Specifications
Intrusion Detection Configuration
Chapter 15
Enforce WEP Encryption for all Traffic – Any valid AP not using WEP will be
flagged as misconfigured.
Enforce WPA Encryption for all Traffic – Any valid AP not using WPA will be
flagged as misconfigured.
Valid Access Point Manufacturers OUI List – A list of MAC address OUIs that
define valid AP manufacturers. Any valid AP with a differing OUI will be
flagged as misconfigured.
Equivalent CLI configuration for the example above is:
wms
   ap-policy protect-misconfigured-ap enable
   valid-11b-channel 6 mode enable
   valid-11b-channel 1 mode enable
   valid-11b-channel 11 mode enable
   valid-11a-channel 36 mode enable
   valid-11a-channel 60 mode enable
   valid-11a-channel 52 mode enable
   valid-11a-channel 64 mode enable
   valid-11a-channel 48 mode enable
   valid-11a-channel 44 mode enable
   valid-11a-channel 40 mode enable
   valid-11a-channel 56 mode enable
   station-policy protect-valid-sta enable
   ap-config privacy enable
   ap-config wpa disable
Entering New Valid OUIs
To add a new valid OUI, click the Add button. Specify all MAC OUIs in the
form:
xx:xx:xx:ff:ff:ff
where xx:xx:xx is the desired OUI.
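The following added example (not AOS-W code and not part of the original manual) audits observed AP records against the policy shown in the CLI example and an OUI list in the xx:xx:xx:ff:ff:ff form. The record fields, the policy dictionary layout, the mapping of "privacy" to WEP enforcement, and the sample OUI and BSSIDs are assumptions constructed for illustration.

```python
import re

# Policy mirroring the CLI example above; the dict layout is an assumption.
POLICY = {
    "valid_11b_channels": {1, 6, 11},
    "valid_11a_channels": {36, 40, 44, 48, 52, 56, 60, 64},
    "require_wep": True,   # assumed equivalent of "ap-config privacy enable"
    "require_wpa": False,  # assumed equivalent of "ap-config wpa disable"
    "valid_ouis": ["00:11:22:ff:ff:ff"],  # constructed sample entry
}

OUI_ENTRY = re.compile(r"^((?:[0-9a-f]{2}:){2}[0-9a-f]{2}):ff:ff:ff$")

def parse_oui(entry):
    """Return the 3-octet OUI from an 'xx:xx:xx:ff:ff:ff' entry, else raise."""
    m = OUI_ENTRY.match(entry.strip().lower())
    if not m:
        raise ValueError(f"OUI entry not in xx:xx:xx:ff:ff:ff form: {entry!r}")
    return m.group(1)

def check_ap(ap, policy):
    """Return the reasons a valid AP would be flagged as misconfigured."""
    reasons = []
    ouis = {parse_oui(e) for e in policy["valid_ouis"]}
    if ouis and ap["bssid"].lower()[:8] not in ouis:
        reasons.append("oui")
    key = "valid_11a_channels" if ap["band"] == "a" else "valid_11b_channels"
    if ap["channel"] not in policy[key]:
        reasons.append("channel")
    if policy["require_wep"] and ap["encryption"] != "wep":
        reasons.append("wep")
    if policy["require_wpa"] and ap["encryption"] != "wpa":
        reasons.append("wpa")
    return reasons

# Constructed observations of valid APs (colon-separated BSSIDs assumed).
OBSERVED = [
    {"bssid": "00:11:22:0A:0B:0C", "band": "b", "channel": 6, "encryption": "wep"},
    {"bssid": "00:11:22:0A:0B:0D", "band": "b", "channel": 3, "encryption": "open"},
    {"bssid": "66:77:88:01:02:03", "band": "a", "channel": 36, "encryption": "wep"},
]

def audit(aps, policy):
    """Map each misconfigured BSSID to its list of policy violations."""
    results = {ap["bssid"]: check_ap(ap, policy) for ap in aps}
    return {bssid: r for bssid, r in results.items() if r}

if __name__ == "__main__":
    for bssid, reasons in audit(OBSERVED, POLICY).items():
        print(bssid, "misconfigured:", ", ".join(reasons))
```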
Weak WEP Detection
The primary means of cracking WEP keys is to capture 802.11 frames over
an extended period of time and search for patterns of WEP initialization
vectors (IVs) that are known to be weak. Most modern 802.11 devices do not
generate such weak IVs, but many legacy devices that do are still in use today.
AOS-W will monitor for devices using weak WEP implementations and
generate reports telling the administrator which devices require upgrades. To