BeGentleWithMe-INeedHelp
asked on
How do you monitor for rogue wifi extenders or access points
A client emailed about a wifi access point that people in a remote office said stopped working.
I didn't know about its existence.
Made me wonder how others here monitor for an employee who would have legit access to the wifi SSID and password to set up a wifi extender or simply plug a wireless access point into a LAN port on the network? Yes, disconnect unused LAN ports around the office is best practice, right? But if he has 1 live port at his desk for PC and phone, he could plug a home wireless router in and use the extra ports as a switch for the PC and phone. Or again, the wifi extender doesn't need a live RJ45 port.
I don't think limiting the number of addresses in the DHCP pool would be viable. Trying to get an exact count of devices that are legit to be on the network would be hard. If someone brings in a tablet or similar, the pool is maxed out and administratively that would be a nuisance to increase the pool by 1 for that person for that day then drop it back down. And conceivably, they might know enough to set up the extender or router with a static IP.
thank you
In my case, the wireless is OK, I have control over it, but applying RADIUS to the wired network is perfect for preventing unknown machines operating within our LAN.
"It's relatively simple to spoof any MAC address on most devices"
Agree, that's why I didn't think point #1 and #2 are worth the effort (at least IMO) but applying RADIUS for LAN is a good suggestion.
I like Andre's statement #3 of using RADIUS for the wired network.