479| Wireless Intrusion Prevention AOS-W 6.5.3.x| User Guide
Classification Description
Valid Client Any client that successfully authenticates with a valid AP and passes encrypted
traffic is classified as a valid client.
Manually-contained
Client
Any clients for which DoS is enabled manually.
Interfering Client A client associated to any AP and is not valid.
Table 110: Client Classification Definitions
Understanding Classification Methodology
A discovered AP is classified as a rogue or a suspected rogue by the following methods:
n Internal heuristics
n AP classification rules
n Manually by the user
The internal heuristics works by checking if the discovered AP is communicating with a wired device on the
customer network. This is done by matching the MAC address of devices that are on the discovered AP’s
network with that of the user’s wired network. The MAC of the device on the discovered AP’s network is known
as the Match MAC. The ways in which the matching of wired MACs occurs is detailed in the sections
Understanding Match Methods on page 479 and Understanding Match Types on page 479.
Understanding Match Methods
The match methods are:
n Plus One—The match MAC matches a device whose MAC address’ last bit was one more than that of the
Match MAC.
n Minus One—The match MAC matches a device whose MAC address’ last bit was one less than that of the
Match MAC.
n Equal—The match was against the same MAC address.
n OUI—The match was against the manufacturer’s OUI of the wired device.
The classification details are available in the ‘Discovered AP table’ section of the ‘Security Summary’ page of the
WebUI. The information can be obtained by clicking on the details icon for a selected discovered AP. The
information is also available in the command show wms rogue-ap.
Understanding Match Types
n Eth-Wired-MAC: The MAC addresses of wired devices learned by an AP on its Ethernet interface.
n GW-Wired-MAC: The collection of Gateway MACs of all APs across the master and local switches.
n AP-Wired-MAC: The MAC addresses of wired devices learned by monitoring traffic out of other valid and
rogue APs.
n Config-Wired-MAC: The MAC addresses that are configured by the user, typically that of well-known
servers in the network.
n Manual: User-triggered classification.
n External-Wired-MAC: The MAC address matched a set of known wired devices that are maintained in an
external database.
n Mobility-Manager: The classification was determined by the mobility manager, AMP.
To Next Page
Loading...