Deploying a new (wireless) network is just one piece of the puzzle. Maintaining that network is just as important—if not more so in the long run. And that’s where network monitoring comes in. It lets you review historical data through logs and dashboards, helps with (live) client troubleshooting, and gives you the tools to check compliance and spot potential threats.
From a CWSP perspective, the focus here is on compliance and security. You want to know what your users are doing, whether your systems are up-to-date, and if anything suspicious is happening on your network. This chapter takes a closer look at what to keep an eye on and how to stay in control.
Secure Management Protocols
The first rule when it comes to managing and monitoring your network: use secure protocols. That might sound obvious, but it’s worth repeating. Secure protocols typically include an “S” in the acronym or “secure” in their name—but don’t be fooled into thinking they’re automatically bulletproof. What they do offer is an initial layer of protection, mainly by encrypting the traffic between you and the device or system you’re managing.
Why does that matter? Because the number one risk here is eavesdropping.
Instead of exposing login credentials or other sensitive data in cleartext, these protocols encrypt the session:
- HTTPS instead of HTTP
- SSHv2 instead of Telnet or SSHv1
- SFTP or SCP instead of FTP
Let’s say you’re logging into your network’s management interface over HTTP. If someone’s listening, they could easily sniff your credentials—and now they’ve got admin access. Same story with logging into an AP or controller over Telnet. It’s not worth the risk.
Most wireless infrastructure gear ships with built-in (self-signed or vendor-signed) certificates, used mainly for internal communication between APs and controllers. For external management there's usually a separate management certificate. Replace those default certificates with ones issued by your organization's own certificate authority, and make sure the machines you manage from actually trust that CA, so that a certificate warning on a login page means something instead of being clicked through by habit. Don't leave default credentials or certs in place; you might as well open the front door.
Let’s wrap up this section with SNMP. If you’re using SNMP in your monitoring tools, always go for SNMPv3, and configure it at the authPriv security level so you actually get both authentication and encryption (SNMPv3 also allows noAuthNoPriv and authNoPriv, which give up most of the benefit). That addresses the glaring weaknesses of SNMPv1 and v2c: the community string is the only credential, it travels in cleartext, and anyone who knew the device’s IP address and that string could poll the device, and possibly even write changes if a read-write community was enabled.
Yes, SNMPv1 and v2c are still out there. But just because something works doesn’t mean it’s safe. If you’re just starting out, let this be one of the first things you check and lock down.
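One way to turn "check and lock down" into something repeatable is to scan exported device configurations for the weak settings this section lists. The following is an added example, not code from the study guide or from any vendor tool. It assumes Cisco IOS-style syntax (other platforms need their own patterns), and the sample configuration is constructed here to contain the classic mistakes.

```python
"""Audit a device configuration for insecure management protocols.

Added example, not from the CWSP study guide or a vendor tool.
Assumption: Cisco IOS-style syntax; the sample config is constructed.
Findings are (code, severity, detail) tuples.
"""
import re

# Constructed sample configuration with the usual problems in it.
SAMPLE_CONFIG = """\
hostname wlc-edge-1
ip http server
no ip http secure-server
snmp-server community public RO
snmp-server community private RW
snmp-server group LEGACY v3 noauth
snmp-server group NMS-RO v3 priv
ip ssh version 1
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
"""

SNMP_COMMUNITY = re.compile(r"snmp-server community (\S+)\s*(RO|RW)?", re.I)
SNMP_V3_GROUP = re.compile(r"snmp-server group (\S+) v3 (noauth|auth|priv)", re.I)


def audit_config(config_text):
    """Walk the config once and collect findings for cleartext or weak
    management access: HTTP, Telnet, SSHv1, SNMPv1/v2c and SNMPv3 without priv."""
    findings = []
    current_line_block = None   # remembers which 'line vty ...' block we are in
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("line "):
            current_line_block = line
            continue

        m = SNMP_COMMUNITY.match(line)
        if m:
            community, mode = m.group(1), (m.group(2) or "RO").upper()
            # Any community string is v1/v2c; a read-write one is the worst case.
            severity = "high" if mode == "RW" else "medium"
            findings.append(("SNMP-V1V2C", severity,
                             f"community '{community}' ({mode}) sent in cleartext"))
            continue

        m = SNMP_V3_GROUP.match(line)
        if m and m.group(2).lower() != "priv":
            findings.append(("SNMPV3-NOPRIV", "medium",
                             f"group {m.group(1)} uses {m.group(2)}; use authPriv"))
            continue

        if line == "ip http server":
            findings.append(("HTTP-MGMT", "high", "cleartext HTTP management enabled"))
        elif line == "no ip http secure-server":
            findings.append(("HTTPS-OFF", "medium", "HTTPS management disabled"))
        elif line == "ip ssh version 1":
            findings.append(("SSHV1", "high", "SSHv1 allowed; force 'ip ssh version 2'"))
        elif line.startswith("transport input") and current_line_block:
            methods = line.split()[2:]
            if "telnet" in methods or "all" in methods:
                findings.append(("TELNET", "high",
                                 f"{current_line_block}: {line} (allow ssh only)"))
    return findings


if __name__ == "__main__":
    for code, severity, detail in audit_config(SAMPLE_CONFIG):
        print(f"{severity:6} {code:14} {detail}")
```

Run it against a directory of nightly config backups and the output doubles as the compliance evidence this chapter talks about. Note that the "clean" SNMPv3 group in the sample (`v3 priv`) produces no finding, while the `noauth` group does: SNMPv3 on its own is not the fix, authPriv is.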
Network Monitoring
There are plenty of options to monitor enterprise WLAN environments for performance and security. As mentioned in the introduction, monitoring ensures that a system maintains desired performance, complies with regulations, and verifies network availability. It also allows you to perform security audits and locate vulnerabilities or threats.
These checks can be done manually, but it’s better to automate most of them. Manual tasks should ideally be limited to decision-making. You don’t want everything automated to the point that actions happen without you even knowing—like a user being blocked or an AP rebooting—because of some automated trigger. It’s up to us, the professionals, to assess the risk and decide when a specific action should happen automatically and when it should remain manual.
Here are some common tools used for WLAN network monitoring:
Wireless Intrusion Detection System (WIDS)
A WIDS gathers information about a network and focuses on detection as a passive activity. Hardware sensors distributed across the network collect and report data to a central WIDS engine. This system analyzes the data and can detect anomalies, which may then trigger alerts or recommended actions.
Wireless Intrusion Prevention System (WIPS)
WIPS shares many features with WIDS but adds the ability to actively respond to threats. It can take pre-approved actions to mitigate issues. Key features include:
- Hardware sensor-based monitoring
- Threat mitigation (e.g., containment, blocking, notifications)
- Detection of attacks (e.g., DoS, rogue APs)
- Integrated RF spectrum analysis
- Compliance validation (legal and corporate)
- Location tracking of RF devices
Wireless Network Management Systems (WNMS)
A WNMS is a centralized solution that may run on hardware, virtual infrastructure, or in the cloud. It acts as the management plane for the entire WLAN, potentially controlling APs, WLAN controllers, RADIUS servers, and location services—depending on the vendor.
Most vendors build their WNMS to fit their own ecosystem. Third-party support is becoming rare, though it still exists. These more open systems are usually more general-purpose network management systems (NMS) than WLAN-specific ones.
Personally, I wouldn’t recommend mixing WLAN vendors on the same campus. If you’re using different vendors across separate locations, it makes sense to use each vendor’s own WNMS. And if you need to integrate multiple vendors into a single platform—like your own custom dashboard—you can definitely do that using APIs and some code.
Protocol Analyzers
Protocol analysis software captures 802.11 frames. While primarily used for troubleshooting, it’s also useful for validating normal operations or uncovering threats and vulnerabilities. The gold standard here is still Wireshark—it’s cross-platform, open-source, and free. One practical caveat: to see actual 802.11 management and control frames (beacons, probes, deauthentication), the capturing adapter has to support monitor mode on the channel you care about; a normal client-mode capture only shows you the wired-side (802.3) view of your own traffic.
Spectrum Analyzers
Spectrum analyzers monitor the RF environment, helping identify what types of signals are present on specific frequencies and how strong they are. Like protocol analyzers, they’re used for both troubleshooting and proactive monitoring. Built-in spectrum analysis capabilities in some APs can help you detect interference sources (like that microwave at 12:00 PM) or keep an eye on normal RF behavior.
Analytics Platforms
While the WNMS handles configuration and control, it’s often not built to manage or visualize the huge amount of data coming from a WLAN. That’s where analytics platforms come in. These systems specialize in visualizing data (graphs, dashboards), capturing WLAN statistics, and providing insights—often enhanced by machine learning.
Rogue AP and Client Detection
Since the early days of 802.11, rogue devices have been seen as both a security threat and a source of RF interference. That hasn’t changed. A rogue AP is any access point operating in your physical space that hasn’t been authorized by you. These can be deployed intentionally—or unintentionally.
A common unintentional example is a SOHO printer broadcasting its own SSID (e.g., printer-<id>-wifi) to support wireless printing. One or two might be acceptable RF-wise, but if every office room has one, they start to clutter the spectrum quickly. Besides, you don’t want just anyone connecting to your printer—remember, RF has no walls.
Mobile hotspots are another concern. They’re easily configurable, and someone could create a true rogue AP by mimicking your corporate SSID and password. On a WPA2-Personal (pre-shared key) network, any client that knows the passphrase will happily auto-connect to the rogue device, which makes capturing its traffic extremely easy. Yes, it can be that simple. On an 802.1X/EAP network the same trick only works against clients that don’t validate the RADIUS server certificate, which is one more reason to enforce that validation in your supplicant profiles.
That’s why you want to be alerted the moment something like this happens. Your authorized APs (or dedicated sensors) hear the beacons from the rogue device, and because the BSSID in those beacons doesn’t match any radio your controller manages, the system knows the signal isn’t originating from your infrastructure.
Another attack scenario involves someone connecting a real AP to an unprotected wired port—say, at the reception desk. If the device is small enough, it could go unnoticed. Later, the attacker sits next door in the waiting area or lobby, opens a laptop (or even just a phone), and attempts to access wired network resources. And honestly, someone working on a laptop in a hotel-style lobby doesn’t look suspicious at all.
I haven’t seen this happen in real life, but I’ve heard about these scenarios—and they don’t seem like sci-fi to me.
Best Practices for Rogue AP Detection and Prevention
- Disable unused Ethernet ports: A simple but effective way to prevent unauthorized devices from being plugged into open wall jacks.
- Clearly state your acceptable use policy (AUP): Make it clear—internally and externally—that setting up unauthorized APs is not allowed.
- Implement Network Access Control (NAC): Only allow trusted devices onto the network. 802.1X is strongly preferred over MAC address filtering.
- Use enterprise WLAN solutions with rogue AP detection/mitigation: Systems like WIPS and WIDS can detect and respond to rogue APs. Some can even triangulate their physical location.
Enterprise WIPS Topology
We’ve mentioned WIPS (Wireless Intrusion Prevention System) a few times already, but let’s look at what’s actually under the hood in a typical deployment.
A WIPS is typically a network of sensors reporting to a centralized server or engine. There are two types of WIPS deployments: integrated and overlay.
Integrated WIPS
We refer to a deployment as integrated when the WIPS sensors are built into the APs. Some APs have dedicated sensor radios, while others use dual-purpose radios that both service clients and perform (off-channel) scans. APs with dedicated sensor radios are generally preferred—they’re always on and don’t have to split their time between scanning and serving clients.
The WIPS server in an integrated model could be the WLAN controller itself, or it might require a separate server or a containerized (e.g., Docker) application.
As more deployments shift to distributed cloud models (think Extreme/Aerohive, Meraki, etc.), the WIPS intelligence is increasingly cloud-based too. These cloud-native WIPS features can still be somewhat basic, and if advanced capabilities are needed, a dedicated appliance might still be the better choice.
Overlay WIPS
In an overlay deployment, the WIPS sensors are separate hardware devices, not integrated into the APs. They can be vendor-specific or vendor-agnostic solutions. Examples include AirTight SpectraGuard (source: Google) or Wyebot (which is more of a performance optimization tool than a full WIPS, though).
The key advantage of overlay deployments is that all hardware resources (CPU, memory, etc.) are fully dedicated to WIPS tasks. Even with dedicated sensor radios in APs, resources are still shared between the radios and the AP’s other functions. The trade-off with overlay models is the added hardware, installation, and cabling cost, which usually outweighs the fairly modest price difference between APs with and without dedicated WIPS radios.
A typical sensor-to-AP ratio in overlay deployments is around 1:3 to 1:5. This helps manage costs while maintaining effective coverage and functionality.
For what it’s worth, I’ve only seen integrated WIPS deployments so far—but I’m still early in my wireless journey, so who knows what lies ahead.
Defining WIPS Policies
Once you’ve chosen a deployment model, the next step is defining your WIPS policies.
Start by classifying your own APs as trusted sources. This shouldn’t be too hard if WIPS is managed through your WLAN controller or cloud platform.
Then you need to establish a baseline. What does “normal” look like in your environment? This includes expected RF coverage, common spectrum patterns, trusted client types (especially in non-BYOD environments), and known neighboring Wi-Fi networks.
During deployment, all detected networks can be categorized into:
- Internal/trusted – your infrastructure
- Neighboring/interfering – nearby offices, MDUs, etc.
- Rogue – unauthorized or malicious
- Unclassified – not yet labeled
Sensor data can then be collected, filtered, and compared to pre-defined usage thresholds set during the initial config. Most WIPS platforms also generate activity reports for statistical analysis.
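To make the classification concrete, and to show how the evil-twin and "AP on an open wall jack" cases from the rogue AP section fall out of it, here is an added example; it is not code from the study guide or from any WIPS vendor. It assumes the managed-BSSID list is exported from your WLAN controller or cloud platform, the wired MAC list from your switches’ MAC-address tables, and the beacons are constructed. The on-wire check is a deliberately simple heuristic; vendors use richer correlation.

```python
"""Classify detected 802.11 networks against a WIPS baseline.

Added example, not from the CWSP study guide or any WIPS vendor.
Assumptions: MANAGED_BSSIDS comes from the controller/cloud platform,
WIRED_MACS from switch MAC-address tables, beacons are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    bssid: str     # radio MAC in the beacon, lower-case
    ssid: str
    channel: int
    rssi: int      # dBm as measured by the detecting sensor


# Constructed baseline for this example.
MANAGED_BSSIDS = {"aa:bb:cc:00:01:10", "aa:bb:cc:00:01:20"}
CORPORATE_SSIDS = {"corp-wifi", "corp-guest"}
KNOWN_NEIGHBORS = {"nextdoor-office", "cafe-free-wifi"}
WIRED_MACS = {"de:ad:be:ef:00:42", "00:11:22:33:44:55"}
NOISE_FLOOR_DBM = -80      # weaker than this: log it, don't page anyone


def _mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def seen_on_wire(bssid, wired_macs=WIRED_MACS, window=8):
    """Heuristic (assumption, not vendor logic): consumer APs usually derive
    the BSSID from their wired MAC, so a wired MAC within a few addresses of
    the BSSID suggests the rogue radio is bridged onto our LAN."""
    b = _mac_to_int(bssid)
    return any(abs(_mac_to_int(m) - b) <= window for m in wired_macs)


def classify(beacon):
    """Return (category, reason) using the four categories from the text.
    Order matters: an evil twin is a rogue even if it is weak or far away."""
    if beacon.bssid in MANAGED_BSSIDS:
        return "internal", "BSSID belongs to a managed radio"
    if beacon.ssid in CORPORATE_SSIDS:
        return "rogue", f"our SSID '{beacon.ssid}' from an unmanaged BSSID (evil twin)"
    if seen_on_wire(beacon.bssid):
        return "rogue", "unmanaged AP appears to be connected to our wired network"
    if beacon.ssid in KNOWN_NEIGHBORS:
        return "neighbor", "baselined neighboring network"
    if beacon.rssi < NOISE_FLOOR_DBM:
        return "unclassified", "too weak to matter; keep in the baseline log"
    return "unclassified", "new network in range; needs manual review"


def triage(beacons):
    """Only rogues raise an alert; everything else is recorded for the baseline."""
    alerts = []
    for b in beacons:
        category, reason = classify(b)
        if category == "rogue":
            alerts.append((b.bssid, b.ssid, reason))
    return alerts


SAMPLE_BEACONS = [  # constructed observations from one sensor
    Beacon("aa:bb:cc:00:01:10", "corp-wifi", 36, -45),
    Beacon("de:ad:be:ef:00:40", "corp-wifi", 6, -50),         # evil twin on a hotspot
    Beacon("de:ad:be:ef:00:45", "hp-printer-wifi", 11, -60),  # printer on the LAN
    Beacon("11:22:33:44:55:66", "nextdoor-office", 1, -70),
    Beacon("11:22:33:44:55:77", "somebody-iphone", 6, -55),   # hotspot, review it
    Beacon("11:22:33:44:55:88", "far-away-net", 149, -88),
]

if __name__ == "__main__":
    for b in SAMPLE_BEACONS:
        print(b.bssid, b.ssid, *classify(b))
    print("alerts:", triage(SAMPLE_BEACONS))
```

The "rogue" decision deliberately never depends on signal strength: a weak beacon carrying your SSID is still someone impersonating you. Whether a rogue is also on your wire is what decides between "notify" and "contain", which is the kind of automated-versus-manual judgement the Network Monitoring section asks you to make per action.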
Some platforms even support device location tracking, using methods like:
Triangulation
Strictly speaking, what WLAN systems do with RSSI is trilateration (ranging from three known points) rather than angle-based triangulation, but the study guide and most vendors use the word triangulation. It estimates a device’s location by converting the RSSI reported by three APs that detect the client into a distance estimate for each AP, using a path-loss model. Imagine drawing a circle around each AP with a radius equal to that distance; where the three circles intersect (in practice, nearly intersect, because RSSI is noisy and walls are not in the model) is your estimated client location.
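The following added example (not from the study guide or a vendor location engine) carries that circle picture through to numbers: RSSI to distance via a log-distance path-loss model, then the intersection of the three circles solved in closed form. AP positions, the 1 m reference RSSI and the path-loss exponent are assumptions for an open office; a real system calibrates them per site. It also takes any number of observations and uses the three strongest, and refuses collinear APs, where no unique 2-D fix exists.

```python
"""RSSI trilateration ("triangulation" in WLAN vendor speak).

Added example, not from the CWSP study guide or a vendor. The path-loss
parameters and AP coordinates are assumptions; coordinates are in metres.
"""
import math


def rssi_to_distance(rssi_dbm, rssi_at_1m=-40.0, path_loss_exp=2.0):
    """Invert the log-distance model RSSI(d) = RSSI(1 m) - 10*n*log10(d).
    Defaults (assumed): -40 dBm at 1 m, n = 2 (free space, open office)."""
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * path_loss_exp))


def distance_to_rssi(d_m, rssi_at_1m=-40.0, path_loss_exp=2.0):
    """Forward model; used here to build constructed test observations."""
    return rssi_at_1m - 10 * path_loss_exp * math.log10(d_m)


def trilaterate(anchors):
    """anchors: three ((x, y), distance) tuples for the detecting APs.

    Each AP gives a circle (x-xi)^2 + (y-yi)^2 = di^2. Subtracting AP0's
    equation from AP1's and AP2's cancels the squared unknowns and leaves
    two linear equations, solved with Cramer's rule."""
    if len(anchors) != 3:
        raise ValueError("exactly three anchors are needed for a 2-D fix")
    (x0, y0), d0 = anchors[0]
    rows = []
    for (xi, yi), di in anchors[1:]:
        a = 2 * (xi - x0)
        b = 2 * (yi - y0)
        c = d0 ** 2 - di ** 2 + xi ** 2 - x0 ** 2 + yi ** 2 - y0 ** 2
        rows.append((a, b, c))
    (a1, b1, c1), (a2, b2, c2) = rows
    det = a1 * b2 - a2 * b1
    if abs(det) < 1e-9:
        raise ValueError("APs are collinear; no unique 2-D fix")
    x = (c1 * b2 - c2 * b1) / det
    y = (a1 * c2 - a2 * c1) / det
    return x, y


def locate(observations, **model):
    """observations: ((x, y), rssi_dbm) per detecting AP; the three strongest
    readings are used, as weak ones carry the largest distance error."""
    strongest = sorted(observations, key=lambda o: o[1], reverse=True)[:3]
    return trilaterate([(pos, rssi_to_distance(r, **model)) for pos, r in strongest])


def fix_error(estimate, anchors):
    """Largest circle residual in metres: a quick quality indicator."""
    (x, y) = estimate
    return max(abs(math.hypot(x - ax, y - ay) - d) for (ax, ay), d in anchors)


if __name__ == "__main__":
    # Constructed scenario: client really sits at (3, 4) between three APs.
    aps = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
    truth = (3.0, 4.0)
    clean = [(ap, distance_to_rssi(math.hypot(truth[0] - ap[0], truth[1] - ap[1])))
             for ap in aps]
    print("clean fix:", locate(clean))
    # A couple of dB of RSSI error (walls, antenna orientation) moves the fix by metres.
    noisy = [(ap, r + e) for (ap, r), e in zip(clean, (2.0, -2.0, 2.0, -2.0))]
    print("noisy fix:", locate(noisy))
```

Run the script and compare the two fixes: the clean readings land exactly on (3, 4), the readings perturbed by only 2 dB land a few metres away. That gap is why RSSI location is quoted in metres while the AoA technique below is quoted in centimetres.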
Time Difference of Arrival (TDoA)
TDoA measures the difference in time it takes for a signal to reach multiple sensors. The signal hits the closest sensor first, then others slightly later. Knowing these time differences helps estimate the client’s distance from each sensor—kind of like triangulation, but based on time instead of signal strength.
Angle of Arrival (AoA)
AoA uses multiple antennas to determine the direction from which a signal arrives. Combined with signal strength, it can pinpoint client location with impressive precision—up to 10 cm in some cases. This technique is increasingly supported in newer Bluetooth specs and is where we’ll likely see it used most frequently.
Conclusion
WLAN monitoring is a critical part of maintaining both performance and security. Whether you’re deploying WIPS, running periodic protocol captures, or building dashboards from analytics data, the goal is to detect anomalies, validate configurations, and identify threats as early as possible.
Defining trusted devices, understanding normal RF behavior, and enforcing policy through detection and, where appropriate, mitigation, are all part of this process. Automation can help reduce manual workload, but it should be configured carefully—especially when mitigation actions are involved. Not every alert should trigger an automatic response.
The effectiveness of your monitoring setup depends on proper tool integration, baseline accuracy, and ongoing tuning. A misconfigured WIPS or unused analytics engine won’t do much. When done right, monitoring adds an essential layer of intelligence to your WLAN operations and improves both visibility and control.
Source(s):
Carpenter, T., et al. (2023). CWSP-207: Certified Wireless Security Professional Study Guide (1st ed.). Durham NC, USA: Certitrek Publishing