
Anywhere, Anytime Wireless Protection

Operations


AirDefense Operations Guide, Release 7.2, Issue 1.0, December, 2006
Copyright 2003, 2004, 2005, 2006 by AirDefense, Inc. All rights reserved worldwide. Printed in the United States of America.

Proprietary Notices
AirDefense is licensed software and hardware. Its use is subject to the terms and conditions of a license agreement or nondisclosure agreement between AirDefense, Inc. and its customers. It is against the law to copy the software on any medium except as specifically allowed in the license or nondisclosure agreement. Information contained in this document is subject to change. No part of this manual and/or software may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than personal use by AirDefense, Inc. without the express written permission of AirDefense, Inc.

Trademarks
AirDefense is a trademark of AirDefense, Inc. in the U.S. and other countries. Air Termination, Active Defenses, Anywhere, Anytime, and Self-Managing are trademarks of AirDefense, Inc. All other trademarks are the property of their respective owners.

Call Center Support


AirDefense is available to you via our Online Customer Care Tracking System, AirDefense's Support Desk, or email. Your customer care team is there to support your application, connectivity, and technical infrastructure questions.
Online Customer Care Tracking: http://support.airdefense.net
Call Center Support: 800.913.1257 (US and Canada), 306.791.5673 (International)
Technical Support can be reached by email: support@airdefense.net
For more information, contact:
AirDefense, Inc.
4800 North Point Parkway, Suite 100
Alpharetta, GA 30022 US
www.airdefense.net
770.663.8115

AirDefense Operations Guide

Table of Contents
  Proprietary Notices
  Trademarks
  Call Center Support

Introduction
  About this Guide
  Product Overview
  About the User Interfaces
  AirDefense and Time

Chapter 1 Using the Interfaces
  Thin Client Web Download and Reporting Interface
  Command Line Interface
  Graphical User Interface (GUI)
  Sensor User Interface (Sensor UI)
  Sensor Console Interface (Sensor CI)

Chapter 2 Managing Users
  The Four User Roles (Types)
  Managing Users
  User Preferences
  Limiting Users Network Scope with Domain-Based Partitioning
  Authentication
  Sensor UI Users
  ADDadmin and Users

Chapter 3 Managing Alarms
  GUI
  ADDadmin
  Practical Applications

Chapter 4 Managing Software
  Adding ADDadmin Service Modules
  Managing Licenses
  GUI
  Managing Certificates

Chapter 5 Managing Notifications
  ADDadmin
  GUI
  Practical Applications

Chapter 6 Managing the Database
  Clearing the Database
  Exporting Report Data From the Database
  Backing Up the Database
  Recovering the Database
  Importing Access Points & Stations
  Checking the Integrity of the Databases
  Updating Vendor MAC Address Information

Chapter 7 Configuring the System
  ADDadmin
  GUI

Chapter 8 Managing the System
  System Statuses and Logs
  Restarting AirDefense
  Rebooting AirDefense
  Halting AirDefense
  Exporting Frame Capture Files
  Clearing Frame Capture Files

Chapter 9 Managing Sensors
  Sensor Overview
  Using the Sensor UI
  Configuring the Sensor
  Sensor UI
  Troubleshooting the Model 500 Series Sensors
  Using the Sensor CI for Model 400 Sensor
  Zero-Configuration Option
  Obtaining the Sensor IP Address
  Using the Sensor Manager (GUI)
  Upgrading Sensor Firmware
  Practical Applications

Chapter 10 Configuring Enterprise Features
  About Air Termination
  About Policy-based Termination
  About Termination Controls
  Domain-Based Partitioning
  About VLAN
  Device Synchronization Configuration

Chapter 11 Managing Switches
  Adding/Configuring a Switch
  About Port Lookup
  About Port Suppression

Chapter 12 Location Tracking
  Location Tracking (Signature)

Chapter 13 Reporting
  Using Web Reporting
  Using the Report Builder

Chapter 14 System Setup Wizard
  Configuration Wizard Navigation
  System Setup Wizard Pages

Appendix A: ADDadmin Utilities
Appendix B: Automated Data Retrieval
Software License Agreement


Introduction
Welcome to AirDefense Enterprise, your key to achieving the ultimate rogue management, policy enforcement, intrusion protection, and health monitoring solution for your wireless LAN.

1.0.1 In This Chapter


This chapter contains the following topics.
- About This Guide
- Product Overview
- About the User Interfaces
- AirDefense and Time

1.1 About this Guide

This guide describes operational information and some procedures for using the AirDefense Enterprise Wireless LAN protection and management system. This guide is organized by functional areas of the product, because while some functions may require you to use the Command Line Interface (ADDadmin), the majority can be accessed from the Graphical User Interface. Each chapter addresses logical functional areas, regardless of which interface they require. Some chapters include practical applications to help you get the most value out of AirDefense.

1.1.1 Scope
It is not the intent of this guide to give step-by-step instructions on how to install and set up the AirDefense Server or AirDefense Sensors. For these instructions, refer to the AirDefense Server Quick Start, Sensor Quick Start, and Web User Quick Start guides. If you do not have these guides, contact AirDefense, Inc. or download the documentation from the self-support site (search solutions at http://support.airdefense.net). You will find the contact numbers on the inside front cover of this guide. Additionally, it is not the intent of this guide to give you step-by-step instructions on how to use all aspects of the AirDefense GUI. For these instructions, use the Online Help on the Help menu in the AirDefense GUI.

1.1.2 Warnings and Important Information


Look for this triangle symbol for warnings, important information, and procedures that, if not performed properly, can have an adverse effect on AirDefense operations and network security.

1.1.3 Audience
The audience for this guide includes AirDefense customers and partners who want to use AirDefense and other AirDefense wireless LAN security solutions in their wireless LANs. Familiarity with wireless technology and networks is advisable.

Important!
In the interest of security, you must be a Web User with the role of Admin to use all functions in AirDefense. AirDefense enables you to assign Web User roles to individuals. Your ability to access AirDefense GUI programs depends on your Web User role. It is advisable that the AirDefense administrator have the necessary competency with regard to understanding the basic precepts of wireless networks. Additionally, since the role of Admin represents the highest level of security clearance, it is highly advisable that the administrator be a person who is at the appropriate clearance level to maintain and protect enterprise security.

1.2 Product Overview

AirDefense Enterprise is the ultimate rogue management, policy enforcement, intrusion protection, and health monitoring solution for your wireless LAN. It is the industry's first Self-Managing wireless intrusion protection system (IPS), providing automated protection against wireless threats and attacks. As a key layer of security, AirDefense Enterprise complements wireless VPNs, encryption, and authentication. AirDefense Enterprise is part of the AirDefense family of products that include AirDefense Mobile and AirDefense Personal, offering Anywhere, Anytime Protection for your wireless network.

1.2.1 Integration with AirDefense Mobile


AirDefense Mobile is a complementary solution to the AirDefense Enterprise monitoring platform, giving enterprises an AirDefense-powered mobile product to perform a real-time snapshot of all WLAN infrastructure and activity (802.11 a/b/g). Running on a Windows XP or 2000 platform, AirDefense Mobile installs on any laptop with an Atheros-based 802.11 a/b/g wireless card, such as Netgear (WAG511) or Cisco (CB21AG). AirDefense Mobile is fully integrated into AirDefense Enterprise, enabling synchronization of authorized and rogue wireless devices for a specified location.

1.2.2 Integration with AirDefense Personal


An industry first, AirDefense Personal protects mobile users of hotspots and other public Wi-Fi networks from wireless-specific risks that could expose private data and transactions. AirDefense Personal is a software agent that runs on Windows PCs and monitors for malicious or accidental wireless activity and wireless misconfigurations that may cause security exposures or policy violations. This solution complements personal firewalls and host-based IDS systems that don't protect the client against wireless attacks. Multiple AirDefense Personal agents can be managed centrally using the AirDefense Personal Central Manager. Policy profiles that are defined centrally can be automatically downloaded to each mobile user or group of users. If threats are discovered, AirDefense Personal notifies the user and sends the logs to the Central Manager for centralized reporting & notification, enforcement of corporate policies and complete protection for the mobile worker, regardless of location. The AirDefense Personal Central Manager is fully integrated into AirDefense Enterprise.

1.3 About the User Interfaces

A basic AirDefense system consists of an AirDefense Server and one or more Sensors. You manage these components using a combination of interfaces. Each user interface has designated user names, passwords, and, in some cases, varying levels of privileges, based on user roles. The table below describes the interfaces, the program area they manage, the functions within the program area, and the type of user required. The user interfaces are described in detail in Chapter 1. Users are described in detail in Chapter 2.

User Interface: Enterprise Command Line Interface
  Program area: ADDadmin (utilities)
  Functionality: Manage, Dbase, Software, Config
  User: Command Line User

User Interface: Enterprise Graphical User Interface (GUI)
  Program area: AirDefense Enterprise Wireless Intrusion Prevention System
  Functionality: Dashboard, Rogue, Performance, Compliance, Forensic, Intrusion, Alarms, Reports, Config
  User: User

User Interface: Enterprise Thin Client Web Interface
  Program area: Enterprise thin client web page
  Functionality: Web reporting, Installer downloads
  User: User

User Interface: Sensor User Interface (Sensor UI)
  Program area: AirDefense Sensor
  Functionality: Sensor Configuration
  User: Sensor User

User Interface: Sensor Console Interface (Sensor CI), only on Model 400
  Program area: AirDefense Sensor
  Functionality: Sensor Configuration
  User: Sensor Console User

1.3.1 Required Accounts


To manage AirDefense Enterprise, you must have the following accounts:

- A Command Line User smxmgr account
- An AirDefense Graphical User Interface (GUI) Web User account with the role of Admin

You can find instructions on how to acquire these accounts in the AirDefense Server Quick Start Guide and in Chapter 2 of this guide, Managing Users.

1.4 AirDefense and Time

AirDefense reports alarms and device information, and traffic statistics, every minute. To understand the data that appears in AirDefense, you must understand how AirDefense addresses system time versus the local GUI time, particularly in regard to alarms. When an alarm occurs, AirDefense detects the alarm in system time, and records this time in its database. You configure AirDefense system time by using the Command Line Interface, found in the Configuration program area. When reporting the alarm to your local GUI, however, AirDefense adjusts the report time to your local system time zone. It uses this time to report alarms to the Alarms panel, and it also reports other statistical data in this manner. The last updated time on each GUI program screen (indicated by the time stamp) correlates to the local system where the browser is running. You configure the GUI time in your local system. Additionally, the AirDefense Server translates the date. The date drop-downs in the applicable programs of your GUI in New York City will turn over to the next day according to local time.

Exception
An exception to this is the Alarm Details panel in Alarms. This panel reports alarm details in system time. The Alarm Details time stamp correlates to the AirDefense Server's system time. This is the same time stamp you use for SNMP and Email Notifications. You can use this as a point of reference if more than one Web User is viewing the GUI from different time zones.


1 Using the Interfaces


AirDefense has five user interfaces:

- Thin client web download and reporting interface
- Command Line Interface
- Graphical User Interface (GUI)
- Sensor User Interface (Sensor UI)
- Sensor Console Interface (Sensor CI)

This chapter explains what each of these interfaces is used for.

1.0.1 In This Chapter


This chapter contains the following topics.
- Thin client web download and reporting interface
- Command Line Interface
- Graphical User Interface (GUI)
- Sensor User Interface (Sensor UI)
- Sensor Console Interface (Sensor CI, only for Model 400 Sensors)

AirDefense Enterprise Server 7.2 Operations Guide


1.1 Thin Client Web Download and Reporting Interface


The Thin Client interface has two functions: it lets you download the GUI installation programs and it lets you create reports from templates using selected data.

1.1.1 Downloading the Installation Programs


Before you access the GUI for the first time, you must download and run the installer from the thin client web page at one of the following locations:

https://<server_ip_address>:8543
https://<server_name>:8543
After you finish the GUI installation, you can log in remotely from a browser.

1.1.2 Web Reporting


For a description of the AirDefense Enterprise system's reporting functionality, see the Reporting chapter in this book.

1.2 Command Line Interface

The Command Line Interface (CLI) contains a set of utilities, called ADDadmin utilities, which you use for initial configuration of the AirDefense Enterprise server. The Command Line Interface also lets you manage file storage and retrieval. You can access the Command Line Interface remotely via SSH, or directly. There are two types of Command Line Users: smxmgr and smxarchive. Each Command Line User requires a password. (For more information on smxarchive, see Appendix B.) The Command Line Interface has the following ADDadmin program areas, all of which appear on the ADDadmin main screen. Each program area contains ADDadmin utilities for performing AirDefense operations. The ADDadmin program areas are:

- Manage
- Dbase
- Software
- Config
- Help

1.2.1 Accessing the ADDadmin utilities


To use the ADDadmin utilities, you must access the Command Line Interface. There are two ways to do this.
1. LOCALLY, using a keyboard and monitor directly connected to the AirDefense Server, or
2. REMOTELY, using an SSH protocol 2 client for network access (requires AirDefense Server IP address).

Note: AirDefense does not allow telnet sessions.

Local Access
Step  Action
1. Turn on power to the AirDefense Server. As the AirDefense Server is booting up, a command-line login prompt appears on the monitor.
2. At the login prompt, enter smxmgr as your Command Line User name, followed by your Command Line User password.
3. After logging in, enter ADDadmin (case-sensitive!) to launch ADDadmin. The ADDadmin main screen appears.

Remote Access
Step  Action
1. Launch your SSH client and connect to the AirDefense Server's IP address.
   Note: You must have a client that supports SSH protocol 2 installed on the remote workstation from which you wish to connect to the AirDefense Server. If your client attempts to use SSH protocol 1, you will receive protocol error messages in syslog. Example:
   6/4/2003 16:45:22 sshd(pam_unix) LOGGED: authentication failure, logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=tparkerpc.hitest.com user=root
2. At the login prompt, enter smxmgr as your Command Line User name, followed by your Command Line User password.
3. After logging in, enter ADDadmin (case-sensitive!) to launch ADDadmin. The ADDadmin main screen appears.
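As an added example (not part of the AirDefense guide or product), the following Python script parses syslog entries in the layout of the sample shown in the Remote Access note and summarizes failed SSH logins by remote host, flagging account names other than the two Command Line Users named in this guide. The month/day order of the timestamp, the threshold, and every log line other than the guide's own sample are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Command Line User accounts named in this guide; a failure for any other
# account name (for example root) is reported separately.
EXPECTED_USERS = {"smxmgr", "smxarchive"}

# Layout copied from the guide's sample entry:
#   <m/d/yyyy> <hh:mm:ss> sshd(pam_unix) LOGGED: authentication failure, k=v ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"sshd\(pam_unix\) LOGGED: authentication failure, (?P<fields>.*)$"
)
# Values may be empty ("logname= uid=0"), so \S* rather than \S+.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_failure(line):
    """Return a dict for an authentication-failure entry, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    return {
        # Assumption: the date is month/day/year, as on a US-configured server.
        "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S"),
        "rhost": fields.get("rhost", ""),
        "user": fields.get("user", ""),
        "tty": fields.get("tty", ""),
    }


def summarize(lines, threshold=3):
    """Count failures per remote host and list hosts and accounts to review."""
    per_host = Counter()
    first_last = {}
    unexpected = set()
    for line in lines:
        ev = parse_failure(line)
        if ev is None:
            continue  # not an authentication-failure entry
        host = ev["rhost"] or "(local)"
        per_host[host] += 1
        first, last = first_last.get(host, (ev["time"], ev["time"]))
        first_last[host] = (min(first, ev["time"]), max(last, ev["time"]))
        if ev["user"] not in EXPECTED_USERS:
            unexpected.add((host, ev["user"] or "(unknown)"))
    return {
        "per_host": dict(per_host),
        "noisy_hosts": sorted(h for h, n in per_host.items() if n >= threshold),
        "unexpected_accounts": sorted(unexpected),
        "first_last": first_last,
    }


# Constructed sample input. Only the first entry is the one printed in the
# guide; the remaining lines are invented for this example.
_PREFIX = ("sshd(pam_unix) LOGGED: authentication failure, "
           "logname= uid=0 euid=0 tty=NODEVssh ruser= ")
SAMPLE_LOG = [
    "6/4/2003 16:45:22 " + _PREFIX + "rhost=tparkerpc.hitest.com user=root",
    "6/4/2003 16:45:30 " + _PREFIX + "rhost=tparkerpc.hitest.com user=root",
    "6/4/2003 16:45:41 " + _PREFIX + "rhost=tparkerpc.hitest.com user=root",
    "6/4/2003 17:02:10 " + _PREFIX + "rhost=ws2.example.com user=smxmgr",
    "6/4/2003 17:05:00 sshd: session opened for user smxmgr",  # ignored
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for host, count in sorted(report["per_host"].items()):
        first, last = report["first_last"][host]
        print(f"{host}: {count} failure(s) between {first} and {last}")
    print("Hosts at or over threshold:", report["noisy_hosts"])
    print("Failures for unexpected accounts:", report["unexpected_accounts"])
```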

Information About Rebooting


Important! A system reboot is required after the execution of some ADDadmin utilities. Follow the steps below to perform this operation:
1. Do not close the SSH window.
2. Exit out of ADDadmin by typing q until you reach the Command Line prompt. This initiates a system reboot where required.

1.3 Graphical User Interface (GUI)

The AirDefense Graphical User Interface (GUI) is the interface you use to do most of the daily operational and administrative tasks in AirDefense. Users of the GUI are called Web Users in some program areas.

- Each User requires a User password.
- Users can be added to the system.
- Users can have varying levels of user privileges, based on roles. The roles are Admin, Manager, Guest, and Network Operator. For more information, see Chapter 2.
- Users can be assigned a Domain consisting of one or more locations. The view of data will be restricted to those Domains. For more information, refer to Domain Based Partitioning.

1.3.1 GUI Features


In addition to the actual AirDefense programs, the GUI has some features that enable you to more effectively use AirDefense.

- The GUI provides innovative hierarchical trees and advanced filtering for navigation in some program areas and in the Net Map. Hierarchical trees have color-coded icons that represent the components that comprise your wireless LAN. These are Locations, Groups, Sensors, Access Points, Stations and Switches. These icons appear in the trees and in information panels throughout the GUI. Icons represent the devices and their associations in the wireless LAN. Colors represent the state of each device in the wireless LAN.
- The Net Map enables you to see a logical map of the devices in your wireless LAN.
- You can determine how each Device Type appears throughout the GUI. This is called a Display Preference. For example, you can set Sensors to appear as a Name, an IP address, or a MAC address.
- The GUI enables you to drill down into any device using the Forensic Analysis Wizard, which provides detailed Device, Traffic Association, and Forensic data for further analysis.
- The GUI provides access to Analysis Wizards, such as Rogue Analysis, Performance Analysis, Compliance Analysis, and Intrusion Analysis for a summary of all relevant events pertaining to the category selected.
- The GUI enables you to see a Live View of each device in your wireless LAN. Live View displays a Summary, Details, and Decodes for any device you select and enables you to perform a packet capture.
- The GUI enables you to terminate an unauthorized or rogue device, disabling the connection of the device from your wireless LAN. This is called Termination.

1.3.2 AirDefense GUI Minimal Resolution Requirements


The AirDefense GUI requires a minimal resolution setting of 1024 x 768, which you set on your computer under Control Panel > Display window > Settings tab.

1.3.3 About Multiple Versions


Important! If you have previously loaded multiple versions of AirDefense, you need to clear and reset the Java cache on your workstation (Settings > Control Panel > Java Plug-In) prior to accessing the AirDefense GUI.


1.3.4 Accessing the GUI


Before you access the GUI for the first time, you must download and run the installer from the thin client web page at one of the following locations:

https://<server_ip_address>:8543
https://<server_name>:8543
After you finish the GUI installation, you can log in remotely from a browser. The GUI is not accessible directly from the AirDefense Server.

1.3.5 GUI Command Strip


The AirDefense GUI has an on-screen command strip that appears at the top of all GUI programs. The strip consists of:

- Nine navigation icons to access each GUI program area
- Six command icons
- Two status indicators

1.3.6 GUI Program Areas


The following table lists the program areas of the AirDefense GUI and what each program/window enables you to do.

Dashboard
See a complete overview of the device and alarm activity taking place in your wireless LAN since midnight. In the Dashboard program area, you can access four different views using the Select View drop down list: Manager, Performance, Security and Vintage views. Graphs can be switched between total and daily trending views.
All four Dashboard views provide:
- A system activity panel that provides lists for the number of Sensors, Access Points, Stations and active Alarms on your wireless network.
- Pie charts and bar charts displaying the top 5 items that are generating alarms in your wireless network, or the scope as selected in the tree panel.
Manager View: The Dashboard window's default Manager View window provides information relevant to administrators based on a summary of both Performance and Security data, and includes analysis data for: Security Threat, Rogue Threat, Intrusion Threat, WLAN Health, WLAN Congestion, and WLAN Utilization.
Performance View: The Performance View provides information based on Performance data relevant to a network administrator. This view includes analysis data for: WLAN Health, WLAN Congestion, WLAN Utilization, WLAN Protocol Usage, WLAN Connection Speed, and Alarms.
Security View: The Security View provides information based on Security data relevant to the administrator. This view includes analysis data for: Security Threat Indications, Rogue Threat, Intrusion Threat, Enterprise Policy Compliance, Station Behavior Threat, and Alarms.
Vintage View: The Vintage View provides non-role-based device and alarm information in a table layout similar to the older Enterprise v4.0 Dashboard. This shows you all of the devices seen in the last 15 minutes on the system at a quick glance. The window displays information in the following layout:
- Sensors, Access Points, Stations and Alarm count row
- View Selection Row; Last update date-time-group
- Recent Access Points table
- Recent Stations table
- Recent Alarms table

The hierarchical tree is also a navigation tool. The Dashboard Tree uses color-coded icons to display the identity and location of each System, Sensor Location, Sensor Group, and connected Sensor in your wireless LAN. The tree represents data that AirDefense has accumulated since the system began running. You can use filter selections to customize which types of Sensors appear in the tree. You can search for a specific device. The tree has a Search Dialog you can use to find any Sensor, AP or Station in your wireless LAN. The Dashboard displays data for any item or scope you select in the tree. Select the Refresh button to update the view.

Rogue
Provides a list of devices detected by AirDefense which pose the greatest risk to the security of your network and how to manage them. The Rogues can be viewed by the Indicator to prioritize the threats, and then allow you to scrutinize a device so that decisive action can be taken quickly. Using the Rogue Device Analysis window, you can view:
- The severity of the device threat by color coded Threat Level and Group.
- The name of the location and group where the devices have been seen.
- The type of Rogue, SSID, last seen time, signal strength and channel of the device.
Right-click on the Device to view additional device detail by accessing the Forensic Analysis Wizard for further investigation.

Exploits
Views display devices within the selected scope that are causing or are experiencing intrusions/exploits in your WLAN. Exploits can come in the form of denial of service, identity theft, manipulation of frames and protocol, penetration attempts by malicious users and reconnaissance activities. Using the Exploits Analysis window, you can view:
- The priority of the exploit threat by color coded threat level, and group.
- The name of the location and group where the devices have been seen.
- The type of exploit, last seen time, signal strength and channel of the device.
Right-click on the Device to view additional device detail by accessing the Forensic Analysis Wizard for further investigation.

Vulnerability
Displays devices within the selected scope that provide an analysis of device configuration and how susceptible to attack they are. Exploits are events in which a user is actively interacting with the wireless network or wireless medium. By exploiting wireless vulnerabilities a malicious user could cause wireless network disruptions or use the wireless medium to gain access to corporate resources and confidential data. The vulnerabilities may exist due to network configuration, corporate policy, or an inherent flaw in the 802.11 protocol. Using the Vulnerability Analysis window you can view:
- The priority of the vulnerability threat by color coded threat level, and group.
- The name of the location and group where the vulnerable devices have been seen.
- The type of vulnerability alarm, last seen time, signal strength and channel of the device.

Using the Interfaces

Policy

Policy Compliance events provide information about the observed operational configuration compared to the configuration set in the AirDefense policy manager. Using the Policy Analysis window, you can view:

The criticality of the device policy violation by color coded Level and Group.
The name of the Location and Group where the devices have been seen.
The type of policy violation alarm, SSID, last seen time, signal strength and channel of the device.
Select a policy violation and right-click on a device to edit policy configuration.
Right-click on the Device to view additional device detail by accessing the Forensic Analysis Wizard for further investigation.

Reconnaissance

The Reconnaissance window gives an overview of devices that are currently scanning and/or actively monitoring what is occurring on your network. Using the Reconnaissance Analysis window you can view:

The priority of the reconnaissance threat by color coded threat level, and group.
The name of the location and group where the external devices have been seen.
The type of alarm, last seen time, signal strength and channel generated by the external device.

Performance

The Performance Analysis window is the view where you can assess at a glance the overall status and health of device activity on your network, identify potential problem areas and then escalate action against them. This window identifies problem areas by showing all performance-based alarms that appear in your environment. Using the Performance Analysis Wizard you can view:

The criticality of the device issue.
The name of the location and group where the devices have been seen.
The type of performance issues, device SSID, last seen time, signal strength, and channel.
Right-click on the Device to view additional device detail by accessing the Forensic Analysis Wizard for further investigation.

AirDefense Enterprise Server 7.2 Operations Guide

Alarms

View the alarms that are occurring in your wireless LAN, or in selected scope, manage alarms and termination policies. Using the Alarms window, you can:

See which Sensors, Access Points, and Stations are generating alarms, when the alarms are being generated, and what conditions are triggering the alarms.
View Details and Summaries on any selected single alarm, and suggest a course of action. Expert Help is also available on specified alarms and provides more information on the alarm cause, effect and potential remedy.
Determine which alarms to display in the Alarms panel, and how to summarize the data for a particular alarm.
Use built-in (default) filters or design custom filters to determine the data content of information panels.
Group alarms into Alarm Priorities or other groupings.
Enable, re-enable, clear, or remove one or more alarms from AirDefense.
Enable or disable any specific alarm, either globally or by device.
Change the Alarm Priority of any alarm in AirDefense.
Edit device termination policies (Action Plans) for Policy-based Terminations.

Location

Go to the Location Tracking (Triangulation) window for location tracking configuration and device tracking. Using the Location Tracking sub-window, you can:

Upload multiple bitmap layouts of your Location.
Accurately measure distances using the Set Scale function.
Click and drag devices into your uploaded map.
Perform triangulation on a device with a minimum of 3 Sensors.
Review all of the basic stats of a detected rogue device.

Forensics

Review specific device information and analyze what the device is currently doing in AirDefense. This window is a universally applicable function, which provides detailed Device, Traffic Association, and Forensic data for further analysis of a suspicious device (AP or Station). The window also allows users to analyze a device which may not have been listed as an offending device in any of the other analysis drill-downs. Using the Forensic Analysis Wizard window you can view:

Threat Analysis tab, which lists all alarms and displays the Threat Level of a particular device.
Device Information tab, which provides comprehensive detail on the device status and traffic activity.
Device Forensics tab, which displays device traffic flow patterns to and from access points/stations, associations and additional data to ascertain device traffic and determine device activity.
Locate Device tab, where you can access Live View, and/or locate devices using triangulation or signature. The Locate tab also shows a Behavior map and signal strength for sensors seeing the device.
Threat Mitigation tab, which enables you to take further action. The options are: configure device policy, terminate wirelessly, or look up the wired port.

Refresh and Activity Icons


Icon / Click once to...

Refresh the display with the latest data.
Note: Except for the Dashboard, which updates its display automatically while you are on the Dashboard program area, AirDefense's windows are static. The data is accurate as of the minute you open a page or load a report.

Activity Indicator. This indicates that an Enterprise function you selected is currently active and is in the process of being completed.

Drop Down Menu Options

Use the GUI's four drop down menu bar options, located in the upper left corner, to access all of AirDefense's categories of functions and system information.

Program Area/Window / This program/window enables you to...

File

Log out of the AirDefense Enterprise. Refresh the content of the program area being currently displayed. Close and exit out of the AirDefense Server.

View

Access the Dashboard, Rogue, Exploits, Vulnerability, Policy, Reconnaissance, Performance, Alarms, Location, Terminations, and Port Suppression program areas.

Tools

Access the Tools related program areas of AirDefense: Configuration, Forensics, Network Map, Reports and Reports Builder.

Help

Access all instructional, help and reference material: Online Help, Operations Guide (PDF), Icon Key (PDF), Glossary (PDF), as well as technical support information.

1.3.7 Status Indicators


Whenever your AirDefense GUI loses connectivity to its data source and server, a disconnected dialog appears:

When the AirDefense Graphical User Interface (GUI) is properly connected to its data source, with all systems functioning normally, and is successfully receiving updates, there is no visible indication on your AirDefense GUI. If your status disconnects, you must reload the browser and log in again.

1.3.8 System Configuration Icons


The System Configuration program area, accessed via the Tools > Configuration drop down menu, provides another menu of program areas to manage system level tasks.

Program Area/Window / This program/window enables you to...

Config > User Preferences

View and manage user preferences. Using the Config window's User Preferences, you can:

Change the display preferences.
Change the current user password.
Change the Dashboard refresh rate.

Config > Manage Alarms

View and manage Alarms and Alarm Priorities. Using the Config window's Manage Alarms, you can:

Enable or disable alarms.
Adjust the priorities of each Alarm.
Clean or purge the Alarms.

Config > Sensor Manager

View and configure the Sensors in your wireless LAN. Using the Config window's Sensor Manager, you can:

View the status and location of Sensors in your wireless LAN, organized in a hierarchical tree. The Sensor Tree shows the associations and behaviors of each Sensor, represented by a color-coded icon. Beside each icon is a letter designation (a,b,g), representing the protocol of the device. Icons and folders also display a number (nn), representing the number of devices that appear below them in the tree.
Build your AirDefense hierarchy of devices, consisting of Location, Group, and Sensor.
Identify Sensor Locations and Sensor Groups.
Configure the settings for Sensors.
Add managed switches for wired-side rogue detection and port lookup.

Config > Policy Manager

Define and manage policies for the devices in your wireless LAN, and add Access Points and Stations to your wireless LAN. Using the Config window's Policy Manager window, you can:

View the location of devices in your wireless LAN, organized in a hierarchical tree. The Policy Tree shows the associations and behaviors of each device, represented by a color-coded icon. Beside each icon is a letter designation (a,b,g), representing the protocol of the device. Icons and folders also display a number (nn), representing the number of devices that appear below them in the tree.
Create policies to apply to individual Sensors, Access Points, and Stations in your wireless LAN. This includes setting Access Point Configuration Policies to allow a VPN (Virtual Private Network).
Add Access Points and Stations to your wireless LAN.
Import Access Points and Stations into your wireless LAN.
Delete devices from your wireless LAN.
Manage Access Point policies.
Monitor the use of VLANs that are partitioned on the Access Point by an SSID, and alarm if they are not being used where required.

Config > Notification Manager

Specify how AirDefense delivers its alarm notifications and reports to designated recipients. Using the Config window's Notification Manager window, you can:

Set the default intervals for the notification system. You can toggle notifications on and off. You can enable or disable all Email, SNMP, and Syslog notifications, and configure the Email, SNMP, and Syslog intervals (in minutes) for each type of notification. This is the number of minutes that elapse between the Email, SNMP, and Syslog notifications (applies only to alarm notifications).
Configure Email Notifications. You can configure options for individuals who will receive alarm and report notifications by email, and if desired, configure daily or weekly management reports. There are standard settings and advanced settings, which include filters and utilities that enable you to customize email notifications. You can send email notifications immediately to selected recipients, using the Send Now feature.
Configure SNMP Notifications. AirDefense can send traps to your SNMP server. There are standard settings and advanced settings, which include filters and utilities that enable you to customize SNMP notifications.
Configure Syslog Alarm Notifications. AirDefense can send notifications to your Syslog server. There are standard settings and advanced settings, which include filters and utilities that enable you to customize Syslog notifications.

Config > Appliance Manager

Administer your AirDefense system. The programs you will be able to use depend on your Web User role. Using the Appliance Manager area, you can:

Configure User Display Preferences and Current User Information.
View and configure Web Users.
Export and back up data. Instead of backing up the entire database, you can just back up user-supplied configurations, including policies and system configurations, without backing up the entire statistics and alarm databases.
Update AirDefense licenses.
View and create security certificates and perform other administrative tasks concerning requesting and installing certificates.
Use the User Edits panel to view and track edits to AirDefense.
Configure Location Tracking (Signature) settings, manage calibration settings, and manage tracking sessions for Location Tracking (Signature).
Synchronize device information between a third-party management server and the AirDefense Server.
Give your AirDefense system a name; set a system port for access to the AirDefense GUI; enable or disable Air Termination, Policy-based Termination, and Port Suppression for the system; adjust the Threat Level Sensitivity for the system.

Config > Configuration Wizard

The System Setup Wizard guides the user through a basic list of system settings required for AirDefense system configuration. All eight configuration step categories are optional and can be finished at any point. Using the Configuration System Setup Wizard, you can:

Setup System Settings
Define Network Structure
Create User Accounts
Define Policies
Configure Alarms
Schedule Autoclassification
Enable Notifications
Import Devices

1.3.9 Maintenance Instructions


Important! Maintenance activities require that you reload the browser and log in again once the maintenance activity is complete. An example of a maintenance activity is when an ADDadmin utility reboots or clears the database. In these cases, the browser will no longer be connected to the database, and you must reload the browser. A login screen will appear. Note: Some maintenance activities, such as reboot or recovering a database from backup, may take several minutes to complete, during which time the browser, if reloaded, will display an error page.

1.3.10 GUI Program Area Control Rows


Some GUI program areas have control rows that you use to access the programs within the program area. Just click on the button to access the program. The button control row for Application Manager (below) is an example.

1.3.11 Color-Coded Icons


Color-coded icons display throughout the AirDefense GUI. There are static icons for System, Sensor Location, and Sensor Group, and stateful icons for Sensors, Access Points, Stations and Switches (see GUI Icon Color Codes on page 25). These display in the various navigation trees and in information panels throughout the GUI.
Icons represent the devices and their associations in the wireless LAN. Colors represent the behavior of each stateful device in the wireless LAN.
Note: For a complete list of icons, see the Icon Key in the GUI Help Menu. Icon lists are also available in the Online Quick Help.

1.3.12 GUI Panels


The AirDefense GUI displays much of its data in information panels. Many program screens have multiple panels that contain data.

You can re-size the width of panel columns by dragging the column separators with your mouse.
(Column size persists as pages are refreshed, but not if the screen reloads. In this case, the columns return to their default size.) You can sort the contents of the panel by clicking any column heading (see Column Sorting, below).

The cursor changes to a two-sided arrow when you drag over a column separator.

Column Sorting
In any column, you can click on the column header to sort the contents of the column. The black sorting arrow will only appear when the header is selected. Sorting can affect the data across the entire row. Sorting of numeric columns toggles the data from greatest to least (down arrow) or from least to greatest (up arrow). Sorting of alphanumeric columns toggles the data alphabetically, from A to Z (up arrow) or from Z to A (down arrow).

1.3.13 Navigation Trees


The AirDefense GUI provides Navigation Trees in some program areas. The trees display the identity, location, and behaviors of the devices, using a combination of static and stateful color-coded icons organized in a hierarchical tree. The following GUI areas have Navigation Trees:

Dashboard
Rogue
Exploits
Vulnerability
Policy
Reconnaissance
Performance
Alarms
Location Tracking (Triangulation)

Using the Navigation Trees, you can access data based on a combination of the network topology and the type of information you are looking for. You can easily isolate the devices you want to receive data on, and customize the data that appears. The trees work in conjunction with the actual information panels. The Navigation Trees provide filters that enable you to determine the contents of the tree, effectively reducing the number of devices in the tree, making navigation easier. Using the Tree Filter, you can select from over 30 different criteria, depending on the device type. This includes isolating devices by a, b, and g protocols.

Navigation Tree Structure


The Navigation Trees are navigational tools. Each tree displays devices in your wireless LAN. The illustration to the right shows the Policy tree panel.

Display Order drop down list


The trees are true, structured hierarchies that consist of static and stateful color-coded icons with labels. The highest level is at the AirDefense (system) view and the lowest level is at Station view. You can adjust the order of how the tree hierarchies appear by selecting on the top Display Order drop down list. The Display Order options are as follows:

AP>SSID: The hierarchical order changes to display Access Points observed (during the selected time range), followed by their SSID.
AP>Station: The hierarchical order changes to display Access Points observed (during the selected time range), followed by associated Stations.
SSID>AP>Station: The hierarchical order changes to display SSIDs observed (during the selected time range), followed by Access Points, then Stations under the SSID.
Station>AP>SSID: The hierarchical order changes to display Stations observed (during the selected time range), followed by their associated APs, then their SSIDs.
Switch: The hierarchical order changes to display device Switch IP addresses and Port Numbers.

Icons show the Sensor Location, Sensor Group, Sensor, Access Point, and Station associations in your network. In GUI programs where the tree appears, you can click on the individual network elements in the tree to access information and configuration screens that apply to the element.

1.3.14 GUI Icons


The GUI uses both static and stateful color-coded icons. Stateful color-coded device icons represent a physical device: Switches, Sensors, Access Points, and Stations.


Icons represent the devices and their associations in the wireless LAN. Colors represent the state of each device in the wireless LAN.

Static icons represent network elements. Each network element in the AirDefense wireless LAN is represented by an icon. Static icons represent logical associations, such as a SSID, a Location, or a Group. The AirDefense GUI Help contains full descriptions of AirDefense icons. You can also access the AirDefense Icon Key .PDF file, also found under the Help drop down list.

1.3.15 GUI Icon Color Codes


Each icon that displays in both the Navigation Trees and in information panels that appear throughout the AirDefense GUI has a color that represents its state. The following table contains a basic description of the colors and their meanings:

Note: For more information go to the

Color / Meaning

Blue

Blue indicates a default placeholder state for Sensors, Access Points, or Stations that are not observed by AirDefense. Placeholder items are always a manually-added or an imported Access Point or Station. They will always be Blue.
Note: When you import an Access Point that has never been entered into AirDefense, it will be Blue, even if you authorized it in its configuration in the import file. When AirDefense detects the newly imported Access Point, the state changes to either authorized (Green) or unauthorized (Red), depending on your configuration in the import file.

Grey

Grey indicates that an Access Point or Station is being ignored by AirDefense.
Note: AirDefense sees devices that are in the ignored state, but does not generate an alarm unless an attack occurs.

Red

Red indicates the following:
Access Point: Unauthorized. All Access Points are unauthorized when they are first discovered by AirDefense. They remain unauthorized until a Web User with the role of Admin changes their state to authorized.
Station: Unauthorized on a given Access Point. Unauthorized indicates that the Station is not authorized for the Access Point it appears under. The same Station can appear as Red or Green, depending on whether or not it is authorized on the Access Point it is under. Stations have a W on Red if they are on the Watch List.
Sensor: Offline, which indicates that the Sensor has been observed by the Server, but is currently not communicating with the AirDefense Server. If you did not intentionally take a Sensor offline, reboot it (see Managing Sensors on page 105).

Green

Stations: Station is authorized under the Access Point and has been observed as associated to that Access Point. Stations have a W on Green if they are on the user-configurable Watch List (for information on how to configure the Watch List, go to the Policy program area in the GUI and click on Quick Help from the Help Menu).
Access Points: Access Point is authorized and has been observed by a Sensor.
Sensor: Online, which indicates that the Sensor is functioning normally and in communication with the AirDefense Server. To be in this state, the Sensor must be connected to the AirDefense Server.

1.3.16 GUI Net Maps


The GUI Net Map feature enables you to see a logical map of the devices in your wireless LAN. Access Net Map by clicking on the Tools > Network Map drop down menu. After selecting a device in the network tree, Net Map will identify the location of the device. The map will show the following for the selected device:

Domain
Location
Group
Sensors seeing the device
Access Point that the device is connected to (in case of a Station)

1.3.17 About Live Views


AirDefense gives you a Live View of the Sensors, APs, and Stations operating in your wireless LAN. Live View capability exists throughout the AirDefense GUI, wherever a device icon appears in an information panel or navigation tree. You access Live View by clicking on the Tools > Live View drop down menu, which automatically limits the data to the specific device you choose. Live View consists of three main categories of information:

Live View Summary
Live View Details
Live View Decodes

Live View Summary tab


Live View Summary tab provides summary information on the selected device. Graphs display b, g, and a protocol traffic. Color bars on the graph display mean signal strength and noise for all traffic protocols, for all devices seen on a channel during a specific time period. The graphs display for current time and previous time. A Red bar indicates noise, Green indicates signal strength. Information panels show data on devices, such as last seen protocol and last seen signal strength, and frame counts by type (broadcast, multicast, and unicast).

Live View Details tab


Live View Details tab provides detailed information on a selected device. Graphs display utilization by rate, traffic by rate, and detailed signal strength, noise, frame, and traffic data. Information panels show detailed data on devices, such as frame counts by rate and type, and control, data, and management frames by count.

Live View Decodes tab


Live View Decodes tab gives you a real-time detailed view of the packet decodes observed in your wireless LAN. You can also select one decode and see the decode details at the bottom of the screen.

Frame Capture
Frame Capture allows you to capture all transmitted frames in the air for a specific device. The data can then be exported to external tools such as Ethereal or AiroPeek to analyze real-time data.

1.3.18 GUI Display Preferences


Device Identifiers for each Access Point, Station, and Sensor display throughout the AirDefense GUI. For example, devices can display as either a MAC address, an IP address, a Name, or a DNS name. AirDefense defaults to display the IEEE MAC address for each device. Each GUI Web User determines their own preference for which identifier they would like to see displayed throughout the GUI. To do this the GUI Web User must make a display selection for each device type in Admin>User Prefs. The selections in this User Prefs determine which Device Identifier a device has in all GUI panels. Each GUI Web User can set different preferences. Two GUI Web Users looking at the same AirDefense system from two different locations can see different views, depending on how each Web User set the preferences. The following table lists the display preferences for Device Identifiers.

1.3.19 Device Identifiers


Device: Preference (you can choose one)
Access Points: MAC address, Vendor prefix, IP Address, Name, DNS (name)
Stations: MAC address, Vendor prefix, IP Address, Name, DNS (name), 802.1x (Username)
Sensors: MAC address, IP Address, Name

1.3.20 GUI Time


Important! In the GUI, the data times for alarms, statistics, and other information are relative to AirDefense system time (see AirDefense and Time on page 6). However, the last updated time on each GUI program screen (the Time Stamp) relates to the local system where the browser is running.

1.4 Sensor User Interface (Sensor UI)

The Sensor User Interface (Sensor UI) is an HTML-based interface that resides on the Sensor. Each Sensor actually contains a small web server. The Sensor UI enables you to initially configure Sensors and to perform some maintenance activities after the initial installation. There are two types of Sensor Web Users, admin and monitor. These roles have varying levels of user privileges. Each Sensor Web User requires a password.

1.4.1 Accessing the Sensor UI


You can access the Sensor UI only by logging in remotely from a web browser. It is not accessible directly from the AirDefense Server.

1.4.2 Using the Sensor UI


Typically, you use this interface to configure Sensors for the first time. You can also use this interface to update Sensor firmware; however, effective as of AirDefense v4.0, you can accomplish this remotely, using the AirDefense GUI. After initial configuration, you can administer Sensors by using the GUI, with some exceptions, including adding another Sensor to your wireless LAN. See the chapter on Managing Sensors. You must use the Sensor UI to:

Change the password for the Sensor Web User (Admin or Monitor user)

1.5 Sensor Console Interface (Sensor CI)

The Sensor Console Interface (Sensor CI) enables Sensor maintenance via direct access of the Sensor through its serial (console) port; this section only applies to the Model 400 Sensor. This feature is useful in the event of a lost Sensor IP address, or if the default IP address of the Sensor already exists in another device on the network. Without an IP address, you cannot access the Sensor UI to configure the Sensor.

1.5.1 Accessing the Sensor CI


To access the Sensor CI, plug a keyboard / monitor into the serial (not SSH) port. Log into the Sensor directly as user: support, password: airdefense. You can also log into the Sensor using SSH. This enables you to perform only two configurations: set up the primary AirDefense IP address and configure the MTU (Max Transmit Unit). Password is a unique password provided by AirDefense, Inc.

1.5.2 Using the Sensor CI


Once you connect to the Sensor CI, a menu will appear on your monitor that shows the current settings and a list of numbered menu items. Using this menu, you can view, set, and save certain key network parameters, and if desired, restore the Sensor to its factory defaults (excluding admin/monitor passwords). Note: The REBOOT option on the menu is not active. To reboot the Sensor so the new settings will take effect, manually power it down and up. Once set, you can use the Sensor UI to make additional configurations to the Sensor.

2 Managing Users
AirDefense lets you create numerous users with role-based permissions that control which functionality each user can access. You can also limit each user's exposure to alarms to specific areas of the network, and customize the default navigation tree views for each user. Although the primary way you manage users on the AirDefense Enterprise server is through the GUI, you can use the CLI (ADDadmin) for some functions. AirDefense, Inc. recommends that you use the GUI. This chapter focuses primarily on managing users through the GUI.

2.0.1 Chapter Contents


This chapter contains the following topics.

The Four User Roles (Types)
Managing Users
User Preferences
Limiting Users Network Scope
Authentication
Sensor UI Users
ADDadmin and Users

2.1 The Four User Roles (Types)

AirDefense Enterprise Server contains four role types that you can assign to users in the system. Each role has access privileges appropriate for various roles in your organization. The role types are:

Admin
Manager
Network Operator
Guest

Admin
Users with the role of admin have read and write access to all areas of AirDefense server and sensor administration, including creation of other admin users. An individual with Admin privileges can change all configurations.

Important!
Because of the level of responsibility for configuring the AirDefense server and the implications for enterprise security, you should make sure that any users with the role of admin have a comprehensive understanding of networking, wireless devices, and security, as well as the appropriate network access and clearance to implement the system.

Manager
Manager represents the second level of security clearance. Users with the role of Manager have the same privileges as the Admin, with the exception that a Manager cannot manage users.

Network Operator
Network Operator represents the third level of security clearance. Users with the role of Network Operator have primarily read-only access, but they can acknowledge, clear, and purge alarms in the Alarms program area.

Guest
Guest represents the lowest level of security clearance. Users with the role of Guest have read-only access to the following GUI program areas:

Dashboard
Alarms
Sensor
Policy
Notification

In addition, a Guest can:

Set their own user preferences and passwords in the Admin program area
Create and save alarm filters in Alarms

2.2 Managing Users

User Mgmt (Config > Appliance Manager > User Mgmt) opens the User Management tab. You can use this panel to view and configure user configurations in AirDefense.

View: View user names, roles, full names, and descriptions for all users.

Configure:
Add users
Change user passwords
Delete users
Limit user views to devices and alarms for specific Locations and Groups
Configure Local or External Authentication

2.2.1 Adding Users


Step / Action

1. Log in to the AirDefense GUI.
2. Click Tools > Configuration to open the Configuration program area.
3. Click the Appliance Manager button.
4. Select the Users button to open the User Management window.
5. Click on the Configure tab and select Add.
6. Type a new user name.
7. Select the User Role for the new user.
8. Accept the defaults for Authentication and Domain unless you want to use remote authentication and domain partitioning.
9. Type the user's Full Name (optional).
10. Type a description for the user (optional).
11. Type the new user password.
12. Verify (retype) the new user's password.
13. Click Apply to save. You may need to refresh the Configuration window for the user to appear in the list.

2.2.2 Changing Passwords for Other Users


If you are a user with admin privileges, you can change passwords for other users. You do not need to know the current password. Other users can change their own passwords on the User Preferences tab; they must know their current password to change it.

Strong Passwords
The AirDefense Enterprise GUI requires strong passwords that meet the following criteria:

- Contain no spaces or tabs
- At least 5 characters (up to 34 characters max.)
- Contain at least one digit
- Contain at least one uppercase character
- Contain at least one lowercase character
- Contain at least one of the following symbols: ~ ! @ # $ % ^ & * ( ) _ + - = ? < > { } [ ] | \ : ; , . /

Example: Admin!23
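The criteria above can be checked before a password is typed into the GUI or the WEBU utility. The following is an added example, not AirDefense code; the function names and the sample accounts are constructed, and it assumes that "digit", "uppercase" and "lowercase" mean the ASCII ranges.

```python
import string

# Symbols copied from the criteria list above. Punctuation that is not in the
# list (quotes, backtick) does not satisfy the symbol rule.
POLICY_SYMBOLS = set("~!@#$%^&*()_+-=?<>{}[]|\\:;,./")
MIN_LEN, MAX_LEN = 5, 34

# (description of the criterion, predicate that is True when it is met)
# Assumption: "digit", "uppercase" and "lowercase" mean the ASCII ranges.
CRITERIA = [
    ("no spaces or tabs", lambda p: " " not in p and "\t" not in p),
    ("at least 5 characters", lambda p: len(p) >= MIN_LEN),
    ("at most 34 characters", lambda p: len(p) <= MAX_LEN),
    ("at least one digit", lambda p: any(c in string.digits for c in p)),
    ("at least one uppercase character",
     lambda p: any(c in string.ascii_uppercase for c in p)),
    ("at least one lowercase character",
     lambda p: any(c in string.ascii_lowercase for c in p)),
    ("at least one listed symbol", lambda p: any(c in POLICY_SYMBOLS for c in p)),
]


def unmet_criteria(password):
    """Return the description of every criterion the password fails."""
    return [name for name, is_met in CRITERIA if not is_met(password)]


def screen_batch(candidates):
    """Map each rejected user name to its unmet criteria; accepted users are omitted."""
    report = {}
    for user, password in candidates.items():
        unmet = unmet_criteria(password)
        if unmet:
            report[user] = unmet
    return report


# Constructed sample accounts (hypothetical names and passwords).
SAMPLE = {
    "ops1": "Admin!23",       # the guide's own example: accepted
    "ops2": "Admin123",       # no symbol at all
    "ops3": "Night'Shift7",   # the quote is not one of the listed symbols
    "ops4": "Ab1!",           # four characters
    "ops5": "Wids Pass#9",    # contains a space
}

if __name__ == "__main__":
    for user, unmet in screen_batch(SAMPLE).items():
        print(user, "rejected:", ", ".join(unmet))
```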

Important!
You should change the default admin account user password at your first opportunity. Leaving the default password on the system poses a security risk.

Procedure
1. Log in to the AirDefense GUI.
2. Click Tools > Configuration to open the Configuration program area.
3. Click the Appliance Manager button.
4. Select the User Mgmt button to open the User Management window.
5. Select the name of the user whose password you want to change.
6. Click the Configure tab and type the new password.
7. Type the new Web User password in the Verify Password box.
8. Click Apply to save.

2.2.3 Deleting Users


1. Log in to the AirDefense GUI.
2. Click Tools > Configuration to open the Configuration program area.
3. Click the Appliance Manager button to access the Appliance Manager window.
4. Select the Users button to open the User Management window.
5. Click the Configure tab.
6. Select the name of the user you want to delete.
7. Click Delete.
8. Click YES to confirm. A confirmation Message screen appears.

2.3 User Preferences

Every user can control some aspects of the way the AirDefense Enterprise GUI displays information. Users can do this themselves, or, if you are an admin user, you can set up user preferences for other users. Select Config > User Preferences to display the three tabs that let you control your user preferences:

- User Display Preferences
- Current User Info
- Dashboard Preferences

2.3.1 Display Preferences tab


You can set display preferences for APs, Stations, and Sensors, and define the order of preferences for how you view devices. Device Identifiers appear next to stateful color-coded icons throughout the AirDefense GUI. The Display Preference tab lets each user determine whether the GUI identifies each device by its MAC address, vendor prefix, IP address, or user-selected name, etc. If you choose not to use MAC addresses (default), AirDefense server displays your preferred setting instead. Example: AirDefense server can display Access Points throughout the GUI as a MAC address, a Vendor Prefix, an IP address, a DNS name, or as a user-defined Name.

2.3.2 Current User Information tab


The Current User Information tab displays your user name and role, and lets you change your password, regardless of whether you are an admin user or another type of user.

Changing your own password


To change your password, type your current password, and then type your new password in both fields. Click Apply to save your change.

2.3.3 Dashboard Preferences tab


This tab controls the appearance and refresh rate of the Dashboard window. Select the rate at which you want the Dashboard to refresh. The default refresh rate is 10 minutes. Choose the Dashboard view that you want to be your own default view. Choose from:

- Manager (default): Displays a combination of security and performance charts
- Performance: Displays performance charts
- Security: Displays security charts
- Vintage: Displays data in list form, as did previous versions of the AirDefense Enterprise GUI

Regardless of which view you choose as your default, you can change the view at any time by choosing a view from the Data View drop-down on the Dashboard.

2.4 Limiting Users' Network Scope with Domain-Based Partitioning


Domain-Based Partitioning lets you limit the scope of what each user can view and manage by creating network domains, and then restricting each user to one or more domains. This is helpful when:

- Different users have responsibility for different parts of the network
- Different users have responsibility for different customer accounts on the same appliance (such as managed security services)
- You want to limit the amount of alarms a user is likely to see

Each domain can include multiple Locations and corresponding Groups. Only users with Administrative privileges can assign domains.

Overview of Domain-Based Partitioning:


1. Enable it.
2. Define domains.
3. Assign domains to users.

Instructions for defining domains and assigning them to users are located in Chapter 10, Configuring Enterprise Features.

2.5 Authentication

AirDefense server provides options for the way it authenticates users. By default, it uses Local Authentication. If you want the system to authenticate users using passwords stored on a RADIUS or LDAP server, you can configure Authentication profiles and assign them to users. To access the Configuration window for External Authentication profiles, go to Tools > Configuration > Appliance Manager > External Auth. After you define Authentication Profiles, you can assign profiles to users.

1. Select Tools > Configuration to open the System Configuration window.
2. Select the Appliance Manager button, and then click the Users button.
3. If you are assigning a profile to an existing user, select a user from the View tab.
4. Select the Configure tab and click the Edit button.
5. Under Authentication, select one of the pre-defined profiles from the drop down menu.
6. Click Apply to save.

2.6 Sensor UI Users

The Sensor UI enables you to view and configure Sensor UI User names, roles, and passwords. You can assign user access to the Sensor UI according to the roles of individuals in your organization. The access privileges differ for each role. The role determines which settings are activated for use in the Sensor UI.

Admin: The Sensor UI User with the role of Admin has both read and write privileges. This enables the Admin to make changes to Sensor settings. The Admin can add new Sensor UI Users and can assign them to a role, including as another Admin. An individual with Admin privileges can change all Sensor settings.
Monitor: The Sensor UI User with the role of Monitor can only view settings.

2.7 ADDadmin and Users

Although you perform most User configuration activity on the Enterprise GUI, there are two ADDadmin utilities that you can run from the CLI.

2.7.1 Managing Users (WEBU)


Use the ADDadmin utility WEBU to manage AirDefense GUI Web User names and passwords. You can:

- Add a Web User to AirDefense, and assign a role to the new Web User (this can be either an Admin, Manager, Guest, or Network Operator)
- Delete a Web User from AirDefense
- Set or change the password for a Web User

Using the WEBU utility


You access the WEBU utility the same way for all three functions:

1. Log in to the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type m, press <Enter> at the command prompt. The Manage screen appears.
3. Type webu, then press <Enter>.
4. If you want to add a user: Type A, and then press Enter. Type the new user name. Assign a role to the new user by typing Admin, Manager, Guest, or Network Operator. Type the new Web User password, and then confirm it by typing it again.
5. If you want to delete a user: Type d, and then press Enter. Type the name of the user to delete, press <Enter>, and then type yes to confirm.
6. If you want to change a user's password: Select Change a Password. Type the name of the user whose password you want to change, and then press <Enter>. Type the current password; press <Enter>. Type the new password; press <Enter>. Type the new password again; press <Enter>. Type yes to confirm, and then press <Enter>.

2.7.2 Changing Passwords (PASSWD)


Use the ADDadmin PASSWD utility to change the password of a Command Line User. Using PASSWD, you can change the password for the smxmgr and the smxarchive. Your ability to change the password depends on your user designation: smxmgr or smxarchive. (For more information on smxarchive, see Appendix B.)

- If you are logged in as user smxmgr, you can change passwords for smxmgr and smxarchive.
- If you are logged in as user smxarchive, you can change the password for smxarchive.

1. Log in to the Command Line Interface.
2. Type m, press <Enter> at the command prompt. The Manage screen appears.
3. Type passwd, press <Enter> at the prompt.
4. Type the line number of the user whose password you want to change (smxmgr or smxarchive). Press <Enter>. If you are the Command Line User smxmgr and you pressed 1, AirDefense prompts you for your current UNIX password. Type in your password now. AirDefense then prompts you for a new password. Go to step 5. If you are the Command Line User smxarchive and you pressed 2, AirDefense prompts you for a new password. Go to step 5.
5. Type the new password. Press <Enter>. If the system accepts the format of your new password, it returns Retype new password:
6. Type the new password again. Press <Enter>. If the system accepts your password, it returns All authentication tokens updated successfully.

3 Managing Alarms
To manage alarms, you use both the AirDefense Enterprise GUI and the ADDadmin utilities in the Command Line Interface.

GUI: Using the Alarms program area in the AirDefense GUI, you can:

- Acknowledge alarms, or clear alarms from the Alarms counters.
- Clear or purge alarms from the AirDefense database.
- Change the priority of any entire alarm type in AirDefense.
- Enable or disable specific alarm types.
- Manage Policy-based Terminations

ADDadmin: Using ADDadmin utilities in the Dbase program area, you can:

- Enable / Disable AirDefense's automated alarm management feature.
- Change the maximum alarm count.

3.0.1 In This Chapter


This chapter contains the following topics.

- GUI
- ADDadmin
- Practical Applications

3.1 GUI

The GUI's Alarms program area has an Alarms panel that contains details about the alarms triggered/generated in your wireless LAN. This includes information about which Sensors, APs, and Stations are generating alarms, when the alarms are being generated, and what conditions are triggering the alarms. This panel also has a feature you can use to acknowledge and clear an alarm or group of alarms. When you acknowledge or clear an alarm in this panel, AirDefense records your user name and the time, and the alarm remains active.

3.1.1 Managing Alarms


The Alarms program area has an Alarm Manager window that enables you to manage alarms. Using this feature, you can:

- Enable or disable types of alarms from occurring.
- Adjust alarm priorities for an entire alarm type by highlighting an alarm in the table, right-clicking, and selecting Alarm Configuration. Each alarm type in AirDefense has one of five Criticalities: Severe, Critical, Major, Guarded/Minor and Low/Safe. These priorities are system-wide, and are independent of the user.
- Clear all alarms from the display panels, remove all cleared alarms from the AirDefense database, or remove ALL alarms from the database. You can also remove cleared alarms from the database for the time range you specify, or remove ALL alarms from the database for the time range you specify.

See the online help for more information.

3.1.2 Adjusting Alarm Configurations

Each alarm in AirDefense has a criticality, classification, and type. You can use the Alarm Configuration window to:

- Adjust alarm criticality
- Enable/disable alarms
- Specify Alarm Duration
- View alarm information & add escalation procedure

To access the Alarm Configuration window, go to Tools > Configuration > Manage Alarms.

3.1.3 Enable/Disable Alarms


If you are an admin user, you can enable or disable the specific alarms for all devices by selecting or clearing the checkbox. You can also choose to enable an alarm for a subset of devices:

- All Devices
- Disabled for Devices
- Authorized/Unauthorized Devices
- Ignored Devices

You can disable the alarm for devices as specified by their MAC address in the Disabled for Devices field. The devices that appear in this list can only be specified and entered on the Alarm Manager window. Use the adjacent Remove button to remove them from the list.

3.1.4 Reset to Factory Defaults


If you want to reset the currently selected alarm to the factory default settings, click the button, which is located in the upper-right corner of the Alarm Configuration window.

3.2 ADDadmin

The ADDadmin Dbase program area has an ALARMS utility that you can use to:

- Enable AirDefense's automatic alarm management feature (default)
- Disable AirDefense's automatic alarm management feature
- Change the maximum alarm count (default is 15,000)

When automatic alarm management is enabled, the AirDefense system begins automatically deleting repetitious alarms when the number of alarms exceeds a maximum alarm count that you specify, leaving one alarm of a specific device type and day for each alarm. Depending on the volume of incoming alarms, AirDefense begins deleting the oldest alarms first, at fifteen minute intervals. This moves to intervals of one hour, twelve hours, one day, and thirty days, until the number of alarms is equal to or less than the specified count.

To use the Alarms utility, do the following:

1. Access the Command Line Interface.
2. Type d, press <Enter> at the command prompt. The Dbase screen appears.
3. Type alarms, then press <Enter>. The current alarm state appears, followed by these choices:
   (E) Enable Automatic Alarm MGMT: this is the default setting on the current alarm state window. When you open this window, the following message is listed at the top: Automatic Alarm Management currently enabled with maximum alarms set to 15000. This message just lets you know that alarms are now enabled with the specified alarm count. This setting will remain until you select one of the following two options.
   (D) Disable Automatic Alarm MGMT: indicates that the alarms are now disabled. A message asks you to save the current alarms state as shown, which is now disabled. Type yes to confirm that you want alarms disabled, type no to return to the Dbase settings screen, leaving the database untouched.
   (C) Change max alarm count: asks you to enter a new maximum alarm count, by either pressing <Enter> to keep the existing count, or by entering a new number. Once you do this, a message indicates that alarms are now enabled with the specified alarm count. A message asks you to save the current alarms state as shown, which is now enabled. Type yes to confirm that you want alarms enabled with the specified count, type no to return to the Dbase settings screen, leaving the database untouched.
4. Type q, press <Enter> to return to the main screen.

3.3 Practical Applications

The Email, SNMP, and Syslog alarm notifications you receive from AirDefense (see Managing Notifications on page 51) indicate the alarm priority of each alarm. You should set the alarm priorities as desired for the notifications.

Use the Auto Classification panel (Tools > Configuration > Policy Manager > Auto Classification) to apply a series of rules to detected devices on your network at one time. This forms the basis on how the system will automatically classify each device discovered in the system as Authorized, Unauthorized, Ignored or marked for deletion. You can classify a large list of devices simultaneously and authorize/unauthorize/ignore devices on your network, bypassing the labor-intensive process of applying policy settings to individual devices.

3.3.1 On Demand vs Scheduled Classification


The automatic device classification can be performed On Demand or it can be Scheduled to be performed periodically. The On Demand option lets you manually re-classify all discovered devices in the system. This option should be considered for initial system set-up to automatically classify all devices discovered.

You can also opt to Schedule a periodic device re-classification. For example, in an environment with many transient devices the user may want to periodically re-classify all newly discovered devices to limit the alarm count caused by unauthorized devices.

This configuration panel has four tabs, representing four sub-panels:

- On Demand
- Rule Sets
- Action Rules
- Scheduled

To open a panel, click on the tab.

Policy Manager window controls


Located on the Policy Manager window.

Function: Description
Apply: Select this option to save any changes made on any of the tabs.
Cancel: Removes any changes made to the previous settings without saving.
Close: Exits you from the Policy Manager window to the main AirDefense GUI.

3.3.2 To Begin Using Auto Classification


Use the following steps to initialize Auto Classification.

1. Go to the Action Rules tab to view available rules or define a custom rule. Create as many rules as needed to cover all different devices you wish to classify.
2. Go to the Rule Sets tab to view the available Rule Set or define a new Rule Set; add Action Rules to your new Rule Set (at least one Rule). The various rules in a Rule Set will be handled in sequence, top to bottom, i.e., 1st Rule + action, 2nd Rule + action.
3. Go to On Demand to select a Rule Set, click on the Classify Devices button, and run it based on the Rule Set selected. You must select the Apply button to confirm the selection.

3.3.3 On Demand tab


The On Demand tab allows the user to manually classify or re-classify all discovered devices in the system based on a predefined Rule Set.

Function: Description
Reclassify authorized and ignored devices: If this checkbox is left unselected, then when Auto Classification is used, it only looks for unauthorized devices, enabling them to be reclassified as authorized, ignored, or deleted. When this checkbox is selected, this causes the Auto Classification function to reclassify authorized and ignored devices along with unauthorized ones.
Scope: In this drop down list, select the range of Scope for the classification function to search for devices that meet its criteria.
Rule Set: In this drop down list, select the rule set you wish to use for classifying devices.
Classify Devices: Select this button to initiate the device classification function to search for devices based on the selected rule set. The classification results are displayed in the On Demand tab table.
Apply Results: Once you have a range of devices listed in the table, select this button to apply the auto classification results to them. You can un-check any devices before confirming the action of Auto Classification results.
Max: Click this button to limit the number of rows (50 max) that appear per page if the list of devices exceeds more than one page.
View (page number): If the classification results table span multiple pages, use the Page (1-50) drop down list to select, and then the View button to go directly to that page.
Scroll Buttons: Use the horizontal scroll buttons to move front and back through multiple pages of classification results.

3.3.4 Rule Sets tab


Use the Rule Sets tab to select sets of one or more action rules created on the Action Rules tab and add them to the table of Action Rules. Once you have built a list of Action Rules, they are made available on the On Demand tab.

Function: Description
Add/Delete: Select the Add button to activate the features on the Rule Sets tab. Select the Delete button to delete an existing Rule Set.
Select Rule Set: Make Rule Set selections in this drop down list to be used for Auto Classification criteria.
Name: Manually enter the name of Rule Sets in this text box then click Add for them to be added into the Action Rules table.
Action Rules table: Where existing individual Action Rules are listed.
Add/Remove/Move Up/Move Down: Clicking the Add button opens the Select Action Rule sub-window. On it, choose individual rule criteria that must be set on the Action Rules tab. Select the Remove button to delete an existing Action Rule. Highlight a listed Action Rule in the table and click the Move Up/Move Down buttons and move it up or down.

3.3.5 Action Rules tab


The Action Rules tab lets you define new Action Rules that can be used in a Rule Set for Auto Classification (also see Auto Classification). This tab is crucial since this is where you set the foundation of Action Rules that comprise Rule Sets to automatically classify devices.

Note: You must always define at least one Action Rule for Auto Classification to work.

Function: Description
Add: Select this button to add a new Action Rule.
Delete: Select this button to delete an existing Action Rule.
Copy: Select an existing Action Rule and then click this button to transfer it and/or modify it to create a new Action Rule.
Select Rule: Choose an existing Action Rule to open from this drop down list.
Name: When creating a new Action Rule enter the name of that rule in this text box. Existing names can be edited here.
Device Type: Select whether the rule applies to APs or Stations in this drop down list.
Action: Select the particular action for this rule: Authorize, Delete, Ignore, or Unauthorize, to be taken if the Condition is met.
Conditions: Select whether the device must meet all, meet any, fail all, or fail any of the conditions.
Filter Parameters: The user can select and highlight any or multiple parameters from the provided list and define filters for them:

- Vendor
- Channel
- SSID
- Signal Strength
- Protocol
- 802.1x Username
- Last Seen
- Connectivity
- Base Authentication
- Extended Authentication
- Key Generation
- Encryption

After you have modified a parameter, it appears bold. Example: Action Rule authorizes APs that meet the Vendor name filter and the SSID filter: Multiple parameters and filters can be selected. Once the user clicks Apply the selections will be saved for that Action Rule.

WARNING!
Scheduled Auto Classification should be used with CAUTION. The System will periodically re-classify all devices that meet a pre-defined Rule Set. Based on the criteria you specify, the system will automatically and periodically authorize, ignore, or delete devices detected by the system.

3.0.1 Scheduled tab


Allows user to schedule a periodic re-classification of all devices that occurs automatically. Checkboxes:

- Enable scheduled Classification - This checkbox must be selected first in order for scheduled classification to be added and enabled.
- Reclassify authorized and ignored devices - Auto-classification usually considers only unauthorized devices, however the Reclassify option can also be configured to consider authorized and ignored devices.

Function: Description
Scope: Select the Scope for Auto Classification; the Scope can be the whole System, a Domain, Location or Group.
Update Interval: Select the interval for each update, and can be measured in Minutes, Hours, or Days from the available drop down list.
Update Start: Enter the date that the re-classification will begin in this text box, and in the adjacent drop down list, enter the specific time of day.
Rule Set: Select the Rule Set that will be used for re-classification from this drop down list. The selections that appear here must be first added in the Rule Set tab.

After you click Apply, the selections made will be saved for that scheduled classification rule.
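The dry run below is an added example, not AirDefense code: it models Action Rules, top-to-bottom Rule Set order and the Reclassify checkbox as described in this section, so the effect of a Rule Set can be reviewed against a device inventory before it is scheduled. The device records, vendor names and encryption values are constructed, and two behaviours are assumptions: a filter is met on an exact value match, and the first matching rule decides a device's action.

```python
from dataclasses import dataclass

# Classification that results from each Action named on the Action Rules tab.
RESULT = {"Authorize": "Authorized", "Unauthorize": "Unauthorized",
          "Ignore": "Ignored", "Delete": "Deleted"}


@dataclass
class ActionRule:
    name: str
    device_type: str   # "AP" or "Station"
    action: str        # a key of RESULT
    conditions: str    # "meet all", "meet any", "fail all" or "fail any"
    filters: dict      # filter parameter -> set of accepted values

    def matches(self, device):
        if device["type"] != self.device_type:
            return False
        # Assumption: a filter is met when the device's value equals an accepted value.
        met = [device.get(p) in accepted for p, accepted in self.filters.items()]
        return {"meet all": all(met), "meet any": any(met),
                "fail all": not any(met), "fail any": not all(met)}[self.conditions]


def dry_run(rule_set, devices, reclassify_authorized_and_ignored=False):
    """List (mac, current state, rule name, action) for every device the
    Rule Set would change, without changing anything."""
    plan = []
    for dev in devices:
        protected = dev["state"] in ("Authorized", "Ignored")
        if protected and not reclassify_authorized_and_ignored:
            continue  # checkbox clear: only unauthorized devices are considered
        for rule in rule_set:  # rules are handled top to bottom
            if rule.matches(dev):
                if RESULT[rule.action] != dev["state"]:
                    plan.append((dev["mac"], dev["state"], rule.name, rule.action))
                break  # Assumption: the first matching rule decides
    return plan


def macs_with_action(plan, action):
    """MAC addresses in a dry-run plan that would receive the given action."""
    return sorted(mac for mac, _, _, act in plan if act == action)


# Constructed inventory (documentation MAC range, hypothetical vendors and SSIDs).
DEVICES = [
    {"mac": "00:00:5E:00:53:01", "type": "AP", "state": "Unauthorized",
     "Vendor": "ExampleCo", "SSID": "corp-wlan", "Encryption": "AES"},
    {"mac": "00:00:5E:00:53:02", "type": "AP", "state": "Unauthorized",
     "Vendor": "ExampleCo", "SSID": "corp-wlan", "Encryption": "None"},
    {"mac": "00:00:5E:00:53:03", "type": "AP", "state": "Unauthorized",
     "Vendor": "OtherCo", "SSID": "cafe-guest", "Encryption": "None"},
    {"mac": "00:00:5E:00:53:04", "type": "AP", "state": "Authorized",
     "Vendor": "ExampleCo", "SSID": "lab-test", "Encryption": "AES"},
    {"mac": "00:00:5E:00:53:10", "type": "Station", "state": "Unauthorized",
     "Vendor": "ExampleCo", "SSID": "corp-wlan", "Encryption": "AES"},
]

IGNORE_OTHERS = ActionRule("Ignore other SSIDs", "AP", "Ignore", "fail all",
                           {"SSID": {"corp-wlan"}})
# Vendor + SSID only, like the Action Rule example in the text above.
LOOSE = [ActionRule("Authorize corp APs", "AP", "Authorize", "meet all",
                    {"Vendor": {"ExampleCo"}, "SSID": {"corp-wlan"}}),
         IGNORE_OTHERS]
# Same rule narrowed with the Encryption filter parameter.
TIGHT = [ActionRule("Authorize corp APs", "AP", "Authorize", "meet all",
                    {"Vendor": {"ExampleCo"}, "SSID": {"corp-wlan"},
                     "Encryption": {"AES"}}),
         IGNORE_OTHERS]

if __name__ == "__main__":
    runs = (("loose", LOOSE, False), ("tight", TIGHT, False),
            ("tight + reclassify", TIGHT, True))
    for label, rules, reclassify in runs:
        print(label)
        for row in dry_run(rules, DEVICES, reclassify):
            print("   ", *row)
```

With the Vendor and SSID filters alone, the unencrypted AP ending in :02 is authorized as well; adding the Encryption filter leaves it Unauthorized, and selecting the Reclassify checkbox moves the already Authorized lab AP to Ignored.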

4 Managing Software
To manage AirDefense software and licenses, you use the ADDadmin utilities in the Command Line Interface. You must perform all operations in the sequence prescribed in this chapter. This chapter includes information about:

- Adding Software Service Modules
- Updating AirDefense licenses
- Managing security certificates

ADDadmin: Using the utilities in the ADDadmin Software program area, you can:

- Install a service module into the AirDefense software
- Display the current AirDefense license
- Install a new AirDefense license
- Create a package of AirDefense system keys

4.0.1 In This Chapter


This chapter contains the following topics.

- Adding ADDadmin Service Modules
- Managing Licenses
- GUI
- Managing Certificates

4.1 Adding ADDadmin Service Modules

Feature enhancements and improvements to the modules in your existing version of AirDefense software are available through the Support Center portal at http://support.airdefense.net or on CD-ROM from AirDefense. Once you download the module bundle into your local server, you must connect and log in to AirDefense Enterprise via SSH, access the Command Line Interface, and use the ADDadmin SERVMOD utility (Software program area) to install the module. The SERVMOD utility adds the module to your current AirDefense software version.

1. Access the Command Line Interface. See Accessing the ADDadmin utilities on page 9 for instructions on how to do this.
2. Type s, then press <Enter> at the command prompt on the main screen. The Software screen displays.
3. Type servmod, then press <Enter>. The system asks you to enter the fully qualified directory path where the update bundle resides, or to type C if the bundle is on CD-ROM.
4. Type in the fully-qualified directory path, or type <C> for CD-ROM.
   If you type the directory path: The Server gives a list of service modules in the directory; you must select the service module you want to install and then follow the on-screen directions. Once selected, AirDefense retrieves and installs the service module. The system then returns you to the Software screen.
   If you type <C>: The system prompts you to install the CD-ROM. The service module installation takes place once you install the CD-ROM.
5. Type q and press <Enter> to return to the main screen.

4.2 Managing Licenses

Managing licenses is a function of both the ADDadmin utilities in the Command Line Interface and the GUI.

4.2.1 ADDadmin
The ADDadmin Software program area provides three utilities. These enable you to: display the current AirDefense license (CURRLIC); install a new AirDefense license (LICENSE); and create a package of AirDefense system keys that can be used by AirDefense support to repair corrupt licenses (KEYPKG).

4.2.2 CURRLIC
CURRLIC displays information on the current AirDefense license. To view the current license:

1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type s, press <Enter> at the command prompt on the main screen. The Software screen displays.
3. Type currlic, then press <Enter>. Information on the current AirDefense license displays:
   - MAC address of the current licensed system
   - License version number
   - Number of authorized Access Points allowed
   - Number of Sensors allowed
   - License expiration date
   - Maintenance expiration date
4. Press <Enter> to return to the main screen.

4.2.3 LICENSE
LICENSE installs a new AirDefense license into AirDefense or renews an expired license. AirDefense, Inc. supplies the license file.

Important!
If your license has expired and you wish to renew it, contact AirDefense, Inc. to obtain a replacement license file. You can then use the ADDadmin License utility to install the license.

Note: You can use the AirDefense GUI to update an existing (not expired) license.

To install a license:

1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type s, then press <Enter> at the command prompt on the main screen. The Software screen displays.
3. Type license, then press <Enter>. You are prompted to enter the fully-qualified (complete) path name of the license file. AirDefense, Inc. supplies this file, either on CD or via email, which you can load onto your server. Alternately, you can press <CR> to exit without changes.
4. Select the file and press <Enter>. This loads the license into AirDefense.
5. Type q and press <Enter> to return to the main screen.

4.2.4 KEYPKG
KEYPKG enables you to create a package of AirDefense system keys. AirDefense, Inc. support personnel can use these keys to update your license or repair it if it becomes corrupted.

To create system keys:

1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type s, then press <Enter> at the command prompt on the main screen. The Software screen displays.
3. Type keypkg, then press <Enter>. The system displays the key package and location, for example, /usr/local/tmp/WIPSKeys-0000D60991456-2005-03-29.16.17.tar.gz Press <Enter> to return to the main screen.

4.3 GUI

The GUI Configuration program area provides a Software program that enables you to update licenses to authorize more Access Points or Sensors for your wireless LAN. This is accomplished using the AirDefense License Management panel.

4.3.1 AirDefense GUI License Management


To access the Software section, select: Configuration > Appliance Manager > Software; an AirDefense License Management panel appears. Use this to install a new license that has been provided via email by AirDefense, Inc. Using this, you can:

- Update unexpired licenses to authorize more Access Points in your wireless LAN.
- Update unexpired licenses to authorize more Sensors in your wireless LAN.
- View the parameters of your current license.

For complete step-by-step instructions on how to use the GUI's license management features, see the Online Help for Appliance Manager > Software.

4.4 Managing Certificates

Managing security certificates is a function of the GUI. You must be a Web User with the role of Admin to manage certificates. Certificates verify the authenticity of the AirDefense Server. They can prevent hijacking of administrative sessions between your window session and the AirDefense Server, and can even alert you to physical replacement of the AirDefense Server. Certificates install into the AirDefense Server and are sent by the Server directly to your window session, enabling you to use AirDefense over a secure, TLS-encrypted https web session.

Important!
AirDefense, Inc. recommends using a security certificate for every AirDefense Server in your network. Furthermore, we recommend that you replace the pre-installed security certificate from AirDefense with either a self-signed certificate or a root-signed certificate.

For complete step-by-step instructions on how to use the GUI's certificate features, see the Quick Help for Admin: Certificates.

4.4.1 GUI
The Configuration program area has a Certificates program that enables you to view and create security certificates, and to perform other certificate-related administrative tasks, such as installing certificates. There are three types of certificates from which to choose, each represents a different level of security.

- AirDefense certificate (minimal level of security)
- Self-signed certificate (intermediate level of security)
- Root-signed certificate (high level of security)

AirDefense Certificate
The AirDefense certificate represents a minimal level of security. AirDefense, Inc. ships the AirDefense Server with a pre-installed security certificate. It is a working certificate that provides TLS encryption, but has not been verified and digitally signed by a root Certificate Authority (CA). The host name identified in the certificate will not match the actual host name of your AirDefense Server. Unless the certificate meets all required criteria, you will receive one or more alert screens when you open a session with AirDefense (see Security Alerts on page 61).

Self-Signed Certificate
A self-signed certificate represents an intermediate level of security. A self-signed certificate (also called Tomcat certificate) is a certificate that you generate, in which you specify the host name of the AirDefense Server in the certificate, but do not have the certificate verified and digitally signed by a root Certificate Authority. Unless the certificate meets all required criteria, you will receive one or more alert screens when you open a session with AirDefense (see Security Alerts on page 61).

Root-Signed Certificate
A root-signed certificate represents a high level of security. A root-signed certificate is a public certificate verified by a root Certificate Authority (CA). This is a digitally signed certificate that ensures the authenticity of the AirDefense Server.

Security Alerts
During the initial Enterprise GUI login, Security Alert windows pop up to alert you to certificate statuses. One Security Alert window and two Java Security Alert windows can appear.

Security Alert (window)

The Security Alert window appears if the certificate fails to meet one or more of the three criteria listed on the window. A yellow triangle indicates that the certificate does not meet the criteria. A green checked circle indicates that the certificate meets the criteria.

Once all three criteria are met, this screen no longer appears when you log in. Click on View Certificate to view and install a certificate. The table below describes the criteria.

Criteria: The security certificate is from a trusted certifying authority.
Explanation: To meet this criterion, the AirDefense Server must have a certificate signed by a trusted Certificate Authority installed, and the certificate must be applied to the AirDefense GUI. Hint: For the installation to take effect, you must restart AirDefense by using the ADDadmin RESTART utility.

Criteria: The security certificate has expired or is not yet valid.
Explanation: To meet this criterion, the range of valid dates generated for the certificate must be within the current date range in your workstation.

Criteria: The name on the security certificate is invalid or does not match the name of the site.
Explanation: To meet this criterion, the host name generated for the certificate must match the name of the AirDefense Server.

Java Security Warning: host name mismatch


The Java Security Warning window for host name mismatch appears during initial Enterprise login if your certificate host name does not match the host name of the security certificate.


5 Managing Notifications
To manage notifications, you use both the ADDadmin utilities in the Command Line Interface and the AirDefense GUI.

ADDadmin: Using ADDadmin utilities in the Config program area, you can:

- Set the Hostname for the AirDefense Server.
- Set the Domain Name for the AirDefense Server.
- Configure the Mail Relay host for the AirDefense Server.

Using the Notification Manager program area in the AirDefense GUI, you can specify how AirDefense delivers its alarm notifications to designated recipients. You can:

- Enable or disable notifications for the system.
- Set the default intervals for notifications.
- Configure a recipient to receive alarm notifications, or to just view configurations.
- Configure options for receiving Email, SNMP, and Syslog alarm notifications. There are standard options and advanced options that include filters for limiting alarm notifications, and tools for customizing alarm notifications.

Important! Notifications are suspended during some maintenance activities you may perform using the ADDadmin utilities, such as those for reboot (REBOOT), restart (RESTART), clear databases (CLRU, CLRALL), and recover databases (RCVRDB).

5.0.1 In This Chapter


This chapter contains the following topics:

- ADDadmin
- GUI
- Practical Applications

5.1 ADDadmin

The ADDadmin Config program area contains utilities that you can use to:

- Set the Hostname for the AirDefense Server (HNAME)
- Set the Domain Name for the AirDefense Server (DNAME)
- Configure the Mail Relay host for the AirDefense Server (MRELAY)

For complete steps on how to set the Host Name, Domain Name, and Mail Relay Host for the AirDefense Server, see Practical Applications on page 66.

5.2 GUI

The GUI's Notification Manager program area gives you the information and tools you need to specify how AirDefense delivers its alarm notifications to designated recipients and destinations. Alarm notifications list specific alarms that AirDefense generates. The Notification Manager program area enables you to:

- Toggle notifications on and off and set the default interval for notifications. You can enable or disable all Email, SNMP, and Syslog notifications, and configure the Email, SNMP, and Syslog intervals (either in minutes, or by selecting Instant) for each type of notification.
- Configure which individuals and email destinations will receive alarm notifications.
- Configure standard options for notifications. Standard options include selecting recipients, inserting email addresses, filtering notifications by alarm priority or by Sensor, selecting a format for the notifications, and selecting a time interval for receiving the notifications.
- Configure advanced options for notifications. Advanced options include creating advanced filter expressions for specific alarm notifications (actual Boolean expressions that you can build and edit), designating custom templates for notifications, filtering out repetitious alarms, and setting queue size for optimum system performance.

For complete steps on how to configure and manage Email, SNMP, and Syslog notifications, see the Online Quick Help for Notification Manager.

5.3 Practical Applications

The following are practical applications for managing notifications in AirDefense.

5.3.1 Setting Hostname, Domain Name, and Mail Relay Host


Use the ADDadmin utilities HNAME, DNAME, and MRELAY in the Command Line Interface Config program area to set the hostname, domain name, and mail relay for the sender address for Email notifications.

Note: Hostnames and Domain Names are considered valid based on RFC 952, RFC 1035, RFC 1123 Section 2.1, and RFC 1591 Section 2. RFCs can be examined online at http://rfc.net.

Important! Whenever you change either the host name or the domain name of the AirDefense Server, you must also modify its host name or domain name in all devices that refer to it (e.g., DNS Servers). Also, if AirDefense is given a static IP address, but is not specifically assigned a hostname or domain name, it will pull its host name/domain name info from a responding DNS server.

Domain name cannot be assigned until a specific host name is assigned to the system. That host name can even be the same host name the DNS server would give it. The difference is that when AirDefense pulls its info from DNS, it merges the host name and domain name info. When you assign a specific host name, the info is kept discrete, so it can be changed separately.

5.3.2 Access the Command Line Interface


1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type c, then press <Enter> at the command prompt. The Config screen displays.


5.3.3 To Set the Host Name


1. Type hname, then press <Enter> at the prompt to change the name of the AirDefense Server. The host name is the name assigned to the computer that acts as a server for other computers on the network. For instance, a web host is what provides the content of web pages to the computers that access it. The Hostname screen displays your current host name.
2. At the prompt, enter a new name for the AirDefense Server to which you are currently connected.
3. Press <Enter>. You are prompted to commit the change.
4. Type yes or no, then press <Enter>.

5.3.4 To Set the Domain Name


1. Type dname, then press <Enter> at the prompt to change the domain to which the AirDefense Server belongs. The domain name identifies a web site. For example, apple.com is the domain name of Apple Computer's web site. A single web server may have more than one domain name, but a single domain name points to only one device. The Domain name screen displays your current domain name in bold text.
2. At the prompt, enter a new name for the domain to which you belong.
3. Press <Enter>. You are prompted to commit the change.
4. Type yes or no, then press <Enter>.


5.3.5 Set the Mail Relay Host


Your network setup may require that you designate a server that relays AirDefense email notifications outside of a firewall or other secure network configuration. If this is the case, you can configure the AirDefense Server to send its email to a mail relay server.

Note: You must configure your mail server to allow the AirDefense Server to relay email messages through it, or at least to direct its mail to another mail server that will relay email. In addition, you must define at least one DNS server for this function to operate correctly.

1. Type mrelay, then press <Enter> at the prompt to configure the AirDefense Server to point to a mail relay host. The Mail Relay host screen appears.
2. Type a to add an entry, or d to delete an entry.
   To add an entry: type a at the prompt and enter the IP address or fully qualified host name (e.g., myhostname.mydomainname.com) of a mail server to process email alarm messages. Press <Enter> to add the mail server to the list of servers.
   Hint: You must use a host name that is fully qualified, that is, it must be in standard format (<hostname>.<domainname>). The domain name must end in a standard format, i.e., .com, .org, .uk, .tx, etc.
   Hint: Use the IP address to define the Mail Relay Host if you want to send all mail to a particular Mail Relay Host, and you do not want the AirDefense Server to try to resolve the recipients' addresses, for example, in case you cannot get DNS queries out because of a firewall. Defining the Mail Relay Host by IP address turns off DNS lookups within sendmail.
   To delete an entry: type d at the prompt and enter at the ensuing prompt the number of the mail server you want to delete.
3. Type q, then press <Enter> to return to the main screen. You are prompted to save your changes.
4. Type yes or no, then press <Enter>.


6 Managing the Database


To manage the AirDefense database, you use both the ADDadmin utilities in the Command Line Interface and the AirDefense GUI.

ADDadmin: Using the utilities in the ADDadmin Dbase program area, you can:

- Clear the database except for user data, or clear the database of all data.
- Back up database configuration information.
- Recover database configuration information.
- Back up the database.
- Recover the database.
- Check the integrity of the databases.
- Update vendor MAC address information in database.

GUI: Using the Appliance Manager program area in the GUI, you can:

- Export report data from the database.
- Export report data now, or schedule an export of report data.
- Back up the database now, or schedule a backup of the database.

6.0.1 In This Chapter


This chapter contains the following topics:

- Clearing the Database
- Exporting Report Data From the Database
- Backing Up the Database
- Recovering the Database
- Importing Access Points & Stations
- Checking the Integrity of the Databases
- Updating Vendor MAC Address Information

6.1 Clearing the Database

You cannot use the GUI to clear the AirDefense database. To clear portions or all of the AirDefense database, you must use the ADDadmin utilities CLRU or CLRALL. These utilities enable you to clear the AirDefense database to varying degrees.

- CLRU clears all data, except user data
- CLRALL clears all data

6.1.1 ADDadmin
1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type d, then press <Enter> at the command prompt. The Dbase screen displays.

6.1.2 CLRU
This utility clears the database, except user data. Use this utility to delete and rebuild the AirDefense database, with the exception of user information.

Important! This utility deletes and rebuilds the AirDefense database, but saves your current user information. Use this utility, for example, when you move AirDefense to a new network and want to start fresh with new data and policies, but want to maintain your user information.
1. Type clru, then press <Enter> to clear databases, except user data. You are prompted to confirm by typing yes or no.
2. Type yes or no. No returns you to the Dbase settings screen, leaving the database untouched. Yes deletes and rebuilds the database (including deletion of all network statistics and policies) and returns you to the Dbase settings screen.
3. Type q, then press <Enter> to return to the main screen.

6.1.3 CLRALL
1. Type clrall, then press <Enter> to clear databases of all data. This deletes and rebuilds the AirDefense database: it deletes all data (including network statistics), user information, and policies. You are prompted to confirm by typing yes or no.
2. Type yes or no. No returns you to the Dbase settings screen, leaving the database untouched. Yes deletes and rebuilds the database (including deletion of all network statistics, policies, and user data) and returns you to the Dbase settings screen.
3. Type q, then press <Enter> to return to the main screen.

6.2 Exporting Report Data From the Database

Exporting data is a function of the GUI. For complete step-by-step instructions on how to use the GUI's data export feature, see the Online Quick Help for Config > Appliance Manager > Data Mgmt. The GUI's Appliance Manager window provides a Data Mgmt program that enables you to export report data from the AirDefense Server into your local system. Using this program, you can:

- Manually export data (Export Now)
- Schedule an export of data

Important! AirDefense purges its data every 7 days. If you want to archive your data, AirDefense recommends that you use the GUI's Data Mgmt program to export report data into your local system, or to completely back up your database using the Data Mgmt program in the GUI, and the ADDadmin BCKUPDB utility in the Command Line Interface (see Managing the Database on page 69).

6.2.1 Exporting Data


You can export data as report files. You can manually export AirDefense reports or schedule regular exports of data. Files export in a tab-delimited format to a .txt file and are placed in a specific directory on the AirDefense Server (/usr/local/smx/reports). The text files end in an .rpt extension. Once exported into the Server, you can copy the files to another system, then import into Excel or some other spreadsheet or database system.

Report Data Export
AirDefense generates alarms and records statistics about your wireless LAN: device associations, traffic, channel usage, and other important information on the state of AirDefense. This data is deleted from AirDefense's database after 7 days. You can export this data to external files, to run queries against AirDefense. Exporting data is not automated; it requires a Web User with the role of Admin to administer. At the time of export, AirDefense exports all data of the selected types collected since midnight of the current day. You can also fully back up and archive the database, or fully restore the database to AirDefense from the backup.

6.3 Backing Up the Database


Important! Back up your database regularly. AirDefense purges its data every 7 days. If you want to archive your data, AirDefense recommends that you use the GUI's Data Mgmt program to export report data into your local system, or to completely back up your database using the ADDadmin BCKUPDB utility in the Command Line Interface. You can also choose to back up only the configuration information in your database, using the ADDadmin BUDBCFG utility.

Backing up the database is a function of the ADDadmin utilities and the GUI.

6.3.1 ADDadmin
The ADDadmin Dbase program area provides a BCKUPDB utility that enables you to back up the AirDefense database, and a BUDBCFG utility that enables you to backup only database configuration information.

To Back Up the Database


1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type d, then press <Enter> at the command prompt. The Dbase screen displays.
3. Type bckupdb, then press <Enter>. The database backs up to a specified directory. When complete, the Dbase screen appears.
4. Type q, then press <Enter> to return to the main screen.


To Back Up Database Configuration Information


1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type d, then press <Enter> at the command prompt. The Dbase screen displays.
3. Type budbcfg, then press <Enter>. The database configuration backs up to the specified directory /usr/local/smx/backups/ on the AirDefense Server. When complete, a prompt to press <Enter> to return to the previous menus appears.
4. Type q, then press <Enter> to return to the main screen.

6.3.2 GUI
The GUI's Config > Appliance Manager window provides a Data Mgmt program that enables you to back up the contents of the AirDefense Server database. For complete step-by-step instructions on how to use the GUI's data export feature, see the Online Quick Help for Config > Data Mgmt. Using this program, you can:

- Manually back up all data (Backup Now)
- Schedule a backup of data

6.3.3 Backing up Data


You can manually backup all data to the AirDefense Server, or schedule an automatic backup of all data. You can then pull the database off the AirDefense Server and archive it to your local system.



Important! Back up your database regularly.


To copy the data backups to another server, log into the Command Line Interface as smxmgr. You can manually back up all data or just policy and configuration data, or schedule a backup of all data to the AirDefense Server. Files back up to a specific directory on the AirDefense Server (/usr/local/smx/backups). To recover the backups, you must use the ADDadmin utility, RCVRDB command.

Note: For information on how to automate retrieval of files from the AirDefense Server, see Appendix B.

6.4 Recovering the Database

The ADDadmin Dbase program area provides the RCVRDB utility for database recovery, and the RCDBCFG utility to recover database configuration information. You cannot use the GUI to recover the database.

Note: Due to database incompatibility between Enterprise versions, a database backup can only be recovered to a system of the same build number.

6.4.1 ADDadmin
To Recover the Database
Use the RCVRDB utility to recover the AirDefense database from backups.

1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type d, then press <Enter> at the command prompt. The Dbase screen displays.
3. Type rcvrdb, then press <Enter>. You are prompted to enter the directory in which database recovery files reside.
4. Press <Enter>. The database restores from the directory you entered, or if you did not enter a directory, from the default directory. When complete, the Dbase screen appears. Type q, then press <Enter> to return to the main screen.

To Recover Database Configuration Information


Use the RCDBCFG utility to recover database configuration information from backups.

1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type d, then press <Enter> at the command prompt. The Dbase screen displays.
3. Type rcdbcfg, then press <Enter>. You are prompted to enter the directory in which the backup config file resides.
4. Enter the directory in which the backup config file resides. Press <Enter>. The database configuration information restores from the directory you entered, or if you did not enter a directory, from the default directory /usr/local/smx/backups/. When complete, the Dbase screen appears. Type q, then press <Enter> to return to the main screen.

6.5 Importing Access Points & Stations

The file for importing Access Points should contain rows of data, one row for each Access Point being imported into your AirDefense wireless LAN. Each row is separated by a carriage return or new line character. If the AP being imported is already in the system, the import overwrites the field values, based on the MAC address. The text field values are overwritten, regardless of letter case.

6.5.1 Guidelines
Use the following guidelines.

- Each row of data must consist of a comma-separated list of field values for each AP (as defined in the table below, for example: MAC address, alias, IP address, DNS name, description, authorize, bridge).
- You do not have to use all field values for the AP, but you must use the MAC address.
- Spell out null for any field value that you do not want to use, for example: 00:02:2d:01:23:04, null, null, null, null, yes, no.
- Do not leave any field values as empty spaces.
- Separate each row by a carriage return or new line character.
- Separate all field values with commas. These are the delimiters.
- You must use colons in MAC addresses.
- White space must exist between each column.

Field Name: Valid Values
mac address: Valid mac address
alias: Text string or null if not defined
ip Address: Valid ip address or null if not defined
dns name: Text string or null if not defined
description: Text string or null if not defined
authorize: yes or no
bridge: yes or no

Examples
aa:aa:aa:aa:aa:aa, My Access Point, 172.16.0.232, machine@xyz.com, this is my access point, yes, yes
bb:bb:bb:bb:bb:bb, AP B, 145.16.0.232, box2@xyz.com, null, no, no


6.5.2 File Format for Importing Stations


The file for importing Stations should contain rows of data, one row for each Station being imported into your AirDefense wireless LAN. Each row is separated by a carriage return or new line character. You can pre-authorize a Station on an AP prior to importing, but you must import the AP first. If you do not, the Station will still import into AirDefense, but not as an authorized Station. If the Station being imported is already in the system, the import overwrites the field values, based on the MAC address. The text field values are overwritten, regardless of letter case.

6.5.3 Guidelines
Use the following guidelines.

- Each row of data must consist of a comma-separated list of field values for each Station (as defined in the table below, for example: MAC address, alias, DNS name, description, authorize, list of comma-separated APs).
- You do not have to use all field values for the Station, but you must use the MAC address.
- Spell out null for any field value that you do not want to use, for example: 00:02:2d:01:23:04, null, null, null, null, null, yes, aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb.
- Do not leave any field values as empty spaces.
- Separate each row by a carriage return or new line character.
- Separate all field values with commas. These are the delimiters.
- White space must exist between each column.

Field Name: Valid Values
mac address: Valid mac address
alias: Text string or null if not defined
dns name: Text string or null if not defined
description: Text string or null if not defined
authorize: yes, no, or null. If yes or no is selected, the next field (aplist) should be defined and this station will be either authorized (yes value) or unauthorized (no value) for every access point in the aplist
aplist: all (for all access points), comma-separated list of access point mac addresses

Examples
cc:cc:cc:cc:cc:cc, Station C, machine1@xyz.com, this is my access point, yes, all
dd:dd:dd:dd:dd:dd, Station D, machine2@xyz.com, null, no, aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb
ee:ee:ee:ee:ee:ee, Station E, machine3@xyz.com, this is station e, null
ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, yes, aa:aa:aa:aa:aa:aa
ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, no, bb:bb:bb:bb:bb:bb

Station C will be entered into the system, authorized on all access points. Station D will be entered into the system, unauthorized on access points aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb. Station E will be entered into the system with configuration information only. Station EF will be entered into the system, authorized on access point aa:aa:aa:aa:aa:aa, unauthorized on bb:bb:bb:bb:bb:bb.
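
A pre-import check for the Access Point and Station file formats described in 6.5.1 through 6.5.3, added here as an example (it is not AirDefense code). It follows the field tables and example rows above and flags Stations that reference an AP that has not been imported; the function names and the `existing_aps` parameter (APs already in the system) are assumptions made for this illustration.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")  # colons are required
# Example rows copied from the guide.
PAGE_APS = """\
aa:aa:aa:aa:aa:aa, My Access Point, 172.16.0.232, machine@xyz.com, this is my access point, yes, yes
bb:bb:bb:bb:bb:bb, AP B, 145.16.0.232, box2@xyz.com, null, no, no
"""
PAGE_STATIONS = """\
cc:cc:cc:cc:cc:cc, Station C, machine1@xyz.com, this is my access point, yes, all
dd:dd:dd:dd:dd:dd, Station D, machine2@xyz.com, null, no, aa:aa:aa:aa:aa:aa, bb:bb:bb:bb:bb:bb
ee:ee:ee:ee:ee:ee, Station E, machine3@xyz.com, this is station e, null
ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, yes, aa:aa:aa:aa:aa:aa
ef:ef:ef:ef:ef:ef, Station EF, machine3@xyz.com, this is station fe, no, bb:bb:bb:bb:bb:bb
"""
# Constructed rows, each breaking one rule.
BAD_APS = """\
00-02-2d-01-23-04, Lobby AP, null, null, null, yes, no
00:02:2d:01:23:05, Lab AP, , null, null, yes, no
"""
BAD_STATIONS = """\
00:0a:0b:0c:0d:0e, Laptop, null, null, yes, 00:02:2d:01:23:06
00:0a:0b:0c:0d:0f, Phone, null, null, yes
"""


def _common(mac, text_fields):
    """Checks shared by both formats: MAC syntax and no blank text fields."""
    problems = []
    if not MAC_RE.match(mac.lower()):
        problems.append(f"bad MAC address {mac!r}; use colon-separated hex")
    problems += [f"{name} is blank; spell out null"
                 for name, value in text_fields if value == ""]
    return problems


def check_ap_row(row):
    """AP row: mac, alias, ip, dns name, description, authorize, bridge."""
    fields = [value.strip() for value in row.split(",")]
    if len(fields) != 7:
        return [f"expected 7 fields, found {len(fields)}"]
    mac, alias, ip, dns, desc, authorize, bridge = fields
    problems = _common(mac, [("alias", alias), ("dns name", dns), ("description", desc)])
    if ip.lower() != "null":
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"bad IP address {ip!r}")
    for name, value in (("authorize", authorize), ("bridge", bridge)):
        if value.lower() not in ("yes", "no"):
            problems.append(f"{name} must be yes or no, found {value!r}")
    return problems


def check_station_row(row, known_aps):
    """Station row: mac, alias, dns name, description, authorize[, aplist]."""
    fields = [value.strip() for value in row.split(",")]
    if len(fields) < 5:
        return [f"expected at least 5 fields, found {len(fields)}"]
    mac, alias, dns, desc, authorize = fields[:5]
    aplist = [ap.lower() for ap in fields[5:]]
    problems = _common(mac, [("alias", alias), ("dns name", dns), ("description", desc)])
    authorize = authorize.lower()
    if authorize not in ("yes", "no", "null"):
        problems.append(f"authorize must be yes, no or null, found {authorize!r}")
    elif authorize == "null" and aplist:
        problems.append("aplist given but authorize is null")
    elif authorize != "null" and not aplist:
        problems.append(f"authorize is {authorize} but no aplist follows")
    elif aplist != ["all"]:
        for ap in aplist:
            if not MAC_RE.match(ap):
                problems.append(f"bad AP MAC address {ap!r} in aplist")
            elif ap not in known_aps:
                problems.append(f"AP {ap} is not imported yet; import it first")
    return problems


def lint_import(ap_text, station_text, existing_aps=()):
    """Lint both files; returns (file, line number, message) tuples."""
    findings = []
    known_aps = {ap.lower() for ap in existing_aps}
    for number, row in enumerate(ap_text.splitlines(), start=1):
        if not row.strip():
            continue
        problems = check_ap_row(row)
        if not problems:
            known_aps.add(row.split(",")[0].strip().lower())
        findings += [("ap", number, p) for p in problems]
    for number, row in enumerate(station_text.splitlines(), start=1):
        if row.strip():
            findings += [("station", number, p) for p in check_station_row(row, known_aps)]
    return findings
```

Calling `lint_import(BAD_APS, BAD_STATIONS)` returns one finding per constructed row; an empty list means both files follow the guidelines and every listed AP is known.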

6.6 Checking the Integrity of the Databases


The ADDadmin Dbase program area provides an INTCK utility for checking the integrity of the AirDefense databases. You cannot use the GUI to perform this function.

Note: The AirDefense database is actually subdivided into two databases: Main and Users. The Users database holds login and password information.

1. Access the Command Line Interface.
2. Type d, then press <Enter> at the command prompt on the main screen. The Dbase screen appears.
3. Type intck, then press <Enter>. The system displays three choices for a database integrity check:
   - Main Database (see step 4)
   - Users Database (see step 5)
   - All of the Above Databases (see step 6)
4. Type 1 <Enter> to check the Main Database. The system executes a limited examination. The result is either PASSED or FAILED.
   If the test fails, it is because it detected a database integrity problem in the Main Database (smx_main). The system will prompt you to re-index the database. Click y (yes) to fix the most common source of database corruption without deleting data.
   If the test passes, the system executes Test 2, which is a full data traversal. If Test 2 fails, the system will prompt you to re-index the database. Click y (yes) to fix the most common source of database corruption without deleting data.
5. Type 2 <Enter> to check the Users Database. The system executes a limited examination. The result is either PASSED or FAILED.
   If the test fails, it is because it detected a database integrity problem in the Users Database (smx_users). The system will prompt you to re-index the database. Click y (yes) to fix the most common source of database corruption without deleting data.
   If the test passes, the system executes Test 2, which is a full data traversal. If Test 2 fails, the system will prompt you to re-index the database. Click y (yes) to fix the most common source of database corruption without deleting data.
6. Type 3 <Enter> to check both the Main and Users databases simultaneously. The system executes a limited examination. The result is either PASSED or FAILED.
   If the test fails, it is because it detected a database integrity problem in the Main Database (smx_main), the Users Database (smx_users), or both. The system will prompt you to re-index the databases. Click y (yes) to fix the most common source of database corruption without deleting data.
   If the test passes, the system executes Test 2, which is a full data traversal. If Test 2 fails, the system will prompt you to re-index the databases. Click y (yes) to fix the most common source of database corruption without deleting data.
7. Type q and press <Enter> to return to the main screen.

6.7 Updating Vendor MAC Address Information

The ADDadmin Dbase program area provides an OUI utility for updating vendor MAC address information to the AirDefense database. You cannot use the GUI to update vendor MAC address information. The OUI (organizationally unique identifier) utility adds new vendor MAC addresses to the AirDefense database.

1. Access the Command Line Interface.
2. Type d, then press <Enter> at the command prompt on the main screen. The Dbase screen displays.
3. Type OUI, then press <Enter>. The system asks you to enter the fully qualified directory path where the OUI update resides (use this if you downloaded the OUI table of vendor MAC addresses from the IEEE Server), or to type I if you wish to access the IEEE Server directly (via the internet) to download the new OUI table of vendor MAC addresses.
4. Type in the fully-qualified directory path, or type <I>.
   If you type the directory path: AirDefense retrieves and installs the update file directly from your local server. The system then returns you to the Dbase screen.
   If you type <I>: The system accesses the IEEE Server via the internet and automatically downloads the new OUI table into the AirDefense database.
5. Type q and press <Enter> to return to the main screen.


7 Configuring the System


Use the ADDadmin utilities in the Command Line Interface to perform initial AirDefense configurations, then use the GUI for ongoing configuration.

Notes: Use the GUI to name the AirDefense Server; set the system port for GUI access; enable (or disable) Air Termination, Policy-based Termination, Domain Management, and Port Suppression; and set a Threat Level (for the Dashboard) at the system level.

7.0.1 In This Chapter


This chapter contains the following topics:

- ADDadmin
- GUI

7.1 ADDadmin

The ADDadmin Config program area provides the following utilities for configuring AirDefense:

- IP: use this to change the IP address, subnet mask, and default gateway of the AirDefense Server
- NETPORT: use this to change network interface settings, and to toggle Autonegotiation on and off
- DNS: use this to add or delete a DNS nameserver (Domain Name Server)
- ARP: use this to configure a permanent ARP table
- HALLOW: use this to configure which systems are allowed to connect to the AirDefense Server
- HDENY: use this to identify which computers are not allowed to connect to the AirDefense Server
- PING: use this to enable/disable ping to the AirDefense Server
- CAD: use this to enable/disable [Ctrl] [Alt] [Del] for system reboot
- TIME: use this to configure the AirDefense Server's operating time and date
- TZ: use this to configure the time zone in which the AirDefense Server operates
- NTP: use this to configure a specific network time server, instead of setting TIME and TZ
- UIPORT: use this to change the network port you are using for the GUI

To use ADDadmin utilities, you must access the Command Line Interface.

1. Access the Command Line Interface. See Using the Interfaces on page 7 for instructions on how to do this.
2. Type c, then press <Enter> at the command prompt. The Config screen displays.


7.1.1 IP
1. Type ip, then press <Enter> at the prompt to change the IP address, subnet mask, and default gateway of the AirDefense Server you are logged onto. The IP configuration screen opens, displaying the current network configuration.
2. Type a new IP address at the prompt. Press <Enter>. You are prompted to enter a new subnet mask.
3. Type a new subnet mask. Press <Enter>. You are prompted to enter a new gateway.
4. Type a new gateway address. Press <Enter>. Your new values display in bold text.
5. Type yes or no at the prompt to commit the changes. This returns you to the previous network screen. AirDefense reboots on exit from the ADDadmin.

Important!
If you are logging in remotely using SSH, check these values carefully for accuracy before typing yes or no to commit the changes. Committing incorrect information will cause you to lose connectivity to the AirDefense Server.

7.1.2 NETPORT
Use NETPORT to configure the network interface link speed, duplex setting, and to toggle Autonegotiation on and off. The Autonegotiation feature enables the AirDefense Server to analyze the network and find the most efficient network interface available in some cases.

1. Type netport, then press <Enter> at the prompt to configure network link speed, duplex, and to turn Autonegotiation On and Off. The Netport configuration screen opens, displaying the current network interface configuration and prompting you to enter on or off for Autonegotiation.
2. At the prompt, press <Enter> to keep the Autonegotiation at its current status, or type in on or off to change the configuration. Press <Enter> again. The screen displays the link speed selections.

Note: The following steps appear only if the off option is selected.

3. At the prompt, press <Enter> to keep the current link speed, or type in the desired value. Choices are: 10, 100, or 1000 Mb/s. Press <Enter> again. The screen displays the duplex setting selections.
4. At the prompt, press <Enter> to keep the current duplex setting, or type in the desired setting. Choices are half (for half duplex) and full (for full duplex). Press <Enter> again. The screen displays the new network interface configuration.
5. At the prompt, type yes to commit the changes, or no to cancel the operation.
6. Press <Enter>. You are returned to the Config settings screen.


7.1.3 DNS
Step  Action
1     Type dns, then press <Enter> at the prompt to define DNS Servers. This adds or deletes a DNS nameserver (Domain Name Server). This is the name of the server you give to your DNS server. The NameServer screen opens, displaying your current DNS server's IP address in bold text.
2     At the prompt, type either a to add a new DNS server, or d to delete a server.
      To add an entry: type a at the prompt and type the IP address at the ensuing prompt. Press <Enter> to add the new DNS server to the list of nameservers.
      To delete an entry: type d at the prompt. At the next prompt, type in the number of the nameserver you want to delete. (If you delete a DNS server that is followed by other servers, all the ones with a lower preference will move up in priority.)

Important!
Multiple DNS servers process DNS requests in order. The first DNS server on the list (identified by the number 1) is the first to offer name resolution; the second DNS server on the list (identified by the number 2) is the second to process the request if the first is unable to do so. To change the order preference of multiple servers, you must delete them all, and re-enter them in the order you want them to process your DNS requests. The first DNS server you enter will become number 1, the first to process name resolution.

3     Type q, then press <Enter> to quit and return to the main screen. You are prompted to save your changes.
4     Type yes or no, then press <Enter>.

7.1.4 ARP
Use ARP to configure a permanent ARP table. ARP (Address Resolution Protocol) is a TCP/IP protocol used to obtain a node's physical address. A client station broadcasts an ARP request onto the network with the IP address of the target node it wishes to communicate with, and the node with that address responds by sending back its physical address so that packets can be transmitted. ARP returns the layer 2 address for a layer 3 address. ARP requests are broadcast onto the network, requiring every station in the subnet to process the request.

Creating a permanent ARP table that contains ARP records for your gateway and other important machines protects connections between the AirDefense Server and remote administrators from being hijacked by man-in-the-middle ARP blasts (that redirect traffic for the AirDefense Server's IP address to an alternate MAC address).

Step  Action
1     Type arp, then press <Enter> at the prompt to configure a permanent ARP table. The ARP screen displays your current ARP records in bold text.
2     Type a to add an entry, or d to delete an entry.
      To add an entry: type a at the prompt and type the hardware (MAC) address of a device. Next, type the IP address associated with the MAC address. An invalid entry will cause an abort; unreachable IP addresses will display a warning message. Press <Enter> to add the device to the ARP table. Now, when opening a connection to that device, the AirDefense Server first looks in its own ARP table to discover how to connect to it, instead of relying on an ARP broadcast.
      To delete an entry: type d at the prompt. At the next prompt, type the number of the record in the ARP table you want to delete.
3     Type q, press <Enter> to return to the parent screen. You are prompted to save your changes.
4     Type yes or no, press <Enter>.
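The following check is an added example, not AirDefense code: it audits an ARP cache against the gateway and administrator entries you intended to pin, flagging pinned hosts whose MAC differs or whose entry is not permanent. It assumes the cache is available in the Linux /proc/net/arp text layout; the sample table, the PINNED list, and all addresses are constructed.

```python
"""Audit an ARP cache against the pinned (permanent) entries you expect."""

# ATF_* flag bits used in the Flags column of Linux /proc/net/arp.
ATF_COM = 0x02   # entry is complete (MAC address resolved)
ATF_PERM = 0x04  # entry is permanent (static), not learned from the network

# Constructed sample in /proc/net/arp layout; addresses are documentation values.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x6         00:00:5e:00:53:01     *        eth0
192.0.2.10       0x1         0x2         00:00:5e:00:53:99     *        eth0
192.0.2.20       0x1         0x6         00:00:5e:00:53:20     *        eth0
192.0.2.30       0x1         0x0         00:00:00:00:00:00     *        eth0
"""

# Hypothetical pin list: the gateway and two administrator workstations.
PINNED = {
    "192.0.2.1": "00:00:5E:00:53:01",
    "192.0.2.10": "00:00:5e:00:53:10",
    "192.0.2.40": "00:00:5e:00:53:40",
}


def parse_arp_table(text):
    """Return {ip: (mac, flags)} for every resolved row of a /proc/net/arp dump."""
    entries = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue                            # blank or truncated row
        ip, _hw_type, flags, mac = fields[:4]
        flags = int(flags, 16)
        if not flags & ATF_COM:
            continue                            # incomplete entry, no usable MAC
        entries[ip] = (mac.lower(), flags)
    return entries


def audit(pinned, table_text):
    """Compare pinned IP->MAC pairs with the cache; return a list of findings."""
    cache = parse_arp_table(table_text)
    findings = []
    for ip, expected in sorted(pinned.items()):
        expected = expected.lower()
        if ip not in cache:
            findings.append((ip, "missing", "no resolved entry for pinned host"))
            continue
        mac, flags = cache[ip]
        if mac != expected:
            findings.append((ip, "mac-mismatch", f"expected {expected}, saw {mac}"))
        if not flags & ATF_PERM:
            findings.append((ip, "not-permanent", "entry can be replaced by ARP replies"))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in audit(PINNED, SAMPLE_ARP_TABLE):
        print(f"{ip:<12} {kind:<14} {detail}")
```

A mac-mismatch on a pinned host is the condition the permanent table exists to prevent; a not-permanent finding means the entry was learned from the network and was never pinned.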

7.1.5 HALLOW
Step  Action
1     Type hallow, then press <Enter> at the prompt to configure which systems are allowed to connect to the AirDefense Server. You may specify which computers are allowed to connect to an AirDefense Server. Only computers whose IP address, subnet, fully qualified host name, or domain name matches an entry in this list are allowed to connect to an AirDefense Server to run ADDadmin. The Allow list screen displays your current list of allowed computers in bold text.
2     Type a to add an entry, or d to delete an entry.
      To add an entry: Type a at the prompt. At the next prompt, do the following: Type either a single host IP address (123.456.789.963), class A, B, or C subnet (123., 123.456., 123.456.789.; note the trailing . in the subnets), AND Fully qualified host name (myhostname.mydomainname.com), OR Domain name at the ensuing prompt. Anyone within a specified subnet, or from a specified host or domain, may connect to an AirDefense Server. Repeat as desired.
      To delete an entry: type d at the prompt and, at the ensuing prompt, enter the number of the record in the allow table you want to delete.
3     Type q, then press <Enter> to return to the parent screen. You are prompted to save your changes.
4     Type yes or no, then press <Enter>.

7.1.6 HDENY
Step  Action
1     Type hdeny, then press <Enter> at the prompt to identify which devices are not allowed to connect to the AirDefense Server. Any device whose IP address, subnet, fully qualified host name, or domain name matches an entry in this list is not allowed to connect to an AirDefense Server to run ADDadmin.
      Note: HALLOW takes precedence over HDENY. For example, if 123.456.789.963 is on the allow list, yet the subnet 123.456.789. is on the deny list, the individual system above is allowed to connect to the AirDefense Server.
      Note: Do not unwittingly lock yourself out of the AirDefense Server by creating a deny policy that affects your wireless LAN. Ensure that you create an allow policy for yourself.
      The Deny list screen displays your current list of denied systems in bold text.
2     Type a to add an entry, or d to delete an entry.
      To add an entry: type a at the prompt and enter either a single host IP address (123.456.789.963), class A, B, or C subnet (123., 123.456., 123.456.789.; note the trailing . in the subnets), fully qualified host name (myhostname.mydomainname.com), or domain name at the ensuing prompt. Anyone within a specified subnet, or from a specified host or domain, is not allowed to connect to the AirDefense Server. Repeat as desired.
      To delete an entry: type d at the prompt and, at the ensuing prompt, enter the number of the record in the allow table you want to delete.
3     Type Q, then press <Enter> to return to the parent screen. You are prompted to save your changes.
4     Type yes or no, then press <Enter>.
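The HALLOW and HDENY sections above describe the entry forms and the precedence rule; the following dry run is an added example, not part of ADDadmin, that evaluates a proposed pair of lists against the administrator clients you depend on before you commit them. It assumes a domain entry covers every host name inside that domain and that the client's host name is supplied by the caller; all names and addresses are constructed.

```python
"""Dry-run HALLOW / HDENY lists before committing them in ADDadmin."""


def entry_matches(entry, client_ip, client_host=None):
    """True if one list entry covers the client.

    Entry forms follow the guide: a single host IP, a subnet prefix with a
    trailing dot ("192.0.2."), a fully qualified host name, or a domain name.
    """
    entry = entry.strip().lower()
    if not entry:
        return False
    if all(c in "0123456789." for c in entry):
        if entry.endswith("."):
            # Prefix match; the trailing dot stops "192.0.2." covering 192.0.20.x.
            return client_ip.startswith(entry)
        return client_ip == entry
    if client_host is None:
        return False                     # name entries need a resolved host name
    host = client_host.lower().rstrip(".")
    # Assumption: a domain entry covers every host name inside that domain.
    return host == entry or host.endswith("." + entry)


def evaluate(allow, deny, client_ip, client_host=None):
    """Return (verdict, matched_entry) with HALLOW taking precedence over HDENY."""
    for entry in allow:
        if entry_matches(entry, client_ip, client_host):
            return "allow", entry
    for entry in deny:
        if entry_matches(entry, client_ip, client_host):
            return "deny", entry
    # The guide does not state what happens to a client on neither list.
    return "unlisted", None


def lockout_check(allow, deny, admin_clients):
    """List the admin clients that a proposed HDENY list would cut off."""
    blocked = []
    for ip, host in admin_clients:
        verdict, entry = evaluate(allow, deny, ip, host)
        if verdict == "deny":
            blocked.append((ip, entry))
    return blocked


# Constructed lists and clients (documentation address ranges and domains).
ALLOW = ["192.0.2.15", "admin.example.com"]
DENY = ["192.0.2.", "198.51.100.", "example.net"]
ADMINS = [
    ("192.0.2.15", None),                   # on the allow list by address
    ("192.0.2.77", "noc1.example.org"),     # inside a denied subnet
    ("203.0.113.9", "admin.example.com"),   # on the allow list by host name
    ("198.51.100.4", "jump.example.net"),   # inside a denied subnet
]

if __name__ == "__main__":
    for ip, entry in lockout_check(ALLOW, DENY, ADMINS):
        print(f"{ip} would be locked out by deny entry {entry!r}")
```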

7.1.7 PING
Use PING to change the ping setting for the AirDefense Server. PING is enabled by default. PING makes it possible for you to ping the AirDefense Server from a remote location, and also allows outgoing pings from the AirDefense Server to other network nodes. The main purpose of a ping is to test a system on the Internet to see if it is working. Pinging an AirDefense Server can test the response time of the Server while connected to the Internet. This is helpful in finding Internet bottlenecks, so that data transfer paths can be re-routed the most efficient way.

Step  Action
1     Type ping, then press <Enter> at the prompt. A status line at the top of the screen indicates the current status.
2     Type E to enable ping, or D to disable ping.
      E: type E at the prompt, then press <Enter> to enable pinging (default). The status line reads: Pinging currently enabled.
      D: type D at the prompt, then press <Enter> to disable pinging. The status line reads: Pinging currently not enabled.

7.1.8 CAD
Use this to enable/disable [Ctrl] [Alt] [Del] for system reboot. CAD is enabled by default. CAD makes it possible for you to reboot AirDefense without having to access the Command Line Interface REBOOT utility.

Step  Action
1     Type CAD, then press <Enter> at the prompt. A status line at the top of the screen indicates the current status.
2     Type E to enable CAD, or D to disable CAD.
      E: type E at the prompt, then press <Enter> to enable CAD (default). The status line reads: CTRL-ALT-DEL currently enabled.
      D: type D at the prompt, then press <Enter> to disable CAD. The status line reads: CTRL-ALT-DEL currently disabled.


7.1.9 TIME
Important!
Changing the system time/date could affect the integrity of the database. Any change will cause a system reboot on exit from ADDadmin.

Setting AirDefense time consists of setting the Time and Date (TIME) and the Timezone (TZ), or alternately, enabling an NTP server (NTP). You must set the correct time (time of day, timezone, and date) or, alternately, enable an NTP server when you first set up AirDefense. Changing the time configurations after your AirDefense has accumulated data can have an adverse effect on the integral state, time, and event associations that are essential to accurate data reporting.

Step  Action
1     Type time, then press <Enter> at the prompt to change the AirDefense Server's operating time and date. The current date and time displays. You are prompted to enter a date in MMDDYYYY format. (Do not use colon, forward slash, or other delimiters.)
2     Press <Enter>. You are prompted to enter a time in 24-hour HHMM or HHMMSS format.
3     Press <Enter>. You are prompted to save your changes.
4     Type yes or no, then press <Enter>. You return to the Config settings screen.

7.1.10 TZ
Important!
Any change will cause a system reboot on exit from ADDadmin.

Step  Action
1     Type tz, then press <Enter> at the prompt to change the AirDefense Server's time zone. The Time zone screen displays a list of global, continental regions. AirDefense prompts you to choose a global area in which your AirDefense Server resides.
2     Enter the corresponding number (to the left of your region name). Press <Enter>. A list of nations appears. Enter the abbreviation (to the left of the nation) of the nation in which the AirDefense Server resides. Press <Enter>. A list of nationalities appears. Enter the number of the region within your nation in which the AirDefense Server resides. Press <Enter>.
3     You are prompted to save your changes. Type yes or no, press <Enter>. Typing yes or no reboots and clears the database on exit from ADDadmin.


7.1.11 NTP
Instead of setting the AirDefense Time (TIME) and Timezone (TZ), you can enable automatic time synchronization with an NTP. If you change the AirDefense time because,
Example: If you change the AirDefense time, such as when you move the AirDefense Server's location from the east to west coast of the United States, you must also locate a new network time server in the same time zone.

Step  Action
1     Type ntp at the command prompt to enable or disable a specific network time server (NTP). The NTP screen displays your current status in bold text, whether or not you are currently set to use NTP. Type e to enable NTP. You are prompted to enter the IP address or fully qualified host name (hostname.domainname.com) of a network time server. Alternately, you can type d to disable NTP. No additional input is required; NTP is immediately disabled.

To save the network time server settings, type q to quit. You are prompted to save your settings.

Important!
Entering an invalid time server generates an error and logs you out of ADDadmin. Also, changing the time configurations after your AirDefense has accumulated data can have an adverse effect on the integral state, time, and event associations that are essential to accurate data reporting.

7.1.12 UIPORT
You can change the port the GUI is using.

Step  Action
1     Type UIPORT at the command prompt to change the port the GUI is currently using. The UIPORT screen displays the current UI port in use.
2     At the prompt, type yes to change the current port, or no to keep the current port. If you typed no, go to step 3. If you typed yes, go to step 4.
3     If you type no, the operation is canceled. Press <Enter> to return to the Config settings screen.
4     If you type yes, the system asks you to enter a new port. Enter a new port number and press <Enter>. AirDefense automatically accepts the change. Press <Enter> again. You are returned to the Config settings screen.


7.1.13 FALLOW/FDENY
The Advanced Forensic Analysis Engine is an add-on module to the Enterprise System that provides the user the ability to mine the vast amount of data stored in IntelliCenter. The console is a separate application that runs on a Windows PC and can be used to extract pertinent historical data from the server for forensic analysis. Use FALLOW to allow a specific client, which is an external PC with the Advanced Forensic application, to connect to the AirDefense server.

Step  Action
1     Type FALLOW at the prompt and press <Enter>.
2     The system prompts you to enter the IP address of your PC running the Advanced Forensic Analysis application. FALLOW must be set for EACH PC running the Advanced Forensic Application. Use the exact address of the specific Forensic Client PC. Press <Enter>.
3     The system prompts you to save your changes. Type yes or no, then press <Enter>.
4     The system returns you to the ADDadmin main window. Do not exit from ADDadmin; this will cause the system to reboot.

About FDENY
The ADDadmin utility FDENY is the direct opposite of FALLOW. Use this utility to deny a specific Forensic Client PC from connecting to the AirDefense Enterprise Server.


7.2 GUI

The Configuration program area of the AirDefense GUI provides the Appliance Manager window that enables you to name the AirDefense Server, set the system port for GUI access, enable (or disable) Air Termination, Policy-based Termination, and Port Suppression, as well as set Threat Levels (for the Dashboard) at the system level. For complete step-by-step instructions on how to use the GUI's System naming and port selection features, see the Online Help.

7.2.1 System Name


The system name you enter in the System Settings window in Tools > Configuration > Appliance Manager > Settings is the name that will appear at the top of the directory trees, in all instances throughout the AirDefense GUI. It will also appear on Dashboard, and in Email Notifications.

7.2.2 System Port


The system port setting in the System Settings window found under Tools > Configuration > Appliance Manager > Settings enables you to set the system port for access to the AirDefense GUI by choosing the port from a port indicator/selector. Choices are port 1024 through 65000.

7.2.3 Air Termination


Clicking either the Yes or No radio button in the System Settings window found under Tools > Configuration > Appliance Manager > Settings enables or disables Air Termination for the system. Once enabled, the Air Termination setting for individual Sensors can also be enabled. The System enable is one of three settings you must configure in order to activate Air Termination. You must also enable Notifications and enable individual Sensors for Air Termination (see About Air Termination on page 144). Air Termination enables you to terminate the connection between your wireless LAN and any associated authorized or unauthorized Access Point or Station that appears either in the hierarchical trees or in information panels throughout AirDefense programs. This includes the Dashboard, Manage Alarms, Policy Manager, and Reports. Devices must be associated in order to be terminated. To use this feature, you must be a user with the role of Admin or Manager. Air Termination supports two methods of termination:

Air Termination: Where the Access Point connection is terminated and all Stations associated to the Access Point are de-authenticated, or the connection between a Station and an Access Point is terminated.
Port Suppression: When a network port through which a device is communicating is shut off.

For more information on Air Termination, see the Online Help.

7.2.4 Policy-based Air Termination System Enabled


Clicking either the Yes or No radio button in the System Settings window found under Tools > Configuration > Appliance Manager > Settings enables or disables policy-based termination for the system. The System enable is a requirement to activate Policy-based Termination (see Prerequisites for Using Policy-based Termination on page 145).


Policy-based Termination is an automated version of Air Termination. This feature enables you to formulate an Action Plan to automatically terminate the connection between your wireless LAN and any associated authorized or unauthorized Access Point or Station, based on alarms. For more information on Policy-based Termination, see the Online Quick Help

7.2.5 Port Suppression System Enabled


Clicking either the Yes or No radio button in the System Settings window found under Tools > Configuration > Appliance Manager > Settings enables or disables port suppression for the system. The Port Suppression feature enables you to turn off the port on the network switch through which a device is communicating. You can suppress the communications port for any network device, effectively shutting down the communication port for the device.


8 Managing the System


To manage the system, use only the ADDadmin utilities in the Command Line Interface. ADDadmin provides utilities to restart, reboot, or halt AirDefense, utilities to display system statuses and logs, utilities to clear logs, and utilities to export or clear frame capture files from the AirDefense Server.

8.0.1 In This Chapter


This chapter contains the following topics.

System Statuses and Logs
Restarting AirDefense
Rebooting AirDefense
Halting AirDefense
Exporting Frame Capture Files
Clearing Frame Capture Files

8.1 System Statuses and Logs

ADDadmin provides a Manage program area that has the following utilities for system statuses and logs:

STATUS: Displays the process and disk status of the system.
SYSLOG: Displays system log entries resulting from authentication and sendmail failures. There are three entries: Notice, Error, and Debug. You can either display the logs on screen, or write logs to a text file (syslogdata.txt).
CLRLOG: Clears rotated system logs if /var partition is approaching 100% usage, clears overly large postgresql log.

8.2 Restarting AirDefense

The ADDadmin Manage program area provides a RESTART utility to restart AirDefense processes. You can choose individual processes to restart or restart all processes. (This is not a full reboot!)

Step  Action
1     Type restart, press <Enter>. The AirDefense Server automatically shuts down some processes and restarts. ADDadmin enables you to restart all processes (10), or to choose a specific process to restart. The choices are:
      (1) Notification Manager
      (2) Report Server
      (3) Integration Server
      (4) Location Tracking Interface
      (5) Network Behavior Engine
      (6) Protocol Analysis Engine
      (7) Database
      (8) Graphical User Interface
      (9) ALL OF THE ABOVE
2     Type the number of the process option you wish to use.
3     Type q, then press <Enter> to return to the main screen.

8.3 Rebooting AirDefense

The ADDadmin Manage program area provides a REBOOT utility to perform a soft reboot of AirDefense. Use this utility to reboot the AirDefense Server.

Step  Action
1     Type reboot, then press <Enter> to reboot the AirDefense Server. The AirDefense Server automatically shuts down and restarts.

8.4 Halting AirDefense

The ADDadmin Manage program area provides a HALT utility to halt AirDefense.

Step  Action
1     Type halt, then press <Enter> to halt AirDefense. AirDefense immediately stops and runs its shutdown routine.

8.5 Exporting Frame Capture Files

You can set AirDefense Sensors for Frame Capture. When you set the Sensor for Frame Capture ON, the Sensor captures raw data packets and sends them to the AirDefense Server. You can place a maximum of five Sensors in this mode. This feature is OFF by default. When off, the Sensor only sends information needed for analysis to the AirDefense Server. See Chapter 9, Managing Sensors, for information on setting the Sensor for Frame Capture Mode, and on setting the Frame Capture Filter. If you choose to capture files, you must use Command Line Interface utilities to export the captured files. The Frame Capture Filter limits the raw data packets that are transmitted. You can specify which packets AirDefense captures.

8.5.1 SAVECAP
The ADDadmin Manage program area provides a SAVECAP utility that enables you to export frame capture files into one of two file formats: a peek format, for viewing using AiroPeek NX, or a pcap format, for viewing using Ethereal or tcpdump. SAVECAP enables you to access captured packets (pcapture files) in the pcaptures directory of the AirDefense Server (/usr/local/smx/pcaptures), and save them as either a peek (AiroPeek) or a pcap (tcpdump) formatted file. The AirDefense Server archives frame captures into two files, one at a time. Each has a 300 Mb capacity. When the second file reaches 300 Mb, captured data moves to the first file and overwrites the existing data. Using SAVECAP, you can save one captured file at a time into the directory, and your format of choice. You can then use a secure copy utility, for example WINScp, to copy the exported files from the AirDefense Server to your local server. Once on your local server, you can use AiroPeek, Ethereal, or tcpdump to view the data, depending on how you saved the files.

Important!
Because of space limitations, you can only save one captured file in the pcaptures directory at any one time. If you have a file of previously saved capture data, ADDadmin will prompt you to save it into /home/smxmgr. If you do not, AirDefense automatically deletes the file out of the pcaptures directory. AirDefense, Inc. recommends that you scp the files to another machine for archiving if you want to keep the data. You can also perform a Capture from the AirDefense GUI using Live View.

8.6 Clearing Frame Capture Files

The ADDadmin Manage program area provides a CLRCAP utility that enables you to clear frame capture files from the AirDefense Server, freeing up space in the pcaptures directory (/usr/local/smx/pcaptures). Use this if you would like to completely delete all pcaptures from the AirDefense Server. The ADDadmin Manage program also provides a disk STATUS utility that displays the percentage of allowed disc space use in the /usr/local/smx/pcaptures directory (see System Displays in this Chapter). If this directory becomes full, it will impact the integrity of frame capture data.


9 Managing Sensors
9.0.1 Firmware Prerequisite
AirDefense Enterprise 7.2 supports sensors at firmware version 4.4.x or higher.

9.0.2 Sensor Interfaces


AirDefense provides three user interfaces for managing the Sensors in your system. The Sensor Manager in the Graphical User Interface (GUI) is the primary interface. The three interfaces are:

Sensor User Interface (Sensor UI): Typically, you use this web-based interface to configure Sensor settings for the first time.
Sensor Manager (Enterprise GUI): Typically, you use this window in the AirDefense GUI to administer Sensors after initial configuration for most settings.
Sensor Console Interface (Sensor CI): This interface is for special circumstances. It requires direct interface to the console port of the Sensor. This is only available on Model 400 Sensors.

Important! You must configure and physically install each Sensor on your network. For additional information on installation and deployment, see the AirDefense Sensor Quick Start that accompanied your AirDefense Server.

9.0.3 In This Chapter


This chapter contains the following topics.

Sensor Overview
Using the Sensor UI
Configuring Sensors
Using the Sensor CI for Model 400 Sensor
Zero-Configuration Option
Obtaining the Sensor IP Address
Using the Sensor Manager (GUI)
Upgrading Sensor Firmware
Practical Applications

9.1 Sensor Overview

AirDefense, Inc. offers several Sensor models, where most models function the same, and are similar from an installation and configuration standpoint. The three most common Sensors deployed with AirDefense systems are:

AirDefense Model 400 Sensor

The AirDefense Model 400 Sensor, with firmware V.4.x, monitors 802.11a, 802.11b, and 802.11g traffic.

AirDefense Model 510 Sensor

The AirDefense Model 510 Sensor, with firmware V.4.2.x, monitors 802.11a, 802.11b, and 802.11g traffic. The Model 510 Sensor has internal antennas and external antenna capabilities and must be powered by 802.3af compliant Power-over-Ethernet. The Model 510 Sensor is also plenum rated.

AirDefense Model 520 Sensor

The AirDefense Model 520 Sensor, with firmware V.4.2.x, monitors 802.11a, 802.11b, and 802.11g traffic. The Model 520 Sensor comes with two external antennas (using RP-SMA connectors) and can be powered by a DC adapter or 802.3af compliant Power-over-Ethernet. The Model 520 Sensor is also plenum rated.

9.1.1 Access Points as Sensors


In addition to the AirDefense Sensor models listed in the previous section, AirDefense Enterprise can support 3rd party Access Points that have been converted to a dedicated Sensor. AirDefense Enterprise r7.0.5-SM2 or higher supports the following:

Trapeze Mobility Point MP-372 as a Sensor

AirDefense Enterprise r7.0.5-SM2 or later supports Trapeze Mobility Points (MP-372) that have been converted to a Sensor. The converted AP will operate as a dedicated sensor, continuously monitoring all 802.11a, 802.11b and 802.11g traffic. The user must have Trapeze Mobility System version 5.0 and download the sensor conversion software called adconvert.bin. After copying the sensor conversion software onto the Trapeze MX switch that manages the AP to be converted, the sensor software can be loaded into the AP. The sensor can be converted back to an MP-372 Access Point through the AirDefense Enterprise GUI or Sensor UI.

Symbol AP300 Access Port as a Sensor

AirDefense Enterprise r7.0.5 or later also supports Symbol AP300 Access Points that have been converted to Sensors. The converted AP will operate as a dedicated sensor, continuously monitoring all 802.11a, 802.11b and 802.11g traffic. The user must have the sensor conversion software to convert an AP300 Access Point to a Sensor. This is a Windows-based application that is available from Symbol Technologies, Inc. The same application can convert an AP300 sensor back into an Access Point.

9.2 Using the Sensor UI

The Sensor UI is an HTML-based web server that resides on the Sensor. To access the web-based Sensor UI, you must log in remotely from a web browser. Use the Sensor UI for initial configuration during Sensor installation. After initial configuration, you can administer Sensors using the Sensor program area of the AirDefense GUI, in most cases. This includes adding another Sensor to your wireless LAN. However, you must use the Sensor UI to do the following:

Enable/disable remote maintenance mode (SSH) to the Sensor.
Change the password for the Sensor Web User (Admin user or Monitor user).

9.2.1 Sensor Network Connections


You must have the appropriate ports open for communication between the Sensors and the AirDefense Server, and for administrative sessions with the AirDefense Server.

TCP Port                     Connection between...
TCP 80 (http, not secure)    Sensor and AirDefense Server, no encryption.
                             Note: This port is automatically selected when Encryption Mode is Off in the Sensor UI.
TCP 443 (https, secure)      Sensor and AirDefense Server, encryption.
                             Sensor and Sensor UI browser client, encryption (https).
                             Note: This port is automatically selected when Encryption Mode is On in the Sensor UI.

9.3 Configuring the Sensor

Follow the steps below to install Sensors, access the Sensor UI, and then configure the Sensor for use in AirDefense Enterprise.

9.3.1 Model 500 Series Prerequisites


You must have the hardware and software components listed below:

One (minimum) AirDefense Enterprise Server running version 7.0.5-SM1 or higher.
Model 500 Series Sensor running firmware version 4.3.x.x or higher.
Power Source for the Sensor:
  Model 510 sensor: The model 510 sensor must receive Power over Ethernet (PoE) from a switch or other network device that supplies power over the network cable based on the IEEE 802.3af standard (not included).
  Model 520 sensor: The model 520 sensor can be powered by an AC to DC power adapter (supplied). The sensor does not have a power switch; it is powered on when connected to the power adapter, and the power adapter is connected to a power source (100-240 Volts at 50 or 60 Hz). The model 520 sensor may also receive Power over Ethernet (PoE) from a switch or other network device that supplies power over the network cable based on the IEEE 802.3af standard (not included). Note that if the sensor is connected to a PoE source device and also connected to a local power source through the AC power adapter, PoE will be disabled.

Important! The Model 510 and Model 520 Sensors are designed to receive power from an 802.3af-compliant source, an 802.3af compliant switch, or an AirDefense-approved power injector. Connecting a sensor to a Power-over-Ethernet device that is not approved by AirDefense can damage the equipment.

9.3.2 Step 1: Connect to AirDefense Sensors


Follow the instructions below to connect each AirDefense Sensor.

500 Series Sensors

Step  Action
1     Directly connect the Sensor to your station using the supplied Ethernet cable:
      Note: If an AirDefense PoE injector is used, connect your Station to Data In and connect your Sensor to Data and Power out.
      Model 510: Plug Ethernet Cable into port 1 or 2.
      Model 520: Plug Ethernet Cable into port PoE in.
2     Power up the Sensor with the AC/DC power adapter (Model 520 only) or power up the Sensor with your 802.3af compliant PoE source.

400 Sensors

Step  Action
1     Directly connect the Sensor to your workstation or laptop using one of two methods:
      Method One: Connect the Sensor and your workstation or laptop to a hub, using standard Ethernet cables. AirDefense, Inc. recommends this method, which eliminates some equipment incompatibilities.
      Method Two: Connect the Sensor to your workstation or laptop using a crossover Ethernet cable (supplied). On the Sensor side, the Ethernet cable plugs into the LAN port on the back of the Model 400 Sensor.
2     Connect the Sensor power cord and DC adapter between a standard AC receptacle and the DC input connector on the Sensor back panel.
3     Power up the Sensor.

9.3.3 Step 2: Access the Sensor Interface


Follow the instructions below to set up each AirDefense Sensor in your wireless LAN. You will be using the Sensor User Interface (Sensor UI) for this setup, an HTML-based interface that resides on the Sensor. Use the Sensor UI to initially configure Sensors, and to perform some maintenance activities after the initial installation. To access the Sensor UI, you must log in remotely from your workstation web browser.

Step  Action
1     Set your workstation's IP address to 192.168.100.10 and subnet mask to 255.255.255.0.
2     Type https://192.168.100.100 in your browser; press <Enter>. The Sensor UI login screen appears.
3     Enter the default user name and password in the login screen:
      User Name: admin
      Password: airsensor

Important! In the interest of security, change the Sensor Web User login password at your earliest opportunity.


9.3.4 Step 3: Set Addresses


You must provide a valid IP address, netmask, and gateway IP address for the Sensor to communicate with the AirDefense Server. You can manually set each Sensor's static IP address, Sensor Netmask, and Gateway IP address, or you can automatically receive these address settings from a DHCP (Dynamic Host Configuration Protocol) server.

Hint: For dedicated monitoring applications/devices, manually setting the addresses is often used to provide well known IP addresses for sensors and thus facilitate troubleshooting.

Use the Sensor UI to set the addresses. A detailed description is located in this chapter.

9.3.5 Step 5: Confirm Connectivity to the Server


Confirm connectivity to the Sensor by looking at the tree panel on the Sensor Dashboard panel of the Sensor UI. In order to do this:

Step 1: Log into the AirDefense Server.
Step 2: View the Sensor tree in the Dashboard tree panel. It should display the list of Sensors currently in your network. The new sensor will be listed under: Default Location > Default Group.


Chapter 9

9.4 Sensor UI

All Sensor network settings can be modified from either the Sensor UI or from the Sensor program area in the AirDefense GUI. Correct network settings are necessary for proper Sensor configuration. The Sensor UI consists of a display area and three tabs:

- Configure Sensor
- View Status
- Update Software


The display area and tabs are described in this chapter.

9.4.1 Display Area


The display area appears at the top of the window and lists information that the sensor has automatically detected:

- MAC address
- Software Version
- Hardware Model
- Sensor Up-time
- Information about the connection


9.4.2 Configure Sensor Tab


The Configure Sensor tab is the default tab in the Sensor UI. It contains controls that let you specify sensor settings. The following table lists these settings.

Model 500 Sensor settings and their descriptions:

- Sensor Name: Enter a friendly user name for the Sensor. When you open AirDefense, this is the name the Sensors will have in the tree panel area.
- Locate Sensor: This feature helps you physically locate and/or identify a Sensor. Select the Yes radio button to enable the Locate Sensor function. When you enable this button and then click Save, sensor LEDs begin blinking amber. Model 510: both LED1 and LED2 begin blinking. Model 520: LED1 and LED2 blink alternately with LED2 and LED3. WARNING! You must turn the Locate function off (select No) after you have completed your Sensor search.
- Primary AirDefense Server IP Address: Enter the Primary AirDefense Server IP address.
- Secondary AirDefense Server IP Address: Enter the Secondary AirDefense Server IP address.
- Use DHCP: Select the option of setting up your Sensor to use a DHCP Server. Choose Yes or No. If you choose No, type the server's IP Address, Netmask, and Gateway IP Address.
- Obtain DNS Automatically: Select the Yes or No radio button to indicate whether you want to automatically obtain DNS. If you select No, type the Primary DNS, Secondary DNS, and Domain Name.
- Use Syslog: Select the Yes radio button to use a Syslog host server for the Sensor data to be routed or not routed.
- Syslog Host: Enter the IP address of the Syslog Host server to which the Sensor data can be routed.


- Link Speed and MTU: Choose the link speed and Maximum Transmission Unit. Link Speed Control enables you to set the Ethernet interface to either auto-negotiate (default), or to fix the interface to 10Mbs or 100Mbs, Full or Half duplex.
- New Admin Password / Verify Admin Password: To change the password for an admin user, type the new password, and then verify it by typing it again.
- New Monitor Password / Verify Monitor Password: To change the password for a monitor user, type the new password, and then verify it by typing it again.
- Extended Channel Scan: Select Yes or No to indicate whether you want this sensor to be able to perform extended channel scans.
- FIPS Level Encryption: Select Yes or No to indicate whether you want to use FIPS level encryption. This setting controls the HTTPS encryption level between the sensor and the browser. When selected, the sensor will only allow AES encryption to the browser (Sensor UI). Only browsers that support this type of encryption (e.g. Firefox) will be able to connect to the Sensor UI once this setting is configured to 'Yes'. If you are using IE, do not select this option. Communication between the sensor and the server is not affected by this setting, and is always negotiated for AES.

After entering or changing configuration information, use the buttons along the bottom of the screen to:

- Restore to Factory Defaults: removes your changes and any other changes made in the past.
- Reboot: reboots the sensor.
- Cancel: discards changes.
- Save: applies changes and saves them on the AirDefense server and Syslog server.

The following screen shows the confirmation you see after your changes are saved and the sensor is about to reboot.


9.4.3 The Update Software Tab


The Series 500 Sensors have the ability to upgrade via anonymous FTP server. The Update Software tab contains a text box in which you can type the URL containing the IP address of the FTP server. For example <ftp://169.254.1.3/SNfirmware-4-2-510-23.img> (without the greater-than/less-than brackets). Note: Make sure that the upgrade message appears in the FTP server.

To update the sensor software, type the URL in the text box, and then click the Update button. The sensor downloads the file from the FTP server via anonymous FTP and checks it for validity. This includes checks for the following:
- Check to see if the file was signed via MD5.
- Check to see if the file was generated at AirDefense for the model 510 or model 520 sensors.
- Check to see if the proper length file was transmitted (not cut short or expanded along the way).
- Check to see if the whole file was transmitted without errors.


9.4.4 The View Status tab


The View Status tab displays information about the Sensor and lets you access the syslog. Information is displayed in two panes to reflect whether it pertains to the Wired or Wireless configuration.

Wired:
Ethernet IP Address Netmask Gateway

MTU

Wireless
Transmit Mode status 2.4GHz information
5GHz information


The Sensor Syslog Window

You can click the View Syslog button at the bottom of the View Status tab to see syslog details. The Sensor Syslog window displays real-time data on the sensor's status and events. Use the following buttons to manage the data the syslog displays:

- Refresh
- Return
- Clear Log
- Show device table in syslog


9.5 Troubleshooting the Model 500 Series Sensors


All sensor models have LEDs (Light Emitting Diodes) that provide status information about the device. Refer to the following table for descriptions of LED functionality.

9.5.1 Model 510 Sensor LED Functionality:


The standard orientation or positioning for the Model 510 Sensor is to have all LEDs at the bottom of the device (smiley face).

- LED 1 (bottom left) = Radio Activity Indicator
- LED 2 (center) = Power & Hardware Indicator
- LED 3 (bottom right) = Network Connectivity Indicator


9.5.2 Model 510 LED Status Indications


Each entry below gives the LED appearance followed by its description.

LED1: Radio Activity Indicator
- Off: Not connected to server OR connected and no wireless traffic
- Blinking GREEN: Radio traffic (on one or both a and b/g radios)

LED2: Power & Hardware Indicator
- Off: No power to the Sensor
- Solid GREEN: Power on and all hardware functioning properly
- Solid AMBER: Hardware problems (radio(s) not functioning properly or other hardware failure)

LED3: Network Connectivity Indicator
- Off: No network connection
- Solid AMBER: Physical connection to switch established
- Blinking AMBER - slow: Ethernet connection established, but no DHCP (if DHCP enabled)
- Blinking AMBER - fast: Other network connection issues
- Blinking GREEN - slow: Attempting to connect to server
- Solid GREEN: Connected to server

LED1, LED2, and LED3
- All LEDs GREEN for 1-2 seconds: All LEDs will turn green for 1-2 seconds on initial power up
- All LEDs AMBER: Firmware upgrade in process (do not unplug)

LED1 and LED3
- Both blinking AMBER (fast): Only when Locate command is issued through the Sensor UI


9.5.3 Model 520 Sensor LED Functionality


The standard orientation or positioning for the Model 520 Sensor is to have all LEDs at the bottom right of the device as you have it facing you.

- LED1: Power Indicator (Pwr)
- LED2: Link Indicator (Link)
- LED3: Network Connectivity Indicator (CON)
- LED4: Radio Activity (a/b/g) Indicator (Radio)


9.5.4 Model 520 LED Status Indications


Each entry below gives the LED appearance followed by its description.

LED1: Power Indicator
- Off: No power to the Sensor
- Solid GREEN: Power on and all hardware functioning properly
- Solid AMBER: Hardware problems (radio(s) not functioning properly or other hardware failure)

LED2: Link Indicator
- Off: No network connection
- Solid GREEN: Physical connection to Switch established

LED3: Network Connectivity Indicator
- Off: Ethernet connection established, but no DHCP (if DHCP enabled) -- assuming LED solid green
- Blinking GREEN - slow: Cannot establish network connection
- Blinking GREEN - fast: Attempting to connect to server
- Solid GREEN: Connected to Server

LED4: Radio Activity Indicator
- Off: Not connected to server OR connected and no wireless traffic
- Blinking GREEN: Radio traffic (on one or both a and b/g radios)

LED1 and LED2
- LED1 off and LED2 Solid GREEN: LED2 will turn green for 1-2 seconds on initial power-up; LED1 will be off

LED1, LED2 and LED3
- LED1 solid AMBER, LED2 and LED3 solid GREEN: Firmware upgrade in process (do not unplug)

LED1, LED2, LED3 and LED4
- LED (1&2) alternate blinking as a pair with LED (3&4): Only when Locate command is issued through Sensor UI


9.6 Using the Sensor CI for Model 400 Sensor

The Sensor Console Interface (Sensor CI) enables Sensor maintenance via direct access of the Sensor through its serial (console) port. This feature is particularly useful in the event of a lost Sensor IP address, or if the default IP address of the Sensor already exists in another device on the network. Without an IP address, you cannot initially access the Sensor UI to configure the Sensor.

9.6.1 How to Use the Sensor CI


Do the following to use the Sensor CI.

Step 1: Plug a laptop directly into the serial port of the Sensor, using a null modem.
Step 2: Open the HyperTerminal program (or comparable terminal emulation program).
Step 3: Go to the properties settings in the program. Make certain the communication and configuration settings are as follows:
- Communication Port: Com1
- Bits Per Second: 115200. (For AirDefense Sensor release below 4.0.0.7, use 9600.)
- Databits: 8
- Parity: None
- Stop Bits: 1
- Flow Control: None
Step 4: Press <Return> on the keyboard. Log in prompts appear.
Step 5: Log in to the Sensor as support, password: airdefense. A menu will appear on your monitor that shows the current settings and a list of numbered menu items. Using this menu, you can view, set, and save certain key network parameters, and if desired, restore the Sensor to its factory defaults (excluding admin/monitor passwords). Use the Reboot menu item when complete.

If the REBOOT option on the menu is not active, reboot the Sensor by manually powering down and powering up for the new settings to take effect. Once set, you can use the Sensor UI to further configure the Sensor.


9.7 Zero-Configuration Option

The Quick Start Guide describes the scenario for manual configuration of the IP address of the primary AirDefense appliance using the Sensor UI. After initial configuration, the user can administer Sensors by using the Sensor program area of the AirDefense Enterprise GUI. Alternatively, the network administrator can use the Zero-Configuration DHCP option, which allows you to issue vendor options from the DHCP server. On Linux DHCP servers, the 043 vendor specific option will usually have to be added into a configuration file; on Microsoft DHCP servers, it is chosen from the existing DHCP option 043 Vendor Specific Info. With option 043 configured, the sensors will be able to automatically request AirDefense primary server information from the DHCP server. This allows the user to add a sensor to the network with no preconfiguration.

9.7.1 Before you Start:


You must first download a utility to generate the vendor options string. Contact Support for the Zero-Config utility or log in to your Self Support account at http://support.airdefense.net and search for Setting up Zero Config DHCP for sensor under Solutions. Download the Zero-Config utility:
- For Windows, download gendhcp.exe
- For Linux, download gendhcp

9.7.2 Run the Zero-Config Utility:


Usage: gendhcp primary_address [secondary_address]

The secondary IP address is optional. If it is left blank, both the primary and secondary server will be set up the same.

Example:

gendhcp.exe 192.168.100.2 192.168.100.3

will produce the string:

01:06:41:44:77:69:64:73:02:04:c0:a8:64:02:03:04:c0:a8:64:03:ff

9.7.3 For Microsoft Windows 2000, 2003 DHCP Servers:


Open the DHCP utility, then go to the scope options for the DHCP scope you are placing the sensors in. Right click on Configure Options, then on the general tab scroll down to 043 Vendor Specific Info.

OR

If configuring a specific DHCP Vendor Class:

Step 1: Create a new Vendor Class with any name unique to that system.
Step 2: Add the vendor ID "adsensor" (without quotes) to the ASCII portion of the vendor ID field.
Step 3: From the server options, select Predefined Options for this vendor class.
Step 4: From the list of predefined options presented, choose 043 to be added to this vendor class.
Step 5: In the new 043 Vendor Specific Info, enter the new binary data from the output of genDHCP into the Binary area of the data field.

Note: This generated string is in binary and must be typed into the binary field; it cannot be cut and pasted into the ASCII field, as the string will be treated as ASCII instead of binary.

Important! At the time of this release, some versions of the Microsoft DHCP Server do not correctly implement predefined options under vendor class.

9.7.4 For Linux:


Under Linux, the following example shows the necessary lines to add to the dhcpd.conf file:

option dhcp-class-identifier "adsensor";
option vendor-encapsulated-options 01:06:41:44:77:69:64:73:02:04:ac:10:00:44:03:04:ac:10:00:b5:ff;
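The two option 043 strings shown in sections 9.7.2 and 9.7.4 follow a tag-length-value pattern, so they can be rebuilt and decoded to confirm which servers a DHCP scope will hand to sensors before it is deployed. The script below is an added example, not AirDefense code and not the gendhcp utility; the TLV layout, the function names, and the handling of a blank secondary address are assumptions inferred from the examples on this page.

```python
import ipaddress
import re

# Layout inferred from the page's two example strings (an assumption, not
# vendor documentation): tag 01 = identifier, 02 = primary server,
# 03 = secondary server, ff = end marker.
TAG_IDENT, TAG_PRIMARY, TAG_SECONDARY, END_MARKER = 0x01, 0x02, 0x03, 0xFF
IDENT = b"ADwids"  # bytes 41:44:77:69:64:73 in both examples
HEX_STRING = re.compile(r"[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2})*")


def encode_option43(primary, secondary=None):
    """Build the colon-separated hex string for the given server addresses."""
    if secondary is None:
        # Assumption: a blank secondary repeats the primary ("set up the same").
        secondary = primary
    out = bytearray()
    for tag, value in (
        (TAG_IDENT, IDENT),
        (TAG_PRIMARY, ipaddress.IPv4Address(primary).packed),
        (TAG_SECONDARY, ipaddress.IPv4Address(secondary).packed),
    ):
        out += bytes([tag, len(value)]) + value
    out.append(END_MARKER)
    return ":".join(f"{b:02x}" for b in out)


def decode_option43(text):
    """Parse an option 043 hex string; raise ValueError if it is malformed."""
    s = text.strip().rstrip(";").strip()  # tolerate a dhcpd.conf trailing ';'
    if not HEX_STRING.fullmatch(s):
        raise ValueError("expected colon-separated hex bytes")
    data = bytes.fromhex(s.replace(":", ""))
    fields, pos = {}, 0
    while True:
        if pos >= len(data):
            raise ValueError("missing ff end marker")
        tag = data[pos]
        if tag == END_MARKER:
            if pos != len(data) - 1:
                raise ValueError("data after ff end marker")
            break
        if pos + 1 >= len(data):
            raise ValueError(f"sub-option {tag:#04x} has no length byte")
        length = data[pos + 1]
        value = data[pos + 2 : pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {tag:#04x} is truncated")
        if tag in fields:
            raise ValueError(f"sub-option {tag:#04x} appears twice")
        fields[tag] = value
        pos += 2 + length
    result = {"ident": fields.get(TAG_IDENT, b"").decode("ascii", "replace")}
    for name, tag in (("primary", TAG_PRIMARY), ("secondary", TAG_SECONDARY)):
        raw = fields.get(tag)
        if raw is not None and len(raw) != 4:
            raise ValueError(f"{name} address is {len(raw)} bytes, expected 4")
        result[name] = None if raw is None else str(ipaddress.IPv4Address(raw))
    return result


def audit_option43(text, expected_servers):
    """Return a list of findings; an empty list means the string checks out."""
    try:
        decoded = decode_option43(text)
    except ValueError as exc:
        return [f"malformed: {exc}"]
    findings = []
    if decoded["ident"] != IDENT.decode():
        findings.append(f"unexpected identifier {decoded['ident']!r}")
    for role in ("primary", "secondary"):
        addr = decoded[role]
        if addr is None:
            findings.append(f"{role} server missing")
        elif addr not in expected_servers:
            findings.append(f"{role} server {addr} is not an expected server")
    return findings


if __name__ == "__main__":
    # String from the dhcpd.conf example on this page.
    linux_example = "01:06:41:44:77:69:64:73:02:04:ac:10:00:44:03:04:ac:10:00:b5:ff;"
    print(decode_option43(linux_example))
    print(audit_option43(linux_example, {"172.16.0.68", "172.16.0.181"}))
```

Running the audit against the value actually configured on the DHCP server catches a mistyped byte before sensors are pointed at the wrong address.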


9.8 Obtaining the Sensor IP Address

In order to access the web-based Sensor UI, you must first log in remotely from a web browser. This requires you to first determine and obtain the Sensor's IP address. Use the Sensor UI for initial configuration during Sensor installation. After initial configuration, you can administer Sensors by using the Sensor program area of the AirDefense GUI, in most cases. There are 2 methods to determine the Sensor's IP address:

- Method One: Observe broadcast UDP packet on port 10999 during start-up (Model 510 and 520 Sensors only)
- Method Two: Use the Enterprise GUI to view each sensor's IP address

9.8.1 Method One: Observe broadcast UDP Packet on start-up


Each sensor broadcasts a UDP advertisement packet on port 10999 on start-up. The installer can use freeware from Kiwi Syslog at http://www.kiwisyslog.com/ or equivalent to monitor network broadcasts. Kiwi Syslog Daemon is a freeware Syslog Daemon for Windows. It receives, filters, logs, displays and forwards Syslog messages and SNMP traps from hosts such as routers, switches, UNIX hosts and any other Syslog enabled device.

Step 1: Start the Kiwi Syslog program.
Step 2: Go to the Setup window and in the left-side directory tree panel select UDP.
Step 3: In the UDP Port text box, change the port number to 10999, then select the Apply button.
Step 4: Reboot the Sensor (by briefly removing the power connection), and monitor the messages.
Note: The user must be on the same subnet and you must temporarily turn off any personal firewalls.
Step 5: Match the Sensor MAC address to find the appropriate IP address.
Step 6: Now access the Sensor UI by opening your Internet browser and typing: https://<sensor_IP_address>

9.8.2 Method Two: Observe IP Address using Enterprise GUI


For this method all sensors must be connected to your Enterprise server. You can use this method if your server has the same IP address as the default Primary IP address (192.168.100.1) or the default Secondary IP address (192.168.100.2). All new sensors are programmed with these defaults and will automatically connect to these server IP addresses.

Alternatively, you can use the Zero-Configuration option, which will allow you to issue vendor options from the DHCP server. Add DHCP option 043 Vendor Specific Info to the DHCP server so that the sensors will be able to pull AirDefense primary server information from the DHCP server. This enables the sensor to be dropped on the network with no configuration. Please contact AirDefense Support or search for ZeroConfiguration options on our Self Support site to enable this feature.

From the AirDefense Enterprise GUI:

Step 1: Go to System Configuration by selecting Tools > Configuration > Sensor Manager.
Step 2: In the tree panel, find the new Sensors by clicking under Default Location > Default Group.
Step 3: Select and open your new Sensor(s).
Step 4: Select the Network tab to view the Sensor IP address in its applicable text box.


9.9 Using the Sensor Manager (GUI)

Once you have initially set up the Sensor, you can use the Sensor window in the AirDefense GUI to make subsequent settings to Sensors. You can also use the Sensor window to manage Locations, Groups, and individual Sensors in your wireless LAN, to update Sensors with the latest firmware, and to manage Terminations. (Also see Practical Applications on page 134.)

9.9.1 How to Use the Sensor Manager


You can use the Sensor window in the GUI to:

- Add Sensor Locations to your wireless LAN.
- Configure the settings for individual Sensors and Groups of Sensors in your wireless LAN. These include operation and network settings.
  Note: You must use the Sensor UI or the Sensor CI to make initial Sensor settings. Once complete, the configurations you are able to perform using Sensor are identical to the configurations you are able to perform using the Sensor UI or Sensor CI. Additionally, Sensor gives configuration information that is unique to the GUI.
- Identify the Location of Sensors in your wireless LAN, including their Groups. You can search for any Location, Group, or individual Sensor in your wireless LAN.
- View the status of a Sensor: whether or not it is active, and online with the AirDefense Server.
- Begin building your AirDefense hierarchy of devices, consisting of Location, Group, and Sensor.

For complete step-by-step instructions on how to manage Sensors using the GUI, see the Online Quick Help for Sensor: Sensors.


9.10 Upgrading Sensor Firmware

Updates to Sensor firmware are available from AirDefense, Inc. You can use either the web-based AirDefense GUI or the web-based Sensor UI to update Sensor firmware. Hint: Upgrading a Sensor places the firmware update file into the AirDefense database. The only way to remove it from the database is to use the ADDadmin utility DELFU, which is in the ADDadmin Manage program area.

9.10.1 Check the Current Sensor Version


Check to see if you require a Sensor upgrade.

Step 1: Right click on a sensor in the navigation tree.
Step 2: Select View/Edit Sensor Configuration.
Step 3: Look at the Software version on the Sensor Identification tab.
Step 4: Compare the version against the currently available firmware version. To access the Upgrade Server, you need to contact AirDefense support to acquire a username and password.

Example: If your current firmware version is 4.1.0.24, and the file in the current directory is SNfirmware-M4004-2.0.17, this indicates that a more current firmware version is available.

9.10.2 Obtain the Upgrade File


You can download the Sensor upgrade file directly to your local system from either the AirDefense Upgrade Server or a CD-ROM supplied by AirDefense.

9.10.3 Upgrading Firmware Using the AirDefense GUI


You can use the Sensor Upgrades window in the AirDefense Sensor program area to remotely update Sensors with the latest Sensor firmware. This feature has a Firmware Upgrade utility that retrieves the latest Sensor firmware file from its location in the AirDefense Upgrade Server, your local system, or a CD-ROM supplied by AirDefense, Inc.

Step 1: From the main AirDefense Control Panel, click on Tools > Sensor Upgrades to open
Step 2: The Sensor Upgrades window will appear.


9.10.4 Using the Sensor Upgrades window


Click on the Firmware Upgrades tab to initiate, download, update and manage Sensor upgrades. When updating firmware, it is important that the new version file name first appears in the Available Sensor Update List. This scroll list indicates that the firmware file is in your AirDefense Server, and is ready for downloading to your Sensors.

Part 1

Step 1: Check the Available Sensor Update scroll list to view the types of sensors that are available for your AirDefense server.
Step 2: Your AirDefense Server ships with the latest versions of Sensor Firmware. These are the Sensor hardware versions that automatically display until you download a subsequent update into the AirDefense Server, using the Load Update File button.
Step 3: This opens the Select Sensor Update File sub-window where you select the Sensor Firmware Files (*.img). Once you have selected the needed *.img file, select OK to return to the Sensor Upgrades window.

Part 2

Step 1: After the new Sensor firmware has been entered in the AirDefense Server and appears in the Available Sensor Update scroll list, you can add Sensors to the Sensor Update List by clicking the Add button, which opens the Choose Sensor Set sub-window.
Step 2: Click and highlight the Sensor you wish to add and click OK. This closes the sub-window and the Sensor then appears in the Sensor Update List.
Step 3: After the new Sensors are entered in the Sensor Update List, highlight the Sensors you wish to update, and click on Update to begin the update process. Sensors will only update with the versions that are displayed in the Available Sensor Update scroll list. The Update Status column keeps you informed of the update, indicating whether it is in progress, new or completed. Close the Manage Sensors window once you have finished.

The intended update can only take place if the firmware version that displays in the Sensor Update List matches the firmware version in the Available Sensor Update List, as in the example below.

To update a Sensor with a version of firmware other than the currently loaded version (the version that currently displays in the Available Sensor Update scroll list), you must first delete the Sensor off the Sensor Update List, load the new update into the AirDefense Server (so that it appears in the Available Sensor Update scroll list), then re-add the Sensor to the Sensor Update List. You can then proceed with the update.

9.10.5 Upgrading Using the Sensor UI


Step 1: Log in to the Sensor.
- Model 400: In the Update Firmware panel, click Browse to navigate to the locally saved firmware file and select the file. Click Commit. The Sensor firmware automatically upgrades. This process will take from one to two minutes, after which a status screen appears indicating success. If you receive a success indicator, you are finished. If you receive a failure indicator, go to step 2.
- Model 500: These Sensors also have the ability to upgrade via anonymous FTP. In the 500 Series Sensor UI, the default webpage contains a form field for "Upgrade URL". In this field type a URL containing the IP address of the FTP server and the filename of the load to be burned into FLASH. For example <ftp://169.254.1.3/SNfirmware-4-2-510-23.img> (without the greater-than/less-than brackets).
Note: During the upload process, the Sensor goes offline. It returns to an online state on completion of the upload.

Step 2: Reboot the Sensor and repeat the firmware upgrade.

Note: The upgrade will fail if one or more of the following occur:
- An incorrect Sensor update file was uploaded.
- The upgrade was interrupted on the Sensor end, for example, by a power outage. During the upload process, the Sensor receives the new firmware file, checks the data, and burns the data into its flash memory. If a power interruption takes place during this process, the Sensor will either reboot itself, or will have to be remotely rebooted. In this case, the Sensor reverts back to its factory-installed firmware version.
- The Sensor you are upgrading is on a different subnet from the default subnet (sshd 172.16.0.). To correct this, add the Sensor's new subnet to the AirDefense hosts.allow file. To do this, you must use the ADDadmin Configuration utility Hallow to edit the hosts.allow file. For instructions on using Hallow, see Configuring the System on page 85.


9.11 Practical Applications
Important! You must match each Sensor with the wireless LAN environment and configure Sensors properly to ensure accurate data reporting.

9.11.1 Radio Settings


Radio settings are per radio. For the AirDefense Sensors, you must configure each radio separately when setting up your Sensors.

- Radio 1: left antenna, 802.11b/g
- Radio 2: right antenna, 802.11a

9.11.2 Scanning Mode


Sensors have two user-selectable scanning modes:

- Lock on Channel
- Scan Channels

9.11.3 Lock On Channel


Select Lock On Channel if you want the Sensor to listen to network traffic on the selected channel. If you choose Lock on Channel, you must configure the channel in the Select Channel drop-down. Although you configure the Sensor to receive data on a particular channel (1-14 for 802.11a or 36-64 for 802.11b/g), depending on protocol, it may also receive data from adjacent channels, due to the overlapping nature of radio signals. This data also appears in the AirDefense GUI.

9.11.4 Scan Channels


Select Scan Channels if you want the Sensor to continuously scan one or more channels that you select, and spend a length of time (in seconds) you define scanning each channel. While in Edit mode, selecting this option enables Set Scan Pattern. Click this to select channels and the length of time the Sensor should listen on each channel.

9.11.5 Quick Scan Mode


Quick Scan provides a method for continuous monitoring of all available Sensor channels. Enabling Quick Scan simply places a one-second scan on each channel. There are two ways you can use Quick Scan Mode.

1 You can use Quick Scan Mode in conjunction with Scan Channels. In this method, the Sensor will scan the channels you selected in Scan Channels for the seconds you define. With Quick Scan enabled, the Sensor will also do a 1-second spot scan of all remaining channels. Quick Scan will not override a channel with a scan time already configured.
2 You can use Quick Scan Mode alone, which enables the Sensor to do a one-second scan of all channels.

9.11.6 Frame Capture


The AirDefense Frame Capture Mode feature enables you to capture raw data packets for viewing and archiving. The data is saved as capture files. The Frame Capture feature is found in the Live View window. To access the Live View window from the hierarchical tree, right-click on any device and then select Analyze - Live View. This window can also be accessed by clicking on the Forensic button on the control panel, to open the Forensic Analysis Wizard window. The Live View sub-window allows you to analyze real-time data traffic flow, both transmit and receive data, from the device you are viewing.

Use the Capture button to capture all frames sent to and from this device. This function basically acts as a "sniffer" of that device's real-time frames, and you can then export the data to external analyzer tools such as Ethereal or AiroPeek.

1 Select the Capture button; a Save As sub-window appears.
2 In the sub-window's provided text box, enter the name that you would like to save the file as. Select Save. The file is automatically saved in AiroPeek (.apc) format.
3 The Frame Capture window appears indicating that the function is now "sniffing" the device's data:
  This window provides the device number and the location on your local client where the file is being saved, and indicates the number of frames captured. These are the actual packets of 802.11 protocol that have been observed by the AirDefense sensor for that given device. The longer you keep the Frame Capture up, the more frames will be captured.
4 Select the Stop button to cease the frame capture. The sample is then saved as an .apc formatted file.

9.11.7 Link Speed Control


You must set this feature in the Sensor UI>Network Settings. Link Speed Control enables you to set the Ethernet interface to either auto-negotiate (default), or to fix the interface to 10Mbs or 100Mbs, Full or Half duplex.

9.11.8 Encryption Mode


To provide additional security, you can use Encryption Mode to encrypt data between the Sensor and the AirDefense Server.

Data Port: If you turn Encryption Mode On, the Sensor uses Port 443. If you turn Encryption Mode Off, the Sensor uses Port 80.

9.11.9 Sensor Reboot


This feature is only available from the Sensor UI>Status, and for use only by Sensor web users who have the role of Admin. You can find the Reboot button in the Sensor UI Status panel. Clicking on the Reboot button reboots the Sensor from a remote location.

9.11.10 Bandwidth Control or Minimum Bandwidth Mode


You can use the Sensor program area in the AirDefense GUI to configure Sensors for Bandwidth Control or Minimum Bandwidth Mode, depending on the version of Sensor firmware you are using.

Bandwidth Control

When you configure a Sensor for Bandwidth Control On, you limit the amount of bandwidth that the Sensor uses, which limits the amount of traffic that takes place on the wired side, between the Sensor and the AirDefense Server, regardless of how much traffic the Sensor is picking up in the air. Default = Bandwidth control on.

Limiting the bandwidth is especially useful if you are monitoring remote facilities with limited bandwidth, for example, sites that use 128 Kbps or 56 Kbps links. Sensors under bandwidth control use an adaptive algorithm to maintain monitoring fidelity while minimizing bandwidth consumption.

Minimum Bandwidth Mode

When you configure a Sensor for Minimum Bandwidth Mode On, the Sensor will use a minimum amount of bandwidth. This limits the amount of traffic that takes place on the wired side, between the Sensor and the AirDefense Server, regardless of how much traffic the Sensor is picking up in the air. If you also have Frame Capture Mode on for at least one Sensor radio, frame information may still be limited. When you configure a Sensor for Minimum Bandwidth Mode Off, the Sensor operates in its standard mode, i.e., sends logically compressed frames. (If Frame Capture Mode is On, the Sensor will use full frames.)

9.11.11 Sensor Deployment


AirDefense uses remote Sensors to collect data being transmitted by 802.11a, b, and g compliant devices and to send that data to a central AirDefense Server for analysis and correlation. The Sensors behave in a passive, listen-only fashion, thereby obviating the need for Access Point-like density and placement constraints. AirDefense's experience in real-world deployments indicates that our design principle of many Access Points monitored by a single Sensor is realized and works well. You should leverage any site surveys you conduct for placement of Access Points as aids to Sensor placement decisions.

Below is a list of areas that a site survey may identify that can guide Sensor placement. A typical site survey may include, but is not limited to, these areas.

Building Structure

Many materials used in building construction may significantly impact the propagation of signals in the 2.4-GHz spectrum.
- Concrete reinforcement bar
- Elevator shafts
- Electric motors (for example, blowers and generators)
- Lighting fixtures

Other Sources of Physical and Electromagnetic Interference

- Cordless phones and headsets
- Bluetooth devices
- Consumer cordless devices (for example, surveillance cameras, baby monitors, and video transmission extenders)

802.11a, b, g Device Density

- Support of high number of users
- Support of high bandwidth consumption
- Localization of wireless network service


Desired Granularity of Device Locality Information


While a single AirDefense Sensor may be capable of monitoring a very large area, it is often useful to consider a distribution of Sensors that, when reporting on a device, will give a sense of location of that device relative to a Sensor. For example, if there is only one Sensor in a large building, that Sensor may be able to see devices in most parts of the building. However, the only information available to the Sensor that it can use to locate an Access Point is that the Access Point is in the building. It is possible to distribute Sensors in such a manner as to provide a better idea of where a device is operating, such as by floor or wing where, even though many Sensors may see activity from a device, it is observable which Sensor receives the strongest, most consistent signal from the device. This allows for a significant narrowing of the possible locations of the device.

Desired Monitoring and Intrusion Protection Functionality

Organizations have varying requirements for monitoring and controlling the wireless medium around them. These requirements can be divided into four categories.

- Location Tracking: This requires that a device that is to be tracked can be observed by two or more Sensors.
- Connection Termination: This requires that a device that is to be terminated is within range of a Sensor sending termination signals.
- Policy Enforcement: To ensure adherence to policies or to detect attacks against managed devices, Sensors must be able to receive a representative sampling of traffic sent by all devices they are monitoring.
- Rogue Detection: Even sporadic emanations from wireless Stations and Access Points can reveal the presence of rogues. You need to place Sensors where transmissions from rogue devices can be detected in a timely fashion as soon as they enter the scanning area.

Assets to be Protected

- Wireless-capable devices that contain sensitive data must be protected.
- Wired networks: protecting the wire from wireless breach. This approach is key to making wireless monitoring deployment decisions in very large installations, such as military bases, airports, power plants, campuses, etc. A common perception is that wireless devices must be detected and monitored throughout a given property. This becomes impractical in many cases and an approach that protects the wired backbone allows for sane decisions about monitoring coverage.

9.11.12 Sensor Quantity, Location, and Installation


Using these factors in baseline decisions with regard to Sensor placement, the following coverage area guidelines may be applied to establish an effective deployment.

(All numbers are in square feet.)

802.11 b/g                                Location Tracking   Connection Termination   Policy Enforcement   Rogue Detection
Indoor/Office                             15000               17000                    20000                30000
Warehouse, Distribution, Manufacturing    19000               22000                    30000                45000
Outdoor, Hangar                           25000               30000                    40000                60000

802.11 a                                  Location Tracking   Connection Termination   Policy Enforcement   Rogue Detection
Indoor/Office                             11000               14000                    17000                25000
Warehouse, Distribution, Manufacturing    17000               19000                    26000                35000
Outdoor, Hangar                           19000               24000                    30000                45000

Where a sanctioned wireless LAN deployment is being monitored (not just rogue), this typically equates to six to eight Access Points per Sensor. A solid working guideline based on the above is approximately one Sensor per 20,000 sq. ft. of area to be monitored. In areas where Sensors may be exposed to harsh environments, Sensors may be placed in accessory enclosures (NEMA-4) that protect the Sensor and provide code compliance, regulatory compliance, or both.

9.11.13 Power and Data cabling


Sensors are often placed in areas that take advantage of pre-existing power and data cabling. These areas include wiring closets and other areas where IDFs may be located. Where these locations are somewhat shielded from the wireless environment, the Sensor may be extended to just outside of these spaces using standard power cords and pre-terminated data cables, obviating the need for additional, costly fixed runs. When practical, choose facilities that come as close as possible to centrally locating the Sensors in the intended monitoring space.

In instances where wiring closets, IDFs, or both are not ideally located for Sensor placement, Sensors may take advantage of Power Over Ethernet, either from a single power injector or a compliant switch. PoE injectors are available from AirDefense.

If there are gaps in coverage, or if deployment cost is a factor (due to the required density of Sensors or the cost of wiring to place Sensors in strategic locations), there are several relatively inexpensive remedies. Where wiring for placement in an ideal location is impractical, employ additional Sensors to correct as necessary. The FCC Rules regulate the use of antennas as aids to reception for the Sensors, in regard to the Sensor's 802.11 component. If antennas would greatly enhance the overall deployment, AirDefense is available to advise on the best approach for antenna application, considering both regulatory guidelines and the physical design of the Sensors.

In either case, always use facility floor plans to indicate where Sensors are placed and to indicate areas where a coverage test was done. This may be included in the AirDefense Operations Guide along with Sensor IP information and other Sensor attribute settings.


9.11.14 Sensor Coverage Planning Process


AirDefense Architect is a revolutionary software package that enables you to efficiently design, model, and measure 802.11a, 802.11b, and 802.11g networks, as well as plan your sensor coverage. Building facilities and campus environments can be quickly modeled using menus that guide you step-by-step. You can quickly place access points and predict signal coverage during the WLAN design phase. Post-WLAN deployment, you can use AirDefense Architect's powerful features for measuring network performance and validating network designs.

- Rapidly Design and Deploy More Efficient Networks: AirDefense Architect helps design quality wireless networks by helping to overcome the challenges of coverage holes, poor service areas and improper capacity and network resource allocation.
- Avoid Costly Retrofits: AirDefense Architect minimizes design and deployment costs by helping the designer visualize the physical location and configuration of installed network equipment, automatically placing and configuring access points, and accurately predicting network coverage and capacity.
- Simplify Complex Wireless Environments: Designers can quickly compare site-survey measurements to the expected network performance, enabling real-time and accurate design modifications. AirDefense Architect is intuitive and helps users rapidly operate and design in all phases of WLAN build-out and management.
- Included: AirDefense Survey functionality, which provides real-time, in-field measurements for site surveys. Seamlessly integrated into AirDefense Architect, measurements from AirDefense Survey can be used to optimize and compare its predictions.

In addition to planning all your Access Points prior to deployment, Architect also offers a Sensor planning feature. You can use the same building maps to carefully plan sensor placement, ensuring maximum coverage and no dead spots.

9.11.15 Sensor Coverage Survey Process


With anticipated Sensor locations mapped out, assessment of the effectiveness of that coverage can be accomplished based on correlating site surveys and assumptions discussed previously. The test procedure prescribed here will act as the final validation of Sensor location. Use AirDefense Architect to plan sensor placement or validate sensor placement using the following procedure (See Sensor Coverage Planning Process).

Customer Prerequisites

Documents that can aid in the determination of Sensor placement are:

- Floor Plans
- Existing Site Surveys
- Wiring layouts
- Regulatory rules and codes for wiring, construction, materials, etc., where applicable

During the survey, access to all areas to be monitored is required. Once Sensor placement recommendations are determined based on the above guidelines, the next step in the deployment is to assess the coverage being provided by the Sensors at the specified locations. Since Sensors are passive devices that do not have the capability to transmit data, the process of determining the Sensor coverage depends on a reverse site-survey process in which a signal is introduced in your Wireless LAN by a device, and the signal is tracked through the facility using the deployed Sensors.

Procedure: Following is a step-by-step process to accomplish this task.

1. Prepare a laptop that will run AirDefense Mobile r4.0 or later (or AirDefense Survey r1.1).
2. Prepare an 802.11a/g wireless device (Station or Access Point). The ideal output power for this device (around 40 mW) would be that of a retail quality Station card or Access Point, as these are likely rogue candidates. Note: A soft Access Point on a laptop is often an ideal target because it can be Locked On a channel and is battery powered through being hosted on a laptop.
3. Obtain Maps/Layouts of the facility and determine the traversal plan.
4. Start AirDefense Mobile.
5. Turn on the target device (Access Point, soft Access Point, or laptop/PDA with Station card).
6. AirDefense Mobile should detect the target device.
7. Identify the target device in the AirDefense Mobile device tree and use your mouse to right-click on it to display a list of options.
8. Use AirDefense Mobile Options to Lock On the channel on which the target device is discovered.
9. Right-click select the device in the Dashboard tree; select LiveView.
10. Focus on Signal Strength in the Decode tab in LiveView.
11. Verify that the target device is being tracked by AirDefense Mobile. When a Station card is being used as a target, significant peaks and valleys are observable in Signal Strength as the Station card rotates through channels probing for an Access Point. The peaks are indicative of the effective signal strength relative to AirDefense Mobile.
12. Move the target device to the anticipated fringe where a neighboring Sensor would become primary.
13. At the fringe of coverage, signal strength should be no less than 25% to assure termination ability.
14. Move AirDefense Mobile to the anticipated location of the next Sensor and use the same procedure to ensure that its anticipated coverage area is valid.
15. If the above Sensor placement proves adequate from a coverage and cost of placement perspective, factors observed during this analysis may be extrapolated to other locations of like construction.


10 Configuring Enterprise Features


This chapter is provided to help you properly configure the AirDefense enterprise and adapt it to optimally serve your diverse network needs.

10.0.1 In This Chapter


This chapter contains the following topics:

- About Air Termination
- About Policy-based Termination
- About Termination Controls
- About Domain Based Partitioning
- About VLAN
- Device Synchronization Configuration

10.1 About Air Termination

Use Air Termination to terminate the connection between your wireless LAN and any associated authorized or unauthorized Access Point or Station. Devices must be associated. To use this feature, you must be a user with the role of Admin or Manager.

You can use Air Termination to terminate the connection of any authorized or unauthorized Access Point or Station that appears either in the hierarchical trees or in information panels throughout AirDefense programs. This includes the Dashboard, Manage Alarms, Policy Manager, and Reports.

Air Termination supports:

- Single Device Termination, in which the Access Point connection is terminated and all Stations associated to the Access Point are de-authenticated, or the connection between a Station and an Access Point is terminated.
- Multiple Device Termination, which allows security administrators to terminate connectivity for multiple stations and devices simultaneously.

10.1.1 Using Air Termination


Once Air Termination is enabled (see Air Termination on page 94), it is executed by right-clicking on a device icon and selecting Air Terminate/Disconnect from the drop-down selection options. The Terminate selection is only visible if you are a user with the role of Admin or Manager. If Terminate is grey, the device cannot be terminated. Additionally, AirDefense will immediately indicate if your Sensor is not enabled for termination, or if you cannot terminate the device because the Sensor is not capable of termination.

Air Termination is managed using the Terminations management sub-window, which is accessed via the View > Terminations drop down menu. For more information on how to determine if a Sensor is Air Termination-ready and to configure and use Air Termination, refer to the Help Contents from the Help Menu.

10.2 About Policy-based Termination

Policy-based Termination is the automated form of AirDefense Air Termination. Using Policy-based Termination, you can formulate an action plan to automatically terminate the connection between your wireless LAN and any authorized or unauthorized Access Point or Station, based on alarms. Devices must be associated. To use this feature, you must be an AirDefense user with the role of Admin or Manager. You can use Policy-based Termination to automatically terminate the connection of any authorized or unauthorized Access Point or Station that receives any alarm you specify, and for any Sensor you specify. Because Policy-based Termination is based on alarm selection, you must use the Manage Alarms program area in the AirDefense GUI to manage Policy-based Termination Action Plans (also see Managing Alarms on page 43).

10.2.1 Prerequisites for Using Policy-based Termination


To use Policy-based Termination, you must configure all necessary settings in the GUI to enable the system for Air Termination and then configure some additional settings to enable Policy-based Termination. Once it is enabled for use (see Policy-based Air Termination System Enabled on page 94), you formulate policies using a Termination Policy Editor in the Manage Alarms program area. AirDefense automatically terminates any device that violates a set policy. For more information on how to configure and use Policy-based Termination, go to the Manage Alarms program area in the GUI, click on Quick Help from the Help Menu, and then click the Quick Help cursor (question mark) over the Termination Policies button.

10.2.2 Managing Policy-based Terminations


Because Policy-based Termination is based on alarm selection, you must use the Termination Policies subwindow in the AirDefense GUI to manage Policy-based Termination Action Plans. To access this function you must go to: Tools > Configuration > Policy Manager > Termination Policies.


Use this editor to formulate an Action Plan that, based on alarms, automatically terminates the connection between your wireless LAN and any authorized or unauthorized Access Point or Station. You can do this for any single alarm and for any single Sensor.

For complete steps on how to use the GUI to activate Air Termination and Policy-based Termination in AirDefense, and how to formulate Action Plans for Policy-based Terminations, go to the Alarms program area in the GUI and click on Quick Help in the Help Menu.

10.3 About Termination Controls

AirDefense r7.2 Air Termination and Policy-based Termination have internal controls that prevent AirDefense users from indiscriminately terminating devices. AirDefense only allows targeted termination of the specific devices that fall into one of the following categories:

- Unauthorized APs detected as physically attached to your private wired network
- Unauthorized clients attacking (known signature) or improperly connecting to your authorized wireless network of APs
- Authorized clients and authorized APs; to handle internal policy or misuse scenarios, including cases where authorized clients are improperly attaching to unauthorized APs

10.4 Domain-Based Partitioning

Domain-Based Partitioning allows a user with Administrator privileges to partition the Locations by user and restrict the data each user can view to the domain defined for that user. Each domain can include multiple Locations and corresponding Groups. After you enable Domain Partitioning, users with admin permissions can define Domains, and then assign them to other users. This feature is particularly important to Managed Security Services Providers who offer a Managed Service and host multiple customers on the same appliance. Only users with Administrative privileges can assign the domain for a user.

Note: The Domain Management window does not appear in the Appliance Manager list unless Domain Partitioning Enabled is first activated on the System window.

10.4.1 Enabling Domain Based Partitioning


1. Select Tools > Configuration > Appliance Manager > System
2. Select Enable Domain Based Partitioning

10.4.2 Assigning Domains to Users


1. From the AirDefense Dashboard, click on the Tools > Configuration drop down menu to open the System Configuration window.
2. Select the Appliance Manager button. Then click on the Users button.
3. Select an existing user under the View tab (or if creating a new user go straight to configure).
4. Select the Configure tab and click on the Edit button or the Add button when creating a new user.
5. Under Domain, select one of the pre-defined domains from the drop down menu (System is the default domain for the whole Enterprise system).
6. Click Apply to save, or Cancel to exit without saving.

10.4.3 Establishing Domains


Only a user account with Administrative privileges can establish Domain Based Partitioning.

1. Log in to the AirDefense GUI. The GUI is accessible by logging in remotely from a secure web browser. It is not accessible from the AirDefense Server.
2. From the top Control Panel, click on the Tools > Configuration drop down menu to open the AirDefense System Configuration program area.
3. Click on the Appliance Manager icon button to access the Appliance Manager program area.
4. Click on the System icon button to open the System Settings window.

A Domain consists of one or more Locations. You can edit, add or delete a domain under the General tab. Under the Locations tab, you can edit, add or delete a Location to a Domain.

Use the following buttons for both the General and Location tabs to complete an operation.

Button    Description
Add       Select to add a new profile record.
Delete    Select to delete a profile on record.

10.4.4 Adding Domains on the General Tab


On the General Tab, enter information for domain locations by using the following steps:

1. Select the Add button to activate the tab's features.
2. In the Select Domain drop down list, choose an existing domain as defined by the Administrator or in the Domain Name text box, enter a new domain name.
3. Enter a description of the domain in the Description text box; this is not a mandatory field.
4. The Applied to Users area contains a list of user names belonging to that domain and is read-only. Domains are assigned to a user when editing or adding a user under User Management (See: Config > Appliance Manager > User Mgt).
5. You must then click the Locations tab because you must have at least one Location to which the Domain applies. If you try to select Apply without adding a Location, you will get the following message.
6. Once you have selected one or more locations on the Location tab, click the Apply button.

As soon as you have added a Domain you can then proceed to the User Management window and select the Configure tab to add a Domain to a user.


10.4.5 Using the Locations Tab


This tab allows administrators to add, edit or delete Locations as part of a domain. The Locations that appear on this window are added on the Sensor Manager window's tree panel. You must first add Locations in the Sensor Manager window in order to have any selections on this tab.

Select the Apply button in order to activate the features on the Locations tab and use the arrow buttons to move Domains from the All Locations section to the Locations In This Domain section and vice versa.

10.5 About VLAN

AirDefense enables you to monitor the use of VLANs that are partitioned on the Access Point by an SSID. If the VLAN is not used correctly, AirDefense generates an alarm.

10.5.1 Policy
The Policy program area has full support for VLAN configuration. You can do the following in Policy:

- Indicate an AP is a VLAN.
- Authorize SSIDs.
- Configure the Configuration Policy for each SSID.
- Configure the Vendor Policy for each SSID.
- Authorize Stations per VLAN.

10.5.2 Station Authorization


Station Authorization per VLAN has been implemented fully through the system.

- An authorized Station associating to an authorized SSID generates no alarm (Equivalent to authorized Station associating to an authorized AP).
- An authorized Station associating to an unauthorized SSID generates no alarm (Equivalent to authorized Station associating to a Rogue AP).
- An unauthorized Station associating to an unauthorized SSID generates no alarm (Equivalent to an unauthorized Station associating to a Rogue AP).
- An unauthorized Station associating to an authorized SSID will generate an alarm (Equivalent to an unauthorized Station associating to an authorized AP).
- A Station whose SSID is currently not known will only generate an alarm if it is not authorized on at least one authorized SSID.

10.5.3 Other VLAN Information


- VLAN Performance alarms behave the same as with a normal AP.
- An AP configured as VLAN will not generate the AP Mode Change: ESS ID Change alarm.
- When a customer system is upgraded to the first Service Module, any VLAN configurations for Configuration and Vendor policy will begin to take effect.

10.6 Device Synchronization Configuration

AirDefense Enterprise's Device Synchronization Configuration window allows you to configure devices automatically by extracting information from third party wireless management systems such as Cisco, WLSE, and AirWave. This window contains the following three tabs:

10.6.1 Common Settings Tab


This tab allows you to specify a different configuration for a device originating from the external system depending on the device's SSID. The supported configurations are authorize/unauthorize or ignore. Example: A user might want to specify on the Common Settings tab that all devices using SSID "Guest" should be ignored while the ones using "CORP" should be automatically authorized.

10.6.2 To add a new device SSID configuration:


1. Click the Edit button to activate the Common Settings tab's features.
2. In the text box adjacent to the SSID List column, enter the SSID number of the device you wish to synchronize on the system. Then select the appropriate radio button to designate the device SSID to be Authorized, Unauthorized or Ignored on the system.
3. Use the Reset button to discard any changes made in this text box and/or radio button without saving any changes.
4. Select the Add SSID button. The new SSID is saved and added to the SSID List column.

Note: Once you have added new device entries to the SSID List, you can go to the Action column and double-click on it, opening a drop down list with the same options to Authorize, Unauthorize or Ignore the device on the AirDefense system.

5. To remove SSID devices that have been added to the SSID List, highlight the device row and select the Remove SSID(s) button. The device is immediately removed from the list.
6. To commit the device(s) that you have added to the SSID List to the AirDefense system, select the Apply button. The devices are then detectable by AirDefense and all options on the Common Settings tab are disabled.

10.6.3 WLSE Tab


Use the WLSE tab configuration options to synchronize information between a Cisco Systems, Inc. CiscoWorks WLSE (Wireless LAN Solution Engine) Server and the AirDefense Server so that they can interface with each other.

Note: A user with proper credentials is required to access the WLSE functions.

Once you configure the AirDefense Server for WLSE, it will periodically synchronize itself with a WLSE Server.


To create a new WLSE synchronization configuration:


1. On the WLSE tab, select the Add button to activate the tab's features. At any time use the Cancel button (located in the lower-right corner of the GUI) to discard any changes made without saving or committing them to the AirDefense Server.
2. Choose a synchronization period from the available drop down list. Your choice determines how often your AirDefense Server will retrieve information from a WLSE Server.
   Recommendation: AirDefense, Inc. recommends that you use this parameter with caution. In large networks the synchronization could become very expensive and time consuming. The recommended settings are 24 hours or 2 hours. Choose a period lower than that only if you are certain that it will not affect the performance of the server. It is also recommended that you run a test synchronization (using the Run button) to determine how long the AirDefense Server takes to perform this operation.
3. For the WLSE Host or IP Address text box, enter the DNS host name or IP address of the WLSE Server.
4. Enter the User name and Password in their pertinent text boxes, then reenter the password in the Confirm Password text box.
5. In the Protocol drop down, enter whether the protocol is http or https and in the Port text box, select 443 as the default for https and 1741 as the default for http.
6. For Sync AP Wireless IP Address, select either of its radio buttons to:
   Yes: Use the wireless interface IP to import the AP.
   No: Do not use the wireless interface IP to import the AP.
7. For Sync AP Wired IP Address, select either of its radio buttons to:
   Yes: Use the wired interface IP to import the AP if the wireless IP is disabled or not present.
   No: Do not use the wired interface IP to import the AP.
8. For Sync AP Hostname, select this radio button option if you want the DNS name of the Access Point to have the value of the host name in WLSE.
   Yes: Import the Access Point with its host name.
   No: Do not import the Access Point with its host name.
9. For Sync Station Authorization, select this radio button option if you want Stations associated with managed APs to be considered authorized in AirDefense. The reason for taking this action is that Stations associated with managed APs probably went through proper authentication, and can therefore be considered authorized. However, this may not always be true.
   Yes: Enable automatic Station authorization.
   No: Disable automatic Station authorization.
10. Once you have entered the WLSE configuration settings you wish to implement, select the Apply button to save and apply them to the AirDefense Server.

To Troubleshoot WLSE Connectivity

If you are having difficulties synchronizing AirDefense with WLSE, select the WLSE tab's Run button, which allows you to request a synchronization immediately. When the Run button is selected, an Import Status window appears, displaying devices imported into the system. The imported devices are represented by blue icons until the devices are actually detected by any of the sensors.

10.6.4 AirWave Tab


The AirWave tab provides configuration management for AirWave servers, and enables AirDefense to detect station and AP devices that reside on it. Use this function to add server parameters so that devices can be imported and monitored by AirDefense.


11 Managing Switches
This chapter is provided to help you properly configure the AirDefense enterprise and adapt it to optimally serve your diverse network needs.

11.0.1 In This Chapter


This chapter contains the following topics:

- Adding/Configuring a Switch
- About Port Lookup
- About Port Suppression

11.1 Adding/Configuring a Switch

The Add Switch and Import Switches buttons on the Sensor Manager window control the addition of switch devices to the AirDefense appliance so that devices (such as APs and stations) that are connected to that switch can be detected. When switches are added, they will appear as icons in the tree panel branching off the major Groups from the Enterprise system to which they are assigned. In networks, a switch is a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model and therefore support any packet protocol. LANs that use switches to join segments are called switched LANs or, in the case of Ethernet networks, switched Ethernet LANs. For more information on the icon designations of switches that are found in the tree-panel, refer to the online help topic for Icons, Switches.

11.1.1 Requirements for Port Lookup and Port Suppression


Adding known managed switches to the Enterprise system allows the user to suppress wireless devices connected to a switch port if they pose a threat to your network. The following is a list of requirements that must exist on your AirDefense system in order for the Port Lookup and Port Suppression functions to work.

- The switch needs to support SNMPv2c or SNMPv3.
- The switch's SNMP agent needs to be enabled and accepting SNMPv2 or SNMPv3 requests.
- The switch needs to 'correctly' and 'fully' implement RFC 1213, also known as MIB-II. This is a very common MIB that most network devices implement.
- The switch needs to 'correctly' and 'fully' implement RFC 1493, also known as BRIDGE-MIB. This is a MIB that most high-end Ethernet managed switches support.
- If the SNMP agent of the switch supports security views, the community configured in AirDefense to communicate with the switch needs to have full read-access to all objects (variables and tables) of both MIBs, MIB-II and BRIDGE-MIB. If it is desired to use not only the port lookup feature but also the port suppression feature, read-write access to those MIBs will have to be provided as well. AirDefense will use the Read Community for read access and the Write Community for write access (shutting down the port).
- UDP connectivity between the AD server and the switch is necessary. The standard port for SNMP agents is 161 (configurable in AirDefense; some switches will also allow you to configure this). If there is a firewall in between, that port needs to be open.
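
Why both MIBs must be fully readable, shown as an added example (not AirDefense code and not part of the original guide): resolving a wired-side MAC address to a physical port needs the BRIDGE-MIB forwarding table, the BRIDGE-MIB port-to-ifIndex table, and the MIB-II interface table together. The OIDs are the standard RFC 1493 and RFC 1213 ones; the function names and the snmpwalk-style sample are constructed, and that AirDefense resolves ports this way is an assumption.

```python
"""Resolve a MAC address seen on the wire to a switch port using BRIDGE-MIB and MIB-II.

Works on `snmpwalk -On` style text so it runs offline. SAMPLE_WALK is constructed
for illustration; it is not output from a real switch.
"""
import re

# Standard column OIDs: RFC 1493 (BRIDGE-MIB) and RFC 1213 (MIB-II).
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"        # learned MAC -> bridge port
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # bridge port -> ifIndex
IF_DESCR = "1.3.6.1.2.1.2.2.1.2"                    # ifIndex -> interface name
IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"             # ifIndex -> up(1)/down(2)/testing(3)

ADMIN_STATES = {1: "up", 2: "down", 3: "testing"}
LINE_RE = re.compile(r"^\.?([0-9.]+)\s*=\s*([\w-]+):\s*(.*)$")

SAMPLE_WALK = """\
.1.3.6.1.2.1.2.2.1.2.10001 = STRING: "FastEthernet0/1"
.1.3.6.1.2.1.2.2.1.2.10003 = STRING: "FastEthernet0/3"
.1.3.6.1.2.1.2.2.1.7.10001 = INTEGER: up(1)
.1.3.6.1.2.1.2.2.1.7.10003 = INTEGER: up(1)
.1.3.6.1.2.1.17.1.4.1.2.1 = INTEGER: 10001
.1.3.6.1.2.1.17.1.4.1.2.3 = INTEGER: 10003
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 3
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.170.187.204 = INTEGER: 1
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.0.0.9 = INTEGER: 0
"""


class PortLookupError(Exception):
    """A table needed for the lookup is missing or incomplete."""


def parse_walk(text):
    """Return {numeric_oid: value}; lines such as 'No Such Object' are skipped."""
    values = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            values[match.group(1)] = match.group(3).strip().strip('"')
    return values


def column(walk, base_oid):
    """Return {row_index: value} for every OID under one table column."""
    prefix = base_oid + "."
    return {oid[len(prefix):]: val for oid, val in walk.items() if oid.startswith(prefix)}


def mac_to_index(mac):
    """'00:11:22:33:44:55' -> '0.17.34.51.68.85' (the dot1dTpFdbTable row index)."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6:
        raise ValueError("expected six octets in MAC address: %r" % mac)
    return ".".join(str(int(octet, 16)) for octet in octets)


def lookup_port(walk_text, mac):
    """Return the port a MAC was learned on, or None if the switch has not learned it."""
    walk = parse_walk(walk_text)
    fdb = column(walk, DOT1D_TP_FDB_PORT)
    base_ports = column(walk, DOT1D_BASE_PORT_IFINDEX)
    names = column(walk, IF_DESCR)
    admin = column(walk, IF_ADMIN_STATUS)

    # An SNMP view that hides any of these tables breaks the whole chain.
    required = (("dot1dTpFdbPort", fdb), ("dot1dBasePortIfIndex", base_ports),
                ("ifDescr", names))
    missing = [name for name, rows in required if not rows]
    if missing:
        raise PortLookupError("not readable with this community/view: " + ", ".join(missing))

    bridge_port = fdb.get(mac_to_index(mac))
    if bridge_port is None or bridge_port == "0":
        return None  # unknown MAC, or RFC 1493 value 0: port not learned

    if_index = base_ports.get(bridge_port)
    if if_index is None or if_index not in names:
        raise PortLookupError("bridge port %s has no matching interface row" % bridge_port)

    state = re.search(r"\d+", admin.get(if_index, ""))
    return {
        "bridge_port": int(bridge_port),
        "if_index": int(if_index),
        "name": names[if_index],
        "admin_status": ADMIN_STATES.get(int(state.group()), "unknown") if state else "unknown",
    }


if __name__ == "__main__":
    print(lookup_port(SAMPLE_WALK, "00:11:22:33:44:55"))
```

Running the same lookup against a walk taken with the Read Community AirDefense will use is a quick way to confirm that a security view is not hiding one of the three tables.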

11.1.2 Trapeze Integration


The user can synchronize devices between AirDefense Enterprise and Trapeze, by importing a list of authorized Access Points from the Trapeze MX switch. The Trapeze switches must be added in a similar fashion to standard switches for suspicious device discovery. Go to Add Switch or Import Switches under Sensor Manager to add a Trapeze switch and make sure to select Trapeze MIB under MIB Support. Once the Trapeze MX switches are added, the Enterprise system will recognize all Trapeze Access Points as authorized devices.


11.1.3 Accessing the Switch Configuration GUIs


To access and configure Switch GUIs:

1. Click on the Config button to open the AirDefense System Configuration program area.
2. Click on the Sensor Manager icon button to access the Sensor Manager window.
3. From the Sensor Manager window, click on the Add Switch or Import Switches buttons to open their respective GUIs.

Note: If you transition from Add Switch to Import Switches you may need to select Commit or Reset changes buttons before proceeding.

11.1.4 Adding Switches


Select the Add Switch button to open the Switch Information panel tab (you remain on the Sensor window). The following table describes the functions and options found in the Switch Information tab.

Function: Description

Edit: Select this button in order to activate the fields and features for editing.

Reset: Returns to the previous settings without making changes.

Commit: Saves changes to the AirDefense database when selected. Once you have saved changes the new Switch will appear in the AirDefense tree panel when you select the Display Order drop down list (1st one) and select Switch.

Test Switch: Selecting this button detects whether the switch is connected to the network. If you are testing a Trapeze networked switch, and it is properly connected and/or imported, a popup dialogue window appears stating: "Import successful. Devices Imported". If you are testing a Bridge MIB switch, then selecting this button causes the Port Status window to appear, showing the MAC Address table.

Name: Enter the name of the Switch.

IP Address: Enter the IP address of the Switch. Note: This entry is mandatory.

SNMP Port: Enter the Simple Network Management Protocol port number for this Switch. This is normally 161, but it can be different.

SNMP Version: In this drop down list choose between v2c or v3 as the SNMP version used.

Read Community: Enter the Read Community string, which is used for the SNMP authentication.

Write Community: Enter the Write Community string, which is used for the SNMP authentication.

SNMP User: This is the name of the v3 user, which is configured on the switch for SNMP v3 access.

Authentication Algorithm, Authentication Passphrase, Privacy Algorithm, Privacy Passphrase: These are all SNMP v3 parameters that have to match what is set on the switch.

MIB Support: Choose the checkbox for which type of Management Information Base (MIB) support the switch has.
    Bridge MIB - When selected, designates the switch as a source of wired-side MACs.
    Trapeze MIB - When selected, designates the switch for importing Trapeze Access Points.

Enabled Yes/No: Select the Yes or No radio buttons for the Switch to be enabled/disabled for MAC Address lookups in AirDefense. When the switch is enabled (Yes), the switch icon graphic in the tree panel will be green. When the switch is not enabled (No), the switch icon graphic in the tree panel will be red.

Description: Add any miscellaneous information about the Switch in this text.

Online (read-only): The online status is determined by the server's communication with the switch, and cannot be accessed by an AirDefense user.

Manufacturer (read-only): The manufacturer of the Switch is automatically added if the system is able to connect to the Switch.

Model (read-only): The specific model of the Switch is automatically added if the system is able to connect to the Switch.


Note: Once you have added a few switches into AirDefense they will appear in the tree panel when you go to the Display Order drop down list (top one) and select Switch. The list will appear similar to the following:

Color Coding for Switch Icons


The settings made enable the switch to search for MAC Address lookups and the status of the server's condition. These adjustments also make the switches change color and appearance (red/green/gray/blue) to reflect their status on the Enterprise system.

Enabled   Online (read-only)   Tree-panel Icon Color
Yes       Yes                  Green
No        Yes                  Gray
Yes       No                   Red

11.1.5 Importing Switches


Select the Sensor Manager window's Import Switches button to open the function panel and import an external Switch into the AirDefense appliance.

Imported Switches List


The following table describes the functions and options found in the Switch Information tab.

Function: Description

Import: Select the Import button to open the file Open window, browse to the location of the appropriate Switch file to import and select the Open button.

Import Status: This read-only field indicates whether you have successfully or unsuccessfully imported a Switch file into AirDefense.

Number of Switches Imported: This read-only field lists the number of Switches that have been imported.

This read-only list displays columns for the Switch Name and the Host. Once you have successfully imported a Switch, these columns will appear as the following:

Importing Access Points and Stations requires specific file formats.

11.1.6 File Format for Importing Switches


The file for importing Switches should contain rows of data, one row for each Switch being imported into your AirDefense wireless LAN. Each row is separated by a carriage return or new line character. If the Switch being imported is already in the system, the import overwrites the field values, based on the address. The text field values are overwritten, regardless of letter case. The fields must include the following information:

Switch Name
Switch IP Address
SNMP Port
SNMP Version
Read Community
Write Community
SNMP User
Authentication Algorithm
Authentication Passphrase
Private Algorithm
Private Passphrase
Bridge MIB Support (True or False)
Trapeze MIB Support (True or False)
Enabled (True or False)
Description
Group
Location

Important! If you are not going to use a field in a Switch file, or specify any detail in it, enter null for its value. If you import a Switch to a Location/Group that does not exist in the system, the system will import switches into the Default Location/Group.

11.1.7 Imported Switch Files:


Example 1:
myswitch_01,192.168.0.70,161,v3,public,private,myuser,MD5,ABC12345,DES, 87654CBA,true,true,true,mydescription,Default Group, Default Location

Example 2:
myswitch_02,192.168.0.81,161,v2c,public,private,null,null,null,null, null,false,true,true,mydescription,Main Building[Group],New York[Location]
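
The import file carries SNMP credentials in clear text, so it is worth checking before it is loaded. The following pre-import check is an added example, not part of the AirDefense product or this guide: it parses rows in the field order listed in 11.1.6 and reports format errors and risky settings. The function names, the warning rules and the second sample row are assumptions made for this illustration.

```python
import ipaddress

# Field order as listed in section 11.1.6 of this guide.
FIELDS = [
    "name", "ip", "snmp_port", "snmp_version", "read_community",
    "write_community", "snmp_user", "auth_algorithm", "auth_passphrase",
    "priv_algorithm", "priv_passphrase", "bridge_mib", "trapeze_mib",
    "enabled", "description", "group", "location",
]
BOOL_FIELDS = ("bridge_mib", "trapeze_mib", "enabled")
# Assumption of this example: flag the widely known default community strings.
DEFAULT_COMMUNITIES = {"public", "private"}
WEAK_V3_ALGORITHMS = {"md5", "des"}

# The two example rows printed in section 11.1.7 (line wrap removed).
PAGE_EXAMPLES = [
    "myswitch_01,192.168.0.70,161,v3,public,private,myuser,MD5,ABC12345,DES, "
    "87654CBA,true,true,true,mydescription,Default Group, Default Location",
    "myswitch_02,192.168.0.81,161,v2c,public,private,null,null,null,null, "
    "null,false,true,true,mydescription,Main Building[Group],New York[Location]",
]
# Constructed row with several format errors, for demonstration only.
CONSTRUCTED_BAD_ROW = ("edge_sw,10.0.0.300,70000,v1,s3cr3tRO,s3cr3tRW,"
                       "null,null,null,null,null,yes,false,true,null,null,null")


def parse_row(line):
    """Split one import row into a dict; the literal 'null' becomes None."""
    values = [v.strip() for v in line.strip().split(",")]
    if len(values) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(values)))
    return {name: (None if value.lower() == "null" else value)
            for name, value in zip(FIELDS, values)}


def check_row(line):
    """Return (errors, warnings) for one row of a switch import file."""
    errors, warnings = [], []
    try:
        row = parse_row(line)
    except ValueError as exc:
        return [str(exc)], warnings

    if not row["name"]:
        errors.append("switch name is empty")
    try:
        ipaddress.ip_address(row["ip"] or "")
    except ValueError:
        errors.append("IP address is mandatory and must be valid")
    port = row["snmp_port"] or ""
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        errors.append("SNMP port must be 1-65535")
    version = (row["snmp_version"] or "").lower()
    if version not in ("v2c", "v3"):
        errors.append("SNMP version must be v2c or v3")
    for field in BOOL_FIELDS:
        if (row[field] or "").lower() not in ("true", "false"):
            errors.append(field + " must be true or false")

    for field in ("read_community", "write_community"):
        if (row[field] or "").lower() in DEFAULT_COMMUNITIES:
            warnings.append(field + " is a well-known default string")
    if row["write_community"] and row["write_community"] == row["read_community"]:
        warnings.append("read and write community are identical")
    if version == "v2c":
        warnings.append("v2c sends community strings unencrypted")
    if version == "v3":
        if not row["snmp_user"]:
            errors.append("v3 requires an SNMP user")
        for field in ("auth_algorithm", "priv_algorithm"):
            value = row[field]
            if value is None:
                warnings.append(field + " not set")
            elif value.lower() in WEAK_V3_ALGORITHMS:
                warnings.append(field + " " + value + " is a weak algorithm")
    return errors, warnings


if __name__ == "__main__":
    for sample in PAGE_EXAMPLES + [CONSTRUCTED_BAD_ROW]:
        print(sample.split(",")[0], check_row(sample))
```

Both rows from 11.1.7 pass the format checks but are flagged for their community strings, which is the reason to replace sample values before a real import.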


11.2 About Port Lookup

This window, which is accessed from either the AirDefense tree panel or by right-clicking individual devices on window table lists, allows for a convenient method to quickly locate the physical port that an authorized/unauthorized device is using to connect to your network. The following table provides detail on the Port Lookup window's functions and features.

Function: Description

Device MAC Address: A read-only line that provides the device type icon (typically an Access Point) and its MAC Address.

MAC Address List: Lists the MAC Addresses of devices that are connected to the device you are performing Port Lookup on.

Add MACs In Range checkbox: Use this checkbox option to perform a range lookup of MAC addresses for devices in order to find a hacker/intruder or unauthorized device. Select the up/down arrows to add/remove additional ranges of device returns. For example, suppose you are performing Port Lookup for a device whose last 2 characters are: 04. When you select 3 for Add MACs In Range, 3 tiers of MAC Addresses above and below the 04 address appear: 07, 06, 05 -- 04 -- 03, 02, 01. When this option is de-selected, nothing will appear in the MAC Address List. Note: Range default is 1, maximum is 10.

Add Associated Stations checkbox: When this checkbox is selected, Port Lookup searches for any stations associated with the selected device and lists them with their MAC Addresses below the devices that it finds.

Additional MACs Add/Remove buttons: In the Additional MACs text box, enter the MAC Address for any additional devices you wish to look up the status of their ports.

Start Lookup: Click this button to open the Port Status window. This window lists all devices that match the MAC Address List column and any additional MAC Addresses you entered manually. If any unauthorized devices are connected to the device's ports, they will appear here, with their address and the switch port number.

Once you have determined that you have an unauthorized device accessing your network through a port, you can then go to the Manage Sensors sub-window on the Sensor Management window, and access the Port Suppression features to disconnect the port.
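
The lookup described above can be reproduced outside the GUI when you need to verify a result by hand. The following is an added example, not AirDefense code: it expands a MAC address into the "Add MACs In Range" tiers and searches a switch's BRIDGE-MIB forwarding table (dot1dTpFdbPort, RFC 1493) for matches. The walk lines are constructed sample data in the numeric style printed by net-snmp's snmpwalk -On, and treating the MAC as one 48-bit number when stepping through the range is an assumption of this sketch.

```python
import re

# dot1dTpFdbPort from BRIDGE-MIB (RFC 1493); instances are indexed by the
# six MAC octets written in decimal.
FDB_PORT_OID = "1.3.6.1.2.1.17.4.3.1.2"
MAX_TIERS = 10  # the guide states: range default is 1, maximum is 10

WALK_LINE = re.compile(
    r"^\.?" + re.escape(FDB_PORT_OID) + r"\.((?:\d+\.){5}\d+) = INTEGER: (\d+)$")

# Constructed sample data; the third line is dot1dTpFdbStatus and must be skipped.
SAMPLE_WALK = [
    ".1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.1 = INTEGER: 12",
    ".1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.5 = INTEGER: 12",
    ".1.3.6.1.2.1.17.4.3.1.3.0.17.34.51.68.5 = INTEGER: 3",
    ".1.3.6.1.2.1.17.4.3.1.2.0.170.187.204.221.238 = INTEGER: 3",
]


def parse_mac(text):
    """Accept 00:11:22:33:44:55, 00-11-..., or 0011.2233.4455; return an int."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % text)
    return int(digits, 16)


def format_mac(value):
    raw = "%012x" % value
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def macs_in_range(mac, tiers=1):
    """Return the MAC itself plus `tiers` addresses below and above it."""
    if not 1 <= tiers <= MAX_TIERS:
        raise ValueError("tiers must be between 1 and %d" % MAX_TIERS)
    centre = parse_mac(mac)
    low = max(centre - tiers, 0)                 # clamp at 00:00:00:00:00:00
    high = min(centre + tiers, 0xFFFFFFFFFFFF)   # clamp at ff:ff:ff:ff:ff:ff
    return [format_mac(v) for v in range(low, high + 1)]


def fdb_port_oid(mac):
    """OID of the dot1dTpFdbPort instance that holds this MAC's bridge port."""
    value = parse_mac(mac)
    octets = [(value >> shift) & 0xFF for shift in range(40, -8, -8)]
    return FDB_PORT_OID + "." + ".".join(str(o) for o in octets)


def parse_fdb_walk(lines):
    """Map MAC -> bridge port number from numeric walk output."""
    table = {}
    for line in lines:
        match = WALK_LINE.match(line.strip())
        if not match:
            continue
        octets = [int(part) for part in match.group(1).split(".")]
        if any(o > 255 for o in octets):
            continue  # malformed index
        table[":".join("%02x" % o for o in octets)] = int(match.group(2))
    return table


def port_lookup(device_mac, tiers, walk_lines):
    """Return [(mac, bridge_port)] for every MAC in range seen by the switch.

    The value is a bridge port number; dot1dBasePortIfIndex in the same MIB
    maps it to the interface index used by MIB-II.
    """
    table = parse_fdb_walk(walk_lines)
    return [(mac, table[mac]) for mac in macs_in_range(device_mac, tiers)
            if mac in table]


if __name__ == "__main__":
    print(port_lookup("00:11:22:33:44:04", 3, SAMPLE_WALK))
```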


11.3 About Port Suppression

The Port Suppression feature turns off the port on the network switch through which a device is communicating, effectively shutting down communication for that device. You can suppress the communications port for any network device. You must enable (or disable) Port Suppression using the GUI (Config>Appliance Manager>System). Then you must set up configuration for switches that manage the servers (Config>Sensor Manager>Add Switch).

11.3.1 Managing Port Suppressions


To manage Port Suppressions, you must use the GUI's Manage Sensors utility in Sensor Manager. The Manage Sensors utility has a Port Suppressions screen that lists all port suppressions in the database, past and present. For more information on how to configure and use Port Suppression, go to the Admin program area in the GUI, open the System program, click on Quick Help from the Help Menu, and then click the Quick Help cursor (question mark) on the Configuration panel.


12 Location Tracking
This chapter is provided to help you properly configure AirDefense Enterprise server and adapt it to optimally serve your diverse network needs.

12.0.1 In This Chapter


This chapter contains the following topics:

About Location Tracking
Location Tracking (Triangulation)
Location Tracking (Signature)


12.1 About Location Tracking

Location tracking is a critical tool in wireless security management as it enables the network security administrator to locate and remove rogue devices. AirDefense offers different methods for location tracking, RF Triangulation and RF Fingerprinting (or Signature).

The RF Triangulation option is built into the Enterprise 7.0 product. It only requires the user to import location maps and place the sensors on the map. The RF Fingerprinting or Signature option is an add-on module that requires additional hardware and software. With the same number of sensors used, the RF Fingerprinting method will generally yield better results; however, accurate calibration of each floor plan is required.

12.1.1 RF Triangulation
The RF triangulation method uses the RSSI to estimate the distance between transmitter and receiver, based on a typical power loss curve. However, the actual direction is still unknown. To uniquely identify the source's location in a space (for example, the distance to receiver and the direction from where it originated), RSSI data points from at least three independent receivers at fixed locations are required. Therefore, the transmitting source needs to be in the coverage area of at least three independent sensors at any point within the building.

12.1.2 RF Fingerprinting or Signature


The RF Fingerprinting method also relies on measurement of an RSSI data point by several receivers. However, in this case the system takes these measurements and finds the closest 'match' from a set of sample RSSI values that were acquired during calibration. These sample RSSI values are stored in an area-specific positioning model, and the closest RSSI match can be related to a particular location in that model. A site calibration is required to determine the RF fingerprint of a reference client at specific locations in the building. Each site is unique in terms of actual signal propagation, due to environmental factors that cause scattering and attenuation. Typically, an engineer would walk through the building with a wireless-enabled laptop and record sample RSSI values at specified locations, which are then stored in the positioning model.
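
The matching step described above can be illustrated with a nearest-neighbour search in signal space. This is an added example, not the ADLT Positioning Engine's algorithm (which this guide does not document): the positioning model, the sensor names, the -100 dBm value used when a sensor did not hear the device, and the weighted average over the k closest samples are all assumptions of this sketch.

```python
import math

FLOOR_DBM = -100.0  # assumed stand-in for "this sensor did not hear the device"

# Constructed positioning model: calibration point (x, y) in metres and the
# RSSI in dBm that each sensor recorded for the reference client there.
MODEL = [
    ((2.0, 3.0), {"s1": -45.0, "s2": -70.0, "s3": -80.0}),
    ((12.0, 3.0), {"s1": -62.0, "s2": -52.0, "s3": -77.0}),
    ((12.0, 14.0), {"s1": -78.0, "s2": -66.0, "s3": -50.0}),
    ((2.0, 14.0), {"s1": -70.0, "s2": -81.0, "s3": -58.0}),
]


def signal_distance(observed, sample):
    """Euclidean distance between two RSSI vectors, in dB."""
    sensors = set(observed) | set(sample)
    return math.sqrt(sum(
        (observed.get(s, FLOOR_DBM) - sample.get(s, FLOOR_DBM)) ** 2
        for s in sensors))


def locate_by_fingerprint(observed, model=MODEL, k=1):
    """Estimate (x, y) from the k calibration samples closest to `observed`.

    With k=1 the result is the single closest calibration point; with k>1
    the points are averaged, weighted by the inverse of their signal distance.
    """
    if not observed:
        raise ValueError("no RSSI readings for the device")
    if not 1 <= k <= len(model):
        raise ValueError("k must be between 1 and the number of samples")
    nearest = sorted(model, key=lambda entry: signal_distance(observed, entry[1]))[:k]
    weights = [1.0 / (signal_distance(observed, sample) + 1e-6)
               for _, sample in nearest]
    total = sum(weights)
    x = sum(w * point[0] for w, (point, _) in zip(weights, nearest)) / total
    y = sum(w * point[1] for w, (point, _) in zip(weights, nearest)) / total
    return (x, y)


if __name__ == "__main__":
    # Device heard by all three sensors.
    print(locate_by_fingerprint({"s1": -47.0, "s2": -69.0, "s3": -82.0}))
    # Device that sensor s1 does not hear at all.
    print(locate_by_fingerprint({"s2": -66.0, "s3": -51.0}))
```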


12.2 Location Tracking (Triangulation)

Location Tracking is a technology that enables you to locate and track rogue devices that may be threatening your wireless LAN. Location Tracking (Triangulation) uses the RSSI (Received Signal Strength Indications) of the device as seen by at least 3 sensors to triangulate a position relative to the sensor locations. To use this feature, the user must first import a building map and place at least 3 sensors on their corresponding location.

12.2.1 Implementing Location Tracking in AirDefense


AirDefense Location Tracking enables you to locate and track rogue devices that may be threatening your wireless LAN. Note: In order for Location Tracking to open and function properly you must have:

One (minimum) AirDefense Enterprise Server (running r7.2 or later)
Three (minimum) AirDefense Sensors (running r4.4.x or later) per map loaded

Accessing Location Tracking (Triangulation)


You can open the Location Tracking window anywhere in the application when you select the Binoculars button from the control panel. This window can also be accessed from the network tree panel by right-clicking on a device and selecting Locate (Triangulation).

To track a device (provided the map has been loaded and sensors positioned on the map), from the Forensic Analysis Wizard's Locate Device tab:

Step  Action
1     Access the Location Tracking window by clicking the Locate (Triangulation) button. The Location Tracking window will appear. If you have properly incorporated and initialized the location map file, a map diagram of your building's layout will appear displaying sensor locations and status, enabling you to start tracking devices.
2     Notice that the Location Tracking window has its own tree panel. In that tree panel, navigate to the device you are wishing to locate and right-click on it.

Importing Maps
To use the built-in Location Tracking (Triangulation) feature, you will need to import a map first and place the sensors at their specific locations. Note: Each map can be loaded by Location or Group. You may have to re-arrange the sensors in the Sensor Manager to accommodate a map for each Location or Group (go to Config > Sensor Manager). You will also need a minimum of three sensors per map.

Example: Location Atlanta HQ has 2 Floors with 3 Sensors on each floor for Location:

Step  Action
1     Click on the Binoculars button to open the Location Tracking (Triangulation) application.
2     Select the Group or Location where you want to add a map, right-click and hit Create Map.
      Note: Selecting the Create Map button will activate the windows, buttons and functions at the top of the window (Set Scale, Set Image and Advanced).
3     Click on the Set Image button (see Set Image function) to import a map.
4     Click on the Select Scale button (see Set Scale function) to set the scale of your map with a known distance.
5     Select at least three sensors from the same Location or Group and place these on the map. You can drag the sensor and place the sensor on the map corresponding to its exact location.

Select the Advanced button to modify the Loss Factor and Smoothing Factor (see Advanced function).


12.2.2 Location View Functions


Function: Description

Zoom Tools: Use these tools to zoom in and examine greater detail in a particular location of the map.

Refresh Tools: Select the time interval for when the Location Tracking data is refreshed in its window, which can be 15 min, 5 min, 1 min, 30 seconds, 10 seconds or switched off.

Undo/Redo: Select the undo and redo buttons to apply to actions made in the Location Tracking map.

Click & Drag: Use your mouse to click and drag devices from the AirDefense tree panel into the Location Tracking map.

12.2.3 Scale Tool Functions


Select the Scale Tool button to set the scale of the map in order to calculate a device's precise location. To set tracking scale:

Step  Action
1     Select the Scale Tool button.
2     Move your cursor onto the Location Tracking map. Click from one spot and drag the distance you wish to use. The Set Scale sub-window appears.
3     Select a known distance on the imported map (e.g. cube length, door width, building width) and enter the exact distance in the Length text box with the appropriate units selected in the adjacent drop down list.

Click OK to save the scale measurements.

12.2.4 Setting Images


Click the Set Image button to import a map. This will open a sub-window and you can select the appropriate map, which can be in .gif, .jpg, or .png files (less than 500kb in size). Select the desired floor plan and select Open. The map is then displayed in the Location Tracking window.

Important! File sizes of imported maps cannot exceed 500kb per map.


Floor Plan Prerequisite


One or more maps or floor plans of the tracking coverage area, in .jpg format are needed for this to work. You can obtain floor plans from any source, including producing your own by using drawing tools. Most applications will require multiple maps, for example, if you are setting up multiple buildings. Each map must be stored in a separate location or group.

Advanced Settings
Click the Advanced... button to open the Advanced Settings sub-window which contains the following two setting options:

Function: Description

Loss Factor: Loss Factor represents the density of the network environment which affects the power levels measured by the sensors. Use the slide button to compensate for loss factor values which are caused by environment, work area and other spatial factors.

Smoothing: The smoothing value is the number of power measurements averaged together to get the final power level and is a global setting which applies to the entire location tracking system. Use the slide button to set a high smoothing value which creates a more accurate power level for a stationary device, or a low smoothing value which is more responsive to handle devices in motion.
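
Section 12.1.1 and the Loss Factor and Smoothing settings above can be tied together in a short calculation. This is an added example, not AirDefense's implementation (which this guide does not document): it uses the textbook log-distance path loss model, treats Loss Factor as the path loss exponent, assumes a reference level of -40 dBm at 1 metre, and solves for the position by linearised least squares. Sensor names and coordinates are constructed.

```python
import math

REF_DBM = -40.0  # assumed RSSI at 1 m from the transmitter


def smooth(readings, smoothing):
    """Average the most recent `smoothing` power measurements."""
    if smoothing < 1 or not readings:
        raise ValueError("need at least one reading and smoothing >= 1")
    recent = readings[-smoothing:]
    return sum(recent) / len(recent)


def rssi_to_distance(rssi, loss_factor, ref_dbm=REF_DBM):
    """Invert RSSI = ref - 10 * n * log10(d) to get d in metres."""
    return 10 ** ((ref_dbm - rssi) / (10.0 * loss_factor))


def distance_to_rssi(distance, loss_factor, ref_dbm=REF_DBM):
    """Forward model, used here to build consistent sample readings."""
    return ref_dbm - 10.0 * loss_factor * math.log10(distance)


def trilaterate(anchors):
    """Solve for (x, y) from a list of (sensor_x, sensor_y, distance).

    Subtracting the first circle equation from the others gives linear
    equations a*x + b*y = c, solved through the 2x2 normal equations.
    """
    if len(anchors) < 3:
        raise ValueError("at least three sensors must hear the device")
    x1, y1, d1 = anchors[0]
    saa = sab = sbb = sac = sbc = 0.0
    for x, y, d in anchors[1:]:
        a = 2.0 * (x - x1)
        b = 2.0 * (y - y1)
        c = d1 ** 2 - d ** 2 + x ** 2 - x1 ** 2 + y ** 2 - y1 ** 2
        saa += a * a
        sab += a * b
        sbb += b * b
        sac += a * c
        sbc += b * c
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; position is ambiguous")
    return ((sac * sbb - sab * sbc) / det, (saa * sbc - sab * sac) / det)


def locate_by_rssi(sensors, readings, loss_factor=3.0, smoothing=5):
    """sensors: name -> (x, y) in metres; readings: name -> list of RSSI (dBm)."""
    anchors = []
    for name, (x, y) in sensors.items():
        samples = readings.get(name)
        if not samples:
            continue  # this sensor did not hear the device
        level = smooth(samples, smoothing)
        anchors.append((x, y, rssi_to_distance(level, loss_factor)))
    return trilaterate(anchors)


if __name__ == "__main__":
    # Constructed floor: three sensors, device actually at (5, 10).
    sensors = {"s1": (0.0, 0.0), "s2": (20.0, 0.0), "s3": (0.0, 20.0)}
    readings = {}
    for name, (sx, sy) in sensors.items():
        level = distance_to_rssi(math.hypot(5.0 - sx, 10.0 - sy), 3.0)
        readings[name] = [level + 1.0, level, level - 1.0]  # measurement jitter
    print(locate_by_rssi(sensors, readings, loss_factor=3.0, smoothing=3))
    # Same readings with a mismatched loss factor give a different position.
    print(locate_by_rssi(sensors, readings, loss_factor=2.0, smoothing=3))
```

The second call in the demo shows why the Loss Factor setting matters: the same readings interpreted with a different exponent place the device somewhere else.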

Device Tracking Information


The Tracking information panel, located on the right side of the Location Tracking window, provides the basic stats and information on the device that is being tracked. Click the button to open this panel, which reveals the following features:

Feature: Description

Device drop down list: This drop down list contains all of the devices that are to be found on the map and are viewable.

Status: Displays the status of locating the device.

MAC: Displays the Media Access Control address of the device being tracked.

Channel: Displays which wireless channel the device is operating on.

SSID: Displays the device's Service Set Identifier, which is a 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the BSS and are the logical groups that Access Points belong.

Protocol: Lists one of the three protocols for 802.11 WLAN traffic: 802.11a, 802.11b, and 802.11g. Protocols can differ based on their frequency range, radio channels, and data rates.

Last Seen: Lists the date/time group when the device was last seen in AirDefense.

Sensors: This field area lists the name of the sensors that are detecting the device. There need to be at least 3 sensors in order for devices to be detected. If you have fewer than 3 sensors per map, you will not see any devices on the Location Tracking map.

Stop Tracking: When this button is selected, it removes the device from your tracking window. Note: You can also right-click on a device in the map and cancel tracking from there.


Location Tracking Right-Click Options


Right click on...: To access the following options...

Location Level, Group Level: At the Location and Group levels, you can...
    Create a new device locationing map
    Delete a map that is already stored in that group
    Load a new device locating map from a file external from the application

Sensor Level: At the Sensor level, you can...
    Add a sensor to the device locationing map
    Remove a sensor on the device locating map

Access Point, Stations: At the Access Point and Station levels...
    Add a Device to the device locationing map
    Remove a Device from the map
    Initiate device tracking
    Stop device tracking


12.3 Location Tracking (Signature)

Signature-based Location Tracking is a tracking technology available as an option to your AirDefense Enterprise system. It enables you to locate and track rogue devices that may be threatening your wireless LAN. AirDefense Location Tracking is a collaboration of two technologies: AirDefense Enterprise and the AirDefense Positioning Platform, which contains the ADLT Positioning Engine and the ADLT Manager. The combination of these technologies enables you to efficiently and accurately pinpoint the real-time location of rogue Stations and Access Points from a centralized location. Location Tracking (Signature) uses RF fingerprinting technology. Each map must first be calibrated to store the sample RSSI values for each location. Alternatively, you can use Location Tracking (Triangulation), which requires no calibration. The following instructions give a brief overview of the steps necessary to implement Location Tracking (Signature) in AirDefense.

12.3.1 How Location Tracking (Signature) Works


AirDefense Location Tracking uses three integral components: 1) the ADLT Positioning Engine (r1.0 or later), 2) the ADLT Manager (r1.0 or later), and 3) AirDefense Enterprise (r6.2 or later).

The role of the ADLT Positioning Engine


The ADLT Positioning Engine is the central component of Location Tracking. The Positioning Engine resides on a single desktop PC or Server. From the AirDefense Enterprise Server, the Positioning Engine receives signal strength information from each device that AirDefense Sensors see in a designated floor plan area. The Positioning Engine must have a calibrated floor plan, called a positioning model, from the AirDefense Manager. When Location Tracking is invoked from the AirDefense Enterprise Graphical User Interface (GUI), the Positioning Engine uses the positioning model calibrated by the AirDefense Manager and signal strength information from AirDefense Enterprise to pinpoint the device's exact position within the floor plan. The Positioning Engine then sends this information back to the AirDefense Server, where it displays in the AirDefense GUI.

The role of the ADLT Manager


The ADLT Manager resides on one or more wireless laptop PCs that are designed as calibration laptops and registered in AirDefense Enterprise. The ADLT Manager takes a loaded floor plan and divides it into x-y coordinates. On administrator request from the AirDefense GUI, the ADLT Manager calibrates the floor plan into a positioning model, and then stores this model in the ADLT Positioning Engine.

The role of AirDefense Enterprise


AirDefense Enterprise (r6.2 or later) is Location-Tracking ready. AirDefense Enterprise resides on an AirDefense Server. The Admin program area in the AirDefense GUI enables you to register the calibration laptops used to calibrate mapped floor plans into x-y coordinates, to set up communications with the ADLT Positioning Engine, to start and stop the calibration sessions necessary to turn floor plans into positioning models, and to track calibration sessions. AirDefense Sensors detect all Stations and Access Points within the boundaries of the floor plan and send signal strength information from each device to the AirDefense Server, which in turn communicates this information to the ADLT Positioning Engine. The AirDefense Server then receives exact location coordinates for the selected device back from the ADLT Positioning Engine, and displays the floor plan and device location in the AirDefense GUI.


12.3.2 Location Tracking Prerequisites


Hardware Prerequisites
Implementing AirDefense Location Tracking requires that you set up and configure independent hardware and software components. You must have:

One (minimum) AirDefense Enterprise Server (running r6.2 or later)
Three (minimum) AirDefense Model 400 Sensors (running r4.2.0.24 or later)
One Windows XP machine, which will run the ADLT Positioning Engine. Recommendation: Since the Positioning Engine is a server application, AirDefense recommends that this machine be a desktop PC. Minimum requirements: 1 GHz, 256 Mb RAM, 500 Mb HD.
One or more wireless laptop PCs, equipped with Windows XP or 2000 and an 802.11 a/b/g wireless network adapter. These laptops, which will each run the ADLT Manager, will serve as the approved, registered laptops that you will use to devise your positioning model (calibrated floor plan) for your tracking area. This process is called calibration. Minimum requirements: Pentium III, 256 Mb RAM, 500 Mb HD.

Software Prerequisites
AirDefense Location Tracking Installation CD-ROM and a set of license files (supplied by AirDefense, Inc.). The license files are:
    ADLT Positioning Engine license
    ADLT Manager license
    AirDefense JAVA SDK license
AirDefense Enterprise r6.2 or later (on the AirDefense Server)
AirDefense Sensor firmware r4.1.1-0 or later (installed on AirDefense Sensors)
The ADLT Positioning Engine, r1.0 or later (to install on the Windows XP desktop)
The ADLT Manager, r1.0 or later (to install on one or more wireless Windows XP or 2000 laptop PCs)

For complete step-by-step procedures on how to install and set up Location Tracking in AirDefense, see the standalone .pdf document: AirDefense Location Tracking User Guide.

12.3.3 Using Location Tracking (Signature)


Signature Location Tracking can be accessed one of two ways if it has been added as an installed option to your AirDefense Enterprise system:

On the Forensic Analysis Wizard window's Locate Device tab, by selecting Locate (Signature).
By right-clicking on either an Access Point or Station in the AirDefense tree panel and selecting Locate (Signature).

Location Tracking Tracking Options window


The Tracking Options window opens and enables you to enter a description and choose a duration for the tracking session.

Function: Description

Device to Locate: This is the color-coded icon and valid MAC address or other AirDefense Device Identifier of the Station or Access Point you are locating.

Tracking Name: Enter the name of the Location Tracking session you are performing.

Tracking Duration: Select a time for how long you want Location Tracking for this device to continue. Minimum: 5 min. Maximum: 120 min. Default: 30 min.

OK: Click OK. The AirDefense Server connects to the ADLT Positioning Engine and receives the x-y coordinates of the device. The Device Location View window appears, displaying a location dot on a floor plan, indicating the device location.

Cancel: Click Cancel to cancel the operation without changes.


13 Reporting
AirDefense Enterprise's dual approach to reporting consists of a web interface for populating report templates with data, and a flexible interface for creating additional custom report templates.

The Web Reporting interface makes it easy to choose report templates and define the scope of data you want to include, then view the resulting report in a selection of formats. You can also save reports, share them with others, and schedule reports to run automatically.

The Report Builder application within the GUI lets more advanced users create report templates, either basing them on the templates delivered with AirDefense or designing them from scratch. Reports you create with the report builder become available as templates in the Web Reporting interface.

AirDefense Enterprise features a web-based reporting interface that lets you create reports from templates using data you specify. You can also save reports, share them with others, and schedule reports to run automatically. You access Web Reporting from the same page as the AirDefense Enterprise GUI application download.

13.1 Using Web Reporting

13.1.1 Accessing Web Reporting


To access the Web Reporting web site:

1 Log in with your Enterprise Username and Password.
2 Click Manage Reports to access the reporting options.

13.1.2 Web Reporting Navigation


The Web Reporting application consists of four pages, described below. To move from one page to another, click the page name.

Report types
The Report Types page is the default page; it lists standard and custom report templates by type. You can select a report, specify applicable settings, and then load the report with data.

Scheduled Reports
The Scheduled Reports page lists reports that have been scheduled to run automatically.

Saved Reports
The Saved Reports page lists the reports that you created and saved. You cannot view reports saved by other users unless the other users Share the reports (see below). You can delete a report by selecting its checkbox and clicking Delete. You can share a report by selecting its checkbox and clicking Share. You can view report data by clicking on the report's name.

Shared Reports
The Shared Reports page lists reports that you or other users created, saved, and then shared. If you do not share a report, only you can view it.

13.1.3 Creating a Report


To create a report:

1 Select a report from the Report Type list. The Report Settings page for that report appears.
2 Complete the settings so that the data in the report reflects the format, scope, and time frame you want.
3 If you want to email the report to someone, type the email address in the Mail to box.
4 Click Preview to load the report with data. The report appears.

Buttons along the top let you:

Create a printer-friendly version of the report
Save the report on the server
Schedule the report to run automatically later

A control area on the left lets you:

List the current report settings
Change the settings and re-run the report

You can view additional information about devices listed in the report in one of two ways:

When the cursor hovers over a device, a popup lists basic information including MAC address, IP address, vendor, channel, SSID, signal strength, and last seen time.
If you select the Run Device Report link next to a device, a device-specific report is launched in a new window.

13.1.4 Scheduling a Report


There are two ways to schedule reports:

You can schedule reports to run automatically by clicking the Schedule link to the right of the report name on the Report Types page.
After running a report, you may decide to schedule it to run automatically again later.

When you are viewing the report, click Add to Scheduled. The scheduling page appears.
Type a Name for the report and choose the report format.
Choose one or both of the following destinations for the report:
    To save the report to a file, select Save to File.
    To email the report, type the email addresses of report recipients.
Select the Enable Report checkbox to make this schedule active. If you want to deactivate this schedule later, clear the checkbox.
Use the tree in the Display Settings area to make sure the scope of the report reflects the part of your network you want to include.
In the Scheduled Execution area, type the time of day you want the report to run and the number of days, hours, or minutes you want the report to cover.
Choose the frequency for the report:
    If you want the report to run weekly, select the Weekly radio button and then select the day of the week you want it to run.
    If you want the report to run monthly, select the Monthly radio button, and then select the day of the month you want it to run.

13.1.5 Saving a Report


After you run a report, you can save it to the Saved Reports tab. Only the user who created and saved a report can view it from the Saved Reports tab. To save a report, make sure the format you want is selected in the report settings area, click the Save button, and then type a report name. The Web Reporting application saves the report in the currently selected format to the Saved Reports tab.


13.2 Using the Report Builder


Accessing the Report Builder
1 In AirDefense Enterprise, select Tools, and then select Report Builder. The Report Builder window appears. Note: this may take a few minutes to load the first time you use it.

Report Builder lets you create, edit, and copy report templates.

Creating and Saving a report


1 Click New Report on the tool bar.
2 Choose from the available templates.
  - For single devices, select the Blank single device report.
  - For multiple devices, select the Blank multiple device report.
  NOTE: After you select the number of devices, you cannot change it on the same report; you must create a new report.
3 Type the name you want to use for this report. NOTE: the name must start with a letter and cannot have any spaces or symbols, with the exception of _
4 Click OK.
5 Click Save.

Editing and Saving a report


1 Click Open. A confirmation window appears. If you haven't already done so, save the report.
2 Click Yes.
3 Scroll through the report list and select the report you want.
4 Click OK.
5 Make your changes.
6 When you are done, click Save.

Cloning/Copying and Saving a report


1 Click New on the tool bar. A confirmation window appears. If you haven't already done so, save the report.
2 Click Yes.
3 Scroll through the report list and select the report you want to copy.
4 Type a name for the new report. NOTE: the name must start with a letter and cannot have any spaces or symbols, with the exception of _
5 Click OK.
6 Make your changes.
7 When you are done, click Save. NOTE: Be sure to change the report title and any other items that retain the name of the original report.

Deleting a report

1 Open the report you want to delete.
2 Click Delete in the tool bar. A confirmation window appears.
3 Click Yes to delete.

Inserting an item into a new report from Tool Bar button

Creating a new report.

1 Click the tree icon at the top of the report.
2 Click Insert on the tool bar.
3 Select the item you want to insert. The contents of the item appear in the panel on the right.
4 Fill in the information and/or make selections.
5 Click Save on the tool bar.

Inserting an item into a report from Tool Bar button


1 Open a report.
2 Click the tree icon at the top of the report.
3 Click Insert on the tool bar.
4 Select the item you want to insert. The contents of the item appear in the panel on the right.
5 Fill in the information and/or make selections.
6 Click Save on the tool bar.

Inserting an item into a report from Right Click


1 Open a report.
2 Click the tree icon at the top of the report.
3 Right-click the mouse.
4 Select the item you want to insert. The contents of the item appear in the panel on the right.
5 Fill in the information and/or make selections.
6 Click Save on the tool bar.

Removing an item from a report from Tool Bar Button


1 Open a report.
2 From the tree, select the component you want to remove from the report.
3 Click Remove on the tool bar.
4 Click Save on the tool bar.

Removing an item from a report from Right Click


1 Open a report.
2 From the tree, select the component you want to remove from the report.
3 Right-click the mouse and select Remove.
4 Click Save on the tool bar.

Changing the order of items in the report

1 Open a report.
2 In the tree, select the item you want to move.
3 Use the up and down arrows at the top of the tree to move the item where you want it to appear in the report.
4 Click Save on the tool bar.

14 System Setup Wizard


The AirDefense Enterprise GUI includes a System Setup wizard that guides you through typical settings required for an effective AirDefense system configuration. All configuration steps are optional and can be finished at any time. The System Setup wizard starts automatically after you install or upgrade the system. You can also start the System Setup wizard at any time thereafter by selecting Tools > Configuration > Configuration Wizard.

14.1 Configuration Wizard Navigation

Use the Back and Next buttons to let the wizard guide you through the tasks sequentially, or select a link from the menu of pages on the left side of the wizard to navigate directly to that page. This chapter is organized in the same order as the Wizard's pages. The System Setup Wizard contains the following pages:

- Setup System Settings
- Define Network Structure
- Create User Accounts
- Define Policies
- Configure Alarms
- Schedule Auto Classification
- Enable Notifications
- Import Devices

You can exit the wizard at any time and use it again later. As you make changes to the pages, the wizard displays blue asterisks next to the page names to help you track which pages you have worked on. When you are finished working in the wizard, click the Finish button in the top right corner.

14.2 System Setup Wizard Pages

Setup System Settings

The Setup System Settings page lets you set the system name and enable key system features.

Alternative navigation: Tools > Configuration > Configuration Wizard > Setup System Settings

1 System Name: Type the system name that you want to appear in the tree as your highest level system domain. The default name is WIPS.
2 Enable active termination: You can select the Active termination check box to enable users with admin privileges to disable the connection between wireless devices (Air Termination).

Enable policy-based termination: You can select the Enable policy-based termination check box to allow users with admin privileges to create policies that automatically terminate wireless devices based on specific alarms or policy violations.

Enable port suppression: You can select the Enable port suppression check box to allow users to suppress communication on the network switch port that a device is using to communicate with the network, if inappropriate activity is detected.

Define Network Structure


The System Setup Wizard lets you quickly define Locations and Groups in the tree structure and place sensors in them.

Alternative navigation: Tools > Configuration > Configuration Wizard > Define Network Structure

Use the buttons along the top of the tree window to:

- Add a new Location.
- Add a new Group.
- Delete a Location, Group, or Sensor.
- Select a Location, Group, or Sensor, and move it up in the tree.
- Select a Location, Group, or Sensor, and move it down in the tree.

To add a name or description for a Location or Group in the tree, select the Location or Group, and then type the name or description. You can use the Sensor Manager to make additional changes to the network structure. Select Tools > Configuration > Sensor Manager.

Create User Accounts


Use this page to Add, Edit, or Remove User Accounts.

Alternative navigation: Tools > Configuration > Configuration Wizard > Create User Accounts

To add a user account:
1 Click the Add button.
2 Type or select values for user account settings.
3 Click OK.

To edit a user account:
1 Select the account in the list.
2 Click Edit.
3 Edit the user account settings.
4 Click OK.

To delete a user account:
1 Select the account in the list.
2 Click Delete.

You can make additional changes to User Accounts by selecting Tools > Configuration > User Management.

Define Policies
The privacy policy defines the security configurations you require for stations to be authorized in your wireless LAN. Settings you choose on this page update the default privacy policy.

Alternative navigation: Tools > Configuration > Configuration Wizard > Define Policies

Select or clear checkboxes in the following areas to define the privacy policy:

- Base Authentication
- Extended Authentication
- Key Generation
- Encryption

You can use the Policy Manager to create additional policies with alternative settings. Select Tools > Configuration > Policy Management.

Configure Alarms
The Configure Alarms page provides three pre-defined Security Sensitivity modes to let you quickly specify the alarms you want to enable. You can use the pre-defined policies as-is or customize them.

Alternative navigation: Tools > Configuration > Configuration Wizard > Configure Alarms

The Alarms you choose and their criticality may depend on your wireless environment. For example: an unauthorized station alarm would be considered critical and deserve immediate attention in a no-wireless zone, but it could be safely ignored in a public place in a congested area with many transient devices, such as a university campus.

Select the pre-defined Security Sensitivity mode that best suits your organization, and then click Advanced if you want to customize it. Pre-defined modes include:

- Monitored WLAN: generally for networks where both performance and security are concerns
- Monitored WLAN Security Only: generally for networks where security is the top priority
- Monitored WLAN congested areas: generally for networks that are more tolerant of transient or neighboring devices

To customize the sensitivity level, select the checkboxes next to the alarms you want to enable and clear the checkboxes next to the alarms you want to disable. At that point, the Custom Sensitivity radio button automatically becomes selected to indicate that you have customized one of the pre-defined modes.

You can make additional changes to the Alarm criticality by selecting Tools > Configuration > Alarm Manager.

Schedule Auto Classification


The AirDefense application classifies devices it detects in your wireless network as Authorized, Unauthorized, Ignored, or to be deleted. You should periodically have the application reclassify devices. In environments with many transient devices, this can help you limit the alarm count caused by unauthorized devices. This page lets you define the rules that the system will use to automatically classify each device. It also lets you schedule auto classification to occur on a regular basis.

Alternative navigation: Tools > Configuration > Configuration Wizard > Schedule Auto Classification

To schedule Auto Classification:
1 Select the Enable scheduled classification checkbox.
2 Select the Reclassify authorized and ignored devices checkbox if you want to enable that option.
3 Use the Scope drop-down to choose the part of the network for which you want to schedule auto classification.
4 Indicate the interval at which you want the classification to occur and the time and day you want to start.
5 Type the Rule Set Name of the rule set that contains the classification rules you want to use to classify devices.

You can make additional changes to Auto Classification by selecting Tools > Configuration > Policy Manager > Auto Classification.

Enable Notifications
Configure the notification engine to send E-Mail messages, SNMP traps, or Syslog messages when alarms occur.

Alternative navigation: Tools > Configuration > Configuration Wizard > Enable Notifications

To add a notification:
1 Click Add.
2 Choose the type of notification you want to add. Some of the controls on this page change to reflect the notification type you chose.
3 Type or choose the settings you want the notification to use.
4 Click OK.

To Edit a notification, select the notification, and then click Edit. Make changes to the settings, and then click OK.

To Delete a notification, select the notification, and then click Delete.

You can make additional changes to the Notifications by selecting Tools > Configuration > Notification Manager.

Import Devices
You can import a list of access points or stations, including device information, from an external file.

Alternative navigation: Tools > Configuration > Configuration Wizard > Import Devices

1 To import a file, select Load AP File or Load Station File. Browse to the file location, select the file, and then click Open. A status window appears, displaying the number of lines processed and any error messages.
2 Click Close.

You can import additional devices by selecting Tools > Configuration > Policy Manager.

Appendix A: ADDadmin Utilities


This appendix lists and gives a brief description of each ADDadmin utility in the Command Line Interface. The utilities are arranged by ADDadmin program area.

A.0.1 Manage
| ADDadmin Utility | Use this utility to... |
| --- | --- |
| STATUS | Display the process and disk status of the system. |
| SYSLOG | Display system log entries resulting from authentication and sendmail failures. You can either display the logs on screen, or write logs to a text file (syslogdata.txt). |
| CLRLOG | Clear rotated system logs if /var partition is approaching 100% usage; clear overly large postgresql log. |
| SAVECAP | Access captured packets (pcapture files) in the pcaptures directory of the AirDefense Server (/usr/local/smx/pcaptures) and save them as either a peek or a pcap formatted file. |
| CLRCAP | Clear frame capture files to free up space in the directory /usr/local/smx/pcaptures on the AirDefense Server. |
| DELFU | Delete a Sensor firmware update that you have loaded into the GUI (via Manage Sensor Updates). |
| WEBU | Manage AirDefense GUI Web User names and passwords. Use this utility to: Add a Web User for the AirDefense GUI; Delete a Web User for the AirDefense GUI; Change a password for a Web User for the AirDefense GUI. |
| PASSWD | Change the password of a Command Line User (smxmgr and smxarchive). (For more information on smxarchive, see Appendix B, Automated Data Retrieval.) |
| RESTART | Restart AirDefense processes (not a full reboot!). |
| REBOOT | Reboot AirDefense (full reboot). |
| HALT | Halt AirDefense (stop processes). |

A.0.2 Dbase
| ADDadmin Utility | Use this utility to... |
| --- | --- |
| ALARMS | Enable / disable automatic alarm management. |
| CLRU | Clear databases, except user data. |
| CLRALL | Clear databases of all data. |
| BUDBCFG | Backup database configuration information. |
| RCDBCFG | Recover database configuration information. |
| BCKUPDB | Backup databases. |
| RCVRDB | Recover databases. |
| INTCK | Check integrity of databases. |
| OUI | Update vendor MAC address information in the database. |

A.0.3 Software
| ADDadmin Utility | Use this utility to... |
| --- | --- |
| CURRLIC | Display the current AirDefense license. |
| LICENSE | Install a new AirDefense license. |
| KEYPKG | Create a package of AirDefense system keys that can be used by AirDefense support to repair corrupt licenses. |
| SERVMOD | Update the current version of AirDefense software with feature enhancements or improvements. |
| RESCUE | Perform AirDefense rescue of a troubled upgrade. Hint: All data will be lost in this process! |
| ADPKG | Install AirDefense supplemental packages. |

A.0.4 Config
| ADDadmin Utility | Use this utility to... |
| --- | --- |
| IP | Change the IP address, subnet mask, and default gateway of the AirDefense Server you are logged into. |
| NETPORT | Change the network interface connections, and toggle the Autonegotiation feature On or Off. |
| DNS | Add or delete a DNS nameserver (Domain Name Server). |
| HNAME | Change the name of the AirDefense Server. |
| DNAME | Change the domain to which the AirDefense Server belongs. |
| MRELAY | Configure the AirDefense Server to point to a Mail Relay Host. |
| ARP | Configure a permanent ARP table. |
| HALLOW | Configure which systems are allowed to connect to the AirDefense Server. |
| HDENY | Identify which laptops and workstations are not allowed to connect to the AirDefense Server. |
| PING | Change the ping setting for the AirDefense Server (ping enable, ping disable). |
| CAD | Enable or Disable [Ctrl] [Alt] [Del] for reboot. |
| TIME | Change the AirDefense Server's operating time and date. |
| TZ | Change the time zone in which the AirDefense Server is operating. |
| NTP | Enable or disable a specific network time server (NTP). |
| UIPORT | Change the network port number over which the GUI is running. |
| FALLOW | Use FALLOW to allow a specific client, which is an external PC with the Advanced Forensic application, to connect to the AirDefense server on the Advanced Forensic Analysis Engine. See page 93 of Chapter 7 for more information. |
| FDENY | The ADDadmin utility FDENY is the direct opposite of FALLOW. Use this utility to deny a specific Forensic Client PC from connecting to the AirDefense Enterprise Server. See page 93 of Chapter 7 for more information. |

Appendix B: Automated Data Retrieval


This appendix gives detailed instructions on how to set up automated retrieval of data from the AirDefense Server, using a local backup server running UNIX.

B.0.1 Introduction
To automatically retrieve archived data from the AirDefense Server, you must log in to the AirDefense Server from a local backup server. Additionally, the login must be secure, using SCP or SSH. For example, you may want to write a script that you run via Cron.

B.0.2 SMXARCHIVE Command Line User


The AirDefense Server is administered by the smxmgr Command Line User. The smxmgr has full access to the ADDadmin utilities on the AirDefense Server, including the ability to set the password for the smxarchive Command Line User. The smxarchive account is a limited access account that is intended for use in automated data retrieval. The smxarchive has limited access privileges to the AirDefense Server, but can set up and perform automated retrieval. AirDefense highly recommends that you designate an smxarchive for retrieval operations. For information on setting the password for a smxarchive account, see Chapter 5, Managing Users on page 33.

B.0.3 Retrievable Data


AirDefense enables you to export data as report files, to backup the data, or to archive raw data packets (frames) into specified directories on the AirDefense Server that are separate from the database. You can set up automated retrieval of these archive files from the AirDefense Server to a backup local server. You can set up automated retrieval of the following:

Export Data: reports
Using the Data Mgmt program in Admin, you can export data to the AirDefense Server as report files. Files export in a tab-delimited format to a .txt file and are placed in a specific directory on the AirDefense Server (/usr/local/smx/reports).

Backup Data: backups
Using the Data Mgmt program in Admin, you can back up the database. Database backup files are saved to a specific directory on the AirDefense Server (/usr/local/smx/backups).

B.0.4 Capture Data: pcaptures


Using the Frame Capture Mode in the Sensor program area, you can capture raw data packets for viewing and archiving. The Sensor captures and sends all traffic, including management, control, and data frames, to the AirDefense Server. The frames are archived in capture files (pcaptures) in a specific directory on the AirDefense Server (/usr/local/smx/pcaptures).

B.0.5 Setting Up for Retrieval


Follow the steps below to set up certificate authenticated SSH access from the AirDefense Server to your local backup server. These instructions assume you are the smxarchive Command Line User. The following abbreviations are used in the instructions:

ADServer = IP address or hostname of your AirDefense Server
LocalServer = IP address or hostname of the local server that will retrieve the files
LocalUser = the username used on LocalServer

Step  Action
1  On LocalServer, log in as LocalUser.
2  Run the following command to generate the keys for the LocalUser:
       /usr/bin/ssh-keygen -d -f $HOME/.ssh/id_dsa
   At the passphrase prompts, do not enter a passphrase. Hit Return. This action creates the keys for the LocalUser: id_dsa and id_dsa.pub, in the LocalUser's .ssh directory. These keys must keep these names while on this server.
3  Transfer the LocalUser's public key to your AirDefense Server. (It is a good idea to change the name of the key in the process, so it does not become confused with any other keys on the AirDefense Server.)
       /usr/bin/scp $HOME/.ssh/id_dsa.pub smxarchive@ADServer:LocalUser.pub
4  Log on the AirDefense Server via SSH as smxarchive:
       /usr/bin/ssh smxarchive@ADServer
   Enter your password at the prompt.
5  Install the public key as an authorized entry. To do this, add the new public key to the authorized key file:
       /bin/cat $HOME/LocalUser.pub >> $HOME/.ssh/authorized_keys
6  Ensure the permissions are correct on the key file by modifying the permissions on authorized_keys file:
       /bin/chmod 600 $HOME/.ssh/authorized_keys
7  Exit the SSH session:
       exit
8  Verify that the logon works correctly. From LocalServer run:
       /usr/bin/ssh smxarchive@ADServer

LocalUser@LocalServer can now ssh and scp to and from smxarchive@ADServer. You should be able to log on without using a password, using only certificate authentication. LocalUser@LocalServer now has all of the access privileges of the smxarchive@ADServer. Once automated retrieval is set up, you can use the scp UNIX utility to copy files from the AirDefense Server to your local server. AirDefense does not support FTP or telnet.
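The introduction to this appendix suggests a script run from cron. The following is an added example of such a script for LocalUser on LocalServer; it is not part of the AirDefense guide or product. It uses the key and the three archive directories named in this appendix, while the destination directory, the ADSERVER value and the script path in the cron comment are assumptions. Because the key has no passphrase and carries all smxarchive privileges, the script refuses to run if the key file is accessible to group or others, and it fails rather than falling back to a password prompt.

```shell
#!/bin/sh
# Added example: scheduled pull of AirDefense archive directories over scp.
# Hypothetical cron entry (script path is an assumption):
#   15 2 * * * /home/LocalUser/bin/ad-retrieve.sh --run

ADSERVER="${ADSERVER:-ADServer}"        # placeholder, as used in B.0.5
REMOTE_USER="smxarchive"                # limited account from B.0.2
KEY="${KEY:-$HOME/.ssh/id_dsa}"         # private key generated in step 2
DEST_ROOT="${DEST_ROOT:-$HOME/airdefense-archive}"   # assumed local target
SCP_BIN="${SCP_BIN:-/usr/bin/scp}"
# Directories listed under "Retrievable Data"
REMOTE_DIRS="/usr/local/smx/reports /usr/local/smx/backups /usr/local/smx/pcaptures"

# The key is unencrypted, so file permissions are its only protection.
# Succeeds only for a regular file with no group or other permission bits.
key_is_private() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other bits, e.g. "------"
    [ "$perms" = "------" ]
}

# Copy one remote directory into a local directory.
# BatchMode=yes            fail instead of prompting for a password
# StrictHostKeyChecking=yes  only talk to the host key recorded during the
#                            verification login in step 8
# IdentitiesOnly=yes       offer this key only, not every key in an agent
pull_dir() {
    remote_dir=$1
    local_dir=$2
    "$SCP_BIN" -q -r -p \
        -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o IdentitiesOnly=yes \
        -i "$KEY" \
        "$REMOTE_USER@$ADSERVER:$remote_dir" "$local_dir"
}

# Pull every archive directory into a new time-stamped directory.
# Returns 0 on success, 1 if any copy failed, 2 if the key check failed,
# 3 if the destination could not be created.
retrieve_all() {
    if ! key_is_private "$KEY"; then
        echo "refusing to run: $KEY is missing or accessible to other users" >&2
        return 2
    fi
    umask 077                           # captures hold raw frames: owner-only
    stamp=$(date +%Y%m%d-%H%M%S)
    dest="$DEST_ROOT/$stamp"
    mkdir -p "$dest" || return 3
    failed=0
    for d in $REMOTE_DIRS; do
        if ! pull_dir "$d" "$dest/"; then
            echo "retrieval of $d failed" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Do nothing unless explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    retrieve_all
    exit $?
fi
```

A non-zero exit status from cron's run is the signal to investigate; a status of 2 means the key file permissions changed since setup.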

Software License Agreement


i.1 MASTER LICENSE AGREEMENT FOR THE AIRDEFENSE SYSTEM

IMPORTANT - THIS MASTER LICENSE AGREEMENT (THIS "AGREEMENT") GOVERNS THE USE OF THE AIRDEFENSE SYSTEM. READ THIS MASTER LICENSE AGREEMENT CAREFULLY PRIOR TO USING THE AIRDEFENSE SYSTEM (OR ANY PORTION THERETO). IN ORDER TO USE THIS AIRDEFENSE SYSTEM (OR ANY PORTION THERETO), YOU MUST INDICATE YOUR ACCEPTANCE OF THIS AGREEMENT, AND THE ACCEPTANCE OF THE CORPORATE OR BUSINESS ENTITY WHICH PURCHASED THE AIRDEFENSE SYSTEM (the "Licensee"), TO THESE TERMS AND CONDITIONS BY CLICKING ON THE "Accept" BUTTON ON YOUR SCREEN. BY INDICATING YOUR AGREEMENT, YOU ALSO REPRESENT AND WARRANT THAT YOU ARE A DULY AUTHORIZED REPRESENTATIVE OF THE LICENSEE AND THAT YOU HAVE THE RIGHT AND AUTHORITY TO ENTER INTO THIS AGREEMENT ON ITS BEHALF. By using the AirDefense System, Licensee expressly agrees with AirDefense, Inc., a Georgia corporation ("AirDefense"), to be bound by all of the terms and conditions of this Agreement. If Licensee does not agree with any of the terms or conditions of this Agreement, Licensee is not authorized to use the AirDefense System (or any part thereto) for any purpose whatsoever; please immediately cease use and contact AirDefense immediately at airdefensemla@airdefense.net. Please print a copy of this Agreement for Licensee's records.

1. Definitions.
a) "Hardware" means AirDefense remote sensors or server appliances.
b) "Products" mean any Hardware, Software, or Third Party Vendor Items provided by AirDefense under this Agreement.
c) "Software" means computer programs in object code form or firmware which is owned or licensed by AirDefense, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies.
d) "Third Party Vendor Item" includes "Third Party Hardware" and "Third Party Software" and means any non-AirDefense hardware and/or software supplied or used by the Licensee under this Agreement.

2. General. AirDefense grants Licensee a non-exclusive, non-transferable, non-assignable license to use a copy of the Software in operating an approved configuration of the Products to the extent of the activation or authorized usage level. This Agreement also authorizes Licensee to use the related written materials and "online" or electronic documentation ("Documentation") solely in conjunction with Licensee's authorized use of the Products. AirDefense and its suppliers retain title to all copyright, trademarks, trade names and other intellectual property rights in the Software, Hardware, and Documentation. Licensee is not granted any right, title, or interest in the Software, Hardware, and Documentation, except the right to use them in accordance with this Agreement. Licensee may use the Products only to process Licensee's own data and may not rent or sell the Products or use thereof to any third party. Any other individual or company, including any of Licensee's parent, subsidiary, or affiliate entities, shall require a separate license to use the Products (or any part thereof). Licensee may not transfer any part of the Products or any rights hereunder to any third party without the express written consent of AirDefense. Licensee further agrees that the terms contained in any AirDefense or third party "shrink wrap" or "click" licenses shall govern the use of such software.

3. Term. The License of the Products (and each part thereof) and Documentation is effective upon effectiveness of this Agreement and will continue in effect until terminated: (i) by Licensee at any time by notifying AirDefense in writing; (ii) automatically and immediately upon Licensee's breach of any material term or condition of this Agreement which is not corrected within ten (10) days following the breach; or (iii) automatically upon Licensee's failure to make any payment due to AirDefense under any agreement to do so within ten (10) days of receipt of written notice that the amount is past due. In the event of termination, Licensee must return the Products to AirDefense and destroy all copies of the Software and Documentation.

4. Copyright. The Software and Documentation are owned by AirDefense or its suppliers and are protected by United States and other applicable copyright and other laws. Therefore, Licensee may not copy (except as otherwise expressly permitted by this Agreement or by applicable copyright law) the Software or Documentation. Except as expressly permitted by this Agreement or required under applicable law, Licensee may not modify, adapt, translate, decompile, disassemble, or reverse engineer the Software in any manner; Licensee may not merge or embed the Software into any other computer program or work; Licensee may not create derivative works of the Software or the Documentation; and Licensee may not use the Software on any computer hardware except the AirDefense Hardware on which it is installed.

5. Specific Restrictions. Licensee may not remove or alter AirDefense's or its suppliers' copyright notices and other intellectual property rights notices included in the Products or Documentation.

6. Government Use. If any Software or Documentation is acquired by or on behalf of a unit or agency of the United States Government, such Software or Documentation is "commercial computer software" or "commercial computer software documentation" and, absent a written agreement to the contrary, the Government's rights with respect to such Software or Documentation are limited by the terms of this Agreement, pursuant to FAR 12.212(a) and its successor regulations and/or DFARS 227.7202-1(a) and its successor regulations, as applicable.

7. Limitation of Warranties. Licensee assumes responsibility for the selection of the Products to achieve Licensee's intended results and for the installation and use of, and the results obtained from, the Products. Neither AirDefense nor any of its suppliers warrants that the functions or features contained in the Products will meet Licensee's requirements or that the operation of the Products will be uninterrupted or error free.
EXCEPT AS PROVIDED HEREIN, THE PRODUCTS ARE BEING PROVIDED "AS IS" WITHOUT ANY WARRANTY OF ANY KIND. AIRDEFENSE AND ITS SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES AS TO NON-INFRINGEMENT RELATED TO THE PRODUCTS PROVIDED HEREUNDER. THIS SECTION SHALL SURVIVE TERMINATION OR EXPIRATION OF THIS AGREEMENT.

8. Limitation Remedies and Damages. The remedies provided in this Agreement are the sole and exclusive remedies available to Licensee for any breach to which such remedy pertains. The aggregate liability of AirDefense to Licensee for any and all costs, liabilities, losses, and expenses (including, but not limited to, reasonable attorneys' fees) (each a "Loss" and collectively, "Losses") resulting from any claim, suit, action, or proceeding arising out of or related to this Agreement for all claims of every kind and nature that arise or accrue, regardless of the form of action that imposes liability, whether in contract, indemnity, equity, negligence, intended conduct, tort or otherwise, will be limited to and will not exceed, in the aggregate, the amount actually paid by Licensee for the Products purchased pursuant to a specific purchase order out of which the Loss arises. In any event AirDefense shall have no liability for any Loss arising (x) after the expiration of twelve (12) months from the date of the purchase order for the Products out of which the Loss arises or (y) upon termination of this Agreement or any support services agreement between AirDefense and Licensee. IN NO EVENT SHALL AIRDEFENSE OR ITS SUPPLIERS BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, CONSEQUENTIAL, OR EXEMPLARY DAMAGES WHATSOEVER, INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION ARISING OUT OF THE USE OF OR INABILITY TO USE ALL OR PART OF THE PRODUCTS OR THE PROVIDING OF OR FAILURE TO PROVIDE SUPPORT SERVICES, EVEN IF AIRDEFENSE OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IF LICENSEE'S PRODUCTS INCLUDES THE AIRTERMINATION FEATURE, AIRDEFENSE SHALL NOT BE LIABLE WITH RESPECT TO ANY FIRST- OR THIRD-PARTY CLAIMS, LOSSES AND EXPENSES WHATSOEVER RELATED THERETO AND LICENSEE SHALL INDEMNIFY AIRDEFENSE AND HOLD AIRDEFENSE HARMLESS FROM ALL SUCH CLAIMS, LOSSES AND EXPENSES RELATED THERETO. THIS SECTION SHALL SURVIVE TERMINATION OR EXPIRATION OF THIS AGREEMENT.

9. Taxes. Licensee agrees to be responsible for and to pay, or to reimburse AirDefense on written request if AirDefense is required to pay or collect, any sales, use, or other tax (excluding any tax that is based solely on AirDefense's net income), duty, or other charge of any kind or nature that is levied or imposed by any governmental authority on Licensee's purchase/license of the Products, this Agreement or Licensee's use of the Products or Documentation.

10. Export Restrictions. THIS AGREEMENT IS SUBJECT TO ALL LAWS, REGULATIONS, ORDERS OR OTHER RESTRICTIONS WHICH MAY BE IMPOSED FROM TIME TO TIME BY THE GOVERNMENT OF THE UNITED STATES OF AMERICA ON THE EXPORT OF THE PRODUCTS OR COMPONENTS THEREOF OR OF INFORMATION ABOUT THE AIRDEFENSE PRODUCTS. NOTWITHSTANDING ANYTHING CONTAINED IN THIS AGREEMENT TO THE CONTRARY, LICENSEE SHALL NOT EXPORT OR REEXPORT, DIRECTLY OR INDIRECTLY, THE PRODUCTS, THE SOFTWARE, OR THE DOCUMENTATION OR ANY AIRDEFENSE PRODUCT (OR COMPONENT THEREOF) OR PROPRIETARY INFORMATION PERTAINING THERETO TO ANY COUNTRY TO WHICH SUCH EXPORT OR RE-EXPORT IS RESTRICTED OR PROHIBITED, OR AS TO WHICH SUCH GOVERNMENT OR ANY AGENCY THEREOF REQUIRES AN EXPORT LICENSE OR OTHER GOVERNMENTAL APPROVAL AT THE TIME OF EXPORT OR RE-EXPORT WITHOUT FIRST OBTAINING SUCH LICENSE OR APPROVAL. ADDITIONALLY, LICENSEE AGREES TO COMPLY WITH ALL LAWS, REGULATIONS, ORDERS OR OTHER RESTRICTIONS WHICH MAY BE IMPOSED BY ANY GOVERNMENTAL AUTHORITY WHICH HAS JURISDICTION OVER LICENSEE'S USE OF THE PRODUCTS, SOFTWARE OR DOCUMENTATION OR ANY AIRDEFENSE PRODUCT (OR COMPONENT THEREOF) OR PROPRIETARY INFORMATION PERTAINING THERETO.

11. Purchases from Resellers. LICENSEE UNDERSTANDS THAT IF LICENSEE PURCHASED THE PRODUCTS OR SERVICES FROM AN AUTHORIZED RESELLER OF AIRDEFENSE, THAT RESELLER IS NOT AIRDEFENSE'S AGENT AND IS NOT AUTHORIZED TO MAKE ANY REPRESENTATIONS OR WARRANTIES ON AIRDEFENSE'S BEHALF OR TO VARY ANY OF THE TERMS OR CONDITIONS OF THIS AGREEMENT. IN ADDITION, LICENSEE ACKNOWLEDGES THAT, UNLESS OTHERWISE AGREED UPON BY THAT RESELLER IN WRITING OR PROHIBITED BY LAW, THE LIMITATIONS OF WARRANTIES AND LIABILITY SET FORTH IN THIS AGREEMENT ALSO APPLY TO AND BENEFIT THAT RESELLER.

12. Indemnification.

(a) AirDefense will indemnify and hold harmless Licensee and Licensee's directors, officers, employees or agents (each an "Indemnified Party" and collectively the "Indemnified Parties"), against all third-party claims, actions and demands (each a "Claim" and collectively, "Claims") brought against any Indemnified Party including, without limitation, judgments, settlements and reasonable costs and expenses, including reasonable attorneys' fees, incurred by an Indemnified Party in connection with a Claim that the use of the Products by Licensee violates any patents, copyrights or other intellectual property rights of a third party.

(b) In the event that any such intellectual property in the opinion of AirDefense is likely to or does become the subject of a Claim, AirDefense may, at its sole option and expense, either (i) procure for the Indemnified Party the right to continue using such intellectual property, (ii) modify the intellectual property to make it non infringing, (iii) substitute intellectual property of similar capability, or (iv) terminate this Agreement and refund a pro-rata portion of the purchase price of the Products based on a three-year useful life.

(c) The obligations of AirDefense under this Section are conditioned on the Indemnified Party's giving AirDefense: (i) prompt written notice of any Claim for which indemnification is sought; (ii) complete control of the defense and settlement of such Claim if requested by AirDefense; and (iii) assistance and cooperation in such defense as AirDefense may reasonably request provided that reasonable out of pocket expenses incurred by the Indemnified Party shall be reimbursed promptly by AirDefense.

(d) Notwithstanding the foregoing, AirDefense assumes no liability for (i) infringement resulting from the use, operation or combination of the Products or any part thereof with any non-AirDefense product (that is not provided by AirDefense) if such liability would have been avoided but for such use, operation or combination; (ii) infringement involving the modification or servicing of the Products or any part thereof, by an entity other than AirDefense; (iii) failure of Licensee to implement any updates to the Software (which updates must be purchased separately under a support services agreement with AirDefense), if the infringement would have been avoided by the use of the update; and (iv) infringement arising from uses of the Products which do not comply with the uses permitted under this Agreement.

(e) Licensee shall indemnify and defend AirDefense and hold it harmless against any claims asserted by third parties that arise out of Licensee's use of the Products (or any part thereof).

(f) The indemnities in this Section 11 shall survive the termination or expiration of this Agreement.

13. Confidential Information. Licensee acknowledges that the Products (including Hardware, Software and Documentation), and Products and support services pricing, limitation of liability, indemnification and warranty terms are confidential and constitute valuable trade secrets of AirDefense. Licensee agrees to take all reasonably necessary action to protect such confidential and proprietary information, including appropriate instruction and agreement with employees and agents of Licensee. In the event of any breach of this Section each party acknowledges that the non-breaching party would suffer irreparable harm and shall therefore be entitled to seek injunctive relief. This Section shall survive termination or expiration of this Agreement.


14. General.

This Agreement is the complete and exclusive statement of the agreement between Licensee and AirDefense, and this Agreement supersedes any prior proposal, agreement, or communication, oral or written, pertaining to the subject matter of this Agreement and there are no inducements to enter into this Agreement which are not set forth herein. This Agreement shall be governed by the laws of the State of Georgia and of the United States of America, excluding (i) its conflicts of law principles and (ii) the United Nations Convention on Contracts for the International Sale of Goods. All questions concerning the terms and conditions of this Agreement should be directed to AirDefense in writing addressed to airdefensemla@airdefense.net.

15. Audit Rights. Licensee grants AirDefense the right, which AirDefense will exercise at its own expense and no more than once per year, to enter Licensee's premises during business hours for the sole purpose of examining Licensee's records and other information relating to the Licensee's use of the Products. If this examination reveals that Licensee has improperly used the Products, AirDefense shall invoice Licensee for such unauthorized use based upon AirDefense's standard fees in effect at the time the examination is completed. If the underpaid fees exceed five percent (5%) of the fees actually paid, then Licensee shall also pay AirDefense's reasonable costs of conducting the examination.

16. Dispute Resolution. All disputes arising out of or relating to this Agreement shall be finally settled by arbitration conducted in Atlanta, Georgia, United States under the rules of commercial arbitration of the American Arbitration Association. The parties shall bear equally the cost of the arbitration (exclusive of legal fees and expenses of the parties, all of which each party shall bear separately). All decisions of the arbitrator(s) shall be final and binding on both parties and enforceable in any court of competent jurisdiction. Notwithstanding the foregoing, in the event of breach by a party of its obligations hereunder, the non-breaching party may seek injunctive or other equitable relief in any court of competent jurisdiction. Licensee acknowledges that infringement of intellectual property of AirDefense or unauthorized copying would cause irreparable harm to AirDefense.

17. Publicity. Licensee agrees that during the term of this Agreement AirDefense may publicly refer to Licensee, orally and in writing, as a customer of AirDefense. Any other written reference to Licensee by AirDefense requires the prior approval of Licensee.




AirDefense Operations Guide Release 7.2, Issue 1.0, December, 2006

Copyright 2003, 2004, 2005, 2006 by AirDefense, Inc. All Rights Reserved Worldwide.

4800 North Point Parkway Alpharetta, Georgia 30022 770-663.8115 www.airdefense.net info@airdefense.net
