Radio Management and Wireless Intrusion Detection

As discussed previously, several RM functions can be enabled using the SWAN deployment modes. A key component of radio measurement is the capability of Cisco APs, as well as Cisco and CCX (version 2.0 or above) clients, to measure RF parameters and report them to the WLSE. Using the Cisco SWAN solution, active APs can measure radio parameters while still servicing WLAN clients. Figure 9-4 illustrates radio monitoring using WDS client APs and Cisco CCX clients. As shown in Figure 9-4, collected RM data is sent to the WDS server, which aggregates the RM data and forwards it to the WLSE for analysis.

Figure 9-4. SWAN Radio Monitoring

An AP configured on a specific channel can measure 802.11 and non-802.11 activity on that particular channel by gathering beacons, probe responses, the amount of 802.11 activity, and non-802.11 RF energy. When the AP is not transmitting or receiving (such as when it is not servicing a WLAN client), it can jump to an adjacent channel to scan for a short time. The collected RM data is periodically sent to the WDS server. In addition to AP-based scanning, clients (Cisco and CCXv2.0 or above) can be enabled to scan, collect, and report RM data to the WDS server. Using the clients to enable radio monitoring is optional, but it is recommended because it increases the level of accuracy and expands the coverage area of the radio scan. Specifically, the clients can be used to scan areas where there is no AP radio coverage, including the fringes of your RF network. The WLAN clients scan and report RM data only when they are associated with a managed (that is, authorized) AP on your network.

To enable WLSE to identify rogue APs, you must discover and identify managed APs and specify their location. You can import a floor plan (GIF/JPEG/BMP format) into the WLSE, and you must identify and place the discovered (that is, managed) APs at appropriate locations on the imported floor plan. After you do this, you can execute the assisted site survey feature to fine-tune the channel and power settings of the access points. The assisted site survey consists of two phases: the AP radio scan and the client walkabout procedure. The WLSE also uses the assisted site survey process to model the RF environment. Chapter 12 discusses the configuration required on the WDS client APs, the WDS server, WLAN clients, and the WLSE to enable radio management features for both SWAN nonswitching deployment mode and the SWAN central switching deployment mode.

After you execute the assisted site survey, it is recommended that you enable radio monitoring on all APs and associated Cisco CCX clients. When the WLSE determines that there are unidentified APs from the collected RM data, it triggers rogue AP alerts. Each rogue AP alert specifies which managed APs are reporting the rogue AP (along with measured signal strength, and so on). Location Manager can be used to triangulate the location of the rogue AP. The WLSE uses the collected RM data, along with the measured signal strength of the rogue AP from the reporting managed APs, to approximate the location of the rogue AP.

Figure 9-5 illustrates two different scenarios of rogue AP detection. In the first scenario, the rogue AP overlaps in RF coverage with the deployed and managed APs; in this case, WDS client AP 1 and 2 detect and report the rogue AP. In the second scenario, a Cisco or CCX client detects and reports the second rogue AP, which is outside the RF coverage area of the managed APs.

Figure 9-5. SWAN Rogue AP Detection

After the WLSE detects the rogue AP, the administrator has three choices:

  • Use the WLSE to triangulate the location of the rogue AP and physically investigate it. If the rogue AP is within the customer premises and is physically located, the administrator can remove it.

  • The second option is to trace the rogue AP over the wired network to determine where it is connected (if it is connected to the customer's wired network). The WLSE uses the detected BSSID (that is, MAC address) of the rogue AP to trace it within the customer's wired network. If the rogue AP is successfully traced, the administrator has the option to shut down the switch port to which the rogue AP is connected.

  • The last option is to identify the rogue AP as a "friendly" AP if it is determined to be a valid neighbor's AP. This can be the case in a multitenant environment.
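
An added example, not code from the book or from the WLSE: a Python sketch of how collected RM reports could be turned into the rogue AP alerts described above, skipping managed and "friendly" BSSIDs and listing each reporter with its measured signal strength. The report layout, names and coordinates are constructed, and the RSSI-weighted centroid is a simple stand-in for location approximation, not the WLSE's actual algorithm.

```python
from collections import defaultdict

# Constructed inventory: managed AP BSSID -> (name, floor-plan position in metres).
MANAGED = {
    "00:11:22:aa:00:01": ("AP1", (0.0, 0.0)),
    "00:11:22:aa:00:02": ("AP2", (30.0, 0.0)),
}
FRIENDLY = {"00:de:ad:be:ef:01"}  # neighbour's AP an administrator marked "friendly"

# Constructed RM reports: (reporter, managed BSSID it reports through, seen BSSID, RSSI dBm).
REPORTS = [
    ("AP1", "00:11:22:aa:00:01", "00:11:22:aa:00:02", -55),       # managed neighbour
    ("AP1", "00:11:22:aa:00:01", "00:c0:ff:ee:00:99", -50),       # rogue, seen by AP1
    ("AP2", "00:11:22:aa:00:02", "00:C0:FF:EE:00:99", -60),       # same rogue, upper case
    ("AP2", "00:11:22:aa:00:02", "00:de:ad:be:ef:01", -70),       # friendly, suppressed
    ("client-7", "00:11:22:aa:00:02", "00:c0:ff:ee:00:42", -65),  # rogue seen only by a client
    ("client-9", "00:aa:bb:cc:dd:ee", "00:c0:ff:ee:00:77", -40),  # client not on a managed AP
]

def rogue_alerts(reports, managed=MANAGED, friendly=FRIENDLY):
    """Return {rogue BSSID: {"reporters": {name: best RSSI}, "location": (x, y) or None}}."""
    seen = defaultdict(dict)
    for reporter, via, bssid, rssi in reports:
        via, bssid = via.lower(), bssid.lower()
        if via not in managed:
            continue  # RM data is only accepted through a managed AP
        if bssid in managed or bssid in friendly:
            continue  # known infrastructure or an accepted neighbour
        if rssi > seen[bssid].get(reporter, -200):
            seen[bssid][reporter] = rssi  # keep the strongest reading per reporter
    positions = dict(managed.values())  # AP name -> (x, y)
    alerts = {}
    for bssid, reporters in seen.items():
        # Weight each reporting AP by received power in mW; client positions are unknown.
        weighted = [(10 ** (r / 10), positions[n]) for n, r in reporters.items() if n in positions]
        total = sum(w for w, _ in weighted)
        location = None
        if weighted:
            location = (sum(w * p[0] for w, p in weighted) / total,
                        sum(w * p[1] for w, p in weighted) / total)
        alerts[bssid] = {"reporters": dict(reporters), "location": location}
    return alerts

if __name__ == "__main__":
    for bssid, alert in rogue_alerts(REPORTS).items():
        print(bssid, alert)
```

A rogue reported only by clients still raises an alert here, but with no location estimate, because this sketch knows positions only for managed APs.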

Figure 9-6 illustrates the rogue AP alert that the WLSE generates. The detecting APs and detailed information regarding the rogue AP are displayed.

Figure 9-6. SWAN WLSE Rogue AP Detection Alert

In addition to rogue AP detection and suppression, you can use RM data and user association data to locate users throughout a WLAN network.

Finally, you can use collected RM data to identify non-802.11 RF activity in a WLAN network as well. This is useful for identifying potential denial-of-service (DoS) attacks using RF transmitters (known as RF jamming). The WLSE generates a fault notification when the measured and reported non-802.11 RF activity exceeds a prespecified threshold. In addition to triggering a fault notification, you can configure the WLSE to periodically adjust the channel configuration parameters for the APs based on the collected RM data to avoid non-802.11 RF interference.