Configuring a Device Categorization Policy

About this task

Having devices properly classified can help suppress unnecessary unsanctioned AP alarms and allow an administrator to focus on the alarms and devices actually behaving in a suspicious manner. An intruder with a device erroneously authorized could potentially perform activities that harm your organization while appearing to be legitimate. WIPS enables devices to be categorized as access points, then defined as sanctioned or unsanctioned within the network.

Sanctioned access points are generally known to you and conform with your organization's security policies. Unsanctioned devices have been detected as interoperating within the managed network, but are not approved. These devices should be filtered to avoid jeopardizing data.

To categorize access points as sanctioned or unsanctioned:

Procedure

  1. Select Configuration > Security > Intrusion Prevention.
  2. Expand the Intrusion Prevention option within the Configuration > Security menu and select Device Categorization.
    WIPS Device Categorization Screen

    The Device Categorization screen lists those device authorization policies defined thus far.

  3. Select Add to create a new policy, Edit to modify the attributes of a selected existing policy, or Delete to remove obsolete policies from those available.
    Select Rename to change the name of a policy, or Copy to copy a policy to a different location.
    WIPS Device Categorization - Configuration Screen
  4. If you are creating a new Device Categorization policy, assign it a name (up to 64 characters) to distinguish this policy from others with similar configurations.
    Select OK to save the name and enable the remaining parameters on the screen.
  5. Select + Add Row to populate the Marked Devices field with parameters for adding an access point's MAC address, SSID, access point designation, and network authorization.
    Select the red (-) Delete Row icon as needed to remove an individual table entry.
  6. Define the following parameters to add a device to a list of devices categorized as sanctioned or unsanctioned for network operation:
    Index: Use the spinner controls to set the Index number for each Device Categorization Name.
    Classification: Use the drop-down menu to designate the target device as either sanctioned (True) or unsanctioned (False). The default setting is False, categorizing this device as unsanctioned. Thus, each added device requires authorization. A green check mark designates the device as sanctioned, while a red "X" defines the device as unsanctioned.
    Device Type: Use the drop-down menu to designate the target device as either an access point (True) or other (False). The default setting is False, categorizing this device as other than an access point. A green check mark designates the device as an access point, while a red "X" defines the categorized device as other than an access point.
    MAC Address: Enter the factory coded MAC address of the target device. This address is hard coded by the device manufacturer and cannot be modified. The MAC address will be defined as sanctioned or unsanctioned as part of the device categorization process.
    SSID: Enter the SSID of the target device requiring categorization. The SSID cannot exceed 32 characters.
  7. Select OK to save the updates to the Marked Devices list.
    Select Reset to revert to the last saved configuration.
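
The checks below apply this procedure's limits and defaults to a planned Marked Devices list before it is entered on the screen, then classify an observed device against it. This is an added example, not vendor code: the function names, the "review" status, matching on MAC address plus SSID, the non-empty name rule and the sample rows are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
MAX_NAME, MAX_SSID = 64, 32           # limits stated in steps 4 and 6
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2}){5}$")

@dataclass
class MarkedDevice:                    # one row of the Marked Devices table
    index: int
    mac: str
    ssid: str
    sanctioned: bool = False           # page default: unsanctioned
    is_ap: bool = False                # page default: other than an access point

def norm_mac(mac):                     # canonical form: 00-a0-.. equals 00:A0:..
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    return re.sub("[-:]", "", mac).upper()

def validate(name, rows):              # list of problems; empty means clean
    problems, indexes, seen = [], set(), {}
    if not 1 <= len(name) <= MAX_NAME: # non-empty is assumed; 64 is from the page
        problems.append("policy name must be 1-64 characters")
    for r in rows:
        if r.index in indexes:
            problems.append(f"index {r.index}: duplicate index")
        indexes.add(r.index)
        if len(r.ssid) > MAX_SSID:
            problems.append(f"index {r.index}: SSID exceeds 32 characters")
        try:
            key = (norm_mac(r.mac), r.ssid)
        except ValueError as exc:
            problems.append(f"index {r.index}: {exc}")
            continue
        if seen.setdefault(key, r.sanctioned) != r.sanctioned:
            problems.append(f"index {r.index}: conflicting classification")
    return problems

def classify(rows, mac, ssid):         # rows must already pass validate()
    same_mac = [r for r in rows if norm_mac(r.mac) == norm_mac(mac)]
    if any(r.ssid == ssid and r.sanctioned for r in same_mac):
        return "sanctioned"
    if any(r.sanctioned for r in same_mac):
        return "review"                # sanctioned MAC seen with an unlisted SSID
    return "unsanctioned"              # unlisted devices are never trusted

ROWS = [                               # constructed sample rows, not real devices
    MarkedDevice(1, "00-11-22-33-44-55", "corp-wlan", sanctioned=True, is_ap=True),
    MarkedDevice(2, "66:77:88:99:AA:BB", "free-wifi"),   # both defaults apply
]
```
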