective
•Contain rogue access points by sending their clients deauthenticate and disassociate messages from one to four access points. This containment can be done for individual rogue access points by MAC address or can be mandated for all rogue access points connected to the enterprise subnet.
•Tag rogue access points:
–Acknowledge rogue access points when they are outside of the LAN and do not compromise the LAN or wireless LAN security
–Accept rogue access points when they do not compromise the LAN or wireless LAN security
–Tag rogue access points as unknown until they are eliminated or acknowledged
–Tag rogue access points as contained and discourage clients from associating with the rogue access points by having between one and four access points transmit deauthenticate and disassociate messages to all rogue access point clients. This function applies to all active channels on the same rogue access point.
Detecting and Locating Rogue Access Points
When the access points on your wireless LAN are powered up and associated with controllers, WCS immediately starts listening for rogue access points. When a controller detects a rogue access point, it immediately notifies WCS, which creates a rogue access point alarm.
When WCS receives a rogue access point message from a controller, an alarm monitor appears in the lower left corner of all WCS user interface pages. The alarm monitor in Figure 6-1 shows 93 rogue access point alarms.
Figure 6-1 Alarm Monitor for Rogue Access Points
Follow these steps to detect and locate rogue access points.
Step 1 Click the Rogues indicator to display the Rogue AP Alarms page. This page lists the severity of the alarms, the rogue access point MAC addresses, the rogue access point types, the date and time when the rogue access points were first detected, and their SSIDs.
Step 2 Click any Rogue MAC Address link to display the associated Alarms > Rogue - AP MAC Address page. This page shows detailed information about the rogue access point alarm.
Step 3 To modify the alarm, choose one of these commands from the Select a Command drop-down menu and click GO.
•Assign to me—Assigns the selected alarm to the current user.
•Unassign—Unassigns the selected alarm.
•Delete—Deletes the selected alarm.
•Clear—Clears the selected alarm.
•Event History—Enables you to view events for rogue alarms.
•Detecting APs (with radio band, location, SSID, channel number, WEP state, short or long preamble, RSSI, and SNR)—Enables you to view the access points that are currently detecting the rogue access point.
•Trend—Shows a trend of recent RSSI signal strength.
•Rogue Clients—Enables you to view the clients associated with this rogue access point.
•Set State to 'Unknown - Alert'—Tags the rogue access point as the lowest threat, continues to monitor the rogue access point, and turns off containment.
•Set State to 'Known - Internal'—Tags the rogue access point as internal, adds it to the known rogue access points list, and turns off containment.
•Set State to 'Known - External'—Tags the rogue access point as external, adds it to the known rogue access points list, and turns off containment.
•1 AP Containment through 4 AP Containment—When you select level 1 containment, one access point in the vicinity of the rogue unit sends deauthenticate and disassociate messages to the client devices that are associated to the rogue unit. When you select level 2 containment, two access points in the vicinity of the rogue unit send deauthenticate and disassociate messages to the rogue's clients and so on up to level 4.
Step 4 From the Select a Command drop-down menu, choose Map (High Resolution) and click GO to display the current calculated rogue access point location on the Maps > Building Name > Floor Name page.
If you are using WCS Location, WCS compares RSSI signal strength from two or more access points to find the most probable location of the rogue access point and places a small skull-and-crossbones indicator at its most likely location. If you are using WCS Base, WCS relies on RSSI signal strength from the rogue access point and places a small skull-and-crossbones indicator next to the access point receiving the strongest RSSI signal from the rogue unit. Figure 6-2 shows a map that indicates the location of a rogue unit.
Figure 6-2 Map Indicating Location of Rogue Unit
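The two placement behaviours described above can be compared on a rogue's Detecting APs readings; this is an added example, not Cisco or WCS code. The multi-AP estimate is a power-weighted centroid, an assumed stand-in because this chapter does not say how WCS Location computes its result, and the AP names, coordinates, and RSSI values are constructed.

```python
from dataclasses import dataclass
from math import hypot


@dataclass(frozen=True)
class Detection:
    ap_name: str     # managed access point that heard the rogue
    x_m: float       # AP position on the floor plan, in metres
    y_m: float
    rssi_dbm: float  # RSSI of the rogue as measured by this AP


def strongest_ap(detections):
    """WCS Base behaviour as described: pick the AP hearing the rogue loudest."""
    if not detections:
        raise ValueError("no detecting access points")
    return max(detections, key=lambda d: d.rssi_dbm)


def weighted_centroid(detections):
    """Assumed multi-AP estimate: centroid weighted by linear power (mW)."""
    if len(detections) < 2:
        raise ValueError("need readings from two or more access points")
    weights = [10 ** (d.rssi_dbm / 10) for d in detections]  # dBm -> mW
    total = sum(weights)
    x = sum(w * d.x_m for w, d in zip(weights, detections)) / total
    y = sum(w * d.y_m for w, d in zip(weights, detections)) / total
    return x, y


def placement_gap(detections):
    """Distance in metres between the two placements, for directing a scan."""
    anchor = strongest_ap(detections)
    x, y = weighted_centroid(detections)
    return hypot(x - anchor.x_m, y - anchor.y_m)


# Constructed readings for one rogue MAC address.
SAMPLE = [
    Detection("AP-A", 0.0, 0.0, -48.0),
    Detection("AP-B", 20.0, 0.0, -52.0),
    Detection("AP-C", 10.0, 30.0, -80.0),
]

if __name__ == "__main__":
    print("strongest AP:", strongest_ap(SAMPLE).ap_name)
    print("multi-AP estimate: (%.1f, %.1f) m" % weighted_centroid(SAMPLE))
    print("gap between placements: %.1f m" % placement_gap(SAMPLE))
```

With these readings the strongest-AP placement pins the rogue to AP-A, while the multi-AP estimate moves it several metres toward AP-B, which is where a directed scan would start.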
Acknowledging Rogue Access Points
Follow these steps to acknowledge rogue access points.
Step 1 Navigate to the Rogue AP Alarms page.
Step 2 Check the check box of the rogue access point to be acknowledged.
Step 3 From the Select a Command drop-down menu, choose Set State to 'Known - Internal' or Set State to 'Known - External'. In either case, WCS removes the rogue access point entry from the Rogue AP Alarms page.
Follow these steps to use WCS to find clients on your wireless LAN.
Step 1 Click Monitor > Devices > Clients to navigate to the Clients Summary page.
Step 2 In the sidebar, choose All Clients in the Search For Clients By drop-down menu and click Search to display the Clients page.
Note You can search for clients under WCS Controllers or Location Servers.
Step 3 Click the username of the client that you want to locate. WCS displays the corresponding Clients > Client Name page.
Step 4 To find the client, choose one of these options from the Select a Command drop-down menu and click GO:
•Recent Map (High Resolution)—Finds the client without disassociating it.
•Present Map (High Resolution)—Disassociates the client and then finds it after reassociation. When you choose this method, WCS displays a warning message and asks you to confirm that you want to continue.
If you are using WCS Location, WCS compares the RSSI signal strength from two or more access points to find the most probable location of the client and places a small laptop icon at its most likely location. If you are using WCS Base, WCS relies on the RSSI signal strength from the client and places a small laptop icon next to the access point that receives the strongest RSSI signal from the client. Figure 6-3 shows a heat map that includes a client location.
Figure 6-3 Map with Client Location
Finding Coverage Holes
Coverage holes are areas where clients cannot receive a signal from the wireless network. The Cisco Wireless LAN Solution radio resource management (RRM) identifies these coverage hole areas and reports them to WCS, enabling the IT manager to fill holes based on user demand. Follow these steps to find coverage holes on your wireless LAN.
Step 1 Click the Coverage indicator on the bottom left of the WCS user interface page (or click Monitor > Alarms and search for Coverage under Alarm Category) to display the Coverage Hole Alarms page.
Step 2 Click Monitor > Maps and search for access points by name (this search tool is case sensitive). WCS displays the Maps > Search Results page, which lists the floor or outdoor area where the access point is located.
Step 3 Click the floor or outdoor area link to display the related Maps > Building Name > Floor Name page.
Step 4 Look for areas of low signal strength near the access point that reported the coverage hole. These areas are the most likely locations of coverage holes. If there do not appear to be any areas of weak signal strength, make sure that the floor plan map is accurate.
Pinging a Network Device from a Controller
Follow these steps to ping network devices from a controller.
Step 1 Click Configure > Controllers to navigate to the All Controllers page.
Step 2 Click the desired IP address to display the IP Address > Controller Properties page.
Step 3 In the sidebar, choose System > Commands to display the IP Address > Controller Commands page.
Step 4 Choose Ping From Controller from the Administrative Commands drop-down menu and click GO.
Step 5 In the Enter an IP Address (x.x.x.x) to Ping window, enter the IP address of the network device that you want the controller to ping and click OK.
WCS displays the Ping Results window, which shows the packets that have been sent and received. Click Restart to ping the network device again or click Close to stop pinging the network device and exit the Ping Results window.
Viewing Controller Status and Configurations
After you add controllers and access points to the WCS database, you can view the status of the Cisco Wireless LAN Solution. To view the system status, click Monitor > Network Summary to display the Network Summary page (see Figure 6-4).
Figure 6-4 Network Summary Page
Viewing WCS Statistics Reports
WCS periodically collects statistics such as client counts, radio utilization, transmit power and channel information, and profile status and organizes them into reports. To view these reports, click Monitor > Reports.