Every once in a while you may notice an increase in "Random MAC Address Detected" messages on your AirDefense alerts/vulnerability tabs. While this may mean that someone is using automated scripts to guess your MAC address ACL and bypass your security, most of the time it is caused by new wireless devices that were released after you last updated the master MAC OUI database from the IEEE website. For example, some customers saw an influx of these alerts when Apple was releasing different generations of iPhones and they were starting to make their way to neighborhood access points.
Once logged in, launch the AirDefense WIPS Admin application by using the "ADDadmin" command (this is case sensitive, so make sure you capitalize the first 3 letters):
In the WIPS Admin interface enter "D" and press Enter to access the database administration menu (this is not case sensitive):
In the database menu enter "OUI" to access the MAC address database update sub-menu and press Enter (still not case sensitive):
You will receive a warning stating that the services will be restarted once you perform the OUI update. Answer "yes" to it (don't worry, the restart only takes a few seconds and you will not even lose the connection to your SSH session; the only things that will reload are any GUI clients connected to the appliance, to refresh the list of known vendor MAC addresses):
You will have a choice to update from a file (useful if you have no outside Internet connection or a proxy that's blocking the AirDefense appliance from accessing the IEEE website), or to download the database directly from the IEEE website. Unless you have no Internet connection or DNS server on the network to which your appliance is connected, select "I" to update from the Internet:
The system will resolve the IEEE website, connect to it and download the latest MAC OUI file from http://standards.ieee.org/regauth/oui/oui.txt, then automatically update the database and restart the services (let me know if you actually want to manually load the file from CD-ROM or USB, and I will add that to the article):
You can exit back to the command line by using "Q" within the WIPS Administrator application, and then exit the SSH session by issuing the "logout" command. Unless someone was using random spoofed MAC addresses above, you should now see manufacturer names instead of numeric addresses in your GUI.
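To judge ahead of time which alerting addresses an OUI update can resolve, the following added example (not part of the AirDefense product or of the original article) parses text in the oui.txt layout and sorts MAC addresses into those with a registered vendor, those whose prefix is missing from the file, and those with the locally administered bit set, which generally have no IEEE registration to look up. The vendor names and MAC addresses are constructed, all function names are hypothetical, and nothing is assumed about how AirDefense itself classifies an address.

```python
import re

# Constructed excerpt in the layout of IEEE's oui.txt; vendor names are placeholders.
SAMPLE_OUI_TXT = (
    "00-00-0C   (hex)\t\tExample Vendor A\n"
    "00000C     (base 16)\t\tExample Vendor A\n"
    "\t\t\t\t1 Example Street\n"
    "\n"
    "00-17-F2   (hex)\t\tExample Vendor B\n"
    "0017F2     (base 16)\t\tExample Vendor B\n"
)

HEX_LINE = re.compile(
    r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(\S.*)$"
)


def parse_oui(text):
    """Map each 6-hex-digit prefix to its vendor, using only the '(hex)' lines."""
    table = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            table["".join(m.group(1, 2, 3)).upper()] = m.group(4).strip()
    return table


def classify(mac, table):
    """Return (category, vendor) for one MAC address taken from an alert."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if int(digits[:2], 16) & 0x02:
        # Locally administered bit set: the prefix is not an IEEE-assigned OUI.
        return ("locally-administered", None)
    vendor = table.get(digits[:6])
    return ("registered", vendor) if vendor else ("not-in-file", None)


def triage(macs, table):
    """Group alert MACs by category so the follow-up for each group is clear."""
    groups = {"registered": [], "not-in-file": [], "locally-administered": []}
    for mac in macs:
        category, vendor = classify(mac, table)
        groups[category].append((mac, vendor))
    return groups


if __name__ == "__main__":
    alerts = ["00:17:f2:aa:bb:cc", "da:a1:19:01:02:03", "f4-f5-e8-01-02-03"]  # constructed
    for category, hits in triage(alerts, parse_oui(SAMPLE_OUI_TXT)).items():
        print(category, hits)
```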