CISCO-WDS-IDS-MIB
This MIB is intended to be implemented on all IOS-based network entities that provide Wireless Domain Services (WDS), for the purpose of providing network management stations (NMS) with information about attempts to compromise the security of 802.11-based wireless networks. Entities that can be configured to provide Wireless Domain Services include an 802.11 Access Point, a switch, or any other IOS network device that allows the WDS configuration.

The MIB reports information about MAC spoofing attempts made by wireless clients to compromise the security of the network. MAC spoofing is detected by the WDS when a client attempts to authenticate with the WDS using the MAC address of another client while roaming from one AP to another. Upon detecting this, the WDS provides the information about the client and the username to the NMS as MIB objects.

The hierarchy of the WDS, APs and MNs is as follows.

           +=====+          +=====+  +=====+
           |     |          |     |  |     |
           | WDS |          | WDS |  | WDS |
           |     |          |     |  |     |
           +=====+          +=====+  +=====+
             / \               |        |
            /   \              |        |
           /     \             |        |
          /       \            |        |
         /         \           |        |
       \/           \/        \/        \/
    +~-~-~+       +~-~-~+   +~-~-~+  +~-~-~+
    +     +       +     +   +     +  +     +
    + AP  +       + AP  +   + AP  +  + AP  +
    +     +       +     +   +     +  +     +
    +~-~-~+       +~-~-~+   +~-~-~+  +~-~-~+
      . .            .         .        .
     .   .           .         .        .
    .     .          .         .        .
   \/      \/        \/       \/        \/
+.....+  +.....+  +-.-.-.+  +~-~-~+  +......+
+     +  +     +  +      +  +     +  +      +
+ MN  +  + MN  +  +  MN  +  + MN  +  +  MN  +
+     +  +     +  +      +  +     +  +      +
+.....+  +.....+  +-.-.-.+  +~-~-~+  +......+

The WDS provides authentication and registration services for the APs. An AP provides proxy authentication and registration services for the MNs. The wireless connections are represented as dotted lines in the above diagram.

GLOSSARY

Access Point (AP)
    An entity that contains an 802.11 medium access control (MAC) and physical layer (PHY) interface and provides access to the distribution services via the wireless medium for associated clients.

Mobile Node (MN)
    A roaming 802.11 wireless device in a wireless network, associated with an access point.

Wireless Domain Services (WDS)
    The set of services offered at a particular broadcast domain, which may be an IP subnet or a particular VLAN, or across the L3 cloud. The services include the following.
    1. MN security credential caching, to provide seamless, secure intra-subnet roaming.
    2. Authenticated context transfer for a roaming client within the subnet.

Context
    The mobility context for an MN includes its current mobility bindings with the APs, IP/802 address bindings, cached configuration parameters, QoS state, IP group membership, authentication state, accounting statistics, and other dynamically derived protocol state information.
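The following Python model is an added illustration of the MAC spoofing check that the description above implies; it is not part of the MIB and not Cisco's implementation. It assumes that the WDS credential cache is keyed by client MAC and holds the username that was authenticated for that MAC together with the AP the MN is currently bound to, and that a proxied authentication for an already-cached MAC under a different username is what the WDS reports as a spoofing attempt (the real WDS compares against cached security credentials and context; the username stands in for them here). The class names WdsCache and SpoofEvent, the function run_sample, and the sample MAC addresses, usernames and AP names are all constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SpoofEvent:
    """What a WDS would hand to the NMS about one detected attempt
    (fields modelled on the description: client MAC, username, AP)."""
    mac: str           # the (spoofed) client MAC presented in the request
    claimed_user: str  # username the spoofing client authenticated as
    bound_user: str    # username the WDS already had cached for that MAC
    ap: str            # AP that proxied the request to the WDS


@dataclass
class WdsCache:
    """Toy model of the WDS security credential cache (assumption: keyed
    by client MAC, value = authenticated username and current AP)."""
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    events: List[SpoofEvent] = field(default_factory=list)

    def authenticate(self, mac: str, username: str, ap: str) -> bool:
        """Process one authentication request proxied by an AP.

        Returns True when the request is accepted (first association or a
        legitimate roam) and False when it is flagged as MAC spoofing.
        """
        mac = mac.lower()
        entry = self.bindings.get(mac)
        if entry is None:
            # First time this MAC authenticates: create the cache entry.
            self.bindings[mac] = (username, ap)
            return True
        bound_user, _current_ap = entry
        if bound_user != username:
            # The MAC is already bound to another client's identity, so this
            # "roam" is using someone else's MAC: record the event and reject.
            self.events.append(SpoofEvent(mac, username, bound_user, ap))
            return False
        # Same identity re-authenticating, possibly from another AP: a
        # legitimate roam, so move the binding to the new AP.
        self.bindings[mac] = (username, ap)
        return True


def run_sample() -> Tuple[WdsCache, List[bool]]:
    """Feed a constructed sequence of proxied authentications to the cache."""
    wds = WdsCache()
    # Constructed sample traffic: two legitimate MNs associate and roam, and
    # a third client tries to authenticate with the first MN's MAC from ap3.
    requests = [
        ("00:11:22:33:44:55", "alice", "ap1"),    # alice first associates
        ("00:11:22:33:44:66", "bob", "ap2"),      # bob first associates
        ("00:11:22:33:44:55", "alice", "ap2"),    # alice roams ap1 -> ap2
        ("00:11:22:33:44:55", "mallory", "ap3"),  # mallory spoofs alice's MAC
        ("00:11:22:33:44:66", "bob", "ap3"),      # bob roams ap2 -> ap3
    ]
    results = [wds.authenticate(mac, user, ap) for mac, user, ap in requests]
    return wds, results


if __name__ == "__main__":
    wds, results = run_sample()
    for ev in wds.events:
        print(f"MAC spoofing: {ev.mac} claimed by {ev.claimed_user} at {ev.ap}, "
              f"cached for {ev.bound_user}")
```

Run stand-alone, the model accepts the four legitimate requests, rejects the fourth request, and records a single SpoofEvent naming alice's MAC, the claimed user mallory, the cached user alice and the reporting AP ap3; alice's binding stays on ap2 rather than being moved by the rejected request.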