Руководство По Проектированию для Cisco Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter
4-30
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 4 Cisco Unified Wireless Network Architecture—Base Security Features
Cisco Unified Wireless Security Features
•
Rogue Location Discovery Protocol (RLDP)
If an AP is configured as a rogue detector, its radio is turned off and its role is to listen on the wired
network for MAC addresses of clients associated to rogue APs; that is, rogue clients. The rogue detector
listens for ARP packets that include these rogue client MAC addresses. When it detects one of these
ARPs, it reports this to the WLC, providing verification that the rogue AP is attached to the same
network as the Cisco Unified Wireless Network. To be effective at capturing ARP information, the rogue
AP detector should be connected to all available broadcast domains using a Switched Port Analyzer
(SPAN) port because this maximizes the likelihood of detection. Multiple rogue AP detector APs may
be deployed to capture the various aggregated broadcast domains that exist on a typical network.
network for MAC addresses of clients associated to rogue APs; that is, rogue clients. The rogue detector
listens for ARP packets that include these rogue client MAC addresses. When it detects one of these
ARPs, it reports this to the WLC, providing verification that the rogue AP is attached to the same
network as the Cisco Unified Wireless Network. To be effective at capturing ARP information, the rogue
AP detector should be connected to all available broadcast domains using a Switched Port Analyzer
(SPAN) port because this maximizes the likelihood of detection. Multiple rogue AP detector APs may
be deployed to capture the various aggregated broadcast domains that exist on a typical network.
If a rogue client resides behind a wireless router (a common home WLAN device), their ARP requests
are not seen on the wired network, so an alternative to the rogue detector AP method is needed.
Additionally, rogue detector APs may not be practical for some deployments because of the large
number of broadcast domains to be monitored (such as in the main campus network).
are not seen on the wired network, so an alternative to the rogue detector AP method is needed.
Additionally, rogue detector APs may not be practical for some deployments because of the large
number of broadcast domains to be monitored (such as in the main campus network).
The RLDP option can aid in these situations. In this case, a standard LAP, upon detecting a rogue AP,
can attempt to associate with the rogue AP as a client and send a test packet to the controller, which
requires the AP to stop behaving as a standard AP and temporarily go into client mode. This action
confirms that the rogue AP in question is actually on the network, and provides IP address information
that indicates its logical location in the network. Given the difficulties in deriving location information
in branch offices coupled with the likelihood of a rogue being located in multi-tenant buildings, rogue
AP detector and RLDP are useful tools that augment location-based rogue AP detection.
can attempt to associate with the rogue AP as a client and send a test packet to the controller, which
requires the AP to stop behaving as a standard AP and temporarily go into client mode. This action
confirms that the rogue AP in question is actually on the network, and provides IP address information
that indicates its logical location in the network. Given the difficulties in deriving location information
in branch offices coupled with the likelihood of a rogue being located in multi-tenant buildings, rogue
AP detector and RLDP are useful tools that augment location-based rogue AP detection.
Rogue AP Containment
Rogue AP- connected clients, or rogue ad-hoc connected clients, may be contained by sending 802.11
de-authentication packets from nearby LAPs. This should be done only after steps have been taken to
ensure that the AP is truly a rogue AP, because it is illegal to do this to a legitimate AP in a neighboring
WLAN. This is the reason why Cisco removed the automatic rogue AP containment feature from the
solution.
de-authentication packets from nearby LAPs. This should be done only after steps have been taken to
ensure that the AP is truly a rogue AP, because it is illegal to do this to a legitimate AP in a neighboring
WLAN. This is the reason why Cisco removed the automatic rogue AP containment feature from the
solution.
To determine whether rogue AP clients are also clients on the enterprise WLAN, the client MAC address
can be compared with MAC addresses collected by the AAA during 802.1X authentication. This allows
for the identification of potential WLAN clients that may have been compromised or users who are not
following security policies.
can be compared with MAC addresses collected by the AAA during 802.1X authentication. This allows
for the identification of potential WLAN clients that may have been compromised or users who are not
following security policies.
Management Frame Protection
One of the challenges in 802.11 has been that management frames are sent in the clear with no encryption
or message integrity checking and are therefore vulnerable to spoofing attacks. WLAN management
frame spoofing can be used to attack a WLAN network. To address this, Cisco created a digital signature
mechanism to insert a message integrity check (MIC) into 802.11 management frames. This allows
legitimate members of a WLAN deployment to be identified, as well being able identify rogue
infrastructure devices, and spoofed frames through their lack of valid MICs.
or message integrity checking and are therefore vulnerable to spoofing attacks. WLAN management
frame spoofing can be used to attack a WLAN network. To address this, Cisco created a digital signature
mechanism to insert a message integrity check (MIC) into 802.11 management frames. This allows
legitimate members of a WLAN deployment to be identified, as well being able identify rogue
infrastructure devices, and spoofed frames through their lack of valid MICs.
The MIC used in management frame protection (MFP) is not a simple CRC hashing of the message, but
also includes a digital signature component. The MIC component of MFP ensures that a frame has not
been tampered with, and the digital signature component ensures that the MIC could have only been
produced by a valid member of the WLAN domain. The digital signature key used in MFP is shared
among all controllers in a mobility group; different mobility groups have different keys. This allows the
validation of all WLAN management frames processed by the WLCs in that mobility group. (See
also includes a digital signature component. The MIC component of MFP ensures that a frame has not
been tampered with, and the digital signature component ensures that the MIC could have only been
produced by a valid member of the WLAN domain. The digital signature key used in MFP is shared
among all controllers in a mobility group; different mobility groups have different keys. This allows the
validation of all WLAN management frames processed by the WLCs in that mobility group. (See