Installation guide
D-94 Motorola RF Switch System Reference Guide
D.7.2 Unauthorized Access Point Containment
APs categorized as unapproved represent a potential threat to the network. Unauthorized AP containment
can provide temporary mitigation against unauthorized APs by attempting to disrupt communications with
any associated MUs as well as attempting to prevent new MUs from associating with the AP.
Unauthorized AP containment can be performed by adding APs in the unauthorized AP list to a containment
list. Once added the RF Switch will co-ordinate mitigation using AP300s by sending broadcast 802.11 de-
authentication frames to each MU spoofing the unauthorized APs MAC address. Depending on the site, one
or more AP300 can be used to perform containment and the results will vary depending on the MU driver.
D.7.3 Wireless Intrusion Detection
A Motorola RF Switch can also be configured to monitor and alert administers about unauthorized attempts
to access the WLAN. Unauthorized attempts are generally accompanied by malicious MUs attempting to
identify network vulnerabilities.
Integrated intrusion detection can be enabled on the RF Switch to provide monitoring for basic attacks
without the need of dedicated IPS system or monitoring APs. When intrusion violations occur and a
configured threshold is exceeded, the RF Switch generates an alarm and mitigates by blacklisting the MU
for a definable length of time.
Excessive Probes TKIP Countermeasures
Excessive Association Invalid Frame Length
Excessive Disassociation Excessive EAP NAKS
Excessive Authentication Failure Invalid 802.1x Frames
Excessive Crypto Replays Invalid Frame Type
Excessive 802.11 Replays Beacon with Broadcast ESSID
Excessive Decryption Failures Frames with Known Bad ESSID
Excessive Unassociated Frames Unencrypted Traffic