Ask the Experts: Configuring, Troubleshooting and Monitoring Wireless Security Policies with Saravanan Lakshmanan

ciscomoderator
Community Manager

Configuring, Troubleshooting and Monitoring Wireless Security Policies with Saravanan Lakshmanan

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about how to monitor, troubleshoot and configure wireless networks using security protection policies. It includes Rogue Detection, Rogue Location Discovery Protocol (RLDP), Rogue Detector, Rogue Rules, wireless intrusion detection services (wIDS), Rogue Containment, AP Authentication, and client exclusion features that touch Mobility and RF grouping on the wireless LAN controller.


Saravanan Lakshmanan
is a Customer Support Engineer in Cisco's Technical Assistance Center (TAC) specializing in Wireless Technologies. He is an expert in debugging and troubleshooting Cisco Wireless LAN Controllers (WLCs), wireless LAN services, unified access points, wireless LAN security, autonomous APs, VoWiFi, authentication, authorization and accounting (AAA), and radio frequency (RF). Lakshmanan helps solve high severity and critical wireless issues for Cisco's customers and partners.

Remember to use the rating system to let Saravanan know if you have received an adequate response.

Saravanan might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation in the Wireless sub-community Security and Network Management shortly after the event. This event lasts through Friday April 19, 2013. Visit this forum often to view responses to your questions and the questions of other community members.


Saravanan Lakshmanan
Cisco Employee

Adding doc links for reference:

Rogue AP:

Rogue Management in a Unified Wireless Network

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080b40901.shtml

Rogue Detection under Unified Wireless Networks

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080722d8c.shtml

Rule Based Rogue Classification in Wireless LAN Controllers (WLC) and Wireless Control System (WCS)

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080ad6b8d.shtml

Classifying Rogue Access Points

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/security_solution/config_security_chapter_010100.html

Managing Rogue Devices

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/security_solution/config_security_chapter_010011.html

Trusted AP Policies on a Wireless LAN Controller

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080921cc2.shtml

wIDS:

Configuring IDS Signatures

http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_0110.html#d115989e11090a1635

AP Authentication:

Infrastructure Management Frame Protection (MFP) with WLC and LAP Configuration Example

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008080dc8c.shtml

Configuring Management Frame Protection

http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_0110.html#d115989e7135a1635

Configuring Client Exclusion Policies

http://www.cisco.com/en/US/docs/wireless/controller/7.3/configuration/guide/b_wlc-cg_chapter_0110.html#d115989e7541a1635

Hello Saravanan

Trying to find a rogue on the wire using the RLDP technique but unable to find it so far. How long does it take the trigger to detect, using a Linksys AP as the rogue? Just like the doc mentioned, I have a similar setup. Enabled those RLDP debugs but no glimpse of the WLC finding the rogue on the wire.

Thanks

Hi Robert, what's the WLC code and AP model used? If possible, share the debug output.

5500 running 7.0.240.0, 3500 in local mode. Linksys using open auth, getting debug.

Unsure if the debug is not showing anything, or if I'm getting debug output with no reference to finding the rogue on the wire.

Be sure to run this on the WLC:

(Cisco Controller) > debug dot11 rldp enable

What's the config under Security >> WPS >> General >> Rogue Location Discovery Protocol drop-down? Since you're using a local mode AP for RLDP, it should be set to the "All APs" option. There is no option for local mode/monitor/mesh/H-REAP mode APs only: it has to be either "Monitor" for monitor mode APs only, "All APs" for the rest of the AP modes, or it can be disabled.

Wow!! Thanks, it started working when set to All.

Would like to exercise the Rogue Detector feature.

3500 as RD and monitor AP. It's been long enough and I couldn't find the wired rogue flag enabled on the controller.

This time I guess I got everything right. Debug showing it got the wired MAC, and Cisco is surely seeing the Linksys. Power cycling the Linksys to force ARP.

Well, unfortunately there are two bugs with the Rogue Detector feature; use the code that has the fix in it.

Rogue AP detection on wire fails if radio mac is +/- 1 of ethernet mac

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCub75472

Fixed-In 7.4(100.0).

Can't find rogue on wire, if rogue AP on non native vlan of RD's trunk

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCue09354

Fixed-In 7.4MR(yet to release).
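The two bugs above both concern the same correlation step: the Rogue Detector AP listens to ARP on its trunk and compares the wired MACs it sees with the radio MACs (BSSIDs) of rogues heard over the air, treating a numerically adjacent pair as the same device. The following is an added example, not Cisco's code, that models that correlation on constructed data. The thread only mentions the +/-1 relationship; the configurable window size, the same-OUI guard, the (vlan, mac) observation format and the `include_tagged_vlans` switch (which reproduces the "rogue on a non-native VLAN of the RD trunk is never found" failure mode) are assumptions of this example.

```python
"""Rogue-on-wire correlation by MAC adjacency (added example, not Cisco code).

Models the check a rogue detector (RD) AP performs: it watches ARP on its
trunk and flags an over-the-air rogue as "on wire" when a wired MAC is
numerically adjacent to the rogue's radio MAC (BSSID).  Window size and the
same-OUI guard are assumptions; the thread only states the +/-1 relationship.
"""
from typing import Dict, List, Tuple


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'aa-bb-cc-dd-ee-ff' into a 48-bit integer."""
    octets = mac.strip().lower().replace("-", ":").split(":")
    if len(octets) != 6 or not all(len(o) == 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(octets), 16)


def same_oui(a: int, b: int) -> bool:
    """True when both MACs share the vendor prefix (upper 24 bits)."""
    return (a >> 24) == (b >> 24)


def correlate_rogues_on_wire(
    rogue_bssids: List[str],
    arp_observations: List[Tuple[int, str]],
    window: int = 1,
    include_tagged_vlans: bool = True,
) -> Dict[str, str]:
    """Return {rogue_bssid: wired_mac} for rogues judged to be on the wire.

    arp_observations are (vlan_id, sender_mac) pairs seen on the RD trunk;
    vlan_id 0 means untagged (native VLAN).  include_tagged_vlans=False only
    considers native-VLAN ARP, which reproduces the failure mode from the
    thread where a rogue on a non-native VLAN of the trunk is never found.
    """
    wired = [(vlan, mac_to_int(mac), mac) for vlan, mac in arp_observations]
    found: Dict[str, str] = {}
    for bssid in rogue_bssids:
        radio = mac_to_int(bssid)
        for vlan, eth, eth_text in wired:
            if not include_tagged_vlans and vlan != 0:
                continue
            if same_oui(radio, eth) and abs(radio - eth) <= window:
                found[bssid] = eth_text
                break
    return found


# Constructed sample data (not captured from a real controller).
ARP_ON_TRUNK: List[Tuple[int, str]] = [
    (0, "00:1a:2b:3c:4d:10"),    # corporate host, native VLAN
    (0, "00:0c:29:de:ad:01"),    # wired side of a rogue AP, native VLAN
    (20, "00:21:29:aa:bb:c0"),   # wired side of a rogue AP, tagged VLAN 20
    (0, "00:1a:2b:3c:4d:11"),
]
ROGUE_BSSIDS: List[str] = [
    "00:21:29:aa:bb:c1",   # radio MAC = Ethernet MAC + 1
    "00:1e:58:12:34:56",   # neighbour's AP with no wired counterpart
    "00:0c:29:de:ad:00",   # radio MAC = Ethernet MAC - 1
]

if __name__ == "__main__":
    on_wire = correlate_rogues_on_wire(ROGUE_BSSIDS, ARP_ON_TRUNK)
    for bssid, wired_mac in on_wire.items():
        print(f"rogue {bssid} is on wire (Ethernet {wired_mac})")
    native_only = correlate_rogues_on_wire(ROGUE_BSSIDS, ARP_ON_TRUNK, include_tagged_vlans=False)
    print("missed when tagged-VLAN ARP is ignored:", sorted(set(on_wire) - set(native_only)))
```

Running the block stand-alone prints both rogues as on-wire, then shows the VLAN 20 rogue disappearing when tagged ARP is ignored, which is the behaviour the second bug describes.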

Thank you.

Is RLDP scalable to work across a mobility tunnel? Both WLC1 and WLC2 are added as mobility members with tunnels up, the wired MAC is found on WLC1 and the wireless MAC is identified by WLC2, with RLDP enabled on both WLCs.

black.robber
Level 1

Hi everyone, is there anyone who would like to help me?

I've got the following situation:

How do I share one router FastEthernet port (e.g. fa0/0) with different network addresses (e.g. 192.168.1.1, 192.168.2.1 and 192.168.3.1) when using them as a gateway with RIP or static routing?

Anyone, please help me.

Hi Muhammad

Please post your question to LAN - Switching, Routing section.

https://supportforums.cisco.com/community/netpro/network-infrastructure/switching?view=discussions

Thanks

Saravanan

jmprats
Level 4

Hello,

What am I supposed to do with unclassified rogue AP?

I understand that if they don't look like a threat I can mark them as "Friendly External" so I don't receive more alarms about them. Is that OK?

The problem is what happens if this Friendly External AP changes its SSID to a managed SSID (an SSID that is in use on our controller). Then this AP is a threat, but it is no longer detected by the controller as Malicious.

Is it a bug?

Or am I not managing unclassified rogues correctly?

Thanks

Hi there,

About 2 days ago I installed one Cisco WCS 2504 and 11 APs. Everything is working well regarding WPA authentication, but I also have a RADIUS server running, with some issues on wireless:

- Unless I open network settings and click connect on that config, I cannot obtain a valid IP address;

- Roaming is not working either;

I'm still getting issues regarding RADIUS:

  - WPA2 WLAN is still OK (144 Mbit), but I don't know whether roaming works (how can I know/change these settings?);

  - RADIUS authenticated with 802.11 Data Encryption at 40-bit key size always connects at 54 Mbps (g) and auto-authenticates, but I don't know whether roaming works (how can I know/change these settings?);

  - RADIUS with 802.11 Data Encryption with no key size doesn't authenticate; it connects at 144 Mbit but doesn't acquire an IP address.

TY

Get the debug client output while the wireless client is seeing the issue.

WLC>debug client

If the client doesn't get an IP, then it can't join the WLC and successful roaming is not possible.

To achieve 802.11n data rates using an 802.11n AP and client, follow this doc:

Configure 802.11n on the WLC

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a3443f.shtml

802.11n requires AES encryption to be enabled on WLANs used by 802.11n clients. You can use a WLAN with NONE as Layer 2 Security. However, if you configure any Layer 2 security, 802.11n requires WPA2 AES enabled to operate at 11n rates. Ensure that WMM is set to Allowed on the WLAN profile in order to achieve 802.11n rates.
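The 802.11n requirements just stated, and the RLDP drop-down rule from the earlier exchange in this thread (RLDP runs on a local mode AP only when the Security >> WPS >> General setting is "All APs"), are both simple policy checks that are easy to get wrong by hand. The following is an added example, not Cisco's code, that expresses both as checks over WLAN profiles and AP modes. The drop-down labels (`"Disable"`, `"All APs"`, `"Monitor Mode APs"`), the AP mode names, the `WlanProfile` field names and the security/encryption labels are assumptions that mirror the thread's wording rather than values read from a controller; the sample profiles are constructed to reproduce the symptoms the poster describes (54 Mbps on the 40-bit WEP WLAN, 144 Mbit on WPA2).

```python
"""WLC security-policy sanity checks (added example, not Cisco code).

1. rldp_runs_on_ap: will an AP in a given mode attempt RLDP under the
   Security >> WPS >> General RLDP drop-down setting?
2. audit_wlan_for_11n: can a WLAN profile deliver 802.11n rates?  The rule
   from the thread: Layer 2 security NONE is fine; any other Layer 2 security
   must be WPA2 with AES; and WMM must be enabled (Allowed) on the profile.
Labels and field names are assumptions matching the thread's wording.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed drop-down labels for Security >> WPS >> General >> RLDP.
RLDP_DISABLE = "Disable"
RLDP_ALL_APS = "All APs"
RLDP_MONITOR_ONLY = "Monitor Mode APs"


def rldp_runs_on_ap(rldp_setting: str, ap_mode: str) -> bool:
    """True if the controller will have an AP in ap_mode attempt RLDP."""
    if rldp_setting == RLDP_DISABLE:
        return False
    if rldp_setting == RLDP_MONITOR_ONLY:
        return ap_mode.lower() == "monitor"
    if rldp_setting == RLDP_ALL_APS:
        return True
    raise ValueError(f"unknown RLDP setting: {rldp_setting!r}")


@dataclass
class WlanProfile:
    name: str
    layer2_security: str   # assumed labels: "none", "wpa2", "wpa", "static-wep", "802.1x-wep"
    encryption: str        # assumed labels: "aes", "tkip", "wep40", "wep104", ""
    wmm: str               # "disabled", "allowed", "required"


def audit_wlan_for_11n(wlan: WlanProfile) -> List[str]:
    """Return findings explaining why 802.11n rates are unreachable; empty list = OK."""
    findings: List[str] = []
    sec, enc = wlan.layer2_security.lower(), wlan.encryption.lower()
    if sec != "none" and not (sec == "wpa2" and enc == "aes"):
        findings.append(
            f"{wlan.name}: Layer 2 security {sec}/{enc or 'n/a'} holds clients at "
            "legacy 802.11a/g rates (e.g. 54 Mbps); use WPA2 with AES"
        )
    # WMM Allowed is what the thread asks for; Required also enables WMM.
    if wlan.wmm.lower() not in ("allowed", "required"):
        findings.append(f"{wlan.name}: WMM is {wlan.wmm}; set WMM to Allowed for 802.11n rates")
    return findings


def audit_all(wlans: List[WlanProfile]) -> Dict[str, List[str]]:
    """Audit every profile and map its name to its findings."""
    return {w.name: audit_wlan_for_11n(w) for w in wlans}


# Constructed profiles mirroring the symptoms described in the thread.
SAMPLE_WLANS = [
    WlanProfile("CORP-WPA2", "wpa2", "aes", "allowed"),               # 144 Mbit: 11n capable
    WlanProfile("LEGACY-DOT1X", "802.1x-wep", "wep40", "disabled"),   # stuck at 54 Mbps, no WMM
    WlanProfile("OPEN-GUEST", "none", "", "allowed"),                 # open WLAN still gets 11n
]

if __name__ == "__main__":
    for mode in ("local", "monitor", "flexconnect"):
        print(f"RLDP={RLDP_MONITOR_ONLY!r}, AP mode={mode}: runs={rldp_runs_on_ap(RLDP_MONITOR_ONLY, mode)}")
    for name, findings in audit_all(SAMPLE_WLANS).items():
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

The RLDP check makes the earlier misconfiguration visible: with the drop-down on "Monitor Mode APs" a local mode AP never runs RLDP, so the rogue is never found on the wire regardless of how long you wait.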
