AirMagnet PRG-Laptop 7.0 Reference Manual

Laptop wireless lan

AirMagnet® Laptop Wireless LAN Policy Reference Guide


Summary of Contents for AirMagnet PRG-Laptop 7.0

  • Page 1 AirMagnet® Laptop Wireless LAN Policy Reference Guide...
  • Page 2 Security, Inc. All rights reserved. AirMagnet® and AirWISE® are registered trademarks, and the AirMagnet logo is a trademark, of AirMagnet, Inc. All the other product names mentioned herein may be trademarks or registered trademarks of their respective companies. AirMagnet, Inc.
  • Page 3: Table of Contents

    DoS Attack: CTS Flood, p. 32; DoS Attack: Queensland University of Technology Exploit, p. 34; DoS Attack: RF Jamming Attack, p. 36; DoS Attack: Virtual Carrier Attack, p. 38; DoS Attack Against Client Station, p. 40
  • Page 4 Soft AP or Host AP Detected, p. 81; Spoofed MAC Address Detected, p. 82; Suspicious After-Hour Traffic Detected, p. 83; Unauthorized Association Detected, p. 84; Wellenreiter Detected, p. 87; Chapter 4: Rogue AP and Station, p. 89; Rogue AP, p. 90
  • Page 5 Device Unprotected by IEEE 802.11i/AES, p. 116; Device Unprotected by 802.11x, p. 120; Device Unprotected by EAP-FAST, p. 122; Device Unprotected by PEAP, p. 123; Device Unprotected by TKIP, p. 124; WPA or 802.11i Pre-Shared Key Used, p. 126
  • Page 6 Device Thrashing Between 802.11g and 802.11b, p. 151; Chapter 8: IEEE 802.11e & VoWLAN Issues, p. 153; AP Overloaded by Voice Traffic, p. 155; Voice Quality Degradation Caused by Interfering APs, p. 157; Channel Overloaded by Voice Traffic, p. 159
  • Page 7 Channel with High Noise Level, p. 180; Channel with Overloaded APs, p. 181; Hidden Station Detected, p. 183; Insufficient RF Coverage, p. 185; Interfering APs Detected, p. 187; Non-802.11 Interfering Source Detected, p. 188; RF Regulatory Rule Violation, p. 192
  • Page 8 Table of Contents
  • Page 9: Part One: Security IDS/IPS

    AP, unconfigured AP, and Denial-of-Service attacks. Figure 1-1: Wireless Security Approaches The AirMagnet product is designed to help manage against security threats by validating proper security configurations and detecting possible intrusions. With the comprehensive suite of security...
  • Page 10 To maximize the power of AirMagnet Mobile, security alarms can be customized to best match your security deployment policy. For example, if your WLAN deployment includes Access Points made by a specific vendor, the product can be customized to generate the rogue AP alarm when an AP made by another vendor is detected by AirMagnet Mobile.
  • Page 11: Chapter 1: Configuration Vulnerabilities

    For example, AirMagnet Mobile generates a warning alarm when it detects an AP broadcasting its SSID. The AirMagnet Mobile alarm description in this case will recommend that the wireless administrator turn off the SSID broadcast as a good security practice.
  • Page 12: AP Broadcasting SSID

    (such as Denial-of-service). • Your WLAN and APs with GPS information on your geographical location may be collected in a global database and published on the Internet...
  • Page 13: AP Configuration Changed

    AirMagnet Mobile detects an AP broadcasting its SSID and triggers alarms (it is also able to discover SSIDs that are not broadcast). In the Start page, APs are listed with their SSIDs in red to indicate a non-broadcast SSID.
  • Page 14 [Table residue: frequency values 5260, 5280, 5300, 5320, 5740, 5765, 5785, 5805; row and column layout not recoverable]
  • Page 15 This means that channels 1, 6 and 11 are the three non-overlapping channels in the frequency spectrum. See sample channel allocation and AP deployment below. Figure 1-6: Allocating Adjacent APs to Non-overlapping Channels...
  • Page 16: AP Operating in Bridged Mode Detected

    APs and has made those changes. AirMagnet Mobile also alerts the user for any sudden changes in the SSID of the access point. This may indicate that an intruder has control over the access point and has modified the SSID configuration.
  • Page 17 Detection of such wireless bridge devices indicates that something is wrong and the security of the corporate network could be compromised. Figure 1-7: Rogue Bridged AP/wireless bridge connected to a corporate network...
  • Page 18: AP Using Default Configuration

    AirMagnet, the WLAN administrator may use the FIND tool to locate the rogue device. Figure 1-8: Locating a device with AirMagnet Mobile’s FIND tool AP Using Default Configuration Access Points shipped by wireless equipment vendors usually come with a set of default configuration parameters.
  • Page 19: Device Vulnerable To Hotspot Attack Tools

    So, the criterion for entry is dependent only on whether the subscriber has paid the subscription fees or not. In a...
  • Page 20 • Authentication Server: This server contains the login credentials for the subscribers. The Hotspot controller will, in most cases, verify the credential for the subscriber with the authentication server after it is received...
  • Page 21 Fake AP. Once the client gets associated, the attack tool can be configured to run a command, possibly a script to kick off a DHCP daemon and other scanning against the new victim. Hotspotter is one such tool...
  • Page 22 The only case where it could have lesser impact is if the hotspot user is connected using a pay-per-minute usage scheme. The AirSnarf tool can be downloaded by hackers from http://airsnarf.shmoo.com/...
  • Page 23: Potential Pre-802.11n Device Detected

    SSIDs configured for use in the Hotspot environment. AirMagnet Mobile suggests that the administrator use the AirMagnet Find tool to locate the clients and take appropriate steps to avoid probing using the Hotspot SSID.
  • Page 24 Some tests have proved that if there are 802.11g devices operating in channels adjacent to pre-n devices, the performance of both products is severely affected...
  • Page 25: Exposed Wireless Station Detected

    AirMagnet alerts the WLAN administrator if it detects a Pre-11n device in the wireless environment. The presence of such devices may cause severe performance degradation issues to the current wireless setup due to inter-operability problems between various standards.
  • Page 26 Figure 1-13: Laptop with an open WLAN connection risks exposing data on the laptop and the corporate wired network AirMagnet Mobile detects client stations that constantly search for association, thus leaving themselves vulnerable. Typically, they are client stations mis-configured manually or automatically by the vendor profile selector.
  • Page 27: LEAP Vulnerability Detected

    Figure 1-14: Locating a device with AirMagnet Mobile FIND tool LEAP Vulnerability Detected It is well publicized that WLAN devices using static WEP key for...
  • Page 28 Cisco Systems has developed the Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling (EAP-FAST) protocol which will stop these dictionary attacks. EAP-FAST helps prevent Man-in-the-middle attacks, dictionary attacks, packet and authentication forgery attacks. In EAP-FAST, a tunnel is created...
  • Page 29 LEAP and are vulnerable to the ASLEAP attack and are under the risk of exposing their user-name and password information. It is recommended that EAP-FAST be implemented in the wireless environment...
  • Page 30 Chapter 1: Configuration Vulnerabilities
  • Page 31: Chapter 2: IDS-Denial of Service Attack

    Fortunately, WLAN vendors are now aware of some of the attacks and are developing new standards like 802.11i to tackle some of these issues. AirMagnet Mobile contributes to this solution by providing an early detection system where the attack signatures are matched.
  • Page 32: DoS Attack: Association Flood

    DoS attack signatures against the AP. Incomplete authentication and association transactions trigger the AirMagnet Mobile attack detection and statistical signature matching process. Detected DoS attacks result in AirMagnet Mobile alarms that include a detailed description of the alarm and target device information. DoS Attack: Association Flood...
  • Page 33 802.1x actions and data communication after a successful client association to detect this form of DoS attack. After this attack is reported by AirMagnet Mobile, you may use the AirMagnet active tools (survey, performance, DHCP) to check if the AP is still functioning properly.
  • Page 34: DoS Attack: Association Table Overflow

    AP - thus emulating a denial of service attack. AirMagnet Mobile tracks the client authentication process and identifies a DoS attack signature against an AP. Incomplete authentication and association transactions trigger the AirMagnet Mobile attack detection and statistical signature matching process.
  • Page 35 1 or state 2, filling up the AP association table. When the table reaches its limit, legitimate clients will not be able to authenticate and associate with this AP, thus a DoS attack is committed. Attack tool: Void11...
  • Page 36: DoS Attack: EAPOL-Start Attack

    AP under attack will be identified. The WLAN security analyst can log on to the AP to check the current association table status or use the AirMagnet active tool (DHCP, ping) to test the wireless service provided by this AP.
  • Page 37: DoS Attack: PS Poll Flood Attack

    The WLAN security officer can log on to the AP to check the current association table status or use AirMagnet active tools (Diagnostics, DHCP, Ping) to test the wireless service provided by this AP. DoS Attack: PS Poll Flood Attack Power Management is probably one of the most critical features of wireless LAN devices.
  • Page 38: DoS Attack: Unauthenticated Association

    AirMagnet Mobile can detect this Denial of Service attack that can cause the wireless client to lose legitimate data. You can use the Find tool to locate the source device and take appropriate steps to remove it from the wireless environment.
  • Page 39 802.1x actions and data communication after a successful client association to detect this form of DoS attack. After this attack is reported by AirMagnet Mobile, you may use the AirMagnet active tools (survey, performance, DHCP) to check if the AP is still functioning properly.
  • Page 40: DoS Attack Against Infrastructure

    While this method helps reduce network traffic, it leaves your network vulnerable to a particular DoS attack in which a hacker spoofs repeated CTS frames. These frames inform other devices that the...
  • Page 41 RF medium to hold back their transmission until the attacker stops transmitting the CTS frames. AirMagnet Mobile detects the abuse of CTS frames for a denial-of-service attack. Similar to an RF jamming attack, security personnel can use the AirMagnet Mobile product's FIND tool to locate the source of the excess CTS frames.
  • Page 42: DoS Attack: Queensland University of Technology Exploit

    Figure 2-7: Locating intruders using AirMagnet Mobile FIND tool DoS Attack: Queensland University of Technology Exploit Denial of Service Vulnerability in IEEE 802.11 Wireless Devices: US-CERT VU#106678 & Aus-CERT AA-2004.02 802.11 WLAN devices use Carrier Sense Multiple Access with...
  • Page 43 SOHO and enterprise WLANs. The only solution or known protection against such an attack is switching to the 802.11a protocol. For more information on this DoS attack please refer to: • www.isi.qut.edu.au/ • http://www.auscert.org.au/render.html?it=4091 • http://www.kb.cert.org/vuls/id/106678...
  • Page 44: DoS Attack: RF Jamming Attack

    AirMagnet Mobile detects this specific DoS attack and sets off the alarm. Please use the Find tool to locate the responsible device and take appropriate steps to remove it from the wireless environment. Figure 2-8: Locating a device using AirMagnet Mobile FIND tool...
  • Page 45 RF jamming attack. A reported RF jamming attack can be further investigated by tracking down the noise source using the AirMagnet Find tool with an external directional antenna. Figure 2-9: Tracking down RF jamming attack using AirMagnet...
  • Page 46: DoS Attack: Virtual Carrier Attack

    Figure 2-10: Tracking signal and noise levels using AirMagnet Find tool DoS Attack: Virtual Carrier Attack The virtual carrier-sense attack is implemented by modifying the 802.11 MAC layer implementation to allow random duration values to be sent periodically.
  • Page 47 AirMagnet Mobile detects this Denial of Service attack. Locate the device and take appropriate steps to remove it from the wireless environment. Figure 2-11: Locating a device using AirMagnet Mobile FIND tool...
  • Page 48: DoS Attack Against Client Station

    802.1x EAP-Failure or EAP-logoff messages are not encrypted and can be spoofed to disrupt the 802.1x authenticated state, thus disrupting wireless service. See the diagram below for 802.1x authentication and key exchange state change...
  • Page 49: DoS Attack: Authentication-Failure Attack

    DoS attack signatures. Incomplete authentication and association transactions trigger the AirMagnet Mobile attack detection and statistical signature matching process. Detected DoS attacks result in AirMagnet Mobile alarms that include a detailed description of the alarm and target device information. DoS Attack: Authentication-Failure Attack IEEE 802.11 defines a client state machine for tracking station...
  • Page 50 AP updates the client to State 1, which disconnects its wireless service. AirMagnet Mobile detects this form of a DoS attack by monitoring on spoofed MAC addresses and authentication failures. This alarm may also indicate an intrusion attempt. When a wireless client fails too...
  • Page 51: DoS Attack: De-Authentication Broadcast

    State 1 and State 2 can not participate in WLAN data communication until it is authenticated and associated to State 3. Figure 2-15: Attacker spoofs 802.11 de-authentication frames from AP to client station to bring client to state 1...
  • Page 52: DoS Attack: De-Authentication Flood

    When the alarm is triggered, the AP under attack will be identified. The WLAN security analyst can log on to the AP to check the current association table status or use AirMagnet Mobile active tools (Diagnostics, DHCP, Ping) to test the wireless service provided by this AP.
  • Page 53 Typically, client stations would re-associate and re-authenticate to regain service until the attacker sends another de-authentication frame. An attacker would repeatedly spoof the de-authentication frames to keep all clients out of service...
  • Page 54: DoS Attack: Disassociation Broadcast

    State 2 can not participate in WLAN data communication until it is authenticated and associated to State 3. Figure 2-17: Attacker spoofs 802.11 disassociation frames from AP to broadcast address to force all clients to state 2...
  • Page 55: DoS Attack: Disassociation Flood

    When the alarm is triggered, the AP under attack will be identified. The WLAN security officer can log on to the AP to check the current association table status or use the AirMagnet Mobile active Tools (Diagnostics, DHCP, Ping) to test the wireless service provided by this AP.
  • Page 56 Typically, client stations would re-associate to regain service until the attacker sends another disassociation frame. An attacker would repeatedly spoof the disassociation frames to keep the client out of service...
  • Page 57: DoS Attack: EAPOL-Logoff Attack

    When the alarm is triggered, the AP under attack will be identified. The WLAN security officer can log on to the AP to check the current association table status or use the AirMagnet Mobile active Tools (Diagnostics, DHCP, Ping) to test the wireless service provided by this AP.
  • Page 58: DoS Attack: FATA-Jack Tool Detected

    The WLAN security officer can log on to the AP to check the current association table status or use AirMagnet active tools (Diagnostics, DHCP, Ping) to test the wireless service provided by this AP. DoS Attack: FATA-Jack Tool Detected IEEE 802.11 defines a client state machine for tracking station...
  • Page 59 It does this after it spoofs the MAC address of the Access point. FATA-jack closes most active connections and at times forces the user to reboot the station to continue normal activities...
  • Page 60: DoS Attack: Premature EAP-Failure Attack

    MAC addresses and authentication failures. This alarm may also indicate an intrusion attempt. When a wireless client fails too many times in authenticating with an AP, AirMagnet Mobile raises this alarm to indicate a potential intruder's attempt to breach security by brute force computer power.
  • Page 61 EAP-Failure frames and the 802.1x authentication states for each client station and AP. Locate the device and take appropriate steps to remove it from the wireless environment. Figure 2-22: Locating a device using AirMagnet Mobile FIND tool...
  • Page 62: DoS Attack: Premature EAP-Success Attack

    An attacker could keep the client interface from coming up (therefore DoS) by continuously spoofing pre-mature EAP-Success frames from the AP to the client to disrupt the authentication state on the client as explained in the previous paragraph...
  • Page 63 AirMagnet Enterprise detects this form of DoS attack by tracking spoofed pre-mature EAP-Success frames and the 802.1x authentication states for each client station and AP. Locate the device and take appropriate steps to remove it from the wireless environment.
  • Page 64 Chapter 2: IDS—Denial of Service Attack
  • Page 65: Chapter 3: IDS-Security Penetration

    These security threats can be prevented if mutual authentication and strong encryption techniques are used. AirMagnet Mobile looks for weak security deployment practices as well as any penetration attack attempts. AirMagnet Mobile ensures a strong wireless security umbrella by validating the best security policy implementation as well as detecting intrusion attempts.
  • Page 66 Airsnarf is a wireless access point setup utility to show how a hacker can steal username and password credentials from public wireless hotspots...
  • Page 67 Airsnarf AP. The AirSnarf tool can be downloaded by hackers from http://airsnarf.shmoo.com/ AirMagnet Mobile will detect the wireless device running the AirSnarf tool. Appropriate action must be taken by the administrator to locate and remove the AirSnarf tool from the WLAN environment. The Find tool can be used for this purpose.
  • Page 68: Fast WEP Crack (ARP Replay) Detected

    Figure 3-2: Locating a device AirMagnet Mobile FIND tool Fast WEP Crack (ARP Replay) Detected It is well publicized that WLAN devices using static WEP key for encryption are vulnerable to WEP key cracking attack (Refer to Weaknesses in the Key Scheduling Algorithm of RC4 - I by Scott Fluhrer, Itsik Mantin, and Adi Shamir).
  • Page 69: Device Probing for APs

    PrismStumbler, dStumbler, iStumbler, Aerosol, Boingo™ Scans, WiNc™, AP Hopper, NetChaser, Microsoft Windows XP scans AirMagnet Mobile detects wireless devices probing the WLAN and attempting association (i.e., association request for an AP with any SSID). Such devices could pose potential security threats in one of the following two ways: •...
  • Page 70 Figure 3-4: War-chalker publishes a discovered WLAN and its configuration at the WLAN location with these universal symbols. The first potential security threat as indicated by this AirMagnet Mobile alarm is the presence of WLAN war-driving, war-chalking, war-walking, and war-flying activities with tools mentioned above.
  • Page 71 To be secure, all client stations should be configured with specific SSID(s) to avoid associating with an unintended AP. Mutual authentication such as 802.1x and various EAP methods should also be considered to tackle such an issue...
  • Page 72: Dictionary Attack on EAP Methods

    AirMagnet Mobile also detects a wireless client station probing the WLAN for an anonymous association (i.e., association request for an AP with any SSID) using the NetStumbler tool. The Device probing for AP alarm is generated when hackers use latest versions of the NetStumbler tool.
  • Page 73: EAP Attack Against 802.1x Authentication Type

    802.1x authentication protocol exchange and the user identifier usages. Upon detection of a dictionary attack, the AirMagnet Mobile alarm message identifies the user name and attacking station's MAC address. AirMagnet advises switching user name and password-...
  • Page 74: Fake APs Detected

    Please take appropriate steps to locate the device and remove it from the wireless environment. Use the FIND tool for this purpose. Figure 3-6: The AirMagnet Mobile FIND tool locates devices by tracking down the signal level. Fake APs Detected...
  • Page 75: Fake DHCP Server Detected

    WLAN management tools, etc. AirMagnet Mobile does not recommend running the Fake AP tool in your WLAN. AirMagnet recommends that the administrator locate the device running the Fake AP tool and take appropriate steps to remove it from the wireless environment.
  • Page 76: Hotspotter Tool Detected

    IP addresses to unaware users. Once the client is identified and reported by AirMagnet Mobile, the WLAN administrator may use the FIND tool to locate the device. Figure 3-7: The AirMagnet Mobile FIND tool locates devices by tracking down the signal level Hotspotter Tool Detected A hotspot is any location where Wi-Fi network access is made available for the general public.
  • Page 77 • Authentication Server: This server contains the login credentials for the subscribers. The Hotspot controller will, in most cases, verify the credential for the subscriber with the authentication server after it is received...
  • Page 78 (home and office) when they are still configured to include the hotspot SSID in the Windows XP wireless connection settings. The clients will send out probe requests using that SSID and will make themselves vulnerable to the tool...
  • Page 79: Illegal 802.11 Packets Detected

    These ill-formed frames can be broadcasted to cause multiple wireless clients to crash. AirMagnet Mobile can detect these illegal packets and raise an alarm when they appear. Wireless clients experiencing blue screen or lock-up problems during the attack period should consider upgrading the WLAN NIC driver or the firmware.
  • Page 80: Man-In-The-Middle Attack Detected

    Once the client is identified and reported by AirMagnet Mobile, the WLAN administrator may use the FIND tool to locate it. Figure 3-10: Locating a device using AirMagnet Mobile FIND tool Man-in-the-Middle Attack Detected Man-in-the-Middle (MITM) attack is one of the most common 802.11 attacks that can lead to confidential corporate and private...
  • Page 81 One of the most commonly used Man-in-the-Middle attack tools is Monkey-Jack. AirMagnet Mobile recommends the use of strong encryption and authentication mechanisms to thwart any Man-in-the-middle attacks by hackers. Ways to avoid such an attack include preventing MAC spoofing by using MAC address exclusion lists and monitoring the RF channel environment.
  • Page 82: Monitored Device Detected

    Infrastructure page on the AirMagnet Enterprise Console. Once the monitored node is identified and reported by AirMagnet Enterprise, the WLAN administrator may use the triangulation feature (available on the IDS/Rogue page) provided on the AirMagnet Enterprise Console to locate the device.
  • Page 83: NetStumbler Detected

    NetStumbler Detected AirMagnet Enterprise detects a wireless client station probing the WLAN for an anonymous association (i.e. association request for an AP with any SSID) using the NetStumbler tool. The Device probing for AP alarm is generated when hackers use latest versions of the NetStumbler tool.
  • Page 84: Potential ASLEAP Attack Detected

    Joshua Wright, a network engineer at Johnson & Wales University in Providence, Rhode Island has written a hacking tool that compromises wireless LAN networks running LEAP by using off-line dictionary attacks to break LEAP passwords. The tool after...
  • Page 85 In EAP-FAST, a tunnel is created between the client and the server using a PAC (Protected Access Credential) to authenticate each other. After the tunnel establishment process, the client is then authenticated using the user-name and password credentials...
  • Page 86: Potential Honey Pot AP Detected

    Honey pot AP. Once a Honeypot AP is identified and reported by AirMagnet Mobile, the WLAN administrator may use the FIND tool to locate the rogue device.
  • Page 87 Figure 3-13: Locating a device using AirMagnet Mobile FIND tool...
  • Page 88: Publicly Secure Packet Forwarding (PSPF) Violation

    APs. The PSPF feature prevents client devices from inadvertently sharing files with other client devices on the wireless network...
  • Page 89: Soft AP or Host AP Detected

    AirMagnet Mobile detects PSPF violations. That is, if a wireless client attempts to communicate with another wireless client, AirMagnet Mobile raises an alarm for a potential intrusion attack. This alarm does not apply if your WLAN deploys wireless printers or VoWLAN applications because these applications rely on wireless client-to-client communication.
  • Page 90: Spoofed MAC Address Detected

    Any soft AP detected by AirMagnet Mobile should be treated as a rogue AP as well as a potential intrusion attempt. Once the soft AP is identified and reported by AirMagnet Mobile, the WLAN administrator may use the FIND tool to locate the rogue device.
  • Page 91: Suspicious After-Hour Traffic Detected

    One way to detect a wireless security penetration attempt is to analyze wireless usage during a time in which there is not supposed to be any wireless traffic (such as after business hours). AirMagnet Mobile monitors traffic patterns against the office-hours configured for this alarm to generate alerts when an abnormality is found.
  • Page 92: Unauthorized Association Detected

    AP, whose MAC address does not fall within the pre-configured address list. The authorized MAC address list can be imported to AirMagnet Mobile from a file. It can also be auto-generated by requesting AirMagnet Enterprise to accept all or a specific subset of existing APs or STAs discovered by AirMagnet SmartEdge sensors.
  • Page 93 • Use the AirMagnet Enterprise wired trace and block rogue device feature provided by the AirMagnet Enterprise Console on the IDS/Rogue page to track down the wired-side IP address of the rogue AP and manually block it. The results will include the switch IP address and the port to which the rogue AP is connected.
  • Page 94 Figure 3-17: AirMagnet Enterprise wired trace and block Rogue feature suspends rogue APs...
  • Page 95: Wellenreiter Detected

    Wellenreiter Detected AirMagnet Enterprise detects a wireless client station probing the WLAN for an anonymous association (i.e. association request for an AP with any SSID) using the Wellenreiter tool. Figure 3-18: War-chalker publishes a discovered WLAN and its...
  • Page 96 To prevent your APs from being discovered by these hacking tools, you can configure your APs to not broadcast their SSIDs. You can use AirMagnet Mobile to see which of your APs are broadcasting (announcing) their SSIDs in the beacons.
  • Page 97: Chapter 4: Rogue AP and Station

    APs made from Cisco operating in the 802.11b mode, you may enter that information in the AirMagnet rogue device alarm configuration. AirMagnet Mobile will then generate rogue device alarms if a non-Cisco AP or an 802.11g AP is detected in the wireless environment.
  • Page 98: Rogue AP

    SSID, radio media type, and RF channels. For AirMagnet Enterprise, the AirMagnet sensor can be configured to auto-respond to detected rogue APs. In such a case, the AirMagnet SmartEdge Sensor emulates a wireless client using the rogue AP's announced SSID to associate with the AP.
  • Page 99: Rogue AP by Channel

    Rogue AP by Channel AirMagnet Mobile alerts the WLAN administrator on rogue APs by checking against enterprise standardized operating radio channel assignments for the 802.11a, 802.11b, or 802.11g standards. When an AP operating in a non-enterprise standardized radio channel is discovered by AirMagnet Mobile, a rogue AP alarm will be generated.
  • Page 100: Rogue AP by IEEE ID (OUI)

    Rogue AP by IEEE ID (OUI) AirMagnet Mobile alerts the WLAN administrator of a rogue AP by checking against a pre-configured authorized AP equipment vendor list. For example, if your enterprise has deployed only Cisco Aironet or Symbol Technologies APs, you would then include Cisco and Symbol in the authorized vendor list.
  • Page 101: Rogue AP by MAC Address (ACL)

    AirMagnet Mobile discovered rogue devices should be investigated carefully. Once a Rogue AP is identified and reported by AirMagnet Mobile, the WLAN administrator may use the FIND tool to locate the rogue device.
  • Page 102: Rogue Ap By Ssid

    MyOfficeWlan and MyVoIPWlan, you would then include these two SSIDs in the authorized SSID list. After this list is imported, AirMagnet Mobile raises a rogue AP alarm when an AP operating in a different SSID is discovered. Rogue APs installed by unauthorized employees usually do not follow enterprise standard deployment practices, and can thus compromise security on the wireless and wired networks.
  • Page 103: Rogue AP by Wireless Media Type

    Rogue AP by Wireless Media Type: AirMagnet Mobile alerts the WLAN administrator of a rogue AP by checking against enterprise standardized operating radio frequencies and media such as 802.11a, 802.11b, or 802.11g. Whenever an AP...
  • Page 104: Rogue AP Traced on Enterprise Wired Network

    Rogue AP Traced on Enterprise Wired Network: AirMagnet Mobile can detect rogue APs that are connected to the corporate wired network. Rogue APs installed by unauthorized employees may not follow enterprise standard deployment procedures, thus compromising security on the wireless and wired network.
  • Page 105: Rogue Station

    802.11a, 802.11b, or 802.11g standards. When a station operating in a non-enterprise standardized radio channel is discovered by AirMagnet Mobile, a rogue station alarm will be generated. Rogue stations installed by unauthorized employees may not follow enterprise standard deployment procedures, and may thus compromise security on the wireless and wired network.
  • Page 106: Rogue Station by IEEE ID (OUI)

    Figure 4-8: Locating a device using the AirMagnet Mobile FIND tool. Rogue Station by IEEE ID (OUI): AirMagnet Mobile alerts the WLAN administrator of a rogue station by checking against a pre-configured authorized station equipment vendor list.
  • Page 107: Rogue Station by MAC Address (ACL)

    (rogue stations) whose MAC address falls outside the pre-configured address list. The authorized MAC address list can be imported to AirMagnet Enterprise from a file (AccessControl.txt). This file is common for APs, Infrastructure stations and Ad-hoc stations. It can also be auto-generated by...
  • Page 108: Rogue Station by SSID

    WLAN is configured only with MyOfficeWlan and MyVoIPWlan, you would then include these two SSIDs in the SSID list. AirMagnet Mobile raises a rogue station alarm when a station operating in a different SSID is discovered.
  • Page 109: Rogue Station by Wireless Media Type

    Once a rogue station is identified and reported by AirMagnet Mobile, the WLAN administrator may use the FIND tool to locate the rogue device. Figure 4-11: Locating a device using AirMagnet Mobile FIND tool...
  • Page 110 Once a rogue station is identified and reported by AirMagnet Mobile, the WLAN administrator may use the FIND tool to locate the rogue device. Figure 4-12: Locating a device using AirMagnet Mobile FIND tool...
  • Page 111: Chapter 5: Authentication and Encryption

    AirMagnet Mobile learns from the AirMagnet policy configuration. For example, AirMagnet generates the Device unprotected by PEAP alarm if the 802.1x EAP type-PEAP is your enterprise standardized authentication protocol. Common security violations in this category...
  • Page 112: Other Encryption And Authentication Methods

    (authentication and encryption) include mis-configurations, out-of-date software/firmware, and suboptimal choice of corporate security policy. AirMagnet Mobile alerts the administrator to these issues and provides countermeasures. Other Encryption and Authentication Methods: AirMagnet Mobile security offerings cover most standard technologies such as WEP, 802.1x, TKIP, and VPN.
  • Page 113: Device Unprotected By Fortress Encryption

    Cranite administrators to see external wireless threats. The integration of the AirMagnet alerts into WirelessWall will enable Cranite users to have a better view of the overall performance of their network, and be able to identify external threats, such as DoS attacks.
  • Page 114: Static WEP Encryption

    Shamir) have been published on the vulnerabilities of this algorithm (WEP using RC4 with static key). For security-sensitive WLAN deployments, other alternatives such as WPA (Wireless Protected Access - TKIP and 802.1x) and 802.11i exist to address the encryption tasks.
  • Page 115: AP with Encryption Disabled

    WEP, it is still safer than no encryption at all. If you decide to use static WEP, there are ways to keep it as secure as WEP can be. AirMagnet Mobile assists you in accomplishing that goal by monitoring static WEP usage and...
  • Page 116: Crackable WEP IV Key Used

    These clients can then act as an entry point into the corporate network for intruders. AirMagnet Laptop Analyzer detects devices that are not using any encryption and recommends that the user use higher encryption mechanisms.
  • Page 117: Device Using Open Authentication

    EAP framework or VPN. In case your deployment chooses to use Shared-key Authentication or something other than Open Authentication, you can enable this alarm to have AirMagnet Mobile alert you whenever it detects any device that violates your deployment policy of not using Open Authentication.
  • Page 118 Many enterprises today deploy 802.11 WLANs using Open Authentication instead of Shared Key Authentication with a higher level authentication mechanism provided by 802.1x and EAP methods such as LEAP, PEAP, TLS, etc.
  • Page 119: WEP IV Key Reused

    AirMagnet Mobile alerts on weak WEP implementations and recommends a device firmware upgrade (if available) from the device vendor to correct the IV usage problem. Ideally, enterprise...
  • Page 120: Device Unprotected by VPN

    PPTP, L2TP, and SSH as the tunneling protocols. Alarms are triggered when devices communicate with each other without any VPN protection. Please note that AirMagnet Mobile will not be able to trigger this alarm if 802.11 encryption such as 802.1x or TKIP is also deployed on your WLAN.
  • Page 121: WPA and 802.11i

    TKIP (Temporal Key Integrity Protocol) enhances industrial strength encryption with dynamic keying. • PMK (Pre-shared Master Key) allows small- and medium-sized deployments to use 802.1x and TKIP without complex infrastructure back-end servers (such as RADIUS).
  • Page 122: 802.11X Rekey Timeout Too Long

    This AirMagnet Mobile alarm assists you in enforcing the rekey mechanism for all data streams. Take appropriate steps (such as checking the AP configuration for this setting) to resolve this issue.
  • Page 123 Internet but not the corporate wired network. An AP supporting multiple SSIDs transmits broadcast and multicast frames, thus making the encryption option selection (802.1x or no encryption) an implementation challenge.
  • Page 124: Device Unprotected by IEEE 802.11i/AES

    AirMagnet Mobile detects unencrypted multicast and broadcast frames caused by mis-configuration or vendor implementation errors. AirMagnet recommends that the user use APs that implement the encryption of multicast and broadcast frames in a proper manner. Device Unprotected by IEEE 802.11i/AES The new 802.11i standard provides the much necessary two of the...
  • Page 125 802.11i defined 4-way handshake is used for encryption key management, with no EAP exchange. As there is no RADIUS server and no EAP methods (EAP-TLS, LEAP) involved, the PSK mode is less secure.
  • Page 126 Along with MIC, TKIP also provides per packet key mixing which helps prevent many keystream attacks. Figure 5-9: TKIP and MIC encryption algorithm addresses the weakness of static WEP as well as defeating packet forgery and replay attack.
  • Page 127 IEEE 802.11 WEP mechanism provided no protection to the MPDU header. Second, both CCMP encryption and decryption use only the forward AES block cipher function leading to significant savings in code and hardware size.
  • Page 128: Device Unprotected by 802.11x

    Figure 5-11: CCMP MPDU. AirMagnet Mobile alerts on detecting devices that are not using the IEEE 802.11i standard and possibly compromising the security of the wireless network. AirMagnet Mobile recommends that the user take the appropriate steps to avoid any security holes in the network and upgrade the wireless network infrastructure and devices to use the more secure IEEE 802.11i standard.
  • Page 129 AP. AirMagnet Mobile recognizes all 802.1x EAP types including PEAP, TLS, TTLS, LEAP, EAP-FAST, etc. AirMagnet Mobile detects APs and client stations unprotected by 802.1x by observing rejected 802.1x authentication challenges.
  • Page 130: Device Unprotected by EAP-FAST

    This makes the capture of LEAP passwords very fast. • Only de-authenticating users who have not already been seen, doesn't waste time on users who are not running LEAP. • Reading from stored libpcap files.
  • Page 131: Device Unprotected by PEAP

    EAP-FAST protocol. It is recommended that EAP-FAST be implemented in the wireless environment. Device Unprotected by PEAP: AirMagnet Mobile monitors 802.1x transactions and their specific EAP (Extensible Authentication Protocol) types. Among all EAP types (such as PEAP, TLS, TTLS, LEAP, OTP, etc.), PEAP (Protected EAP) is especially noteworthy.
  • Page 132: Device Unprotected by TKIP

    Many WLAN equipment vendors (including Cisco) have recently added support for PEAP with a firmware upgrade. You can rely on this AirMagnet Mobile alarm to alert you of devices that are not using PEAP. Please ensure that the PEAP authentication method is implemented on all devices in the wireless environment.
  • Page 133 Cisco) have added TKIP and MIC support in their latest firmware and drivers. AirMagnet Mobile detects WLAN traffic that is not protected by TKIP encryption and raises an alarm for attention. AirMagnet Mobile advises updating these devices to their latest firmware and reconfiguring them to include TKIP encryption.
  • Page 134: WPA or 802.11i Pre-Shared Key Used

    20-character passphrases. Refer to the article "Weakness in Passphrase Choice in WPA Interface" by Robert Moskowitz, November 4, 2003.
  • Page 135 AirMagnet Mobile detects the use of the PSK mode and recommends switching to the more secure 802.1x-EAP based key management and authentication system. If you decide to stay with PSK mode key management, please make sure your choice of the passphrase is longer than 20 characters and does not contain any words from a dictionary, thus preventing possible attacks.
  • Page 137: Part Two: Performance Violation

    Deployment and operation error • IEEE 802.11e & VoWLAN issues To maximize the power of AirMagnet, performance alarms can be customized to best match your WLAN deployment specification. For example, if your WLAN is designed for all users to use 5.5 and 11 Mbps speed only, you can customize the threshold for performance alarm 'Low speed tx rate exceeded' to reflect such an expectation.
  • Page 139: Chapter 6: Channel or Device Overload

    Be it channel bandwidth limitation or the WLAN device resource capacity, AirMagnet Mobile monitors and tracks the load to ensure smooth operation. In the event of the WLAN not performing satisfactorily due to under-provisioning or over-growth, AirMagnet Mobile raises alarms and offers specific details.
  • Page 140: AP Association Capacity Full

    AirMagnet Mobile monitors rejected association requests and responses to determine the cause of failed associations. When AirMagnet Mobile concludes that they are due to an AP association capacity overflow problem, this alarm is generated. This alarm indicates under-provisioning or failed load balancing for the WLAN deployment.
  • Page 141: AP Overloaded by Utilization

    WLAN provisioning for all client devices. Please note that high bandwidth consumption does not mean high WLAN throughput. The sample AirMagnet Mobile...
  • Page 142: Excessive Multicast/Broadcast

    Figure 6-3: AirMagnet tracks WLAN bandwidth utilization on a per channel and per device basis. AirMagnet Mobile tracks AP bandwidth utilization (the sum of outgoing and incoming traffic combined) and raises an alarm when the sustained utilization exceeds the user-configured threshold. To...
  • Page 143 1 Mbps, which is a considerable delay for a voice application. AirMagnet Mobile tracks multicast and broadcast frame usage on a per channel and per device basis to report abuse. The alarm threshold is the percentage of multicast and broadcast frames to total frames by the device or channel.
  • Page 145: Chapter 7: Deployment and Operation Error

    Figure 7-1: WLAN Deployment Involves Configuration for Access Points, Wireless Bridges, and Back-end Distribution Service AirMagnet Mobile monitors these configuration parameters and their mutual interactions for potential errors. In addition, AirMagnet Enterprise monitors the RF environment to ensure reliable wireless...
  • Page 146: Configuration Error

    WLAN environment. In addition, inconsistent configurations between devices using the same SSID trigger AirMagnet Mobile alarms; for example, when within the same SSID, an AP uses short RF preamble while another uses long RF preamble.
  • Page 147: Ad-Hoc Node Using AP's SSID

    Oftentimes, when an SSID is used by both infrastructure mode and ad-hoc mode devices, it is caused by a mis-configuration. Such a mis-configuration may cause connection problems not only for the mis-configured device but also for all clients in the area.
  • Page 148: Conflicting AP Configuration

    Once the ad-hoc device is identified and reported by AirMagnet Mobile, the WLAN administrator may use the FIND tool to locate it. Figure 7-2: Locating a device using AirMagnet Mobile FIND tool Conflicting AP Configuration Mobile...
  • Page 149: Higher Speed Not Supported

    WLAN site survey and deployment process. It is typically impacted by signal quality and distance. See the table below for all the supported speeds and what AirMagnet Enterprise considers to be high speed for the selected standard.
  • Page 150: Missing Performance Options

    APs and access cards from a specific vendor. • Channel agility: This setting on your AP allows the device to scan for the least-congested channel during its initial...
  • Page 151: Simultaneous PCF and DCF Operation

    During the WLAN design and deployment process, you may decide to take advantage of and rely on these optional capabilities. If you enable this alarm, AirMagnet Mobile monitors them and raises alarms if any wireless devices do not support these options.
  • Page 152: Unassociated Station Detected

    • A user is out of wireless service and is in need of help. • If multiple users are reported by AirMagnet to be in the unassociated mode, then the wireless infrastructure (AP or back-end authentication server) may be down.
  • Page 153: AP System or Firmware Reset

    AirMagnet Mobile can accurately detect an AP system reset regardless of the cause. With this AirMagnet Mobile alarm, linkage can be drawn between interrupted service and its root cause in such a scenario.
  • Page 154: IEEE 802.11g Issues

    This may be prohibitive, resulting in retransmission, long delays, and degraded performance. AirMagnet Mobile detects APs with flawed 802.11 power-save implementations similar to the two defects mentioned above. This problem generally does not cause any wireless connection issues but causes severe quality of service degradation.
  • Page 155 802.11b devices could be reduced as well. For more details, please refer to the AirMagnet web site (http://www.airmagnet.com) to download the AirMagnet white paper "802.11g - the need for speed."
  • Page 156: 802.11g AP Beacons Wrong Protection

    When the protection mechanism is turned off by an AP for a b/g mixed mode deployment, it raises an alarm for further investigation. You can use the AirMagnet Channel screen to profile your 802.11g and 802.11b traffic load to decide on a protection mechanism configuration.
  • Page 157: 802.11g Device Using Non-Standard Data Rate

    AirMagnet Mobile tracks WLAN devices in their ability to support the short-time-slot mechanism. Once it detects an AP advertising for short-time-slot operation despite the existence of devices incapable of supporting it, an 802.11g performance alarm is raised to alert the...
  • Page 158: 802.11g Protection Mechanism Not Implemented

    If they violate the advisory from their AP by not using the protection mechanism in a mixed 802.11b and 802.11g WLAN environment, AirMagnet raises this alarm to alert the WLAN administrator for correction. The impact of such a violation may be uncoordinated and potentially overlapping transmissions from 802.11b devices resulting in WLAN (.11b and .11g) frame...
  • Page 159: Device Thrashing Between 802.11g and 802.11b

    802.11g implementation that is too sensitive to the dynamic mix of traffic and devices between 802.11b and 11g. Client station mode switching may also be caused by mode switches on the APs.
  • Page 160 APs. You may also monitor the client RF mode switch in real time by observing the transmit speeds used by the client in the AirMagnet Infrastructure page after selecting the target client station.
  • Page 161: Chapter 8: IEEE 802.11e & VoWLAN Issues

    Enhanced Distributed Channel Access (EDCA): This mechanism delivers traffic based on the different user priorities associated with every MSDU (MAC Service Data Unit) assigned at layers above the MAC layer. Different user priorities can be obtained by modifying:
  • Page 162 (or the communication could be through the Internet). The two most important issues that need to be considered in a VoWLAN deployment are: • capacity: number of phones or concurrent calls per cell
  • Page 163: AP Overloaded by Voice Traffic

    AP supporting VoWLAN traffic is used to provide voice services for 6 to 8 phones and that the issues with voice are drastically different than those that arise with...
  • Page 164 VoWLAN calls may be choppy and experience degraded performance. AirMagnet Mobile monitors the AP workload by tracking its active VoWLAN clients. You can configure the system to generate an alarm based on the number of phones supported by each AP on your network.
  • Page 165: Voice Quality Degradation Caused by Interfering APs

    VoWLAN clients to drop their connection with the AP, thus disconnecting the voice call. Now, the clients may have to re-associate and re-authenticate to continue the ability to make the voice calls. This process gets tougher in an environment where higher...
  • Page 166 APs with overlapping frequency usage. Most experts advise the use of channels 1, 6 and 11, while some recommend the use of only channels 1 and 11. The user can use the AirMagnet Infrastructure view to further investigate current channel usage and take countermeasures.
  • Page 167: Channel Overloaded By Voice Traffic

    Also, the AirMagnet Jitter tool allows the user to effectively measure RF signal jitter in both incoming and outgoing WLAN traffic between an access point and a station. Based on this information, the user can make the appropriate changes to the configuration or the placement of the APs to reduce the interference.
  • Page 168 Figure 8-8: Beacon frame format as suggested by IEEE 802.11e
  • Page 169 QBSS. Figure 8-10: Load Element Format. The Channel utilization field indicates the portion of available wireless medium bandwidth currently used to transport traffic within this QBSS.
  • Page 170 APs are installed densely all over the company premises. Though APs are getting cheaper, the overall architecture deployment price is still high. AirMagnet Survey, part of the AirMagnet Mobile Family, can help the users implement such a dense deployment. With AirMagnet Survey, networking professionals can: •...
  • Page 171: Excessive Roaming Detected On Wireless Phones

    802.11r working group is still being developed to improve VoWLAN roaming. Its focus is to reduce the time required to authenticate when...
  • Page 172 AirMagnet Mobile monitors for excessive VoWLAN re-associations by tracking association counts and APs. Once detected and reported by AirMagnet Mobile, this problem can be further investigated by using the station-list to display APs and session characteristics involved (see sample below).
  • Page 173 Figure 8-13: Using the Infrastructure Page station-List to investigate excessive roaming problem
  • Page 174 Figure 8-14: AirMagnet Roaming tool to measure roaming delays Also, the AirMagnet Jitter tool allows the user to effectively measure RF signal jitter in both incoming and outgoing WLAN traffic between an access point and a station. Based on this information, the user can make the appropriate changes to the configuration or the placement of the APs to reduce the interference.
  • Page 175: Power Save DTIM Not Optimized for Voice Traffic

    300 msec. Each vendor has their own suggested DTIM value for their APs. AirMagnet Mobile alerts the WLAN administrator if it sees the DTIM value to be different than the one specified in the alert threshold. Please refer to your AP's documentation to specify a value.
  • Page 176 AirMagnet Mobile detects APs sending out multicast traffic. AirMagnet recommends avoiding use of multicast traffic for voice applications such as Music on Hold (MoH: A Music on Hold system plays a pre-recorded program for callers to listen to while they are on hold.
  • Page 177: Chapter 9: Problematic Traffic Pattern

    By tracking and analyzing the wireless traffic, AirMagnet Mobile is able to spot performance inefficiencies and degradations early on. In many cases, AirMagnet Mobile can even determine the cause of the detected performance problem and suggest countermeasures. AirMagnet Mobile tracks MAC layer protocol characteristics, including the following: •...
  • Page 178: Excessive Fragmentation Degrading Performance

    AirMagnet Mobile tracks the fragmentation statistics on the network and alerts on abused fragmentation usage that could lead to degraded WLAN performance. The fragmentation threshold needs to be carefully set to balance the benefit and overhead.
  • Page 179: Excessive Frame Retries

    Figure 9-3: 802.11 Frame Header includes the Retry field to indicate frame re-transmission AirMagnet Mobile detects these retry frames and tracks them on a per device and per channel orientation. See illustration below: Figure 9-4: AirMagnet Mobile Retry frame error tracking display for a...
  • Page 180: Excessive Low Speed Transmission

    The administrator can then take appropriate steps to avoid such problems. For example, if the problem stems from noise or interference, AirMagnet's Find tool can be used to help track down and remedy the root cause. Excessive Low Speed Transmission 802.11a, 11b or 11g devices use several different transmit speeds from...
  • Page 181 Figure 9-6: 802.11b Speed and Coverage correlation. See the table below for all the supported speeds and what AirMagnet Mobile considers to be a low speed for the selected standard. Table columns: Speed, 802.11b (Mbps), 802.11g (Mbps), 802.11a (Mbps)
  • Page 182: Excessive Missed AP Beacons

    Figure 9-8: AirMagnet Mobile Channel screen shot on Bandwidth Utilization, Throughput, and Transmit Speed Relationship. AirMagnet will alert the administrator if it sees a high amount of traffic at lower speeds that may lead to excessive bandwidth usage and lower throughput. The administrator must take appropriate steps to ensure better signal quality to get higher speeds.
  • Page 183: Excessive Packet Errors

    Frame Header and Frame Body Respectively. Figure 9-10: HEC (Header Error Checksum) defined in PLCP Header. 802.11 MAC layer protocol also defines the FCS (Frame Checksum) field at the end of a packet for error detection. See illustration...
  • Page 184 AirMagnet Mobile detects these error frames and tracks them based on per device and per channel orientation. See illustration below: Figure 9-12: AirMagnet Mobile CRC frame error tracking display for a channel or a device. When the CRC error frame to total frame ratio exceeds a user-definable threshold, AirMagnet Mobile alerts the administrator to indicate a possible WLAN performance problem.
  • Page 185: Excessive Roaming Or Reassociation

    RF environment: • AP load balancing and bandwidth allocation • Dynamic channel selection to avoid RF interference and dedicated channel bandwidth • Automatic AP output power adjustment for optimized coverage and capacity
  • Page 186 APs. Once detected and reported by AirMagnet Mobile, this problem can be further investigated by using the station list on the Infrastructure page to display APs and session characteristics involved (see sample below).
  • Page 187: High Management Traffic Overhead

    They are considered to be the necessary overhead of WLAN operation. Figure 9-15: 802.11 Frame Types for Management, Control, and Data Frames
  • Page 188: Channel With High Noise Level

    To further pin down the cause of the high management overhead problem, the WLAN administrator may investigate the problem by using the AirMagnet Channel or Charts view. See sample screen shots below: Figure 9-16: Channel page displays the management frame statistics...
  • Page 189: Streaming Traffic From Wireless Device

    WLAN provisioning for all client devices. This makes it very important for administrators to ensure that a single client station should not use up the entire bandwidth. For example, enterprise networks could have a problem...
  • Page 190 Once the streaming client is identified and reported by AirMagnet Mobile, the WLAN administrator may use the FIND tool to locate the streaming device.
  • Page 191 Figure 9-19: The AirMagnet Mobile FIND tool locates devices by tracking down the signal level
  • Page 193 Chapter 10: RF Management. AirMagnet Mobile monitors the physical RF environment, which is dynamic and very often the source of WLAN performance problems. Through this, the AirWISE technology characterizes the following WLAN fundamentals and reports problems accordingly: •...
  • Page 194 (without additional assistance; see below) as Bluetooth, microwave, phones, etc., and their presence appears in the form of RF channel noise to AirMagnet Mobile. By tracking the noise level for each channel, AirMagnet Mobile raises this alarm against the channel that has a sustained high noise level.
  • Page 195 If you purchase AirMagnet Spectrum Analyzer and integrate it with AirMagnet Mobile, you now have a more powerful tool that can identify these additional sources of interference. By enabling the Spectrum Analyzer integration function, you can use the RF Interference page to identify which channels are experiencing interference from non-802.11 sources.
  • Page 196 Figure 10-4: Site Survey Allocate Non-overlapping Channels to Physically Adjacent APs AirMagnet Mobile monitors channel allocation and usage and raises this alarm when a channel is populated by more than the pre-defined maximum number of APs (the configurable alarm threshold is 3).
  • Page 197: Hidden Station Detected

    AirMagnet Mobile detects a hidden node problem by identifying a hidden station from the location. For example, if you placed an AirMagnet Analyzer at the location of Station A above, it would passively listen and analyze the traffic received at that location and...
  • Page 198 Analyzer is located). Once hidden stations are detected, AirMagnet Mobile would suggest countermeasures, typically turning on the RTS/CTS (Request-to-send/Clear-to-send) mechanism to coordinate media access. In the above example, one would re-configure Station A and Station B to have a very low threshold (packet size) to trigger the use of RTS and CTS.
  • Page 199: Insufficient RF Coverage

    For example, if walls or partitions (which could cause interference) are rearranged, or if new devices that also operate on the 2.4 GHz spectrum (cordless phones, microwaves, etc.)...
  • Page 200 Figure 10-10: AirMagnet Enterprise tracks RF coverage from multiple WLANs by their SSIDs AirMagnet Mobile tracks multiple WLANs by their SSIDs to make sure each SSID is covered sufficiently by at least one AP at the location. When AirMagnet Mobile discovers any SSID not meeting the user-specified minimum AP signal strength, it generates an RF coverage compromised alarm.
  • Page 201: Interfering APs Detected

    (the user configurable alarm threshold) of APs. For example, if AirMagnet...
  • Page 202: Non-802.11 Interfering Source Detected

    Most experts advise the use of channels 1, 6 and 11, while some recommend the use of only channels 1 and 11. The user can use the AirMagnet Infrastructure view to further investigate current channel usage and take countermeasures.
  • Page 203 Lacking full RF spectrum awareness, existing WLANs cannot apply appropriate, adaptive responses to improve performance in the face of interferers and competing networks. See Figure 10-14. Figure 10-14: Sources of Interference
  • Page 204 Of course, when the gaps between pulses become longer, the packet size can be increased again, resulting in higher transmission speeds. AirMagnet Spectrum Sensor can identify the types of devices which are introducing RF interference (such as microwave ovens or Bluetooth devices).
  • Page 205 AirMagnet Mobile integrated with AirMagnet Spectrum Analyzer offers six different types of plots: Figure 10-16: AirMagnet Spectrum Sensor: FFT, Power vs. Frequency, FFT Duty Cycle, and Swept Spectrogram plots • Real-Time FFT Plot: An FFT Plot displays RF power as a function of frequency.
  • Page 206: RF Regulatory Rule Violation

    The IEEE 802.11 standard mandates the use of 802.11b/g devices only in the 2.4 GHz ISM (Industrial, Scientific, and Medical) band, while the 802.11a devices operate in the 5 GHz UNII (Unlicensed National Information Infrastructure) band. 802.11a devices cannot interoperate...
  • Page 207 Figure 10-17: Channel assignment for 802.11a devices. All the channels are for indoor usage except channels 52 to 64 in the Americas, which can be used for indoor and outdoor usage.
  • Page 208 AirMagnet Mobile detects 802.11 devices operating in channels that are not authorized for use by the local geographic regulating body. For example, AirMagnet Mobile can detect an AP operating in channel 14 in the United States, which is a violation as this channel is not authorized for use by the FCC.
  • Page 209 Once the violating AP is identified and reported by AirMagnet Mobile, the WLAN administrator may use the FIND tool to locate the device. Figure 10-19: The AirMagnet Mobile FIND tool locates devices by tracking down the signal level...