Specifications
Summit WM Series WLAN Switch and Altitude Access Point Software Version 4.1 Technical Reference Guide
23
2 Rogue Access Point Detection
The Rogue AP detection feature provides capabilities to Summit WM series switches that allow Altitude
APs to periodically scan the RF space and report suspect devices. With this capability, Altitude APs can
multitask as scan devices as well as access points. This allows rogue detection to occur without
installing expensive overlay sensor networks. The Summit WM series switch Rogue detection system is
comprised of two major components: the Data Collector and the Analysis Engine.
The Data Collector runs on every Summit WM series switch and is responsible for initiating the rogue
scans and compiling information received from all Altitude APs under its control.
The Analysis Engine is the brains of this function and runs on one Summit WM series switch in the
network. It polls all Data Collectors periodically (default is every 5 seconds) and analyzes the polled
data to identify new devices. It also uses the polled data to build a table of known “friendly” Altitude
APs and 3rd Party Access Points. On subsequent scans, new devices are identified and compared to the
“friendly” list and differences are flagged as potential Rogues. The Analysis Engine also includes a GUI
to allow users to manually add or remove devices from the system or redefine a device identified as a
potential rogue into a “friendly” if the proper designation of a device is determined.
An Altitude AP is assigned to a “scan group” that has a particular set of “scan parameters”. Different
groups can be defined so that the administrator can assign Altitude APs to logical groups to address
either different geographic needs (that is, only scan certain buildings at certain times) or coverage issues
(only scan with half of the Altitude APs in a given area at a given time). The algorithms and
mechanisms for RF scanning have been designed to minimize the impact on user data. A GUI is also
provided that allows an administrator to configure the frequency at which the Altitude APs within a
scan group will initiate a scan (minimum 1 minute, maximum 120 minutes).
Upon completion of the scan, the Altitude AP will send back the results to the Summit WM series
switch and then wait for the next “scan interval” to repeat the process.
If a problem is found, an event is logged and an SNMP trap is generated indicating one of the following
conditions has been identified:
1  Unknown AP with an invalid SSID – Critical Alarm
   a  A new device has been identified.
2  Unknown AP with a valid SSID – Critical Alarm
   a  Someone may be trying to attract users by broadcasting a known SSID.
3  Known AP with an invalid SSID – Critical Alarm
   a  A Rogue may be spoofing a known MAC address.
4  Known Altitude AP with an invalid SSID – Major Alarm
   a  A Rogue may be spoofing an Altitude AP using a known MAC address.
5  Device that is in ad-hoc mode (IBSS) – Major Alarm
   a  A client configured in ad-hoc mode has been identified.
6  Inactive Altitude AP with known SSID – Major Alarm
   a  A “known” Altitude AP has been detected that the Summit WM series switch has identified as
      not in service (stolen?).
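The six alarm conditions above describe a classification the Analysis Engine applies to each scanned device against its table of “friendly” Altitude APs, approved 3rd Party APs and valid SSIDs. The following Python is an added example that is not Extreme Networks' code; the table layout, the field names, the order in which the conditions are tested (ad-hoc first, then known Altitude APs, then known 3rd Party APs, then unknown devices) and all MAC addresses and SSIDs are assumptions or constructed sample data.

```python
"""Rogue AP classifier modelled on the six alarm conditions in the text.
Added example, not vendor code: table structure, check order and data are assumed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Optional, Set


class Severity(Enum):
    CRITICAL = "Critical"
    MAJOR = "Major"


@dataclass(frozen=True)
class ScanResult:
    """One device reported by an Altitude AP after a scan (constructed record format)."""
    bssid: str            # MAC address the device transmits with
    ssid: str             # SSID it advertises ("" if hidden)
    adhoc: bool = False   # True when the device is operating in IBSS (ad-hoc) mode


@dataclass
class FriendlyTable:
    """The Analysis Engine's table of known devices (assumed structure)."""
    altitude_aps: Dict[str, bool]   # bssid -> True if the Altitude AP is currently in service
    third_party_aps: Set[str]       # bssids of approved non-Altitude APs
    valid_ssids: Set[str]           # SSIDs the network legitimately serves


@dataclass(frozen=True)
class Alarm:
    condition: int        # 1..6, numbered as in the text
    severity: Severity
    bssid: str
    description: str


def classify(r: ScanResult, t: FriendlyTable) -> Optional[Alarm]:
    """Map one scan result to an alarm condition, or None if the device is friendly."""
    bssid = r.bssid.lower()
    ssid_valid = r.ssid in t.valid_ssids
    if r.adhoc:
        return Alarm(5, Severity.MAJOR, bssid, "Device in ad-hoc mode (IBSS)")
    if bssid in t.altitude_aps:
        if not ssid_valid:
            # A known Altitude AP MAC advertising an SSID we do not serve: possible MAC spoof
            return Alarm(4, Severity.MAJOR, bssid, "Known Altitude AP with invalid SSID")
        if not t.altitude_aps[bssid]:
            # MAC belongs to an Altitude AP the switch considers out of service (stolen?)
            return Alarm(6, Severity.MAJOR, bssid, "Inactive Altitude AP with known SSID")
        return None                               # in service, valid SSID: friendly
    if bssid in t.third_party_aps:
        if not ssid_valid:
            return Alarm(3, Severity.CRITICAL, bssid, "Known AP with invalid SSID")
        return None                               # approved 3rd Party AP: friendly
    if ssid_valid:
        # Unknown hardware broadcasting one of our SSIDs: may be trying to attract users
        return Alarm(2, Severity.CRITICAL, bssid, "Unknown AP with valid SSID")
    return Alarm(1, Severity.CRITICAL, bssid, "Unknown AP with invalid SSID")


def analyze_poll(results: Iterable[ScanResult], t: FriendlyTable) -> List[Alarm]:
    """Classify one polling cycle of scan results, raising at most one alarm per BSSID.
    Critical alarms are listed before Major ones."""
    alarms: Dict[str, Alarm] = {}
    for r in results:
        a = classify(r, t)
        if a is not None and a.bssid not in alarms:
            alarms[a.bssid] = a
    return sorted(alarms.values(), key=lambda a: (a.severity is not Severity.CRITICAL, a.bssid))


# Constructed sample data: two Altitude APs (one in service, one marked inactive),
# one approved 3rd Party AP, and two valid SSIDs.
TABLE = FriendlyTable(
    altitude_aps={"00:11:22:33:44:01": True, "00:11:22:33:44:02": False},
    third_party_aps={"aa:bb:cc:dd:ee:01"},
    valid_ssids={"corp-wlan", "corp-guest"},
)

SAMPLE_SCAN = [
    ScanResult("00:11:22:33:44:01", "corp-wlan"),                 # friendly, in service
    ScanResult("00:11:22:33:44:02", "corp-wlan"),                 # condition 6
    ScanResult("00:11:22:33:44:01", "free-wifi"),                 # condition 4 (same MAC, bad SSID)
    ScanResult("aa:bb:cc:dd:ee:01", "free-wifi"),                 # condition 3
    ScanResult("de:ad:be:ef:00:01", "corp-wlan"),                 # condition 2
    ScanResult("de:ad:be:ef:00:02", "linksys"),                   # condition 1
    ScanResult("de:ad:be:ef:00:03", "laptop-share", adhoc=True),  # condition 5
]

if __name__ == "__main__":
    for a in analyze_poll(SAMPLE_SCAN, TABLE):
        print(f"[{a.severity.value}] condition {a.condition} bssid={a.bssid}: {a.description}")
```

The same MAC appears twice in the sample: once with a served SSID (friendly, no alarm) and once with an SSID the network does not serve, which is the MAC-spoofing case of condition 4. Running the polled results through `analyze_poll` yields Critical alarms for conditions 3, 2 and 1 followed by Major alarms for conditions 4, 6 and 5.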