HELP! Finding a rogue wifi AP on a corp LAN


David Prahl
08-19-2004, 01:21 AM
(Mods: I decided to post in OT instead of Wireless because this doesn't relate to PPCs and more people visit this area.)

I work in a large school district's IT department, and we have about 30 schools/buildings that we support. One of the High Schools has an unauthorized Wireless Access Point in it called "TheSecretAccessPoint". We NEED to find it before school starts and remove it from our network. Sounds easy? Keep reading! :wink:

THE FACTS:
Pocket WiNc, a WAP sniffer, has found the network with a 40%-50% signal several times, but the signal only lasts for a few seconds and then it just disappears for a random amount of time!!

No WEP encryption, DHCP is enabled, SSID is broadcasting.

I have the MAC address but when we told our HP Procurve Switches to search for that MAC they couldn't find it.

It has internet access, but we can't stay connected long enough to run an IPCONFIG or check our leased IP.

The auditorium is very big and is in the middle of the building. Walking around the whole school yields no other signals. Rule out multipath or a directional wifi shoot, methinks.

It might be getting its web access from a DSL or cable line.

This was set up by a high school geek (probably), so they won't have an EE degree or anything.

I'd really appreciate any help you can offer. I've spent a few hours already wandering all over the area looking for any CAT5 cables or hardware.

Thank you! Looking forward to creative ideas and links. :way to go:

Sven Johannsen
08-19-2004, 04:52 AM
I'd start by getting a directional antenna. Either a cantenna, or a parabolic sort. There are lots of cheap ways to make these.

Have two receivers set up, one with the omni and one with the directional. When the signal pops up, swivel the omni around to maximise the signal and that will give you a better direction to search in. Would be great if you could have several receivers with directional antennas, to triangulate an area on one pop-up.

Is the network distributed with switches? With activity lights? When it pops up you could start a ping from your host to the server or router address and look for that activity on the switch activity lights. That would tell you what cat 5 cable the thing is on.

Are you sure this thing isn't moving? School still closed? If so, how is someone turning it on and off? I know this could be done from the network, but who has access?

Darius Wey
08-19-2004, 12:20 PM
Totally OT, but this seems like a case in CSI! 8)

Sven Johannsen
08-19-2004, 03:29 PM
Quick other thought. You could do an IP sweep of your subnet and see what you can't account for. If the AP is permanently connected to the network and the perp is turning the radio on and off via the cabled side, the IP it has will be seen. I have used SuperScan just to audit a network, but there are many things like this.
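
An added example, not part of any post in this thread: one way to audit sweep results against an inventory, as suggested above, and to flag any unaccounted host whose wired MAC sits close to the radio MAC the sniffer saw. It assumes the AP gives its wired and wireless interfaces neighbouring addresses (common on consumer gear but not guaranteed, and one reason an exact-match search on a switch can come up empty); every address, port name and the `ip mac port` input layout below are constructed.

```python
# Constructed sample data: none of these addresses come from the thread.
OBSERVED_BSSID = "00:11:22:33:44:56"   # radio MAC seen by the sniffer (made up)
INVENTORY = {"00:aa:bb:00:00:01", "00:aa:bb:00:00:02", "00:aa:bb:00:00:03"}
# Hypothetical merged sweep / MAC-table export: ip, mac, switch port.
SWEEP = """\
10.20.0.1   00:aa:bb:00:00:01  A1
10.20.0.15  00AA.BB00.0002     B7
10.20.0.23  00-11-22-33-44-55  C12
10.20.0.40  00:cc:dd:12:34:56  C3
10.20.0.41  00:aa:bb:00:00:03  C4
"""

def mac_to_int(mac):
    """Normalise colon, dash or dotted notation to a 48-bit integer."""
    digits = "".join(c for c in mac if c not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def unaccounted(sweep_text, inventory, bssid, window=8):
    """Return hosts missing from the inventory, likeliest AP first."""
    known = {mac_to_int(m) for m in inventory}
    radio = mac_to_int(bssid)
    findings = []
    for line in sweep_text.splitlines():
        if not line.strip():
            continue
        ip, mac, port = line.split()
        value = mac_to_int(mac)
        if value in known:
            continue
        # Assumption: same vendor prefix (top 24 bits) and a small offset
        # from the BSSID suggests the same physical device.
        same_oui = value >> 24 == radio >> 24
        near = same_oui and abs(value - radio) <= window
        findings.append({"ip": ip, "mac": mac, "port": port, "near_bssid": near})
    return sorted(findings, key=lambda f: not f["near_bssid"])

if __name__ == "__main__":
    for f in unaccounted(SWEEP, INVENTORY, OBSERVED_BSSID):
        tag = "likely the AP's wired side" if f["near_bssid"] else "unknown device"
        print(f"{f['ip']:<12}{f['mac']:<20}port {f['port']:<5}{tag}")
```

A host flagged this way still has to be traced to its switch port and cable; an AP fed by its own DSL or cable line would not show up in a sweep of the school LAN at all.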

David Prahl
08-19-2004, 05:09 PM
Thanks for the ideas and quick response! We're having a department LAN party in two days and are going to look for this WAP just beforehand.

School is currently out of session, so students cannot get physical access to it. I also have a hard time believing that a student would be sitting at his home PC all summer randomly turning it on and off for kicks.

I don't see how it would be moving, either. Only office, custodial, and IT staff should be in the building. Security is tight.

Yes, the switches have status lights and management software. We're the second largest WAN in the state, so we have some nice gear. :wink:

Hyperluminal
09-07-2004, 08:07 PM
So, did you ever find it? :)

David Prahl
09-07-2004, 09:27 PM
No, we didn't. :cry:

My boss, who came along for this last attempt, thinks that the huge antenna on the roof of the school is absorbing a point-to-point wireless shoot and radiating it downward. A little far-fetched, but it's the only solution we've thought of.

There's always next year... :wink: