Alcatel-Lucent omniaccess User Manual
OmniAccess RN: User Guide
166
Part 031650-00
May 2005
•	Misconfigured AP detection: If desired, a list of parameters can be configured that defines the characteristics of a valid AP. This is primarily used when non-Alcatel APs are being used in the network, since the Alcatel Mobility Controller cannot configure the 3rd-party APs. These parameters can include preamble type, WEP configuration, OUI of valid MAC addresses, valid channels, DCF/PCF configuration, and ESSID. The system can also be configured to detect an AP using a weak WEP key. If a valid AP is detected as misconfigured, the system will deny access to the misconfigured AP. In cases where someone gains configuration access to a 3rd-party AP and changes the configuration, this policy is useful in blocking access to that AP until the configuration can be fixed.
•	Weak WEP detection: The primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for WEP initialization vectors (IVs) that are known to be weak; each such IV leaks information about one byte of the key, so a device that transmits them makes the key recoverable given enough traffic. The Alcatel system monitors for devices using weak WEP implementations (those that do not avoid weak IVs) and generates reports for the administrator listing which devices require upgrades.
•	Multi Tenancy: The Alcatel system provides the ability to configure reserved channel and SSID lists, and to disable unrecognized APs that use these reserved resources. This feature can be used in a multi-tenant building where different enterprises must share the RF environment. It can also be used to defend against "honeypot" APs. A "honeypot" AP is an attacker's AP that is set up in close proximity to an enterprise, advertising the ESSID of the enterprise. The goal of such an attack is to lure valid clients into associating to the honeypot AP. From that point, a MITM attack can be mounted, or an attempt can be made to learn the client's authentication credentials. Most client devices have no way of distinguishing between a valid AP and an invalid one: the devices only look for a particular ESSID and will associate to whichever AP advertising that ESSID offers the strongest signal, which is usually the nearest.
•	MAC OUI: The Alcatel system provides the ability to match MAC addresses seen in the air with known manufacturers. The first three bytes of a MAC address are known as the MAC OUI (Organizationally Unique Identifier) and are assigned by the IEEE. Often, clients using a spoofed MAC address will not use a valid OUI, and will instead use a randomly generated MAC address. By enabling MAC OUI checking, administrators will be notified if an unrecognized MAC address is in use. Note that this is a heuristic: an attacker who deliberately spoofs an address carrying a legitimate vendor OUI is not detected by this check alone, so it should be used alongside the valid-AP and reserved-resource policies above.
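The policy checks described in the misconfigured AP detection, multi tenancy and MAC OUI items above can be modelled as a small classifier. The following is an added example in plain Python, not code from the OmniAccess product or its WebUI: it compares each AP observed in the air against a valid-AP profile (ESSID, channel, encryption, preamble, hardware OUI), checks unrecognized APs against reserved ESSID and channel lists, and applies the OUI heuristic, including the locally-administered bit that randomly generated MAC addresses typically set. The OUI table, the profile, the reserved lists and the observed APs are all constructed sample data.

```python
"""Policy checks for APs seen in the air: valid-AP profile (misconfigured AP
detection), reserved SSID/channel lists (multi tenancy / honeypot detection)
and MAC OUI matching. Added example in plain Python; not OmniAccess code.
The OUI table, profile and observed APs below are constructed sample data."""
from dataclasses import dataclass

# Constructed OUI table (first three octets, upper-case). A real deployment
# would load the IEEE OUI registry; these entries are illustrative only.
KNOWN_OUIS = {"00:0B:86": "Alcatel/Aruba", "00:40:96": "Cisco/Aironet",
              "00:20:A6": "Proxim"}

@dataclass(frozen=True)
class ValidAPProfile:
    essids: frozenset      # ESSIDs the enterprise operates
    channels: frozenset    # channels its APs are allowed to use
    ouis: frozenset        # OUIs of the approved AP hardware
    wep_required: bool     # encryption must be enabled (WEP, in this manual's era)
    preamble: str          # "long" or "short"

@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    essid: str
    channel: int
    wep: bool
    preamble: str

def oui_of(mac: str) -> str:
    """Return the OUI (first three octets) of a MAC address in AA:BB:CC form."""
    octets = mac.replace("-", ":").upper().split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(octets[:3])

def is_locally_administered(mac: str) -> bool:
    """The 0x02 bit of the first octet marks a locally administered address,
    i.e. one not assigned by the IEEE; random or spoofed MACs often set it."""
    return bool(int(oui_of(mac)[:2], 16) & 0x02)

def classify(ap: ObservedAP, profile: ValidAPProfile,
             reserved_essids: frozenset, reserved_channels: frozenset) -> list:
    """Return policy findings for one observed AP; an empty list means valid
    (or an unrelated neighbour that stays off our reserved resources)."""
    findings = []
    oui = oui_of(ap.bssid)
    if oui in profile.ouis:
        # Our hardware: it must still match every parameter of the profile.
        if ap.essid not in profile.essids:
            findings.append("misconfigured: unexpected ESSID")
        if ap.channel not in profile.channels:
            findings.append("misconfigured: channel not permitted")
        if profile.wep_required and not ap.wep:
            findings.append("misconfigured: encryption disabled")
        if ap.preamble != profile.preamble:
            findings.append("misconfigured: preamble type changed")
    else:
        # Not our hardware: is it squatting on a reserved SSID or channel?
        if ap.essid in reserved_essids:
            findings.append("honeypot: unrecognised AP advertising reserved ESSID")
        if ap.channel in reserved_channels:
            findings.append("interfering: unrecognised AP on reserved channel")
        if is_locally_administered(ap.bssid):
            findings.append("oui: locally administered (likely spoofed) BSSID")
        elif oui not in KNOWN_OUIS:
            findings.append("oui: unrecognised manufacturer")
    return findings

def classify_all(aps, profile, reserved_essids, reserved_channels) -> dict:
    """Classify every observed AP; keyed by BSSID."""
    return {ap.bssid: classify(ap, profile, reserved_essids, reserved_channels)
            for ap in aps}

# Constructed deployment: one enterprise ESSID, channels 1/6/11 reserved for it.
PROFILE = ValidAPProfile(frozenset({"corp"}), frozenset({1, 6, 11}),
                         frozenset({"00:0B:86"}), True, "long")
RESERVED_ESSIDS = frozenset({"corp"})
RESERVED_CHANNELS = frozenset({1, 6, 11})
SAMPLE_APS = [
    ObservedAP("00:0B:86:11:22:33", "corp", 6, True, "long"),       # valid
    ObservedAP("00:0B:86:11:22:34", "corp", 6, False, "long"),      # WEP turned off
    ObservedAP("02:DE:AD:BE:EF:01", "corp", 6, False, "long"),      # honeypot
    ObservedAP("00:40:96:AA:BB:CC", "tenant-b", 3, True, "short"),  # neighbour tenant
    ObservedAP("00:11:22:33:44:55", "cafe", 3, False, "long"),      # unknown vendor
]

if __name__ == "__main__":
    for bssid, found in classify_all(SAMPLE_APS, PROFILE, RESERVED_ESSIDS,
                                     RESERVED_CHANNELS).items():
        print(bssid, "OK" if not found else "; ".join(found))
```

The neighbour tenant in the sample is left alone because it uses neither a reserved ESSID nor a reserved channel, which is the coexistence the multi-tenancy feature is meant to allow; the honeypot is caught on three counts at once, while a plain unknown vendor on a free channel only produces the OUI notification.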
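The weak WEP detection item above describes monitoring for devices whose WEP implementation still emits weak IVs. The following is an added example in plain Python, not OmniAccess code, of what such a monitor has to do: pull the transmitter address and the 3-byte IV out of protected 802.11 data frames, test each IV against the FMS weak class (IVs of the form B+3, 0xFF, X, which leak information about secret key byte B), and report every transmitter that has sent at least one. The frames are constructed test input carrying only the MAC header and IV; the encrypted payload and ICV are not modelled, and the BSSIDs are made up.

```python
"""Weak-IV monitoring for WEP, as described under "Weak WEP detection".
Added example in plain Python, not OmniAccess code. The 802.11 frames below
are constructed test input (header + IV only; encryption and ICV are not
modelled). The FMS attack (Fluhrer, Mantin, Shamir 2001) uses IVs of the form
(B + 3, 0xFF, X): because the 3-byte IV is prepended to the secret key, such
an IV leaks information about secret key byte B, B = 0..4 for 40-bit WEP and
0..12 for 104-bit WEP. A device that ever transmits one is not filtering
weak IVs and should be upgraded."""
from collections import Counter

def is_fms_weak_iv(iv: bytes, key_bytes: int = 13) -> bool:
    """True if iv is an FMS weak IV for a WEP key of key_bytes secret bytes."""
    if len(iv) != 3:
        raise ValueError("WEP IV is exactly 3 bytes")
    return iv[1] == 0xFF and 0 <= iv[0] - 3 < key_bytes

def parse_wep_frame(frame: bytes):
    """Return (transmitter MAC, IV) for a WEP-protected data frame, else None."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x03 != 2:      # frame type 2 = data
        return None
    if not fc1 & 0x40:              # Protected Frame bit clear: not encrypted
        return None
    hdr = 24
    if fc1 & 0x03 == 0x03:          # ToDS+FromDS: 4-address (WDS) header
        hdr += 6
    if (fc0 >> 4) & 0x08:           # QoS data subtypes carry a QoS Control field
        hdr += 2
    if len(frame) < hdr + 4:
        return None
    tx = ":".join(f"{b:02X}" for b in frame[10:16])   # Address 2 = transmitter
    return tx, frame[hdr:hdr + 3]                     # IV precedes the Key ID byte

def weak_iv_report(frames, key_bytes: int = 13) -> dict:
    """Map transmitter -> (weak IVs, WEP frames) for transmitters that emitted
    at least one FMS weak IV. Anything non-zero is a device needing upgrade."""
    total, weak = Counter(), Counter()
    for frame in frames:
        parsed = parse_wep_frame(frame)
        if parsed is None:
            continue
        tx, iv = parsed
        total[tx] += 1
        if is_fms_weak_iv(iv, key_bytes):
            weak[tx] += 1
    return {tx: (weak[tx], total[tx]) for tx in total if weak[tx]}

def make_wep_data_frame(src: bytes, iv: bytes, body: bytes = b"\x00" * 8) -> bytes:
    """Constructed WEP data frame: FromDS, 3-address header, Protected bit set."""
    fc = bytes([0x08, 0x42])                 # type=data, subtype=0; FromDS|Protected
    bcast = bytes.fromhex("ffffffffffff")
    return fc + b"\x00\x00" + bcast + src + src + b"\x00\x00" + iv + b"\x00" + body

AP_A = bytes.fromhex("000b86aabb01")   # constructed BSSIDs
AP_B = bytes.fromhex("004096ccdd02")
SAMPLE_FRAMES = [
    make_wep_data_frame(AP_A, bytes([0x03, 0xFF, 0x10])),  # weak: leaks key byte 0
    make_wep_data_frame(AP_A, bytes([0x04, 0xFF, 0x22])),  # weak: leaks key byte 1
    make_wep_data_frame(AP_A, bytes([0x05, 0x10, 0x00])),  # not weak
    make_wep_data_frame(AP_B, bytes([0x10, 0x10, 0x10])),  # AP_B filters weak IVs
    make_wep_data_frame(AP_B, bytes([0x20, 0x20, 0x20])),
    make_wep_data_frame(AP_B, bytes([0x03, 0xFE, 0x01])),  # second byte != 0xFF
    bytes([0x80, 0x00]) + b"\x00" * 30,   # beacon (management frame): skipped
    bytes([0x08, 0x02]) + b"\x00" * 30,   # unencrypted data frame: skipped
]

if __name__ == "__main__":
    for tx, (w, n) in weak_iv_report(SAMPLE_FRAMES).items():
        print(f"{tx}: {w} weak IVs in {n} WEP frames - upgrade required")
```

Only AP_A appears in the report: AP_B never emits an IV with 0xFF in the second byte, which is exactly what firmware with weak-IV avoidance does, so from the monitor's point of view it needs no upgrade even though it still runs WEP. The key_bytes parameter matters because an IV that is weak for a 104-bit key (first byte up to 0x0F) is outside the weak range for a 40-bit key.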
Configuring Rogue AP Detection
Follow the steps below to configure the Alcatel network to detect insecure APs
and classify them as rogue and interfering respectively as defined in the section
above.
1. Navigate to the Configuration > Wireless LAN Intrusion Detection > Rogue AP page on the WebUI of the Master switch.