One way we have found to mitigate rogue APs (and this only works on
newer networks) is through port security. If you are running Cisco 2950s
or newer on your wired LAN, you can use this method to restrict each
port on your LAN to a single device and this in turn knocks off any
associated clients
Airmagnet laptop or handheld will work.
At 02:16 PM 2/4/2005, you wrote:
In an effort to better identify rogue access points, can any of you
recommend tools that would make the physical and network pinpointing of WAPs
a bit easier. We have identified a number of rogues but cannot ascertain
http://www.securew2.com
is now open-source, supporting 802.1x with EAP-TTLS for Windows
XP/2000/CE.
A good complement to the existing open-source
development from http://www.open1x.org
(supports POSIX OSes)
Philippe Hanset
University of Tennessee
On Fri, 4 Feb 2005, Michael Dickson wrote:
Philippe Hanset wrote:
Don,
A trick that I have been willing to test for a long time would be
to join the Rogue AP, send traffic to a known sniffing host
in that same layer2 network.
This will reveal the Wired MAC address of the AP.
Then search for that MAC on your wired side and disable the port.
Where can we find a good list of the MAC address ranges for wireless access
points? If I just look
by manufacturer (see http://standards.ieee.org/regauth/oui/index.shtml) I do
not see a distinction
between their access points their NICs, switches, routers, and other network
equipment?
-jcw
Sometimes that is the case and sometimes not. I think what Jeff was
saying is that they connected to the AP with a client and then pinged a
device or something along those lines to get the client's MAC to show up
on a port. Then you don't have to worry about the AP's MAC, you just
look for your
There aren't any easy answers, but both AirTight Networks (a startup) and
AirDefense play their wireless and wireside detection and mitigation
algorithms quite strongly. In fact, all the wireless security vendors,
including Red M and AirMagnet will make some mention of 'proprietary' or
'patented'
John Watters wrote:
Where can we find a good list of the MAC address ranges for wireless access
points? If I just look
by manufacturer (see http://standards.ieee.org/regauth/oui/index.shtml) I do
not see a distinction
between their access points their NICs, switches, routers, and other network
We take a similar tack, but use the idea of tracking the IP address
reported by an internal campus web server to a specific location.
(Which we need to do for virus outbreaks anyway) Because we use VLANs
it's a little tedious to search all networks for a similar MAC address.
So we use a little
If you are looking to find Ethernet devices on your network the open source
Netdisco is a good place to start:
http://netdisco.org
If you are running a homogenous network with Cisco, Foundry, or some other
vendor that has CDP, etc support, it should be easy enough to whip up a Perl
script that
Michael Dickson wrote:
Using port security tends to open a can of worms with faculty and TAs
who use hubs in overcrowded offices. Also, it does not defend against
rogue APs or other devices doing NAT, as only a single MAC is seen on
the switch.
And not running it opens a security can of worms
Yantis, Jonathan Lindsey wrote:
Sometimes that is the case and sometimes not. I think what Jeff was
saying is that they connected to the AP with a client and then pinged a
Not necessarily. You can snarf it off the beacon, even if it is closed.
device or something along those lines to get the