Level 8

Alert when Wireless MAC address is seen on LAN

I need assistance creating an alert that triggers whenever a Wireless MAC Address is seen on the LAN. In our environment, the Wireless and LAN networks are completely segregated, so we should never see a MAC Address on the LAN that's also been seen on the Wireless Network. UDT has all of the information, I just need to figure out how to write this alert. With the exception of a rogue wireless router, this should take care of any rogue access points that are connected to a network.

Thoughts, Comments?


0 Kudos
3 Replies
Level 10

Just to mention that most devices will have different MAC addresses for wireless connections and wired connections. I do not see how a wireless MAC would show up on a LAN connection...

0 Kudos
Level 15

ASSUMPTIONS/DEPENDENCIES:

  • All of your endpoints need to be in NPM inventory
  • All of your endpoints have a True/False custom property called "Wireless"

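-- Nodes marked as not wireless by the "Wireless" custom property...
SELECT DISTINCT Nodes.NodeID AS NetObjectID, Nodes.Caption AS Name
FROM Nodes
WHERE Nodes.Wireless = 0
AND Nodes.NodeID IN
  -- ...whose NodeID also appears in the UDT wireless endpoints view
  (SELECT NodeMACAddresses.NodeID
  FROM NodeMACAddresses
  WHERE NodeMACAddresses.NodeID IN
    (SELECT UDT_AllWLEndpoints.NodeID FROM UDT_AllWLEndpoints))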

This should work as a Custom SQL Alert for Nodes.

I haven't taken a hard look at the UDT tables and views, but I am not 100% sure there will be something in there that marks devices as non-Wireless (so to speak). There are 2 main views for UDT endpoints: UDT_AllEndpoints and UDT_AllWLEndpoints...

    I *think* that the UDT_AllEndpoints holds all endpoints, not just the wired. And AllWLEndpoints holds all of the Wireless Endpoints.

So, it isn't as easy as saying "IF Wired.MAC = Wireless.MAC THEN Alert". But the above SQL will work if you take the time to add your endpoints and mark them with a custom property.

I'm hopeful someone in the community might be able to provide some insight into another part of UDT that might mark nodes as wired. If we can find that point, then it simplifies this considerably.

Good Luck!

-ZackM

Loop1 Systems: SolarWinds Training and Professional Services

Z,

  We are not monitoring endpoints.  The wireless networks are essentially treated as "Guest Networks".  UDT logs all of the MAC Addresses that are seen on the wireless and tracks which APs they have been seen on.

Perhaps the approach is to look at each MAC address, alert if it has been both associated with an SSID, and seen on a port?

-ct

0 Kudos
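
The check suggested in the last post (alert on a MAC that has been both associated with an SSID and seen on a switch port), as an added example that is not from the thread or from SolarWinds. The tables `wl_seen` and `port_seen`, their columns and the sample rows are constructed for illustration and are not the UDT schema; MACs are normalised first because wireless and switch data often use different notations.

```python
import re
import sqlite3

# Constructed sample rows; these are NOT UDT tables or real addresses.
WIRELESS = [  # (mac, ssid, access point)
    ("00:1A:2B:3C:4D:5E", "Guest", "AP-Lobby"),
    ("a4-83-e7-11-22-33", "Guest", "AP-Floor2"),
    ("F0:18:98:AA:BB:CC", "Guest", "AP-Lobby"),
]
WIRED = [  # (mac, switch, port)
    ("001a.2b3c.4d5e", "sw-access-01", "Gi1/0/14"),
    ("a483.e711.2233", "sw-access-01", "Gi1/0/14"),
    ("0050.56ab.cdef", "sw-access-01", "Gi1/0/2"),
    ("not-a-mac", "sw-access-02", "Gi1/0/1"),
]

def norm_mac(raw):
    """Strip separators so colon, dash and dotted notations compare equal."""
    digits = re.sub(r"[\s.:-]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def find_overlap(wireless, wired):
    """Return rows for every MAC seen both on an SSID and on a switch port."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wl_seen (mac TEXT, ssid TEXT, ap TEXT)")
    db.execute("CREATE TABLE port_seen (mac TEXT, sw TEXT, port TEXT)")
    for table, rows in (("wl_seen", wireless), ("port_seen", wired)):
        # Drop rows whose MAC does not parse instead of matching on junk.
        clean = [(norm_mac(m), a, b) for m, a, b in rows if norm_mac(m)]
        db.executemany(f"INSERT INTO {table} VALUES (?, ?, ?)", clean)
    return db.execute(
        "SELECT DISTINCT w.mac, w.ssid, w.ap, p.sw, p.port "
        "FROM wl_seen AS w JOIN port_seen AS p ON p.mac = w.mac "
        "ORDER BY p.sw, p.port, w.mac"
    ).fetchall()

def ports_to_check(hits):
    """Group the overlapping MACs by the switch port they were seen on."""
    ports = {}
    for mac, _ssid, _ap, sw, port in hits:
        ports.setdefault((sw, port), set()).add(mac)
    return ports

if __name__ == "__main__":
    for (sw, port), macs in ports_to_check(find_overlap(WIRELESS, WIRED)).items():
        print(f"ALERT {sw} {port}: wireless MAC(s) on LAN: {sorted(macs)}")
```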