• State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 24 subscribers
  • Views 976 views
  • Users 0 members are here
Options
Related
This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Alert when Wireless MAC address is seen on LAN

cthomas

I need assistance creating an alert that triggers whenever a Wireless MAC Address is seen on the LAN.  In our environment, the Wireless and LAN networks are completely segregated, so we should never see a MAC Address on the LAN, that's also been seen on the Wireless Network.  UDT has all of the information, I just need to figure out how to write this alert.  With the exception of a rouge wireless router, this should take care of any rouge access points that are connected to a network.

Thoughts, Comments?

DetectingRouteAPs.PNG

Parents
  • 0

    ASSUMPTIONS/DEPENDENCIES:

    • All of your endpoints need to be in NPM inventory
    • All of your endpoints have a True/False custom property called "Wireless"

    SELECT DISTINCT Nodes.NodeID AS NetObjectID, Nodes.Caption AS Name
    

    FROM Nodes
    

    WHERE Nodes.Wireless = 0
    

    AND Nodes.NodeID IN
    

      (SELECT NodeMACAddresses.NodeID
    

      FROM NodeMACAddresses
    

      WHERE NodeMACAddresses.NodeID IN
    

      (SELECT UDT_AllWLEndpoints.NodeID FROM UDT_AllWLEndpoints))

    This should work as a Custom SQL Alert for Nodes.

    I haven't taken a hard look at the UDT tables and views, but I am not 100% sure there will be something in there that marks devices as non-Wireless (so to speak). There are 2 main views for UDT endpoints: UDT_AllEndpoints and UDT_AllWLEndpoints...

        I *think* that the UDT_AllEndpoints holds all endpoints, not just the wired. And AllWLEndpoints holds all of the Wireless Endpoints.

    So, it isn't as easy as saying "IF Wired.MAC = Wireless.MAC THEN Alert". But the above SQL will work if you take the time to add your endpoints and mark them with a custom property.

    I'm hopeful someone in the community might be able to provide some insight into another part of UDT that might mark nodes as wired. If we can find that point, then it simplifies this considerably. emoticons_happy.png

    Good Luck!

    -ZackM

    Loop1 Systems: SolarWinds Training and Professional Services

  • 0 in reply to zackm

    Z,

      We are not monitoring endpoints.  The wireless networks are essentially treated as "Guest Networks".  UDT logs all of the MAC Addresses that are seen on the wireless and tracks which APs they have been seen on.

    Perhaps the approach is to look at each MAC address, alert if it has been both associated with an SSID, and seen on a port?

    -ct

Reply
  • 0 in reply to zackm

    Z,

      We are not monitoring endpoints.  The wireless networks are essentially treated as "Guest Networks".  UDT logs all of the MAC Addresses that are seen on the wireless and tracks which APs they have been seen on.

    Perhaps the approach is to look at each MAC address, alert if it has been both associated with an SSID, and seen on a port?

    -ct

Children
No Data

SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 195,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process.

SolarWinds Customer Success Center Certification Media Vault Link Accounts
About THWACK Blogs For Government Edit Settings Free Tools & Trials
Legal Documents Terms of Use Privacy California Privacy Rights Security Information
©2024 SolarWinds Worldwide, LLC. All Rights Reserved.