Lightweight Access Point Configuration Guide, Cisco IOS XE Release 3SE (Catalyst 3850 Switches)
Configuring Adaptive Wireless Intrusion Prevention System
Downloads: This chapterpdf (PDF - 1.29MB) The complete bookPDF (PDF - 2.73MB) | The complete bookePub (ePub - 302.0KB) | Feedback

Configuring Adaptive Wireless Intrusion Prevention System

Configuring Adaptive Wireless Intrusion Prevention System

Finding Feature Information

Prerequisites for Configuring wIPS

  • The regular local mode access point has been extended with a subset of Wireless Intrusion Prevention System (wIPS) capabilities. This feature enables you to deploy your access points to provide protection without needing a separate overlay network.

How to Configure wIPS on Access Points

Configuring wIPS on an Access Point (CLI)

SUMMARY STEPS

    1.    ap name Cisco_AP mode local

    2.    ap name Cisco_AP dot11 5ghz shutdown

    3.    ap name Cisco_AP dot11 24ghz shutdown

    4.    ap name Cisco_AP mode monitor submode wips

    5.    ap name Cisco_AP monitor-mode wips-optimized

    6.    show ap dot11 24ghz monitor

    7.    ap name Cisco_AP no dot11 5ghz shutdown

    8.    ap name Cisco_AP no dot11 24ghz shutdown


DETAILED STEPS
     Command or ActionPurpose
    Step 1 ap name Cisco_AP mode local


    Example:
    Switch# ap name AP01 mode local
     

    Configures an access point for monitor mode.

    A message appears that indicates that changing the AP's mode causes the access point to reboot. This message also displays a prompt that enables you to specify whether or not you want to continue with changing the AP mode. Enter y at the prompt to continue.

     
    Step 2ap name Cisco_AP dot11 5ghz shutdown


    Example:
    Switch# ap name AP01 dot11 5ghz shutdown
     

    Disables the 802.11a radio on the access point.

     
    Step 3ap name Cisco_AP dot11 24ghz shutdown


    Example:
    Switch# ap name AP02 dot11 24ghz shutdown
     

    Disables the 802.11b radio on the access point.

     
    Step 4ap name Cisco_AP mode monitor submode wips


    Example:
    Switch# ap name AP01 mode monitor
     submode wips
     

    Configures the wIPS submode on the access point.

    Note   

    To disable wIPS on the access point, enter the ap name Cisco_AP modemonitor submode none command.

     
    Step 5ap name Cisco_AP monitor-mode wips-optimized


    Example:
    Switch# ap name AP01 monitor-mode
     wips-optimized
     

    Enables wIPS optimized channel scanning for the access point.

    The access point scans each channel for 250 milliseconds. It derives the list of channels to be scanned from the monitor configuration. You can choose the following options:
    • All—All channels supported by the access point’s radio.

    • Country—Only the channels supported by the access point’s country of operation.

    • DCA—Only the channel set used by the dynamic channel assignment (DCA) algorithm, which by default includes all of the nonoverlapping channels allowed in the access point’s country of operation.

     
    Step 6show ap dot11 24ghz monitor


    Example:
    Switch# show ap dot11 24ghz monitor
     

    Displays the monitor configuration channel set.

    Note   

    The 802.11b Monitor Channels value in the output of the command indicates the monitor configuration channel set.

     
    Step 7ap name Cisco_AP no dot11 5ghz shutdown


    Example:
    Switch# ap name AP01 no dot11
     5ghz shutdown
     

    Enables the 802.11a radio on the access point.

     
    Step 8ap name Cisco_AP no dot11 24ghz shutdown


    Example:
    Switch# ap name AP01 no dot11
     24ghz shutdown
     

    Enables the 802.11b radio on the access point.

     

    Configuring wIPS on an Access Point (GUI)


      Step 1   Choose Configuration > Wireless > Access Points > All APs

      The All APs page is displayed.

      Step 2   Click the access point name.

      The AP > Edit page is displayed.

      Step 3   From the AP Mode drop-down list, choose one of the following options to configure the AP mode parameters:
      • Local
      • Monitor
      Step 4   From the AP Sub Mode drop-down list, choose WIPS.
      Step 5   Click Apply.
      Step 6   Click Save Configuration.

      Monitoring wIPS Information


      Note


      The procedure to perform this task using the switch GUI is not currently available.


      SUMMARY STEPS

        1.    show ap name Cisco_AP config general

        2.    show ap monitor-mode summary

        3.    show wireless wps wips summary

        4.    show wireless wps wips statistics

        5.    clear wireless wips statistics


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 show ap name Cisco_AP config general


        Example:
        Switch# show ap name AP01 config general
         

        Displays information on the wIPS submode on the access point.

         
        Step 2show ap monitor-mode summary


        Example:
        Switch# show ap monitor-mode summary
         

        Displays the wIPS optimized channel scanning configuration on the access point.

         
        Step 3show wireless wps wips summary


        Example:
        Switch# show wireless wps wips summary
         

        Displays the wIPS configuration forwarded by NCS or Prime to the switch.

         
        Step 4show wireless wps wips statistics


        Example:
        Switch# show wireless wps wips statistics
         

        Displays the current state of wIPS operation on the switch.

         
        Step 5clear wireless wips statistics


        Example:
        Switch# clear wireless wips statistics
         

        Clears the wIPS statistics on the switch.

         

        Configuration Examples for Configuring wIPS on Access Points

        Displaying the Monitor Configuration Channel Set: Example

        This example shows how to display the monitor configuration channel set:

        Switch# show ap dot11 24ghz monitor
        Default 802.11b AP monitoring
        802.11b Monitor Mode........................... enable
        802.11b Monitor Channels....................... Country channels
        802.11b AP Coverage Interval................... 180 seconds
        802.11b AP Load Interval....................... 60 seconds
        802.11b AP Noise Interval...................... 180 seconds
        802.11b AP Signal Strength Interval............ 60 seconds

        Displaying wIPS Information: Examples

        This example shows how to display information on the wIPS submode on the access point:

        Switch# show ap name AP01 config general
        Cisco AP Identifier.............. 3
        Cisco AP Name.................... AP1131:46f2.98ac
        ...
        AP Mode ......................... Monitor
        Public Safety ................... Disabled Disabled
        AP SubMode ...................... WIPS

        This example shows how to display the wIPS optimized channel scanning configuration on the access point:

        Switch# show ap monitor-mode summary
        AP Name       Ethernet MAC   Status   Scanning
                                              Channel
                                              List
        ------------- -------------- -------- ---------
        AP1131:4f2.9a 00:16:4:f2:9:a WIPS     1,6,NA,NA

        This example shows how to display the wIPS configuration forwarded by WCS to the switch:

        Switch# show wireless wps wips summary
        Policy Name.............. Default
        Policy Version........... 3

        This example shows how to display the current state of wIPS operation on the switch:

        Switch# show wireless wps wips statistics
        Policy Assignment Requests............ 1
        Policy Assignment Responses........... 1
        Policy Update Requests................ 0
        Policy Update Responses............... 0
        Policy Delete Requests................ 0
        Policy Delete Responses............... 0
        Alarm Updates......................... 13572
        Device Updates........................ 8376
        Device Update Requests................ 0
        Device Update Responses............... 0
        Forensic Updates...................... 1001
        Invalid WIPS Payloads................. 0
        Invalid Messages Received............. 0
        CAPWAP Enqueue Failed................. 0
        NMSP Enqueue Failed................... 0
        NMSP Transmitted Packets.............. 22950
        NMSP Transmit Packets Dropped......... 0
        NMSP Largest Packet................... 1377