1-51
FAQ and Troubleshooting Guide for the CiscoWorks Wireless LAN Solution Engine
OL-8376-01
Chapter 1 FAQs and Troubleshooting
Intrusion Detection System FAQs and Troubleshooting
WLSE considers hardware, both client and access points, to be trusted sources, and assumes that
vendors are reporting the field correctly. WLSE expects only client machines and peripherals to emit
beacons with the IBSS flag set (it is very unlikely that an access point would emit an IBSS beacon).
In rare cases, however, a malicious station can spoof the field. If this happens, WLSE will report
whatever value the field is set to.
Q.
How often does rogue AP detection occur and can it be customized?
A.
Rogues can be detected within 90 seconds, but are not reported for another 180 seconds. This delay
allows as many APs as possible to detect the rogue, which helps pinpoint the rogue’s location.
Detection frequency cannot be customized, but rogue AP detection and the fault priority that is
assigned can be enabled and disabled for the network.
Q.
How long does it typically take for the WLSE to detect a rogue access point after it is connected to
the network?
A.
To detect a rogue AP, Radio Monitoring must be enabled. Radio monitoring gathers radio reports
every 90 seconds, so if at least one AP can hear the rogue, WLSE will detect the rogue in
approximately 360 to 450 seconds. (It takes 1 to 2 measurement intervals for Radio Monitoring to
report a rogue, and the WLSE waits for 3 measurement intervals for other surrounding APs or clients
to report the same radio.)
Q.
Can I disable transmit on an AP and yet allow it to receive signals so that it can participate in rogue
AP detection?
A.
The solution you want is called scanning-only AP mode. Scanning-Only AP mode puts a radio
interface in a dedicated mode monitoring the air space surrounding it without carrying any regular
WLAN user traffic. For more information, see the scanning-only AP mode information in the online
help or the User Guide for the CiscoWorks Wireless LAN Solution Engine, 2.13.
Q.
I want to disable Radio Monitoring and detect rogue APs only when AP Radio Scan jobs are
scheduled. Is this possible?
A.
Radio Monitoring is the preferred method for detecting rogue APs. AP Radio Scan jobs can detect
rogues, but only during the scan (approximately 3 to 4 minutes); any rogues that show up after the
scan are not detected. In addition, because the scan is so short, it is possible that some rogues will
not be detected because they do not respond with a Probe Request during the active scan. When
Radio Monitoring is enabled, the rogue will eventually be detected by the beacon frame; it is
statistically possible that a beacon will not be seen during an AP scan.
Q.
What requirements and configuration are needed before a client can participate in rogue AP
detection?
A.
Participation is automatic. Cisco and CCX clients gather radio frequency information as instructed
by the APs to which they are associated. APs gather similar information. This data is aggregated at
the WDS device and then analyzed by the WLSE.
Q.
Can the client be used to help triangulate a rogue AP?
A.
The client’s data does not get factored into location triangulation; only the AP data is used.
Q.
How can I automatically adjust the channel and power settings on my managed APs to overcome the
coverage problems introduced by rogue APs?
A.
To automatically adjust channel and power settings on managed APs after detecting rogue APs, run
RM Assisted Configuration (or Auto Site Survey from the Location Manager wizard).
