Configure Authorized WLAN Policy
The Authorized WLAN Policy is how WIPS determines what is considered an Authorized AP on your network. The Authorized WLAN Policy specifies the SSIDs allowed to be broadcast, allowed AP vendor types, required security and encryption settings, and other settings that allow an AP to be considered “Authorized”.
WIPS identifies and continually monitors Authorized APs and makes sure they conform to the access parameters you specify in your security policy.
There are two ways you can define your policy for authorized Wi-Fi access points:
- Use SSID Profile to verify configuration (default) — This option uses the settings of your SSID Profiles to validate the configuration of your APs. We recommend you use this option to simplify the security settings of your Wi-Fi deployment if you are protecting a WatchGuard AP network.
- Use Authorized WLAN Policy — If you want to provide specific policy settings such as allowed AP vendors or allowed networks, you can instead create an Authorized WLAN Policy for each SSID you use. You must disable the Use SSID Profile to verify configuration option before a new policy takes effect. We recommend you use Authorized WLAN Policies when you use WatchGuard APs as dedicated WIPS Sensors in a third-party AP network.
A policy template comprises properties of the authorized SSIDs or networks. It is a collection of different network-related settings such as wireless network protocols, the encryption protocol used, allowed network SSIDs, security settings, the authentication type used, and allowed networks. You can have multiple templates based on the number of authorized networks in your deployment.
Policy templates help classify APs, identify authorized APs, and constantly check that the actual Wi-Fi access parameters provisioned on the authorized APs meet your security policy. Any new AP that is added to a location is verified on the basis of the policy templates attached to that location.
You can apply different Authorized WLAN Policy templates for different locations, but you cannot apply more than one template with the same SSID at any one location. A child location automatically inherits the authorized WLAN policy from its parent location. You can also customize the WLAN policy for a child location.
Configure an Authorized WLAN Policy
To configure an Authorized WLAN Policy for a location:
- From Manage, select Configuration > WIPS > Authorized WLAN Policy.
- Select a location from the location tree to which to apply the policy. You cannot apply more than one policy with the same SSID at any one location.
A child location automatically inherits the authorized WLAN policy from its parent location.
- If wireless has been deployed at the location, select the Wi-Fi is deployed at this location check box.
- Click Add New Policy Template.
- From the Authorized SSID drop-down list, select an existing SSID to which to apply the policy. You can also type in the name of a new SSID (case sensitive).
- In the Template Name text box, type a name for this Authorized WLAN Policy template.
- In the Description text box, type a description for the policy.
- If this network is intended for guest wireless users, select the This is Guest Network check box.
- You can configure these properties for your security policy:
- Network Protocol — The network protocol of the SSID. "Any" is the default value. You can select one or more protocols from 802.11a, 802.11b, and 802.11b/g after you deselect "Any".
- Security Settings — Security protocol for the SSID. "Any" is the default value. You can select one or more protocols from 802.11i, Open, WPA, WEP after you deselect "Any".
- Encryption Protocol — Encryption protocol for the SSID. This field is enabled only when the security protocol for the SSID is WPA or 802.11i.
- Authentication Framework — Authentication protocols for the SSID. This field is enabled only when the security protocol for the SSID is WPA or 802.11i.
- Authentication Type — Higher layer authentication types that clients can use while connecting to the SSID. Authentication types do not determine the classification of APs, but are used to generate an event if a client uses a non-allowed authentication type. Wi-Fi Cloud generates this event only if it can detect the authentication protocol handshake frames. "Any" is the default value. You can select one or more options from PEAP, EAP-TLS, LEAP, EAP-TTLS, EAP-FAST, and EAP-SIM after you deselect "Any".
- AP Capabilities — Additional capabilities of the APs. Selecting a capability here does not restrict classification: the classification logic still allows APs both with and without the selected capabilities. "Any" is the default value. You can select one or more of the Turbo/Super techniques used by Atheros chipsets to get higher throughput (Turbo, 802.11n, and SuperAG) after you deselect "Any".
- MFP/802.11w — Indicates whether MFP/802.11w (management frame protection) is enabled or disabled on the SSID. "Any" is the default value. You can select either MFP/802.11w enabled or MFP/802.11w disabled after you deselect "Any".
- Allowed Networks — Select the networks where wireless traffic on the SSID is to be mapped through Authorized APs. Select "Any" to allow wireless traffic on this SSID to be mapped to any network. Alternatively, you can deselect "Any" and choose from networks that are discovered automatically or add new networks that are not yet discovered.
- Allowed AP Vendors — AP vendors that are allowed to be connected to the SSID or network. "Any" is the default value and allows all devices. To select one or more vendors from a predefined list of AP vendors, clear the "Any" check box. If you used WatchGuard Go to create your Wi-Fi networks, the Allowed AP Vendors setting is set to "WatchGuard", which allows only WatchGuard-branded devices on the network.
- Select the Apply this Policy Template to current location check box.
- Click Save to save the policy template.
Configure No Wi-Fi Networks
If there are any networks at the location that are not allowed to have APs connected to them, you can add them to the "No Wi-Fi" Networks configuration in the Authorized WLAN Policy.
If an AP at this location is connected to a "No Wi-Fi" network, the device is classified as a Rogue AP, even if it matches an Authorized WLAN Policy applied at the location. The "No Wi-Fi" network selection at a location takes precedence over any Authorized WLAN Policy templates applied at the location.
To configure "No Wi-Fi" networks:
- Go to the Select "No Wi-Fi" Networks section on the Authorized WLAN Policy page.
- Click Add.
- Type a network address to add to the list.
For example, 192.168.1.0/24 refers to a 192.168.1.x network with a subnet mask of 255.255.255.0.
- Click Save to save the Authorized WLAN Policy configuration.
Configure RSSI-based Classification
You can further classify unmanaged APs based on their RSSI signal strength.
- Select the Preclassify APs connected to monitored subnets as Rogue or Authorized APs option.
- Type the threshold RSSI value. Unmanaged APs with a signal strength stronger (a higher RSSI) than this value are preclassified as Rogue or Unauthorized APs; weaker APs are not affected by this rule.
We recommend you do not use this option in high-density business environments. Because signal strength is only a proxy for whether an AP is on your premises, this feature can result in legitimate neighboring APs being classified as Rogue and, if you have enabled intrusion prevention, subjected to containment, which disrupts a network you do not own.
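The following Python model is an added example, not WatchGuard code, that ties together the three classification rules described on this page: template matching (SSID, security, encryption, allowed vendors, allowed networks), the precedence of "No Wi-Fi" networks over any matching template, and the optional RSSI preclassification. The class and field names, the verdict strings, the sample APs, and the assumption that the RSSI heuristic is applied to every AP that matched no template are this example's own; the page does not specify WIPS's internal algorithm.

```python
"""Toy model of Authorized WLAN Policy classification (added example, not WatchGuard code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ANY = "Any"  # the page's "Any" default: the property does not constrain matching


@dataclass
class PolicyTemplate:
    # Field names are this example's own; the page only names the UI properties.
    ssid: str                                                      # case sensitive
    security: set = field(default_factory=lambda: {ANY})           # 802.11i, WPA, WEP, Open
    encryption: set = field(default_factory=lambda: {ANY})         # only checked for WPA / 802.11i
    allowed_networks: set = field(default_factory=lambda: {ANY})   # CIDR strings
    allowed_vendors: set = field(default_factory=lambda: {ANY})
    # Authentication Type and AP Capabilities are deliberately absent: the page says
    # neither decides classification (the former only raises an event).


@dataclass
class ObservedAP:
    bssid: str
    ssid: str
    security: str
    encryption: Optional[str]
    vendor: str
    wired_ip: Optional[str]   # None when the sensor cannot place the AP on a monitored subnet
    rssi_dbm: int             # assumed unit; less negative = stronger


class LocationPolicy:
    """Templates and "No Wi-Fi" networks applied at one location."""

    def __init__(self, no_wifi_networks=(), rssi_threshold_dbm=None):
        self.templates = []
        self.no_wifi = [ipaddress.ip_network(n, strict=False) for n in no_wifi_networks]
        self.rssi_threshold_dbm = rssi_threshold_dbm

    def add_template(self, tpl):
        # The page: no more than one template with the same SSID at any one location.
        if any(t.ssid == tpl.ssid for t in self.templates):
            raise ValueError(f"a template for SSID {tpl.ssid!r} already exists at this location")
        self.templates.append(tpl)

    @staticmethod
    def _on_network(ip, cidrs):
        if ip is None:
            return False
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

    def matches(self, ap, tpl):
        if ap.ssid != tpl.ssid:
            return False
        if ANY not in tpl.security and ap.security not in tpl.security:
            return False
        # Encryption only constrains WPA / 802.11i networks (the field is disabled otherwise).
        if (ap.security in ("WPA", "802.11i") and ANY not in tpl.encryption
                and ap.encryption not in tpl.encryption):
            return False
        if ANY not in tpl.allowed_vendors and ap.vendor not in tpl.allowed_vendors:
            return False
        if ANY not in tpl.allowed_networks and not self._on_network(ap.wired_ip, tpl.allowed_networks):
            return False
        return True

    def classify(self, ap):
        # 1. A "No Wi-Fi" network wins over every template at the location.
        if ap.wired_ip is not None and any(
                ipaddress.ip_address(ap.wired_ip) in n for n in self.no_wifi):
            return "Rogue"
        # 2. Any matching template makes the AP Authorized.
        if any(self.matches(ap, t) for t in self.templates):
            return "Authorized"
        # 3. Optional RSSI preclassification. Assumption of this model: the heuristic is
        #    applied to every unmatched AP, which is why a strong neighbouring AP can be
        #    tagged Rogue (the false positive the page warns about).
        if self.rssi_threshold_dbm is not None and ap.rssi_dbm > self.rssi_threshold_dbm:
            return "Rogue"
        return "Unmanaged"


def build_sample_location():
    loc = LocationPolicy(no_wifi_networks=["192.168.1.0/24"], rssi_threshold_dbm=-50)
    loc.add_template(PolicyTemplate("Corp-WiFi", security={"802.11i"}, encryption={"AES"},
                                    allowed_networks={"10.0.10.0/24"}, allowed_vendors={"WatchGuard"}))
    return loc


SAMPLE_APS = [  # constructed observations, not real devices
    ObservedAP("00:11:22:aa:bb:01", "Corp-WiFi", "802.11i", "AES", "WatchGuard", "10.0.10.5", -40),
    ObservedAP("00:11:22:aa:bb:02", "Corp-WiFi", "802.11i", "AES", "WatchGuard", "192.168.1.20", -40),
    ObservedAP("00:11:22:aa:bb:03", "Corp-WiFi", "WPA", "TKIP", "WatchGuard", "10.0.10.7", -35),
    ObservedAP("00:11:22:aa:bb:04", "Cafe-Free", "Open", None, "OtherVendor", None, -45),
]


def classify_all(loc, aps):
    return {ap.bssid: loc.classify(ap) for ap in aps}


if __name__ == "__main__":
    for bssid, verdict in classify_all(build_sample_location(), SAMPLE_APS).items():
        print(bssid, verdict)
```

The second sample AP is configured exactly like the authorized one but is plugged into the 192.168.1.0/24 "No Wi-Fi" network, so it is Rogue despite matching the template; the fourth is a neighbour's open AP with no wired-side presence that the RSSI rule tags Rogue only because it is loud, which is the case the recommendation above is about. Drop the threshold (pass `rssi_threshold_dbm=None`) and that AP stays Unmanaged.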