CiscoWorks Wireless LAN Solution Engine 2.5

The latest version rounds up rogue APs to keep your wireless network secure.

January 16, 2004

4 Min Read
Network Computing logo

Something Old, Something New

The WLSE 2.5 software occupies a 1U Linux-based wireless management appliance and offers an effective, menu-based Web interface. As in earlier versions, the GUI pages make for easy firmware upgrades, AP (access point) configuration, device discovery and inventory, and correlations to connected switches.

Permissions can be assigned to pre-administrative roles. This means first-level support folks can find where a given client is on the wireless network, for example, but are restricted from more advanced tasks like AP firmware upgrades, typically the turf of network engineers.

Reports cover everything from the number of users associated to a given AP to utilization on radio interfaces. This trending helps with capacity and expansion planning, and WLSE 2.5 makes the collected data easy to understand.

The Wireless Clients tab is one area of the reporting interface where the WLSE is weak. It seems like Cisco engineers forgot to develop this section, which displays only a rudimentary search box. Still, any client-related data you're looking for can be found in other areas. Reports are exported or accessed as permitted, and jobs such as firmware and configuration upgrades can be automated and scheduled.As thorough as these capabilities are, however, WLAN managers need tools to detect unauthorized or rogue access points, a worry compounded by the proliferation of inexpensive consumer-class wireless gear that employees may be tempted to self-install. Rogue access points open security holes and interfere with radio transmissions of the legitimate network, and can have effects ranging from nuisance to inadvertently "giving away the store" where sensitive data is concerned.

In answer, Cisco has added its first-ever battery of airspace-management capabilities under the heading Radio Manager. Among Radio Manager's strengths is its ability to find and pinpoint rogue access points (based on BSSID) and non-802.11 noise that might be interfering with the wireless network, and to display findings in both text and graphic formats.

Another advantage to Cisco's SWAN technology is its ability to survey and map a site. Switches, together with EAP and RADIUS servers, are not only inventoried, but managed as well to round out the topology. Unfortunately, the WLSE solution is worthless against rogue wireless routers, and many of the capabilities in the Radio Manager are limited to the venerable 802.11b (11-Mbps) standard. I welcome Cisco's planned release of 802.11a and g management capabilities this year.

Good

• Automated rogue and interference detection• Excellent trending and reporting• Cost-effective solution for large Cisco WLAN environments

Bad

• Most radio-management features limited to 802.11b• Access-point firmware upgrades required to make use of new WLSE features• Documentation on Wireless Domain Services confusing

CiscoWorks Wireless LAN Solution Engine 2.5, free software upgrade to run on CiscoWorks 1130 WLSE 2.0, which costs $8,495. Cisco Systems, (800) 553-NETS. www.cisco.com

Easy Setup, Quick Payoff

I deployed the WLSE 2.5 on Syracuse University's Air Orange wireless network, and through the WLSE's browser interface, SNMP discovered our wireless access points and bridges. Cisco claims the WLSE 2.5 will manage 2,500 APs, so my 70 or so were not a challenge to the discovery and inventory process.

I built policy profiles for access points and bridges and assigned to them my mix of Aironet 350s and 1200s. At the first polling cycle, I found that a few of my devices violated various aspects of the set policies. Telnet was enabled when it shouldn't have been, and in more than one instance, broadcast in SSID was wrongly enabled. A click on the device opened the WLSE's minibrowser for fixes to the configurations, and each problem was quickly solved.

To truly leverage the new capabilities of the Radio Manager module, I needed to set up the underlying WDS (Wireless Domain Services) topology of my APs, as this is an integral part of Cisco's SWAN architecture. The access points report radio data to the WDS, which pass it on to the WLSE for analysis. Setting the WDS was time-consuming and meant upgrading the access points to the minimum firmware version required to support the capability of sampling the air and reporting.

Cleanup CrewThe convoluted on-board documentation made the process clear as mud, but the mud was washed away in three minutes with the help of Cisco's support folks. To simplify this process in the future, Cisco is shipping all new access points with IOS, the standard OS for most Cisco LAN switches.

When all was said and done, the search results came quickly and clearly. Using the WLSE, I discovered three rogue access points and the attached switch port information corresponding to each. Very cool!

Lee Badman is a network engineer at Syracuse University. Write to him at [email protected].

Post a comment or question on this story.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights