
Wireless security on Avaya WLAN 8100


We provide protection from:
• Unauthorized access points in our wireless space
• Honeypot access points that pose as our “protected” SSID while accepting any key
• SSID masquerading: use of an SSID by an unknown access point
• Unprotected SSIDs
• Standalone access points using non-standard channels or modes

We provide detection and prevention of:
• Rogue clients
• Network intrusions
• Denial of network service
• MAC address flooding
• Authentication message floods
• Deauthentication message floods
• Failed authentication attempts exceeding a cutoff
• Clients whose MAC address is not in the OUI list
• Clients that are not in the client database (white list) or that are on the black list
• Clients connected via suspicious access points

For suspicious clients and access points, triangulation data is also collected to determine their location on the floor plan.


Our arsenal includes Avaya WLAN Access Point 8120 access points, an Avaya WLAN Controller 8180 and the WMS management system.


The equipment can provide security in several modes.


• Access mode: the client is granted access, and at the same time only the frequencies of the channels currently in use are scanned. Access points run in this mode by default.

• Access-WIDS mode: the client is granted access, and at the same time all frequencies in the 2.4 / 5 GHz band allowed for use in the Russian Federation are scanned.

• WIDS Sentry mode: access is not available to the client, and all frequencies in the 2.4 / 5 GHz range are scanned regardless of the regional setting.

• WIPS Sentry mode: access is not provided to the client. In addition to a full scan of all frequencies in the 2.4 / 5 GHz band regardless of the regional setting, active measures are taken against unauthorized access points and clients, that is, they are neutralized.

In all modes, the scan information is sent to the controller and is updated at an interval of 30 seconds.

The following shows an active attack on unauthorized access points.

image

We start the setup by creating a radio profile for Sentry mode with a scan interval of 1 millisecond.

    WC8180>en
    WC8180#conf t
    WC8180(config)#wireless
    WC8180(config-wireless)#radio-profile 3 wids-wips both
    WC8180(config-radio-profile)#rf-scan band both duration 1
    WC8180(config-radio-profile)#exit

Now we assign this radio profile to both radio modules of an access point by means of an AP profile.
By the way, the 8120 access point has two radio modules, and Sentry can be assigned to only one of them.

    WC8180(config-wireless)#ap-profile 7
    WC8180(config-ap-profile)#radio 1 profile-id 3
    WC8180(config-ap-profile)#radio 2 profile-id 3
    WC8180(config-ap-profile)#radio 1 enable
    WC8180(config-ap-profile)#radio 2 enable
    WC8180(config-ap-profile)#exit

We apply these settings to a specific access point.

    WC8180(config-wireless)#domain ap :F9:54:99:5B:20
    WC8180(config-domain-ap)#profile-id 7
    WC8180(config-domain-ap)#end

Now we add friendly access points using the following template. For example, I do not want to block my portable TP-LINK. For this, I need to specify its wireless parameters in detail.

    wids known-ap <mac_address> channel <0 - 216>
    wids known-ap <mac_address> security {any | open | wep | wpa}
    wids known-ap <mac_address> ssid <ssid_string>
    wids known-ap <mac_address> type {known-foreign | localenterprise | other}
    wids known-ap <mac_address> wds-mode {any | bridge | normal}
    wids known-ap <mac_address> wired-mode {allowed | notallowed}
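An added example, not from the original article or from Avaya: a Python generator that validates a known-AP inventory against the value ranges in the template above and emits the `wids known-ap` lines. The record layout, function names and the sample MAC and SSID are assumptions; reporting fields left at `any` follows the article's advice to specify the parameters in detail.

```python
import re

# Value sets and the channel range are copied from the template on this page.
ALLOWED = {
    "security": {"any", "open", "wep", "wpa"},
    "type": {"known-foreign", "localenterprise", "other"},
    "wds-mode": {"any", "bridge", "normal"},
    "wired-mode": {"allowed", "notallowed"},
}
ORDER = ("channel", "security", "ssid", "type", "wds-mode", "wired-mode")
MAC_RE = re.compile(r"[0-9A-F]{2}(:[0-9A-F]{2}){5}")

def known_ap_commands(ap):
    """Validate one AP record and return its `wids known-ap` lines."""
    mac = ap["mac"].upper().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"bad MAC address {ap['mac']!r}")
    if not isinstance(ap["channel"], int) or not 0 <= ap["channel"] <= 216:
        raise ValueError(f"{mac}: channel must be an integer in 0-216")
    for key, allowed in ALLOWED.items():
        if ap[key] not in allowed:
            raise ValueError(f"{mac}: {key}={ap[key]!r} not in {sorted(allowed)}")
    # Assumption: no quoting rules on the page, so reject empty/whitespace SSIDs.
    if not ap["ssid"] or any(c.isspace() for c in ap["ssid"]):
        raise ValueError(f"{mac}: SSID is empty or contains whitespace")
    return [f"wids known-ap {mac} {key} {ap[key]}" for key in ORDER]

def build_config(inventory):
    """Return (command lines, warnings) for a list of AP records."""
    lines, warnings, seen = [], [], set()
    for ap in inventory:
        cmds = known_ap_commands(ap)
        mac = cmds[0].split()[2]
        if mac in seen:
            raise ValueError(f"{mac}: duplicate known-AP entry")
        seen.add(mac)
        lines += cmds
        # Report wildcard fields: they are not "specified in detail".
        warnings += [f"{mac}: {k} left as 'any'"
                     for k in ("security", "wds-mode") if ap[k] == "any"]
    return lines, warnings

# Constructed sample record; the MAC and SSID are made up for illustration.
SAMPLE = [{"mac": "02-00-5e-10-20-30", "channel": 6, "security": "wpa",
           "ssid": "travel-ap", "type": "known-foreign",
           "wds-mode": "any", "wired-mode": "notallowed"}]

if __name__ == "__main__":
    print(build_config(SAMPLE))
```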

We configure WIDS for unauthorized access points.

    wids rogue-ap ack {all | rogue_mac_address}
    wids rogue-ap trap-interval <60 - 3600>
    wids rogue-ap wired-detection-interval <1 - 3600>

We monitor security in the WMS management system.


Source: https://habr.com/ru/post/166081/

