Cisco Mobility Express enables all of the options listed under Best Practices by default, except those that need manual configuration, for example NTP, WLANs with 802.1X/WPA2, and high SSID counts.
Description—When a client repeatedly fails to authenticate, the controller excludes it. An excluded client cannot join the network until the exclusion timer expires or an administrator manually removes the exclusion.
Client exclusion tracks authentication attempts per device. When a device exceeds the maximum number of failures, its MAC address is no longer allowed to associate to the controller until the exclusion is lifted.
Client exclusion is enabled by default on the master AP, so clients are excluded from joining the controller after any of the exclusion events (failed 802.11 association or authentication, failed 802.1X or web authentication, and IP theft or reuse).
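The mechanism described above, as a small simulation added here (this is illustrative code, not Cisco's implementation): a per-MAC counter of consecutive failures, an exclusion list with an expiry time, and a manual override. The failure threshold (3) and exclusion timeout (60 s) are assumed values for the demonstration; the page says only that a maximum number of failures and an exclusion timer exist, and both are configurable on the controller.

```python
from dataclasses import dataclass, field

# Assumed thresholds: the page names "a maximum number of failures" and an
# "exclusion timer" without values; these are illustrative, not Cisco defaults.
MAX_AUTH_FAILURES = 3
EXCLUSION_TIMEOUT_S = 60


@dataclass
class ClientExclusion:
    """Per-MAC consecutive-failure counter plus an exclusion list with expiry."""
    max_failures: int = MAX_AUTH_FAILURES
    timeout_s: int = EXCLUSION_TIMEOUT_S
    failures: dict = field(default_factory=dict)        # mac -> consecutive failures
    excluded_until: dict = field(default_factory=dict)  # mac -> epoch seconds

    def is_excluded(self, mac: str, now: float) -> bool:
        until = self.excluded_until.get(mac)
        if until is None:
            return False
        if now >= until:                  # timer expired: drop the entry, allow the MAC again
            del self.excluded_until[mac]
            self.failures.pop(mac, None)
            return False
        return True

    def handle(self, mac: str, auth_ok: bool, now: float) -> str:
        """Process one authentication attempt and return the controller's action."""
        if self.is_excluded(mac, now):
            return "dropped"              # excluded client: the attempt is refused outright
        if auth_ok:
            self.failures.pop(mac, None)  # a success resets the consecutive-failure counter
            return "allowed"
        count = self.failures.get(mac, 0) + 1
        self.failures[mac] = count
        if count >= self.max_failures:
            self.excluded_until[mac] = now + self.timeout_s
            return "excluded"
        return "failed"

    def admin_remove(self, mac: str) -> None:
        """Manual override: clear the exclusion before the timer expires."""
        self.excluded_until.pop(mac, None)
        self.failures.pop(mac, None)


# Constructed event stream: (seconds, client MAC, authentication succeeded?)
EVENTS = [
    (0, "aa:bb:cc:00:00:01", False),
    (1, "aa:bb:cc:00:00:01", False),
    (2, "aa:bb:cc:00:00:02", True),    # a different client is unaffected
    (3, "aa:bb:cc:00:00:01", False),   # third consecutive failure -> excluded
    (4, "aa:bb:cc:00:00:01", True),    # correct credentials, but still inside the timer
    (70, "aa:bb:cc:00:00:01", True),   # timer expired -> allowed again
]


def run(events=EVENTS, max_failures=MAX_AUTH_FAILURES, timeout_s=EXCLUSION_TIMEOUT_S):
    """Replay the events through one controller state and return the actions."""
    ce = ClientExclusion(max_failures, timeout_s)
    return [ce.handle(mac, ok, t) for t, mac, ok in events]


if __name__ == "__main__":
    for (t, mac, ok), action in zip(EVENTS, run()):
        print(f"t={t:3d} {mac} ok={ok!s:5} -> {action}")
```

Note that the fourth attempt with valid credentials is still dropped: the exclusion is keyed on the MAC address, not on the credentials, which is why an excluded legitimate user must wait out the timer or ask an administrator to remove the entry.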
CLI Option—Enable client exclusion for all events by entering this command:
(Cisco Controller) >config wps client-exclusion all enable
Description—The Cisco Mobility Express controller performs wireless IDS analysis using all of the connected APs and reports detected attacks to the virtual controller. Wireless IDS analysis complements any analysis performed by a wired network IDS: the embedded wireless IDS of the Cisco Mobility Express controller sees 802.11- and controller-specific information that is not available to a wired IDS.
Enabling the wireless IDS feature activates the 17 built-in signatures that detect common 802.11 intrusion attacks.
CLI Option—Enable signature check by entering this command:
(Cisco Controller) >config wps signature enable
When the controller is upgraded from an older version, all existing passwords are retained even if they are weak. If strong password checks are enabled after the upgrade, they are enforced only from that point on; the strength of previously configured passwords is not checked or altered, so weak passwords that predate the upgrade must be changed manually.
The checks selected on the Password Policy page apply to local management users and to access point user credentials.
case-check—Checks that at least three of the four character classes (lowercase, uppercase, digits, and special characters) are present
consecutive-check—Checks that the same character does not occur three times consecutively
default-check—Checks that the default password or a variant of it is not being used
username-check—Checks that neither the username nor its reverse is being used
all-checks—Enables/disables all the strong password checks
position-check—Checks that the new password differs sufficiently from the old password (four-character range)
case-digit-check—Checks that all four character classes are present: lowercase, uppercase, digits, and special characters
CLI Option—Enable all strong password policies by entering this command:
(Cisco Controller) >config switchconfig strong-pwd all-checks enable
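The checks listed above, implemented as a stand-alone validator added here for illustration (this is not Cisco's code and not the controller's exact rules). Where the page does not state a parameter, the value is an assumption and marked as such in the comments: the default-password list contains only "cisco" plus simple character substitutions, the position check requires at least four differing character positions, and the username check compares the whole password (case-insensitively) against the username and its reverse.

```python
import re

# Assumed default password list (the page says "default values or its variants"
# without naming them) and a small substitution table to catch variants.
DEFAULT_PASSWORDS = ("cisco",)
LEET = str.maketrans({"1": "i", "!": "i", "0": "o", "$": "s", "5": "s",
                      "3": "e", "@": "a", "4": "a"})


def _classes(pw: str) -> dict:
    """Which of the four character classes the password contains."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(not c.isalnum() for c in pw),
    }


def _looks_default(pw: str) -> bool:
    """True if the normalised password contains a default password or its reverse."""
    normalised = pw.lower().translate(LEET)
    return any(d in normalised or d[::-1] in normalised for d in DEFAULT_PASSWORDS)


def _positions_changed(new: str, old: str) -> int:
    """Number of character positions that differ (length difference counts)."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


# Each check returns True when the password passes. Keyword names match the
# controller's `config switchconfig strong-pwd` options.
CHECKS = {
    "case-check": lambda pw, user, old: sum(_classes(pw).values()) >= 3,
    "consecutive-check": lambda pw, user, old: re.search(r"(.)\1\1", pw) is None,
    "default-check": lambda pw, user, old: not _looks_default(pw),
    "username-check": lambda pw, user, old: pw.lower() not in (user.lower(), user.lower()[::-1]),
    # Assumption: "four-character range" is read as at least four changed positions.
    "position-check": lambda pw, user, old: old is None or _positions_changed(pw, old) >= 4,
    "case-digit-check": lambda pw, user, old: all(_classes(pw).values()),
}


def validate(pw: str, username: str, old: str = None, enabled=frozenset(CHECKS)) -> list:
    """Return the names of the enabled checks that the candidate password fails."""
    return [name for name, check in CHECKS.items()
            if name in enabled and not check(pw, username, old)]


if __name__ == "__main__":
    # Constructed candidates; "admin" is an assumed local username.
    for candidate, old in (("Cisco123!", None), ("Bmj7$kaaaX", None),
                           ("nimda", None), ("Tr0ub4dor&3", "Tr0ub4dor&4")):
        failed = validate(candidate, "admin", old)
        print(f"{candidate:12} -> {'OK' if not failed else ', '.join(failed)}")
```

With `all-checks` enabled the validator rejects "Cisco123!" for being a variant of the default, and with only `case-check` enabled it accepts it; the difference shows why enabling all checks, rather than the character-class check alone, is the recommended setting.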
Description—A rogue AP detected at or above this signal level is normally inside the facility perimeter and can cause interference to the wireless network.
This rule is not recommended for retail customers or for venues shared by multiple tenants, where Wi-Fi signals from all parties normally bleed into each other.
Specifies the minimum RSSI at which a rogue must be received before APs report it and the controller creates a rogue entry. The recommended value is –80 dBm.
CLI Option—Set the minimum RSSI value that rogues should have by entering this command:
(Cisco Controller) >config rogue detection min-rssi rssi-in-dBm
Description—Rogue wireless devices are an ongoing threat to corporate wireless networks. Network owners need to do more than scan for unknown devices: they must be able to detect, disable, locate, and manage rogue and intruder threats automatically and in real time.
Rogue APs can disrupt wireless LAN operations by hijacking legitimate clients, capturing traffic in the clear, and mounting denial-of-service or man-in-the-middle attacks. For example, an attacker can use a rogue AP to capture sensitive information such as usernames and passwords. The attacker can also transmit a series of clear-to-send (CTS) frames that mimic an AP granting one wireless client permission to transmit while instructing all others to wait, leaving legitimate clients unable to access wireless LAN resources. Wireless LAN operators therefore seek to keep rogue APs out of their airspace.
The best practice is to use rogue detection to minimize security risks, for example in a corporate environment. There are, however, scenarios in which rogue detection is not needed, for example OEAP deployments, open venues and stadiums, citywide networks, and outdoor deployments: using outdoor mesh APs to detect rogues provides little value while consuming resources to analyze the results. Finally, evaluate rogue auto-containment carefully (or avoid it altogether), because there are potential legal issues and liabilities if it is left to operate automatically.
The rogue detection security level should be at least High.
CLI Option—Set the rogue detection security level to High by entering this command:
(Cisco Controller) >config rogue detection security-level high