
Interpreting CleanAir info from WLC

Ronald Nutter
Level 1

Just activated CleanAir at one of my remote offices. I am seeing a Video Camera showing up on one of my AP's. It tells me 100% duty cycle, RSSI of -80, DevID 0x3002 and severity of 37. This is all that I have been able to glean, no MAC address, nothing else. I have compared the RSSI to everything else associated on that AP and the values don't match, which tells me that it is probably an external device. Since there is so little info on CleanAir that has been documented at this point, is there anything else that I can do to find this interferer? Would like to be able to at least id the manufacturer of the device and have a chance at denying it from trying to associate to any of my AP's.


Leo Laohoo
Hall of Fame

Would like to be able to at least id the manufacturer of the device and have a chance at denying it from trying to associate to any of my AP's.

You don't need CleanAir to accomplish this. Let's take away CleanAir from the equation for a moment. If you are using WLC alone, then if you go to the main page and click on "Clients" it will tell you the different wireless NICs trying to associate to your SSID. On the right-hand side, you'll see a drop down icon and choose "Disable". If the client you have is advertising a different SSID then you will need to "contain" the client.

Before I continue to discuss the "contain" option with you, I will have to read you the "Miranda" rights in relation to the risks involved in containing a client that is deemed to be "legitimate". In some countries, containing a client (whether legitimate or not) is deemed an offense and punishable by law. Soooooo ... you have been "Miranda-ized".

To contain a client, go to the main page and choose on the right-hand side the options of "Adhoc Rogue", "Adhoc Client" or "Rogue AP".  Click on the "details", choose "Malicious", choose "Contain" and choose up to 4 APs.

So what is CleanAir?

CleanAir is a feature of the 3500i/e that allows the AP to "switch channels" if interference is detected.

My problem is that going on what little info that CleanAir is giving me, I can't associate the CleanAir Interference device to anything else on the AP. I am going just on RSSI at this point because I have nothing else to work with. That is why I am trying to find at least the MAC address so I can give the remote office (located on the east coast) the info on trying to find the device (I am located in the midwest).

I am also trying to be proactive with a request I expect to see coming from the Sarbanes-Oxley auditors on being able to block potential sources of interference from being able to associate to AP's on the network.

I am expecting that the device is nearby our network. Just need to prove to management that I have taken reasonable precautions to prevent a problem.

Ron

Figured out how to do some debugging on the remote AP.  Here is what I had come back -

*Nov 15 21:45:12.991: CleanAir: IDR: 2(27:0) Video Camera Update 2.4GHz
*Nov 15 21:45:12.991: CleanAir:      ISI=26 -77 dBm duty=100
*Nov 15 21:45:12.991: CleanAir:      c=00000001 sig(4)=1024BE50
*Nov 15 21:45:12.991: CleanAir:      on/report/seen 344194/89/53 secs ago

Still working with the various debugging commands that are available with CleanAir.  Hope to be able to get some more info about this device.

Ron

I back up leolaohoo on this.

What tells you that the camera has a MAC address to begin with? If a microwave is detected, CleanAir can't give you the manufacturer of it.

The duty cycle at 100 would underline that it's actually not a Wi-Fi device but a device that transmits analog on the whole 2.4GHz band, jamming you completely. You have to go there and start the kicking.

Hope this helps.

Nicolas
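
An added example, not part of the original thread and not a Cisco tool: a small parser for the AP debug output Ron posted, pulling out the fields the replies reason about (device type, RSSI, duty cycle). The line format is inferred from the single sample in the thread, and the field names and the `continuous()` check that follows Nicolas's reading of a 100% duty cycle are assumptions.

```python
import re
from dataclasses import dataclass

# Debug output copied from the post above.
SAMPLE = """\
*Nov 15 21:45:12.991: CleanAir: IDR: 2(27:0) Video Camera Update 2.4GHz
*Nov 15 21:45:12.991: CleanAir:      ISI=26 -77 dBm duty=100
*Nov 15 21:45:12.991: CleanAir:      c=00000001 sig(4)=1024BE50
*Nov 15 21:45:12.991: CleanAir:      on/report/seen 344194/89/53 secs ago
"""

# Patterns inferred from that one sample (assumption, not a documented format).
HEADER = re.compile(r"CleanAir: IDR: \S+ (?P<kind>.+?) (?P<event>\w+) (?P<band>[\d.]+GHz)\s*$")
LEVELS = re.compile(r"ISI=(?P<isi>\d+) (?P<rssi>-?\d+) dBm duty=(?P<duty>\d+)")
SIG = re.compile(r"sig\(\d+\)=(?P<sig>[0-9A-Fa-f]+)")
AGE = re.compile(r"on/report/seen (?P<on>\d+)/(?P<report>\d+)/(?P<seen>\d+) secs ago")

@dataclass
class Interferer:
    kind: str
    band: str
    isi: int = 0
    rssi_dbm: int = 0
    duty_pct: int = 0
    signature: str = ""
    on_secs: int = 0

    def continuous(self) -> bool:
        # Per the reply above: a 100% duty cycle points to a constant,
        # non-Wi-Fi transmitter, so expect no MAC address in the report.
        return self.duty_pct >= 100

def parse_idr(text: str) -> list:
    """Group the continuation lines under each 'IDR:' header into one record."""
    records = []
    for line in text.splitlines():
        if m := HEADER.search(line):
            records.append(Interferer(m["kind"], m["band"]))
            continue
        if not records:
            continue  # continuation line with no header seen yet
        cur = records[-1]
        if m := LEVELS.search(line):
            cur.isi, cur.rssi_dbm, cur.duty_pct = int(m["isi"]), int(m["rssi"]), int(m["duty"])
        if m := SIG.search(line):
            cur.signature = m["sig"]
        if m := AGE.search(line):
            cur.on_secs = int(m["on"])
    return records
```
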

Ronald,

So in terms of the discussion here, your desire is to id the manufacturer and MAC address of the camera detected. Something to keep in mind here is that if it is not an IP/network protocol device there may not be a MAC address, and more importantly there may not be a typical packet structure for anything to grab the information from. For example, X10 makes an analog camera that runs in the 2.4GHz band; it doesn't conform to any 802.11 spec so you can't see the MAC or any info, but any spec analyzer will determine it's a camera based on the amplitude/modulation signature. A few years back RadioShack also made audio video senders that behaved in the same manner, and AMX Netwave makes an audio/video control panel that uses a proprietary wireless mechanism. All of these devices can be identified as either a camera or a constant transmitter operating in the band but they don't provide any other details. For reference, the reason that spectrum analyzer software and CleanAir can partially id cordless phones is because they are more standardized from brand to brand and many of them use 802.11 DSS rather than something proprietary.

It can be extremely tough to locate these sources. The easiest way is to go on-site and use a directional antenna attached to a spectrum analyzer, and make sure you have an attenuator in line. Then you can find the signal and sweep to fine tune the direction it's originating from; the attenuator allows you to manually and predictably degrade the signal strength to further identify the direction.

In terms of it connecting to your network, it's unlikely that it is; it is most likely something that exists around your facility and it is most likely just talking with its base station.

Hope this info helps, please rate useful or helpful posts.

Thanks,

Kayle

My problem is that going on what little info that CleanAir is giving me, I can't associate the CleanAir Interference device to anything else on the AP. I am going just on RSSI at this point because I have nothing else to work with. That is why I am trying to find at least the MAC address so I can give the remote office (located on the east coast) the info on trying to find the device (I am located in the midwest).

Ok.  So if you are suspecting that there is a wireless device (not a client) that could be interfering with your WLAN (such as Bluetooth, microwave oven, cordless phones).

CleanAir won't tell you what the MAC addresses are but it will tell you what they are.

You can also try to enable the 3500 to go into "Monitor" mode so the AP can "sniff" the air out.  Warning:  If an AP goes into "Monitor" mode, it will stop transmitting/receiving data (including voice and video) traffic.
