This MIB is intended to be implemented on all
IOS-based network entities that provide Wireless
Domain Services, for the purpose of providing network
management stations with information about attempts
to compromise the security of 802.11-based wireless
networks. Entities that can be configured to provide
Wireless Domain Services include an 802.11 Access
Point, a switch, or any other IOS network device
that allows the WDS configuration.
The MIB reports information about MAC spoofing
attempts made by wireless clients to compromise the
security of the network.
MAC spoofing is detected by the WDS when a client
attempts to authenticate with the WDS using the MAC
address of another client while roaming from one
AP to another. Upon detecting this, the WDS
provides information about the offending client and
the username to the NMS as MIB objects.
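The check described above, modelled in Python as an added example. This is
not Cisco code and does not use the MIB's own object definitions: the WDS
caches each authenticated MN's security context keyed by MAC address, a roam
must present the credential established at full authentication, and a request
that carries a MAC already bound to another client without that client's
credential is recorded with the bound username, which is what the MIB hands to
the NMS. The event shapes, AP names, usernames and the random session key that
stands in for the cached credential are all assumptions made for this example.

```python
"""Toy model of the WDS-side MAC spoofing check.

Added illustration, not Cisco code and not the MIB's object definitions.
The WDS caches each authenticated MN's context by MAC; on a roam the MN
re-authenticates with the credential from its full authentication. A
roam that presents a MAC bound to another client, without that client's
credential, is reported as a spoofing attempt with the bound username.
AP names, usernames and the session key are assumptions for the example.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Context:
    """Cached security context for one MN (a subset of the 'Context' entry)."""
    username: str
    ap: str      # AP the MN is currently registered through
    key: str     # credential established at full authentication (assumed form)


@dataclass
class SpoofReport:
    """What the WDS would expose to the NMS for one spoofing attempt."""
    mac: str        # the MAC that was reused
    username: str   # username bound to that MAC (the legitimate client)
    from_ap: str    # AP the legitimate client is registered through
    to_ap: str      # AP the spoofed roam request arrived from


def norm_mac(mac: str) -> str:
    """Canonical form so 00-11-22-33-44-55 and 00:11:22:33:44:55 are one client."""
    return mac.replace("-", ":").lower()


class WDS:
    def __init__(self) -> None:
        self.contexts: Dict[str, Context] = {}
        self.reports: List[SpoofReport] = []

    def full_auth(self, mac: str, username: str, ap: str) -> str:
        """Full authentication through an AP. Returns the session key the
        legitimate MN will present on later roams."""
        key = secrets.token_hex(16)
        self.contexts[norm_mac(mac)] = Context(username, ap, key)
        return key

    def roam(self, mac: str, to_ap: str, key: str) -> str:
        """Fast re-authentication on a roam. Returns one of:
        'accepted'  - credential matches cached context; binding moved to to_ap
        'full-auth' - no cached context for this MAC; MN must fully authenticate
        'spoof'     - MAC is bound to another client and the credential differs
        """
        mac = norm_mac(mac)
        ctx = self.contexts.get(mac)
        if ctx is None:
            return "full-auth"
        if not hmac.compare_digest(ctx.key, key):
            # Another client's MAC presented without its credential: report it
            # and leave the legitimate binding untouched.
            self.reports.append(SpoofReport(mac, ctx.username, ctx.ap, to_ap))
            return "spoof"
        ctx.ap = to_ap
        return "accepted"


def run_scenario() -> Tuple[WDS, List[str]]:
    """Constructed scenario: alice authenticates and roams legitimately,
    then an attacker reuses alice's MAC from a third AP."""
    wds = WDS()
    alice_key = wds.full_auth("00:11:22:33:44:55", "alice", "ap-1")
    results = [
        wds.roam("00:11:22:33:44:55", "ap-2", alice_key),              # legitimate roam
        wds.roam("00-11-22-33-44-55", "ap-3", secrets.token_hex(16)),  # spoofed MAC, wrong key
        wds.roam("cc:dd:ee:ff:00:11", "ap-4", secrets.token_hex(16)),  # unknown MAC
    ]
    return wds, results


if __name__ == "__main__":
    wds, results = run_scenario()
    print(results)
    for r in wds.reports:
        print(f"spoof attempt: mac={r.mac} user={r.username} "
              f"from={r.from_ap} to={r.to_ap}")
```

The comparison uses a constant-time digest compare so a timing side channel on the cached credential does not leak it; the legitimate client's binding is left in place on a failed roam, so the attacker cannot displace the real session by merely trying.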
The hierarchy of the WDS, AP and MNs is as follows.
         +=====+         +=====+       +=====+
         |     |         |     |       |     |
         | WDS |         | WDS |       | WDS |
         |     |         |     |       |     |
         +=====+         +=====+       +=====+
          /   \             \             \
         /     \             \             \
        /       \             \             \
      \/         \/            \/            \/
    +~-~-~+   +~-~-~+       +~-~-~+       +~-~-~+
    +     +   +     +       +     +       +     +
    + AP  +   + AP  +       + AP  +       + AP  +
    +     +   +     +       +     +       +     +
    +~-~-~+   +~-~-~+       +~-~-~+       +~-~-~+
      . .         .            .             .
     .   .         .           .             .
    .     .         .          .             .
  \/       \/      \/          \/            \/
+.....+ +.....+ +-.-.-.+    +~-~-~+       +......+
+     + +     + +      +    +     +       +      +
+ MN  + + MN  + +  MN  +    + MN  +       +  MN  +
+     + +     + +      +    +     +       +      +
+.....+ +.....+ +-.-.-.+    +~-~-~+       +......+
The WDS includes authentication and registration
services for the APs. An AP provides proxy
authentication and registration services for the
MNs.
The wireless connections are represented as dotted
lines in the above diagram.
GLOSSARY
Access Point ( AP )
An entity that contains an 802.11 medium access
control ( MAC ) and physical layer ( PHY ) interface
and provides access to the distribution services via
the wireless medium for associated clients.
Mobile Node ( MN )
A roaming 802.11 wireless device in a wireless
network associated with an access point.
Wireless Domain Services (WDS)
The set of services being offered at a particular
broadcast domain that may be an IP subnet or a
particular VLAN, or across the L3 cloud. The
services include the following.
1. MN security credential caching to provide
seamless, secure intra-subnet roaming.
2. Authenticated context transfer for roaming
clients within the subnet.
Context
The mobility context for an MN includes its current
mobility bindings with the APs, IP/802 address
bindings, cached configuration parameters, QoS state,
IP group membership, authentication state, accounting
statistics, and other dynamically derived protocol
state information.