Wireless Intrusion Prevention System
The Cisco Adaptive Wireless Intrusion Prevention System (wIPS) uses an advanced approach to wireless threat detection and performance management. It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly detection to deliver highly accurate and complete wireless threat prevention. With a fully infrastructure-integrated solution, you can continually monitor wireless traffic on both the wired and wireless networks and use that network intelligence to analyze attacks from many sources to accurately pinpoint and proactively prevent attacks, rather than wait until damage or exposure has occurred.
Cisco Adaptive wIPS is a part of the Cisco 3300 Series Mobility Services Engine (MSE), which centralizes the processing of intelligence collected by the continuous monitoring of Cisco Aironet APs. With Cisco Adaptive wIPS functionalities and Cisco Prime Infrastructure integration into the Cisco MSE, the wIPS can configure and monitor wIPS policies and alarms and report threats.
Note |
If your wIPS deployment consists of a controller, access point, and Cisco MSE, you must set all the three entities to the UTC time zone. |
Cisco Adaptive wIPS is not configured on the controller. Instead, the Cisco Prime Infrastructure forwards the profile configuration to the wIPS service, which forwards the profile to the controller. The profile is stored in flash memory on the controller and sent to APs when they join the controller. When an access point disassociates and joins another controller, it receives the wIPS profile from the new controller.
Local-mode or FlexConnect mode APs with a subset of wIPS capabilities are referred to as Enhanced Local Mode access point or ELM AP. You can configure an access point to work in the wIPS mode if the AP is in any of the following modes:
-
Monitor
-
Local
-
FlexConnect
The regular local mode or FlexConnect mode AP is extended with a subset of wIPS capabilities. This feature enables you to deploy your APs to provide protection without needing a separate overlay network.
wIPS ELM has the limited capability of detecting off-channel alarms. AN AP periodically goes off-channel, and monitors the nonserving channels for a short duration, and triggers alarms if any attack is detected on the channel. But off-channel alarm detection is best effort, and it takes a longer time to detect attacks and trigger alarms, which might cause the ELM AP to intermittently detect an alarm and clear it because it is not visible. APs in any of the above modes can periodically send alarms based on the policy profile to the wIPS service through the controller. The wIPS service stores and processes the alarms and generates SNMP traps. Cisco Prime Infrastructure configures its IP address as a trap destination to receive SNMP traps from the Cisco MSE.
This table lists all the SNMP trap controls and their respective traps. When a trap control is enabled, all the traps of that trap control are also enabled.
Note |
The controller uses only SNMPv2 for SNMP trap transmission. |
Tab Name |
Trap Control |
Trap |
---|---|---|
General |
Link (Port) Up/Down |
linkUp, linkDown |
Spanning Tree |
newRoot, topologyChange, stpInstanceNewRootTrap, stpInstanceTopologyChangeTrap |
|
Config Save |
bsnDot11EssCreated, bsnDot11EssDeleted, bsnConfigSaved, ciscoLwappScheduledResetNotif, ciscoLwappClearResetNotif, ciscoLwappResetFailedNotif, ciscoLwappSysInvalidXmlConfig |
|
AP |
AP Register |
bsnAPDisassociated, bsnAPAssociated |
AP Interface Up/Down |
bsnAPIfUp, bsnAPIfDown |
|
Client Traps |
802.11 Association |
bsnDot11StationAssociate |
802.11 Disassociation |
bsnDot11StationDisassociate |
|
802.11 Deauthentication |
bsnDot11StationDeauthenticate |
|
802.11 Failed Authentication |
bsnDot11StationAuthenticateFail |
|
802.11 Failed Association |
bsnDot11StationAssociateFail |
|
Exclusion |
bsnDot11StationBlacklisted |
|
NAC Alert |
cldcClientWlanProfileName, cldcClientIPAddress, cldcApMacAddress, cldcClientQuarantineVLAN, cldcClientAccessVLAN |
|
Security Traps |
User Authentication |
bsnTooManyUnsuccessLoginAttempts, cLWAGuestUserLoggedIn, cLWAGuestUserLoggedOut |
RADIUS Servers Not Responding |
bsnRADIUSServerNotResponding, ciscoLwappAAARadiusReqTimedOut |
|
WEP Decrypt Error |
bsnWepKeyDecryptError |
|
Rogue AP |
bsnAdhocRogueAutoContained, bsnRogueApAutoContained, bsnTrustedApHasInvalidEncryption, bsnMaxRogueCountExceeded, bsnMaxRogueCountClear, bsnApMaxRogueCountExceeded, bsnApMaxRogueCountClear, bsnTrustedApHasInvalidRadioPolicy, bsnTrustedApHasInvalidSsid, bsnTrustedApIsMissing |
|
SNMP Authentication |
agentSnmpAuthenticationTrapFlag |
|
Multiple Users |
multipleUsersTrap |
|
Auto RF Profile Traps |
Load Profile |
bsnAPLoadProfileFailed |
Noise Profile |
bsnAPNoiseProfileFailed |
|
Interference Profile |
bsnAPInterferenceProfileFailed |
|
Coverage Profile |
bsnAPCoverageProfileFailed |
|
Auto RF Update Traps |
Channel Update |
bsnAPCurrentChannelChanged |
Tx Power Update |
bsnAPCurrentTxPowerChanged |
|
Mesh Traps |
Child Excluded Parent |
ciscoLwappMeshChildExcludedParent |
Parent Change |
ciscoLwappMeshParentChange |
|
Authfailure Mesh |
ciscoLwappMeshAuthorizationFailure |
|
Child Moved |
ciscoLwappMeshChildMoved |
|
Excessive Parent Change |
ciscoLwappMeshExcessiveParentChange |
|
Excessive Children |
ciscoLwappMeshExcessiveChildren |
|
Poor SNR |
ciscoLwappMeshAbateSNR, ciscoLwappMeshOnsetSNR |
|
Console Login |
ciscoLwappMeshConsoleLogin |
|
Excessive Association |
ciscoLwappMeshExcessiveAssociation |
|
Default Bridge Group Name |
ciscoLwappMeshDefaultBridgeGroupName |
The following are the trap descriptions for the traps mentioned in the SNMP Trap Controls and Their Respective Traps table:
- General Traps
-
SNMP Authentication—The SNMPv2 entity has received a protocol message that is not properly authenticated.
Note
When a user who is configured in SNMP V3 mode tries to access the controller with an incorrect password, the authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.
-
Link (Port) Up/Down—Link changes status from up or down.
-
Link (Port) Up/Down—Link changes status from up or down.
-
Multiple Users—Two users log in with the same ID.
-
Rogue AP—Whenever a rogue access point is detected, this trap is sent with its MAC address; when a rogue access point that was detected earlier no longer exists, this trap is sent.
-
Config Save—Notification that is sent when the controller configuration is modified.
-
-
Cisco AP Traps
-
AP Register—Notification sent when an access point associates or disassociates with the controller.
-
AP Interface Up/Down—Notification sent when an access point interface (802.11X) status goes up or down.
-
-
Client-Related Traps
-
802.11 Association—Associate notification that is sent when a client sends an association frame.
-
802.11 Disassociation—Disassociate notification that is sent when a client sends a disassociation frame.
-
802.11 Deauthentication—Deauthenticate notification that is sent when a client sends a deauthentication frame.
-
802.11 Failed Authentication—Authenticate failure notification that is sent when a client sends an authentication frame with a status code other than successful.
-
802.11 Failed Association—Associate failure notification that is sent when the client sends an association frame with a status code other than successful.
-
Exclusion—Associate failure notification that is sent when a client is exclusion listed (in a blocked list).
Note
The maximum number of static blocked list entries that the APs can have is 340.
-
Authentication—Authentication notification that is sent when a client is successfully authenticated.
-
Max Clients Limit Reached—Notification that is sent when the maximum number of clients, defined in the Threshold field, are associated with the controller.
-
NAC Alert—Alert that is sent when a client joins an SNMP NAC-enabled WLAN.
This notification is generated when a client on NAC-enabled SSIDs completes Layer2 authentication to inform the NAC appliance about the client's presence. cldcClientWlanProfileName represents the profile name of the WLAN that the 802.11 wireless client is connected to, cldcClientIPAddress represents the unique IP address of the client. cldcApMacAddress represents the MAC address of the AP to which the client is associated. cldcClientQuarantineVLAN represents the quarantine VLAN for the client. cldcClientAccessVLAN represents the access VLAN for the client.
-
Association with Stats—Associate notification that is sent with data statistics when a client is associated with the controller, or roams. Data statistics include transmitted and received bytes and packets.
-
Disassociation with Stats—Disassociate notification that is sent with data statistics when a client disassociates from the controller. Data statistics include transmitted and received bytes and packets, SSID, and session ID.
Note
When you downgrade to Release 7.4 from a later release, if a trap that was not supported in Release 7.4 (for example, NAC Alert trap) is enabled before the downgrade, all traps are disabled. After the downgrade, you must enable all the traps that were enabled before the downgrade. We recommend that you disable the new traps before the downgrade so that all the other traps are not disabled.
-
-
Security Traps
-
User Auth Failure—This trap informs that a client RADIUS Authentication failure has occurred.
-
RADIUS Server No Response—This trap is to indicate that no RADIUS servers are responding to authentication requests sent by the RADIUS client.
-
WEP Decrypt Error—Notification sent when the controller detects a WEP decrypting error.
-
Rouge AP—Whenever a rogue access point is detected, this trap is sent with its MAC address; when a rogue access point that was detected earlier no longer exists, this trap is sent.
-
SNMP Authentication—The SNMPv2 entity has received a protocol message that is not properly authenticated.
Note
When a user who is configured in SNMP V3 mode tries to access the controller with an incorrect password, authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.
-
Multiple Users—Two users log in with the same ID.
-
-
SNMP Authentication
-
Load Profile—Notification sent when the Load Profile state changes between PASS and FAIL.
-
Noise Profile—Notification sent when the Noise Profile state changes between PASS and FAIL.
-
Interference Profile—Notification sent when the Interference Profile state changes between PASS and FAIL.
-
Coverage Profile—Notification sent when the Coverage Profile state changes between PASS and FAIL.
-
- Auto RF Profile Traps
-
Load Profile—Notification sent when the Load Profile state changes between PASS and FAIL.
-
Noise Profile—Notification sent when the Noise Profile state changes between PASS and FAIL.
-
Interference Profile—Notification sent when the Interference Profile state changes between PASS and FAIL.
-
Coverage Profile—Notification sent when the Coverage Profile state changes between PASS and FAIL.
-
-
Auto RF Update Traps
-
Channel Update—Notification sent when the access point dynamic channel algorithm is updated.
-
Tx Power Update—Notification sent when the access point dynamic transmit power algorithm is updated.
-
-
Mesh Traps
-
Child Excluded Parent—Notification that is sent when a defined number of failed association to the controller occurs through a parent mesh node.
-
Notification sent when a child mesh node exceeds the threshold limit of the number of discovery response timeouts. The child mesh node does not try to associate an excluded parent mesh node for the interval defined. The child mesh node remembers the excluded parent MAC address when it joins the network, and informs the controller.
-
Parent Change—Notification is sent by the agent when a child mesh node changes its parent. The child mesh node remembers previous parent and informs the controller about the change of parent when it rejoins the network.
-
Child Moved—Notification sent when a parent mesh node loses connection with its child mesh node.
-
Excessive Parent Change—Notification sent when the child mesh node changes its parent frequently. Each mesh node keeps a count of the number of parent changes in a fixed time. If it exceeds the defined threshold, the child mesh node informs the controller.
-
Excessive Children—Notification sent when the child count exceeds for a RAP and a MAP.
-
Poor SNR—Notification sent when the child mesh node detects a lower SNR on a backhaul link. For the other trap, a notification is sent to clear a notification when the child mesh node detects an SNR on a backhaul link that is higher then the object defined by 'clMeshSNRThresholdAbate'.
-
Console Login—Notification is sent by the agent when a login on a MAP console is either successful or fail after three attempts.
-
Default Bridge Group Name—Notification sent when the MAP mesh node joins its parent using the default bridge group name.
-
Note |
The remaining traps do not have trap controls. These traps are not generated too frequently and do not require any trap control. Any other trap that is generated by the controller cannot be turned off. |
Note |
In all of the above cases, the controller functions solely as a forwarding device. |