Posts Tagged ‘wireless’

While setting up some new Ubiquiti WiFi access points, on reboot the WiFi SSID would show for a bit and then disappear. A look at the radios on the devices showed them as Auto (Disabled).

The Ubiquiti controller's Site setting “Enable Connectivity Monitor and Wireless Uplink” is enabled by default. This means that if the access points can’t connect to (ping) the gateways defined in Network, they will not enable the SSID broadcast (and will disable wireless).

You can disable this setting, but you probably want to update the gateway in the Network details to the correct one, make sure DHCP is running or set a static address, and make sure the access point can communicate with the gateway.


On the FortiGate, create a new interface, assign it to the uplink of your internet or DMZ with a VLAN ID, and enable DHCP.

Create a policy to allow outbound traffic.

On the switch (ours is a GS752TP) that the access points plug into, tag the ports with the VLAN ID you created above: the ports where your access points plug in, as well as the port for the uplink from the switch to the router.

On your access points (ours are WNDAP360), create a new SSID and tag it to the new VLAN ID.


Finding issues in wireless networks can be hard; however, there are some tools you can use before you get the spectrum analyser in!

Auditing

Download and install inSSIDer Home.

A great way to visualise SSID strength and channels. Just note that when you run this, your ping times will go up!

Ekahau

Great heatmapping software; it is paid-for software for scanning.

How to check for deauths

Once you identify the channel, launch Wireshark (https://www.wireshark.org/) on that channel and listen for a minute or two.

First, apply this filter:

wlan.fc.type_subtype == 0xc

This will show you all the deauthentication frames that have been sent out.

Deauth Flood

Apply this filter next:

wlan.fc.type_subtype == 0x8 && wlan.sa == <BSSID of the SSID you are inspecting>

This will display beacon frames from your AP. Check the signal strength. In this case, we’ve got a good strong signal because we’re right next to the AP (right around -40 dBm on average).

Our Beacons

Next, apply this filter:

wlan.fc.type_subtype == 0xc && wlan.sa == <BSSID of the SSID you are inspecting>

This shows deauthentication frames from your AP. Note the signal strength on the far right…

Spoofed Deauths

The deauthentication frames are coming in much weaker than the valid beacon frames. This strongly indicates that another AP is spoofing your system.
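
The beacon-versus-deauth signal comparison above can be run over an exported capture instead of by eye. The Python below is an added example, not part of the original post: it assumes frames exported from tshark as tab-separated fields, and the sample rows, MAC addresses, 15 dB threshold and function names are constructed for illustration.

```python
import statistics
from collections import defaultdict

BEACON, DEAUTH = 0x8, 0xC  # wlan.fc.type_subtype values used in the filters above

# Constructed sample rows (not a real capture), in the tab-separated shape of:
#   tshark -r capture.pcapng -T fields -e wlan.fc.type_subtype -e wlan.sa -e radiotap.dbm_antsignal
SAMPLE = """\
0x0008\t02:00:00:aa:bb:01\t-41
0x0008\t02:00:00:aa:bb:01\t-40
0x0008\t02:00:00:aa:bb:01\t-39
0x000c\t02:00:00:aa:bb:01\t-78
0x000c\t02:00:00:aa:bb:01\t-80
0x000c\t02:00:00:aa:bb:01\t-79
8\t02:00:00:aa:bb:02\t-55,-58
8\t02:00:00:aa:bb:02\t-56,-57
8\t02:00:00:aa:bb:02\t-54,-59
12\t02:00:00:aa:bb:02\t-57,-60
12\t02:00:00:aa:bb:02\t-55,-58
12\t02:00:00:aa:bb:02\t-56,-59
"""

def parse(text):
    """Yield (subtype, source MAC, dBm); multi-antenna rows use the first reading."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not all(parts):
            continue  # skip rows with a missing field
        subtype, sa, dbm = parts
        yield int(subtype, 0), sa.lower(), int(dbm.split(",")[0])

def suspicious_deauths(text, max_gap_db=15, min_frames=3):
    """Return {bssid: (beacon median, deauth median)} where the two disagree."""
    rssi = defaultdict(lambda: defaultdict(list))
    for subtype, sa, dbm in parse(text):
        if subtype in (BEACON, DEAUTH):
            rssi[sa][subtype].append(dbm)
    flagged = {}
    for sa, by_type in rssi.items():
        beacons, deauths = by_type[BEACON], by_type[DEAUTH]
        if len(beacons) < min_frames or len(deauths) < min_frames:
            continue  # too few frames for a meaningful comparison
        b, d = statistics.median(beacons), statistics.median(deauths)
        if abs(b - d) > max_gap_db:  # assumed threshold; tune per site
            flagged[sa] = (b, d)
    return flagged

print(suspicious_deauths(SAMPLE))  # flagged BSSIDs with both medians in dBm
```

A flagged BSSID only means the deauthentication frames were received at a very different level from that AP's beacons; a fixed capture position is needed for the comparison to hold.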


Private Pre-Shared Key: Simplified Authentication


Organizations that are planning wireless LANs to support corporate devices, BYOD, and guest access may be struggling to find the balance between flexibility and security. Though using IEEE 802.1X is the most secure approach to Wi-Fi authentication, this method is typically only implemented for devices managed by IT. For BYOD, contractors, or guests, the IT staff may not have the access, time, or knowledge to provision certain devices.

  1. Configure Private PSK on the guest SSID to the below.

  2. Specify the PSK user groups.
    1. You will have to create them based on daily/weekly/monthly rotation.
    2. See below for details.

Note: you have to use the profile attribute as your guest user profile; in this instance, it is 2.

  3. Hit Save and view your local PPSK user groups.

  4. If you browse to Configuration > Authentication > Local Users, you will see all the pre-generated user keys.

  5. Create a user account with guest user account and password rights.
    1. Go to Home > administrators > administrators.
    2. Create new.
    3. Give a username/email and password.
    4. Assign to the User Manager Operator group.

  6. Configure the email service on HiveManager.
    1. Go to Home > Hivemanager Services and check the Email Service settings.
    2. Specify the SMTP server as 127.0.0.1.
    3. Specify a from email address.
    4. Click Update.

  7. Log in as the user who will be distributing the guest credentials.
    1. Log in to the myhive.aerohive.com portal as the new account.
    2. Click Create.
    3. Enter the details and you will have your user-specific guest account details, which you can send to them.
