5-3
Cisco Wireless LAN Controller Configuration Guide
OL-9141-03
Chapter 5 Configuring Security Solutions
Cisco UWN Solution Security
Layer 3 Solutions
The WEP problem can be further solved using industry-standard Layer 3 security solutions such as
passthrough VPNs (virtual private networks).
The Cisco UWN Solution supports local and RADIUS MAC (media access control) filtering. This
filtering is best suited to smaller client groups with a known list of 802.11 access card MAC addresses.
Finally, the Cisco UWN Solution supports local and RADIUS user/password authentication. This
authentication is best suited to small to medium client groups.
Rogue Access Point Solutions
This section describes security solutions for rogue access points.
Rogue Access Point Challenges
Rogue access points can disrupt WLAN operations by hijacking legitimate clients and using plaintext or
other denial-of-service or man-in-the-middle attacks. That is, a hacker can use a rogue access point to
capture sensitive information, such as passwords and username. The hacker can then transmit a series of
clear-to-send (CTS) frames, which mimics an access point informing a particular NIC to transmit and
instructing all others to wait, which results in legitimate clients being unable to access the WLAN
resources. WLAN service providers thus have a strong interest in banning rogue access points from the
air space.
The operating system security solution uses the radio resource management (RRM) function to
continuously monitor all nearby access points, automatically discover rogue access points, and locate
them as described in the “Tagging and Containing Rogue Access Points” section on page 5-3.
Tagging and Containing Rogue Access Points
When the Cisco UWN Solution is monitored using WCS. WCS generates the flags as rogue access point
traps, and displays the known rogue access points by MAC address. The operator can then display a map
showing the location of the lightweight access points closest to each rogue access point, allowing Known
or Acknowledged rogue access points (no further action), marking them as Alert rogue access points
(watch for and notify when active), or marking them as contained rogue access points. Between one and
four lightweight access points discourage rogue access point clients by sending the clients
deauthenticate and disassociate messages whenever they associate with the rogue access point.
When the Cisco UWN Solution is monitored using a GUI or a CLI, the interface displays the known
rogue access points by MAC address. The operator then has the option of marking them as Known or
Acknowledged rogue access points (no further action), marking them as Alert rogue access points (watch
for and notify when active), or marking them as Contained rogue access points (have between one and
four lightweight access points discourage rogue access point clients by sending the clients
deauthenticate and disassociate messages whenever they associate with the rogue access point).
To Next Page
Loading...
Need help?
General
