WIPS Policy Settings

Table 1. Settings for WIPS policy

Name
    Type a name for the new policy.

Description (Optional)
    Type a description.

    Although optional, descriptions can be helpful when you are troubleshooting your network.

AirDefense Essentials
    Toggle AirDefense Essentials to OFF to disable it, and then select Save.

    By default, AirDefense Essentials is ON (enabled).

    To let the AP change its operating channel for air termination, select the Allow change of operating channel for air-termination check box.

Rogue Access Point Detection

Rogue Access Point Detection (Legacy)
    Toggle Rogue Access Point Detection (Legacy) ON to enable the feature.

Determine if detected rogue APs are connected to your wired (backhaul) network
    Use this setting in combination with other WIPS techniques to determine whether a detected rogue AP is in the same network as compliant APs.

    An Extreme Networks AP builds a MAC learning table from the source MAC addresses in the broadcast traffic it receives from devices in its Layer 2 broadcast domain. When an AP running XOS 5.0r2 or later detects a rogue AP through any of the rogue detection mechanisms in the WIPS policy, it checks the MAC learning table for an entry within a 64-address range above or below the BSSID of the invalid SSID. If there is a match, it assumes that both MAC addresses belong to the same device. Because one of its addresses is in the MAC learning table, the rogue is considered to be in the same backhaul network as the detecting AP, and In Net is displayed in the In Network column for that rogue in the list of rogue APs.

Detect rogue access points based on their MAC OUI
    Select the check box to enable detection of rogue APs based on MAC OUI.

Select MAC OUIs of wireless devices that are permitted in the WLAN
    Create an allow list of wireless devices allowed on the WLAN, according to MAC OUI.

    Choose an existing MAC OUI from the Select menu, or select Add, and then select ADD.

Detect rogue access points based on hosted SSIDs and encryption type
    Select the check box to enable detection of rogue APs based on hosted SSIDs and the encryption type.

    For example, if you have a network security policy that requires all SSIDs to use Enterprise 802.1X, any valid SSID using Enterprise 802.1X makes the access point hosting it valid. An access point is categorized as a rogue if it hosts an SSID using WEP or no encryption at all.

    Select Add, and then choose one of the following:

      • Select an SSID: Select the SSID from the menu.
      • Enter an SSID Name: Type the SSID name.

    Select Check the type of encryption used by this SSID, and then select the type of encryption from the list. Otherwise, clear the check box.

    Select ADD.

Detect if wireless clients have formed an ad hoc network to identify rogue clients
    Toggle this setting ON to enable the feature.

    Select Enable rogue client reporting, and then type the number of seconds after which disconnected rogue APs drop from the reports.
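The three detection checks described above (the MAC OUI allow list, the hosted SSID and encryption type rule, and the MAC learning table test that marks a rogue as In Net) can be modelled in a few lines. The following is an added worked example, not Extreme Networks code and not the logic the AP actually runs: the allow list, SSID policy, learning table entries and observed APs are all constructed sample values, the decision that a disallowed OUI alone marks an AP as rogue is an assumption, and the 64-address window is treated as inclusive.

```python
"""Model of the WIPS rogue-AP checks described in the WIPS policy table (added example)."""
from dataclasses import dataclass

# Constructed sample policy; none of these values come from the page or the product.
ALLOWED_OUIS = {"AA:BB:CC"}                           # "Select MAC OUIs ... permitted in the WLAN"
SSID_POLICY = {"corp-wifi": "WPA2-Enterprise"}        # hosted SSID -> required encryption type
WEAK_ENCRYPTION = {"WEP", "OPEN"}                     # WEP or no encryption marks the host as rogue
LEARNED_MACS = {"AA:BB:CC:00:10:05", "AA:BB:CC:00:10:5E"}   # constructed MAC learning table


@dataclass(frozen=True)
class ApObservation:
    """One AP seen by the scanning radio: its BSSID, the SSID it hosts, and the encryption."""
    bssid: str
    ssid: str
    encryption: str


def mac_to_int(mac):
    """Turn 'AA:BB:CC:00:10:05' into an integer so address distances can be compared."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def oui(mac):
    """First three octets of a MAC address, upper-cased, e.g. 'AA:BB:CC'."""
    return mac.upper()[:8]


def oui_permitted(bssid, allowed=ALLOWED_OUIS):
    """MAC OUI allow-list check."""
    return oui(bssid) in {o.upper() for o in allowed}


def ssid_verdict(ssid, encryption, policy=SSID_POLICY):
    """Hosted SSID / encryption rule.

    A policy SSID with the required encryption makes the host valid; a policy SSID with
    any other encryption, or any SSID using WEP or no encryption, makes it rogue. Other
    SSIDs are 'unknown' to this rule (assumption: the rule alone does not decide them).
    """
    required = policy.get(ssid)
    if required is not None:
        return "valid" if encryption == required else "rogue"
    return "rogue" if encryption.upper() in WEAK_ENCRYPTION else "unknown"


def in_backhaul_network(bssid, learned=LEARNED_MACS, window=64):
    """In Net test: is any learned source MAC within `window` addresses of the BSSID?"""
    b = mac_to_int(bssid)
    return any(abs(mac_to_int(m) - b) <= window for m in learned)


def classify(obs):
    """Combine the checks into one verdict with the reasons that fired."""
    reasons = []
    if not oui_permitted(obs.bssid):
        reasons.append("oui-not-permitted")          # assumption: disallowed OUI => rogue
    rule = ssid_verdict(obs.ssid, obs.encryption)
    if rule == "rogue":
        reasons.append("ssid-encryption")
    verdict = "rogue" if reasons else rule
    return {
        "bssid": obs.bssid,
        "verdict": verdict,
        "reasons": reasons,
        # The In Net check is only evaluated for APs that some rule flagged as rogue.
        "in_net": in_backhaul_network(obs.bssid) if verdict == "rogue" else None,
    }


if __name__ == "__main__":
    # Constructed scan results: a valid corporate AP, an open AP whose BSSID sits 59
    # addresses from a learned MAC (In Net), and a WEP AP on the same OUI but outside the window.
    for ap in (
        ApObservation("AA:BB:CC:00:10:40", "corp-wifi", "WPA2-Enterprise"),
        ApObservation("AA:BB:CC:00:10:40", "free-wifi", "OPEN"),
        ApObservation("AA:BB:CC:00:11:00", "corp-wifi", "WEP"),
    ):
        print(classify(ap))
```

The In Net column in the rogue list is the cheapest way to tell a neighbour's AP from one plugged into your own switch: only a BSSID whose sibling address has been seen as a broadcast source on the wired side passes the learning-table test, which is why the page ties automatic mitigation to in-network rogues only.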

Rogue Mitigation

Mitigation Mode
    Select one of the following:

      • Manual: Manually mitigate rogue APs and their clients. In manual mode, you must periodically check for rogue APs and their clients on the heat map pages in your network hierarchy.

        Note: Use caution when mitigating a suspected rogue AP. If your WLAN is within range of other neighboring wireless networks, an access point that initially appears to be a rogue AP, along with its clients, might be valid in another WLAN.

      • Automatic: APs automatically mitigate rogue APs and their clients, starting and stopping the mitigation process without any administrator involvement.

        Note: Use automatic mode only for rogue APs that are in-network (in the backhaul network of your organization). Otherwise, automatic mitigation can disrupt the normal operation of valid APs belonging to a nearby business by blocking their wireless clients from connecting to their APs. Refer to the applicable FCC regulations, which prohibit Wi-Fi blocking in these cases.
Detect and Mitigate rogue clients every
    After you enable rogue detection on an AP, it scans detected rogue APs for clients during the period that you specify. If you manually start mitigation against a rogue, the AP not only continues scanning for clients during this period, but also sends deauthentication frames to the rogue AP and to any detected clients during the same period.

    For example, if you leave this at the default setting of 1 second, the AP checks for rogues and attacks them every second. Each time an AP checks whether clients are associated with a detected rogue, it must switch channels for about 80 milliseconds (unless it happens to be using the same channel as the rogue).

    To minimize channel switching, choose an AP that is on the same channel as the rogue to perform the mitigation. The Rogue AP list shows which channel the rogue is using. If none of the APs are using the same channel, choose the one with the fewest clients. Finally, if all the APs are busy and on different channels from the rogue, consider reducing the amount of channel switching by increasing the period so that the associated-client check occurs less frequently. You can change the duration from 1 to 600 seconds (10 minutes).

Repeat mitigation for detected rogue clients
    Specify how many consecutive periods to spend attacking a rogue AP and its clients before client inactivity is allowed to stop the attack and start a countdown to end the mitigation. If you use the default settings for both the length of the mitigation period and the consecutive number of periods, an attack lasts for 60 seconds before stopping because of client inactivity. The range is from 0 to 2,592,000 seconds (30 days). A value of 0 means that mitigator APs send deauthentication frames for the entire time that a mitigation effort is in effect.
Limit mitigation efforts per rogue AP to
    The maximum length of time that an attack against a rogue AP can last. If client inactivity does not cause the attack to be suspended and you do not manually stop the attack, the AP stops it after this time limit elapses. The default duration is 14,400 seconds (4 hours), which means that an AP continues checking for clients of a detected rogue for up to four hours and mitigates them if it finds any. The mitigation might stop sooner if the period of client inactivity lasts long enough to stop it. You can set the maximum time limit between 0 and 2,592,000 seconds (30 days).

    In cases where the time needed to locate a rogue AP would be greater than the default duration of four hours, consider increasing the duration to allow more time to locate the AP before the mitigation process ends. A value of 0 means that client detection and mitigation continue indefinitely, unless the client inactivity period elapses.

Stop mitigation if no client activity is detected in
    Set the period of time after which the mitigation process stops if the AP no longer detects clients associated with the rogue AP. During this time, the AP stops the deauthentication flood but continues checking whether any clients form new associations with the targeted AP. If the AP detects any associated clients before this period elapses, it resumes the deauthentication flood and resets the counter. If no clients are associated with the rogue AP after this period, the AP stops the mitigation process even if there is still time remaining in the maximum time limit.
Max number of mitigator APs per rogue AP
    (Applies only to automatic mode.)

    For automatic mitigation, hive members choose one AP to be the arbitrator, which is the AP to which all the detector APs send reports. The arbitrator AP also determines which detector APs perform mitigation; when they start, they become mitigator APs. Set the number of mitigator APs that the arbitrator AP can automatically assign to attack a rogue AP and its clients. If you set the maximum to 0, all the detector APs can be assigned to perform rogue mitigation.
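The four timer settings in the Rogue Mitigation section (the check period, the repeat count, the per-rogue limit, and the inactivity stop) interact in ways that are easier to see by stepping through them than by reading the descriptions. The following is an added example that models only the timing of those settings, as a way to sanity-check a configuration before enabling automatic mode; it is not Extreme Networks code, sends nothing, and makes these assumptions: the repeat setting is treated as a number of seconds of guaranteed mitigation (the page gives its range in seconds and the default is the 60 seconds implied by the page's example), the inactivity default of 30 seconds is a constructed value because the page states none, and the client check is a caller-supplied function standing in for the AP's scan.

```python
"""Timing model of the WIPS rogue-mitigation settings (added example, not the AP's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MitigationSettings:
    """The four timer settings, in seconds.

    period_s and limit_s defaults are the ones the page states; repeat_s is the value
    implied by the page's '60 seconds' example; inactivity_s is a constructed default.
    """
    period_s: int = 1          # Detect and Mitigate rogue clients every (1 to 600)
    repeat_s: int = 60         # Repeat mitigation for detected rogue clients (0 = never suspend)
    limit_s: int = 14_400      # Limit mitigation efforts per rogue AP to (0 = no limit)
    inactivity_s: int = 30     # Stop mitigation if no client activity is detected in (constructed)


def simulate_mitigation(settings, clients_seen, horizon_s=10_000):
    """Step through a mitigation in `period_s` ticks and report when and why it ends.

    `clients_seen(t)` stands in for the AP's client check at second t and returns True if
    any client is associated with the rogue AP. Returns (stop_time_s, reason,
    deauth_periods), where deauth_periods counts the periods in which the mitigator AP
    would have sent deauthentication frames. `horizon_s` bounds the simulation when the
    settings allow mitigation to continue indefinitely (limit 0 with repeat 0).
    """
    t = 0
    deauth_periods = 0
    idle_since = None              # start of the current inactivity countdown, or None
    while True:
        if settings.limit_s and t >= settings.limit_s:
            return t, "limit", deauth_periods
        if t >= horizon_s:
            return t, "horizon", deauth_periods
        # During the guaranteed phase (or always, when repeat is 0) inactivity cannot suspend.
        guaranteed = settings.repeat_s == 0 or t < settings.repeat_s
        if guaranteed or clients_seen(t):
            deauth_periods += 1
            idle_since = None      # a detected client resets the inactivity counter
        elif idle_since is None:
            idle_since = t         # attack suspended; the countdown begins
        elif t - idle_since >= settings.inactivity_s:
            return t, "inactivity", deauth_periods
        t += settings.period_s


if __name__ == "__main__":
    # Defaults with no clients ever seen: 60 deauth periods, then the countdown ends it.
    print(simulate_mitigation(MitigationSettings(), lambda t: False))
    # A client reappears at t=75 (constructed): the countdown restarts from that point.
    print(simulate_mitigation(MitigationSettings(), lambda t: t == 75))
    # Repeat 0 with a 120 s limit: frames are sent every period until the limit.
    print(simulate_mitigation(MitigationSettings(repeat_s=0, limit_s=120), lambda t: False))
```

Two edge cases stand out from the model: repeat 0 combined with limit 0 never ends on its own, and a long check period stretches the guaranteed phase across far fewer checks while the wall-clock duration stays the same, which is the trade-off the page describes for reducing channel switching.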