The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes how to configure wIPS profiles and those items that must be configured in conjunction to operate wIPS.
This chapter contains the following sections:
This chapter describes how to configure wIPS profiles and those items that must be configured in conjunction to operate wIPS.
This chapter contains the following sections:
The Mobility Services Engine (MSE) can only be configured from one Prime Infrastructure.
If your wIPS deployment consists of a controller, access point, and MSE, you must set the controller and MSE to UTC timezone.
A controller is associated to a single configuration profile. All wIPS mode access points connected to that controller share the same wIPS configuration.
Before you can configure wIPS profiles, you must do the following:
Install a Mobility Services Engine (if one is not already operating in the network). See the Cisco 3350 Mobility Services Engine Getting Started Guide or Cisco 3310 Mobility Services Engine Getting Started Guide.
Add the Mobility Services Engine to the Prime Infrastructure (if not already added).
Configure access points to operate in wIPS monitor mode or Local wIPS mode.
Configuration of wIPS profiles follows a chained hierarchy starting with Prime Infrastructure, which is used for profile viewing and modification. The actual profiles are stored within the wIPS service running on the MSE.
From the wIPS service on the Mobility Services Engine, profiles are propagated to specific controllers, which in turn communicate this profile transparently to wIPS mode access points associated to that respective controller.
When a configuration change to a wIPS profile is made at Prime Infrastructure and applied to a set of Mobility Services Engines and controllers, the following occurs:
The configuration profile is modified on Prime Infrastructure and version information is updated.
An XML-based profile is pushed to the wIPS engine running on the Mobility Services Engine. This update occurs over the SOAP/XML protocol.
The wIPS engine on the Mobility Services Engine updates each controller associated with that profile by pushing out the configuration profile over NMSP.
The controller receives the updated wIPS profile, stores it into NVRAM (replacing any previous revision of the profile) and propagates the updated profile to its associated wIPS access points using CAPWAP control messages.
A wIPS mode access point receives the updated profile from the controller and applies the modifications to its wIPS software engine.
To configure an access point to operate in wIPS monitor mode, follow these steps:
By default, the Mobility Services Engine and corresponding wIPS access points inherit the default wIPS profile from the Prime Infrastructure. This profile is pre-tuned with a majority of attack alarms enabled by default, and monitors attacks against access points within the same RFGroup as the wIPS access points. In this manner, the system is pre-setup to monitor attacks against a deployment model that utilizes an integrated solution in which both the WLAN infrastructure and wIPS access points are intermixed on the same controller.
Note | Some of the following configuration steps that follow are marked as Overlay-Only and are only to be undertaken when deploying the wIPS solution to monitor an existing WLAN Infrastructure such as an autonomous or completely separate controller-based WLAN. |
To configure wIPS profiles, follow these steps:
Step 1 | Choose
Configure
>
wIPS
Profiles.
The wIPS Profiles page appears. | ||||||
Step 2 | From the Select a command drop-down list, choose Add Profile and click Go. | ||||||
Step 3 | Selecting a Profile Template
In the Profile Parameters dialog box, choose a profile template from the Copy From drop-down list.
| ||||||
Step 4 | After selecting a profile and entering a profile name, click Save and Edit. Fore more information, see the wIPS Profiles section. | ||||||
Step 5 | Configure the SSIDs to
Monitor
(Optional) Configure SSIDs in the SSID Group List page. By default, a system monitors attacks launched against the local Wireless LAN Infrastructure (as defined by APs which have the same RF Group name). If the system should also be required to monitor attacks against another network, such as when deployed in an overlay deployment model, the SSID groups feature must be utilized.
| ||||||
Step 6 | Editing the
Profile
To enable or disable attacks to be detected and reported, select the check box next to the specific attack type in question in the Select Policy pane. | ||||||
Step 7 | To edit the
profile, click the name of the attack type (such as DoS: Association flood).
The configuration pane for that attack type appears in the right pane above the policy rule description. | ||||||
Step 8 | Editing the Policy
Rules.
To modify a policy rule, select the check box next to the policy rule in the Policy Rules page and click Edit. The Policy Rule Configuration dialog box appears. Configure the following in the Policy Rule Configuration dialog box: | ||||||
Step 9 | Add Policy Rules
(Optional)
(Optional), For overlay deployments only, to add a policy rule for an SSID, do the following steps:
| ||||||
Step 10 | In the Profile
Configuration dialog box, click
Save to save
the Profile (SSID or Device Group) and then click
Next.
| ||||||
Step 11 | Select the
MSE/Controller combinations to apply the profile to and then click
Apply.
|
The wIPS Profiles > Profile List page allows you to view, edit, apply, or delete current wIPS profiles and to add new profiles.
Tip | To learn more about Cisco Adaptive wIPS features and functionality, go to http://www.cisco.com/en/US/products/ps9817/index.html |
To access the wIPS profile list for the Prime Infrastructure, choose Configure > wIPS Profiles. The page displays wIPS Profiles > Profile List. If the Profile List is not currently displayed, choose Profile List from the left sidebar menu of wIPS profiles.
The Profile List provides the following information for each profile:
Profile Name—Indicates the user-defined name for the current profile. Click the profile name to view or edit profile details.
Note | When you hover your mouse over the profile name, the Profile ID and version appear. |
MSE(s) Applied To—Indicates the number of Mobility Services Engines (MSEs) to which this profile is applied. Click the MSE number to view profile assignment details.
Controller(s) Applied To—Indicates the number of controllers to which this profile is applied. Click the controller number to view profile assignment details.
This section contains the following topics:
The profile editor allows you to create new profiles or modify current profiles. See the “Profile Editor” section on page 8-256 for more information.
A new wIPS profile can be created using the default or pre-configured profile.
Tip | To learn more about Cisco Adaptive wIPS features and functionality, go to Cisco.com to watch a multimedia presentation. Here you will also find learning modules for a variety of the Prime Infrastructure topics. Over future releases, we will add more overview and technical presentations to enhance your learning. |
Step 1 | Select Configure > wIPS Profiles. The page displays the wIPS Profiles > Profile List. |
Step 2 | From the Select a command drop-down list, choose Add Profile. |
Step 3 | Click Go. |
Step 4 | Type a profile name in the Profile Name text box of the Profile Parameters page. |
Step 5 | Select the applicable pre-defined profile, or choose Default from the drop-down list. Pre-defined profiles include the following: |
Step 6 | Select one of the following:
|
Step 1 | Choose Configure > wIPS Profiles. The page defaults to the wIPS Profiles > Profile List. | ||
Step 2 | Select the check box of the wIPS profile(s) you want to delete. | ||
Step 3 | From the Select a command drop-down list, choose Delete Profile. | ||
Step 4 | Click Go. | ||
Step 5 | Click OK to confirm the deletion.
|
Tip | To learn more about Cisco Adaptive wIPS features and functionality, access the following URL: http://www.cisco.com/en/US/products/ps6305/tsd_products_support_online_learning_modules_list.html. Here you will also find learning modules for a variety of the Prime Infrastructure topics. Over future releases, we will add more overview and technical presentations to enhance your learning. |
You cannot apply wIPS profile to WLC 7.5 and earlier release using PI 1.4.x or PI 2.x with MSE 7.6 release.
Step 1 | Choose Configure > wIPS Profiles. The page defaults to the wIPS Profiles > Profile List. | ||
Step 2 | Select the check box of the wIPS profile(s) you want to apply. | ||
Step 3 | From the Select a command drop-down list, choose Apply Profile. | ||
Step 4 | Click Go. | ||
Step 5 | Select the Mobility Services
Engine(s) and controller(s) to which the profile is applied.
| ||
Step 6 | When applicable Mobility Services Engine(s) and controller(s) are selected, choose one of the following: |
The SSID (Service Set IDentifier) is a token or key which identifies an 802.11 (Wi-Fi) network. You must know the SSID to join an 802.11 network. SSIDs can be associated with a wIPS profile as a group by using the SSID group list feature.
An SSID group can be added to a profile by importing it from the Global SSID Group List page (Configure > wIPS Profiles > SSID Group List) or by adding one directly from the SSID Groups page.
This section contains the following topics:
Tip | Tip To learn more about Cisco Adaptive wIPS features and functionality, access the following URL: http://www.cisco.com/en/US/products/ps6305/tsd_products_support_online_learning_modules_list.htmlHere you will also find learning modules for a variety of Prime Infrastructure topics. Over future releases, we will add more overview and technical presentations to enhance your learning. |
The SSID Group List page allows you to add or configure global SSID groups that you might later import into an applicable wIPS profile.
Tip | To learn more about Cisco Adaptive wIPS features and functionality, access the following URL: http://www.cisco.com/en/US/products/ps6305/tsd_products_support_online_learning_modules_list.htmlHere you will also find learning modules for a variety of the Prime Infrastructure topics. Over future releases, we will add more overview and technical presentations to enhance your learning. |
To access the SSID Group List page, choose Configure > wIPS Profiles. From the left sidebar menu, choose SSID Group List. The SSID Group List page displays the current SSID groups and their associated SSIDs.
Step 1 | Choose Configure > wIPS Profiles. | ||
Step 2 | From the left sidebar menu, choose SSID Group List. | ||
Step 3 | From the Select a command drop-down list, choose Add Group. | ||
Step 4 | Click Go. | ||
Step 5 | On the SSID configuration page, type an SSID group name in the available text box. | ||
Step 6 | Enter the SSIDs in the SSID List text box. Separate multiple SSIDs with a space. | ||
Step 7 | When finished, select one of
the following:
|
Step 1 | Choose Configure > wIPS Profiles. |
Step 2 | From the left sidebar menu, choose SSID Group List. |
Step 3 | Select the check box of the SSID group that you want to edit. |
Step 4 | From the Select a command drop-down list, choose Edit Group. |
Step 5 | Click Go. |
Step 6 | In the SSID configuration page, make the necessary changes to the SSID group name or SSID list. |
Step 7 | When finished, select one of the following: |
Step 1 | Choose Configure > wIPS Profiles. |
Step 2 | From the left sidebar menu, choose SSID Group List. |
Step 3 | Select the check box of the SSID group(s) that you want to delete. |
Step 4 | From the Select a command drop-down list, choose Delete Group. |
Step 5 | Click Go. |
Step 6 | Click OK to confirm the deletion. |
The SSID Groups page is the first page displayed when you access the profile editor. This page displays SSID groups that are included for the current wIPS profile.
From this page, you can add, import, edit, or delete an SSID group for the current profile.
Tip | To learn more about Cisco Adaptive wIPS features and functionality, access the following URL: http://www.cisco.com/en/US/products/ps6305/tsd_products_support_online_learning_modules_list.html. Here you also find learning modules for a variety of the Prime Infrastructure topics. Over future releases, we will add more overview and technical presentations to enhance your learning. |
To add an SSID Group to the current wIPS profile, follow these steps:
Step 1 | Choose Configure > wIPS Profiles. |
Step 2 | From the left sidebar menu, choose Profile List. |
Step 3 | Click the profile name of the applicable wIPS profile. |
Step 4 | From the Select a command drop-down list, choose Add Group. |
Step 5 | Click Go. |
Step 6 | On the SSID configuration page, type an SSID group name in the available text box. |
Step 7 | Enter the SSIDs in the SSID List text box. Separate multiple SSIDs with commas. |
Step 8 | When finished, select one of the following: |
SSID groups can also be added by importing them from your Global SSID Groups list. See the “Global SSID Group List” section on page 8-260 for more information on creating a global SSID groups list.
Step 1 | Select Configure > wIPS Profile. |
Step 2 | Click the profile name for the applicable profile to open the SSID Groups page. |
Step 3 | From the Select a command drop-down list, choose Add Groups from Global List. |
Step 4 | Select the check box(es) for the SSID group(s) you want to import. |
Step 5 | Click Save. |
Step 1 | Choose Configure > wIPS Profiles. |
Step 2 | From the left sidebar menu, choose Profile List. |
Step 3 | Click the applicable wIPS profile names. |
Step 4 | Select the check box of the SSID group that you want to edit. |
Step 5 | From the Select a command drop-down list, choose Edit Group. |
Step 6 | Click Go. |
Step 7 | In the SSID configuration page, make the necessary changes to the SSID group name or the SSID list. |
Step 8 | When finished, select one of the following: |
Step 1 | Choose Configure > wIPS Profiles. |
Step 2 | From the left sidebar menu, choose Profile List. |
Step 3 | Click the profile name of the applicable wIPS profile. |
Step 4 | Select the check box of the SSID group that you want to delete. |
Step 5 | From the Select a command drop-down list, choose Delete Group. |
Step 6 | Click Go. |
Step 7 | Click OK to confirm the deletion. |
Tip | To learn more about Cisco Adaptive wIPS features and functionality, access the following URL: http://www.cisco.com/en/US/products/ps6305/tsd_products_support_online_learning_modules_list.html. Here you also find learning modules for a variety of the Prime Infrastructure topics. Over future releases, we will add more overview and technical presentations to enhance your learning. |
The profile editor allows you to configure profile details including the following:
Policy inclusion—Determines the policies that are included in the profile.
Policy level settings—Configure settings for each policy such as threshold, severity, notification type, and ACL/SSID groups.
MSE/controller applications—Select the Mobility Services Engine(s) or controller(s) to which you want to apply the profile.
Step 1 | Access the profile editor. This can be done in two ways: | ||||||||||
Step 2 | From the SSID Groups page, you can edit and delete current groups or add a new group. For more information on adding, editing, or deleting SSID groups, see the “Configure > wIPS > SSID Group List” section on page 8-259 for more information. | ||||||||||
Step 3 | When SSID groups have been added or edited as needed, select one of the following: | ||||||||||
Step 4 | From the Profile
Configuration page, you can determine which policies are included in the
current profile. The check boxes in the policy tree (located in the left Select
Policy pane) indicate which policies are enabled or disabled in the current
profile. You can enable or disable an entire branch or individual policy as
needed by selecting the check box for the applicable branch or policy.
| ||||||||||
Step 5 | In the Profile Configuration
page, click an individual policy to display the policy description and view or
modify current policy rule settings.
The following options are available for each policy:
| ||||||||||
Step 6 | When the profile configuration is complete, select one of the following: | ||||||||||
Step 7 | In the Apply Profile page, select the check box(es) of the Mobility Services Engine and controller(s) to which you want to apply the current profile. | ||||||||||
Step 8 | When the applicable Mobility
Services Engine(s) and controller(s) are selected, choose one of the following:
|