Nortel 2350 参考指南
Detecting and Combatting Rogue Devices 423
Nortel WLAN—Management Software 2300 Series Reference Guide
Mobility Domain Requirement
RF Detection requires the Mobility Domain to be completely up. If a Mobility Domain is not fully operational
(not all members are up), no new RF Detection data is processed. Existing RF Detection information ages out
normally. Processing of RF Detection data is resumed only when all members of the Mobility Domain are up.
If a seed switch in the Mobility Domain cannot resume full operation, you can restore the Mobility Domain to
full operation, and therefore resume RF Detection data processing, by removing the inoperative switch from
the member list on the seed.
(not all members are up), no new RF Detection data is processed. Existing RF Detection information ages out
normally. Processing of RF Detection data is resumed only when all members of the Mobility Domain are up.
If a seed switch in the Mobility Domain cannot resume full operation, you can restore the Mobility Domain to
full operation, and therefore resume RF Detection data processing, by removing the inoperative switch from
the member list on the seed.
Rogue Detection Lists
Rogue detection lists specify the third-party devices and SSIDs that WSS Software allows on the network, and
the devices WSS Software classifies as rogues. You can configure the following rogue detection lists:
the devices WSS Software classifies as rogues. You can configure the following rogue detection lists:
•
Permitted SSID list—A list of SSIDs allowed in the Mobility Domain. WSS Software generates a
message if an SSID that is not on the list is detected.
message if an SSID that is not on the list is detected.
•
Permitted vendor list—A list of the wireless networking equipment vendors whose equipment is allowed
on the network. The vendor of a piece of equipment is identified by the Organizationally Unique
Identifier (OUI), which is the first three bytes of the equipment’s MAC address. WSS Software generates
a message if an AP or wireless client with an OUI that is not on the list is detected.
on the network. The vendor of a piece of equipment is identified by the Organizationally Unique
Identifier (OUI), which is the first three bytes of the equipment’s MAC address. WSS Software generates
a message if an AP or wireless client with an OUI that is not on the list is detected.
•
Rogue list—A list of AP MAC addresses to attack whenever they are present on the network.
•
Client black list—A list of MAC addresses of wireless clients who are not allowed on the network. WSS
Software prevents clients on the list from accessing the network through a WSS. If the client is placed on
the black list dynamically by WSS Software due to an association, reassociation or disassociation flood,
WSS Software generates a log message.
Software prevents clients on the list from accessing the network through a WSS. If the client is placed on
the black list dynamically by WSS Software due to an association, reassociation or disassociation flood,
WSS Software generates a log message.
•
Ignore list—A list of third-party devices that you want to exempt from rogue detection. WSS Software
does not count devices on the ignore list as rogues or interfering devices, and does not issue
countermeasures against them.
does not count devices on the ignore list as rogues or interfering devices, and does not issue
countermeasures against them.
An empty permitted SSID list or permitted vendor list implicitly allows all SSIDs or vendors. However, when
you add an entry to the SSID or vendor list, all SSIDs or vendors that are not in the list are implicitly disal-
you add an entry to the SSID or vendor list, all SSIDs or vendors that are not in the list are implicitly disal-
RFDetectDoS
Indicates that WSS Software has detected a
DoS attack other than an associate request
flood, reassociate request flood, or
disassociate request flood.
DoS attack other than an associate request
flood, reassociate request flood, or
disassociate request flood.
RFDetectDoSPort
Indicates that WSS Software has detected an
associate request flood, reassociate request
flood, or disassociate request flood.
associate request flood, reassociate request
flood, or disassociate request flood.
RFDetectClientViaRogueWiredAP
Indicates that WSS Software has detected,
on the wired part of the network, the MAC
address of a wireless client associated with a
third-party AP.
on the wired part of the network, the MAC
address of a wireless client associated with a
third-party AP.
Table 1: SNMP Notifications for RF Detection (continued)
Notification Type
Description