3 Replies Latest reply on Oct 1, 2017 1:44 PM by wfriesn1

    Alert when Wireless MAC address is seen on LAN

    cthomas

      I need assistance creating an alert that triggers whenever a Wireless MAC Address is seen on the LAN.  In our environment, the Wireless and LAN networks are completely segregated, so we should never see a MAC Address on the LAN that's also been seen on the Wireless Network.  UDT has all of the information, I just need to figure out how to write this alert.  With the exception of a rogue wireless router, this should take care of any rogue access points that are connected to a network.

       

      Thoughts, Comments?

       


        • Re: Alert when Wireless MAC address is seen on LAN
          zackm

          ASSUMPTIONS/DEPENDENCIES:

          • All of your endpoints need to be in NPM inventory
          • All of your endpoints have a True/False custom property called "Wireless"

           

          SELECT DISTINCT Nodes.NodeID AS NetObjectID, Nodes.Caption AS Name
          FROM Nodes
          WHERE Nodes.Wireless = 0
          AND Nodes.NodeID IN
            (SELECT NodeMACAddresses.NodeID
            FROM NodeMACAddresses
            WHERE NodeMACAddresses.NodeID IN
            (SELECT UDT_AllWLEndpoints.NodeID FROM UDT_AllWLEndpoints))
          

           

           

          This should work as a Custom SQL Alert for Nodes.

           

          I haven't taken a hard look at the UDT tables and views, but I am not 100% sure there will be something in there that marks devices as non-Wireless (so to speak). There are 2 main views for UDT endpoints: UDT_AllEndpoints and UDT_AllWLEndpoints...

              I *think* that the UDT_AllEndpoints holds all endpoints, not just the wired. And AllWLEndpoints holds all of the Wireless Endpoints.

           

          So, it isn't as easy as saying "IF Wired.MAC = Wireless.MAC THEN Alert". But the above SQL will work if you take the time to add your endpoints and mark them with a custom property.

           

          I'm hopeful someone in the community might be able to provide some insight into another part of UDT that might mark nodes as wired. If we can find that point, then it simplifies this considerably.

           

          Good Luck!

           

          -ZackM

          Loop1 Systems: SolarWinds Training and Professional Services

            • Re: Alert when Wireless MAC address is seen on LAN
              cthomas

              Z,

               

                We are not monitoring endpoints.  The wireless networks are essentially treated as "Guest Networks".  UDT logs all of the MAC Addresses that are seen on the wireless and tracks which APs they have been seen on.

               

              Perhaps the approach is to look at each MAC address, alert if it has been both associated with an SSID, and seen on a port?

               

              -ct
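
The correlation proposed in the reply above (flag a MAC address that has both been associated with an SSID and been seen on a switch port), as an added example that is not part of the original thread and does not query the UDT database. The row layouts, device names and MAC addresses are constructed assumptions standing in for data exported from UDT; MACs are normalized first because the same address is commonly written with colons, dashes or dots.

```python
import re
from collections import defaultdict

# Constructed sample rows (assumed export layout, not the real UDT schema).
# Wireless: (mac, ssid, access_point)   Wired: (mac, switch, port)
WIRELESS_SIGHTINGS = [
    ("00:1A:2B:3C:4D:5E", "Guest", "AP-Lobby"),
    ("a4-5e-60-11-22-33", "Guest", "AP-Floor2"),
    ("0011.2233.4455", "Guest", "AP-Floor2"),
]
WIRED_SIGHTINGS = [
    ("001a.2b3c.4d5e", "sw-access-01", "Gi1/0/14"),
    ("00:50:56:AA:BB:CC", "sw-access-01", "Gi1/0/2"),
    ("A4:5E:60:11:22:33", "sw-access-03", "Gi1/0/7"),
    ("not-a-mac", "sw-access-03", "Gi1/0/9"),  # malformed row, must be skipped
]

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    digits = re.sub(r"[:\-.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def find_overlaps(wireless, wired):
    """Map each MAC seen on both networks to where it was seen on each."""
    seen_wireless = defaultdict(set)
    for mac, ssid, ap in wireless:
        key = normalize_mac(mac)
        if key:
            seen_wireless[key].add((ssid, ap))

    ports = defaultdict(set)
    for mac, switch, port in wired:
        key = normalize_mac(mac)
        if key in seen_wireless:  # None (malformed) is never a key
            ports[key].add((switch, port))

    return {
        mac: {"wireless": sorted(seen_wireless[mac]), "ports": sorted(p)}
        for mac, p in ports.items()
    }

if __name__ == "__main__":
    for mac, hit in sorted(find_overlaps(WIRELESS_SIGHTINGS, WIRED_SIGHTINGS).items()):
        print(f"ALERT {mac}: wireless={hit['wireless']} wired={hit['ports']}")
```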

            • Re: Alert when Wireless MAC address is seen on LAN
              wfriesn1

              Just to mention that most devices will have different MAC addresses for wireless connections and wired connections. I do not see how a wireless MAC would show up on a LAN connection...