User's Guide

AirTight Management Console Configuration

Manage Authorized WLAN Policy

Specify the Authorized WLAN policy templates for the selected location in the location hierarchy using

Configuration>WIPS>Authorized WLAN Policy.

Authorized WLAN policy for a location includes a set of one or more policy templates that define the

properties of one or more authorized wireless networks. A policy template is a collection of different

network related settings such as wireless network protocols, encryption protocol used, allowed network

SSIDs, security settings, authentication type used, allowed networks and so on. An authorized WLAN

policy also specifies what networks are restricted from having Wi-Fi APs on them. Apart from this, you

can also specify what APs to categorize as rogue or authorized APs based on their RSSI signal strength.

All these parameters together constitute an authorized WLAN policy.

The RSSI of a device is statistical parameter. Using the RSSI feature can cause legitimate neighborhood

APs to be classified as Rogues and subjected to containment if automatic prevention is enabled. This will

cause neighbor Wi-Fi disruption since clients, including the legitimate neighborhood clients, will NOT be

able to connect to the Rogue AP under containment.

Even if the intention is to use RSSI to identify APs that are within the facility, it will not always work since

low power APs such as soft APs, hotspot APs running on smart phones, USB APs, etc. or APs which are

away from RSSI measurement point will still not get classified as Rogue APs due to not meeting the RSSI

threshold.

Policy templates aid in the classification of APs. A new AP or an existing Authorized AP is compared

against the templates to determine if it is a rogue or misconfigured AP. Any AP at a location that does not

comply with the WLAN policy attached to that location, is not considered to be an authorized AP.

You must apply the templates from the available list for the WLAN policy at that location.

Authorized policy templates are used to identify authorized APs and constantly check that the actual Wi-

Fi access parameters provisioned on the authorized APs meet the security policy. You can define multiple

WLAN policy templates and assign them to each location. Any new AP that is added to a location is

verified on the basis of the WLAN policy templates attached to that location. Any mismatch is used to

detect misconfiguration of the Wi-Fi access network.

The system uses the details of the authorized Wi-Fi setup at a particular location to detect the presence

of misconfigured or rogue APs in your network.

An AP is considered as being compliant to the Authorized WLAN Policy if:

It is not connected to a No Wi-Fi network for its location

Its SSID matches with one of the templates attached at that location

Is connected to one of the networks specified in that template

x Conforms to the other settings in that template (except the Authentication Framework, as this setting

is not a property of the AP itself but of the backend authentication system).

Note: If the template specifies certain allowed AP capabilities (such as Turbo, 802.11n, and so on), the

AP may or may not have those capabilities. However, if a capability is not selected, the AP must not have

that capability to be considered as compliant.

With location-based policies, you can apply different sets of policy templates for different locations.

However, you cannot attach more than one template with the same SSID at any one location.

Only the policy templates that are applied to a location are used for AP classification at that location.

Other templates that are configured but not applied to the location, will not be used for AP classification,

as they are not a part of the WLAN policy for that location.