TechTip: Update IEEE OUI database on AirDefense WIPS

Every once in a while you may notice an increase in "Random MAC Address Detected" messages on your AirDefense alerts/vulnerability tabs. While this may mean that someone is using automated scripts to guess your MAC address ACL and bypass your security, most of the time it is caused by new wireless devices that were released since you last updated the master MAC OUI database from the IEEE website. For example, some customers saw an influx of these alerts when Apple was releasing different generations of iPhones and they were starting to make their way to neighborhood access points.


To update the AirDefense OUI database with the latest one from the IEEE website, connect to your appliance using SSH and log in with the smxmgr username (if you don't know the credentials for this user, which should have been set up during the appliance installation, you will need to contact Motorola/Symbol support to get them reset):


Once logged in, launch the AirDefense WIPS Admin application by using the "ADDadmin" command (this is case sensitive, so make sure you capitalize the first 3 letters):


In the WIPS Admin interface enter "D" and press Enter to access the database administration menu (this is not case sensitive):


In the database menu enter "OUI" to access the MAC address database update sub-menu and press Enter (still not case sensitive):


You will receive a warning stating that the services will be restarted once you perform the OUI update. Answer "yes" to it (don't worry, the restart only takes a few seconds and you will not even lose the connection to your SSH session; the only thing that will reload is any GUI clients connected to the appliance, to refresh the list of known vendor MAC addresses):

You will have a choice to update from a file (useful if you have no outside Internet connection, or a proxy is blocking the AirDefense appliance from accessing the IEEE website) or to download the database directly from the IEEE website. Unless you have no Internet connection or DNS server on the network to which your appliance is connected, select "I" to update from the Internet:


 
The system will resolve the IEEE website, connect to it and download the latest MAC OUI file from http://standards.ieee.org/regauth/oui/oui.txt, then automatically update the database and restart the services (let me know if you actually want to manually load the file from CD-ROM or USB, I will add that to the article):
 
 
You can exit back to the command line by using "Q" within the WIPS Administrator application, and then exit the SSH session by issuing the "logout" command. Unless someone actually was using random spoofed MAC addresses, you should now see manufacturer names instead of numeric addresses in your GUI.

1 comment:

Anonymous said...

Update: The file layout has been changed by IEEE. In order for the file to be imported successfully into ADSP 9.x, the leading whitespace needs to be removed from each line.

Per Motorola Support:
In 9.x, the OUI update feature fails. I have determined that this is caused by the leading whitespaces in the new OUI.txt files from the IEEE. The workaround is to manually edit the file to remove the whitespace. This is easily done using Notepad++ and the following steps.
1. Download the latest OUI.txt file from IEEE
2. Open it in Notepad++
3. Ctrl+A to select all
4. Then Shift+tab (to decrease the indent. Can also be done via Edit>Indent>Decrease)
5. Save the file as oui.txt and put it in /usr/local/tmp
Now when you go to ADSPadmin>D>OUI it will ask you if you want to download from the internet or from a file. Simply enter the path to the new file: /usr/local/tmp/oui.txt and hit Enter.
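
A scripted version of the whitespace workaround from the comment above, as an added example (not part of the original post, the comment, or the vendor's tooling). It strips all leading whitespace from every line and refuses to write the output if the input contains no OUI vendor rows, which catches a proxy block page or other error page saved as oui.txt. The function names and the sample vendor rows are constructed for illustration, and it assumes a workstation with POSIX sh, sed, grep and mktemp.

```shell
#!/bin/sh
# Added example: prepare an IEEE oui.txt for a file-based OUI import.
# Assumes POSIX sh with sed, grep and mktemp; all names here are illustrative.

# strip_oui SRC DST
# Removes leading spaces/tabs from every line of SRC, checks that the result
# still contains vendor rows ("XX-XX-XX   (hex)   NAME"), then writes DST.
# Prints the number of vendor rows; returns non-zero and writes nothing if
# the input does not look like an OUI registry (e.g. an HTML error page).
strip_oui() {
    src=$1
    dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    tmp=$(mktemp "${dst}.XXXXXX") || return 2

    sed 's/^[[:space:]]*//' "$src" > "$tmp"

    # grep -c exits 1 on zero matches, so mask the status and test the count.
    count=$(grep -c -E '^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){2}[[:space:]]+\(hex\)' "$tmp" || true)
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        echo "no OUI vendor rows in $src, refusing to write $dst" >&2
        return 1
    fi

    mv "$tmp" "$dst"    # replace DST only after the check has passed
    echo "$count"
}

# make_sample FILE: constructed sample in the indented layout, not real IEEE data.
make_sample() {
    {
        printf '  AA-BB-01   (hex)\t\tEXAMPLE VENDOR A\n'
        printf '  AABB01     (base 16)\t\tEXAMPLE VENDOR A\n'
        printf '\t\t\t\t1 Example Street\n'
        printf '\n'
        printf '  AA-BB-02   (hex)\t\tEXAMPLE VENDOR B\n'
        printf '  AABB02     (base 16)\t\tEXAMPLE VENDOR B\n'
    } > "$1"
}

# Usage: sh strip_oui.sh downloaded.txt oui.txt
if [ "$#" -eq 2 ]; then
    strip_oui "$1" "$2"
fi
```

The resulting file is the one you would then copy to /usr/local/tmp on the appliance, as in step 5 of the comment.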