aWIPS Profiles

About aWIPS profiles

Configure aWIPS profiles to select required signatures, set thresholds for detecting denial of service (DoS) attacks, and enable forensic capture at the signature level. Adjust thresholds to control the number of alarms generated for each aWIPS signature during a specific time period.

This table lists the supported devices for aWIPS profile configuration for various versions of Catalyst Center:

Table 1. Supported devices for aWIPS profile configuration

Supported devices:

  • Cisco Catalyst 9800 Series Wireless Controller

  • Cisco Catalyst 9800-CL Cloud Wireless Controller

  • Cisco Embedded Wireless Controller on Catalyst Access Points

  • Cisco Catalyst 9800 Embedded Wireless Controller for Catalyst 9300 Series Switches

  • Cisco Catalyst 9400 Series Switches

  • Cisco Catalyst 9500 Series Switches

IOS-XE version      Catalyst Center version
17.4 to 17.13       2.3.7.4
17.4 to 17.14       2.3.7.5
17.4 to 17.15       2.3.7.6
17.4 to 17.15       2.3.7.7


Note


For SD-Access use cases, for aWIPS profiles to work, you must enable the wireless module on Cisco Catalyst 9300 Series Switches, Cisco Catalyst 9400 Series Switches, and Cisco Catalyst 9500 Series Switches.


Prerequisites for aWIPS profile

  • Verify the network connectivity between the Cisco Wireless Controller and Catalyst Center.

  • Make sure that the network device is reachable from Catalyst Center and has downloaded the aWIPS profile configuration from Catalyst Center.


    Note


    To avoid aWIPS profile download failures in a Fabric in a Box SD-Access setup, ensure that the Infrastructure Virtual Network (Infra_VN) uses a routable IP subnet in the global routing table.


  • To enable forensic capture, complete these tasks:

    • Ensure there is network connectivity between APs and Catalyst Center.

    • Establish the Google Remote Procedure Call (gRPC) tunnel interface between APs and Catalyst Center. Use the show ap icap connection command to confirm that the status is READY.

    • Open the required ports between Catalyst Center and links to the network devices.

    • Configure an NTP server on the AP to prevent time lag between Catalyst Center and APs. For more information, see the Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Dublin 17.12.x.

Create an aWIPS profile configuration workflow

This section explains how to create an aWIPS profile.

Procedure


Step 1

From the main menu, choose Workflows > Create an aWIPS Profile.

Alternatively, you can create an aWIPS profile by choosing Assurance > Rogue and aWIPS > aWIPS Profile > Add Profile.

The Create an aWIPS Profile window opens.

Step 2

Click Let's Do it.

The aWIPS Profile Creation window opens.

Step 3

In the Profile Name field, enter a name for the aWIPS profile.

Step 4

The Signatures table lists these parameters for the aWIPS profile:

  • Signature: Shows the standard aWIPS signatures that detect DoS attacks.

  • Default Threshold: Shows the predefined threshold value for the respective aWIPS signature.

  • Configure Threshold: Shows the manually configured threshold value for the respective aWIPS signature.

  • Time Interval (In Seconds): Shows the time interval of packets.

  • Forensic Capture: Captures the aWIPS DoS attack packets in real time for the given signature.

Step 5

In the Signature column, check the check box next to the aWIPS signature that you want to select or deselect for an aWIPS profile.

Note

 

If an aWIPS signature is not selected for an aWIPS profile, Catalyst Center does not detect the DoS attack for that particular aWIPS signature.

Step 6

In the Configure Threshold column, for the selected aWIPS signature, enter the threshold value within the specified range that appears on top of the respective Configure Threshold field.

For some signatures, the configuration threshold is not applicable. For those signatures, the threshold configuration values appear as NA on top of the respective Configure Threshold field.

Note

 

The Configure Threshold value cannot contain alphanumeric characters.

Step 7

In the Forensic Capture column, click the toggle button to enable or disable the forensic capture for a particular aWIPS signature.

Note

 
  • Catalyst Center does not allow you to edit the Default Threshold value and the Time Interval (In Seconds) value for the aWIPS profile.

  • If you enable forensic capture for an aWIPS signature, Catalyst Center allows you to download packets from the Threat 360 window.

  • If you disable forensic capture for an aWIPS signature, Catalyst Center does not capture the aWIPS DoS attack for the given signature.

  • Enabling Forensic Capture for RTS Flood and CTS Flood signatures might impact the performance of Catalyst Center.

Step 8

(Optional) Click Reset to Default to get the default aWIPS profile configuration.

Note

 

The default aWIPS profile is configured for a high-security environment and is not suitable for general-purpose deployment. Configure the aWIPS profile based on your requirements.

Step 9

Click Next.

Note

 

In the Configure Threshold column, for the selected aWIPS signature, if you enter a threshold value that is out of the specified range, an error message appears at the top of the Create an aWIPS Profile window, asking you to enter a value within the specified range.

Step 10

In the Profile Summary window, the Profile Summary table displays the summary of the profile that was configured in the aWIPS Profile Creation window.

Step 11

Click Next.

Step 12

In the Profile Creation Done window, click Assign Profile to Device(s) to assign this aWIPS profile to a device.

The Assign aWIPS Profile window opens.

You can also assign an aWIPS profile to a device in the Assurance > Rogue and aWIPS > aWIPS Profile window by checking the check box next to the aWIPS profile name and choosing More Actions > Assign.

Note

 

You cannot assign more than one aWIPS profile to a device at a time.

Step 13

In the Assigned WLCs column, click the number link to view the number of wireless controllers assigned to an aWIPS profile.

The Profile Assigned to WLC window shows these attributes of the network device:

  • Device Name: Shows the name of the network device.

  • IP Address: Shows the IP address of the network device.

  • Profile Config URL Push Status: Shows the status of pushing the profile configuration URL to the network device. The possible values are Success, Failure, or In Progress.

    If the status is Failure, hover your cursor over the i icon next to Failure to see the reason.

  • Profile Config Download Status (On Device): Shows the profile configuration download status on the device. The possible values are Success, Failure, and In Progress.

    If the status is Failure, hover your cursor over the i icon next to Failure to see the reason.

    Note

     
    • If the aWIPS subscription is disabled on Catalyst Center, an error message appears at the top of the aWIPS Profile dashboard. You must have an aWIPS subscription to see the value of Profile Config Download Status (On Device). To subscribe to the aWIPS data collection, enable aWIPS from the Rogue and aWIPS overview dashboard. See Monitor the Rogue Management and aWIPS dashboard.

    • HTTP protocol reachability must be possible between the device and Catalyst Center for the device to download the profile configuration from the profile configuration URL.

  • Forensic capture config Status: Shows the forensic capture configuration status on the default-ap-profile AP Join Profile on the device. The possible values are Success, Failure, and In Progress.

    If the status is Failure, hover your cursor over the i icon next to Failure to see the reason.

  • Forensic Capture: Shows whether the forensic capture is enabled or disabled on the default-ap-join AP Join Profile on the device. Forensic capture on a custom AP join profile is not supported.

    Hover your cursor over the i icon next to the corresponding forensic capture. This tooltip appears: Shows the current Forensic Capture status on default-ap-profile AP Join Profile on the device.

    Note

     

    In the Profile Assigned to WLC window, you cannot enable or disable Forensic Capture.

  • Assigned On: Shows the date and time when the aWIPS profile is assigned to the wireless controller.

Step 14

Click Next.

The Profile Creation Done window opens.
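The rules from Steps 5 through 9 can be checked before a profile is assigned. The following is an added example, not Catalyst Center code: the dictionary layout, the placeholder signature names, and the threshold ranges are constructed for illustration, and only the RTS Flood and CTS Flood names come from this page.

```python
# Added example: review an aWIPS profile draft against the rules in Steps 5-9.
# The data layout and the ranges are constructed, not Catalyst Center's model.

HEAVY_CAPTURE = {"RTS Flood", "CTS Flood"}  # capture here might impact performance


def review_profile(profile):
    """Return a list of (signature, severity, message) findings."""
    findings = []
    for sig in profile["signatures"]:
        name = sig["name"]
        if not sig["selected"]:
            findings.append((name, "gap", "not selected: this DoS attack is not detected"))
            if sig.get("capture"):
                findings.append((name, "warn", "capture enabled but signature is unselected"))
            continue
        rng = sig.get("range")        # None models a threshold shown as NA
        value = sig.get("configured")  # None means the default threshold is kept
        if rng is None:
            if value is not None:
                findings.append((name, "error", "threshold is NA for this signature"))
        elif value is not None:
            if not str(value).isdigit():
                findings.append((name, "error", f"threshold {value!r} is not numeric"))
            elif not rng[0] <= int(value) <= rng[1]:
                findings.append((name, "error", f"threshold {value} outside {rng[0]}-{rng[1]}"))
        if sig.get("capture") and name in HEAVY_CAPTURE:
            findings.append((name, "warn", "forensic capture might impact Catalyst Center"))
    return findings


# Constructed sample profile; ranges and placeholder names are invented.
SAMPLE = {
    "name": "branch-office",
    "signatures": [
        {"name": "RTS Flood", "selected": True, "range": (100, 5000), "configured": 2500, "capture": True},
        {"name": "CTS Flood", "selected": True, "range": (100, 5000), "configured": 9000, "capture": False},
        {"name": "Placeholder A", "selected": False, "range": (10, 500), "configured": None, "capture": True},
        {"name": "Placeholder B", "selected": True, "range": None, "configured": "12a", "capture": False},
        {"name": "Placeholder C", "selected": True, "range": (10, 500), "configured": "12a", "capture": False},
    ],
}

if __name__ == "__main__":
    for finding in review_profile(SAMPLE):
        print(*finding, sep=" | ")
```

Findings with severity gap mark signatures whose attacks go undetected once the profile is assigned, so review them first.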


View an aWIPS profile

Procedure


From the main menu, choose Assurance > Rogue and aWIPS > aWIPS Profile.

The aWIPS Profile(s) dashboard appears.

Note

 

When you navigate to the aWIPS Profile tab for the first time, a message appears on top of the aWIPS Profile dashboard. The message asks you to subscribe to the upgraded subscription, even if aWIPS is enabled in Catalyst Center. To subscribe to the upgraded subscription, you must disable and enable aWIPS from the Rogue and aWIPS overview dashboard. See Monitor the Rogue Management and aWIPS dashboard.

The aWIPS Profile dashboard displays this information:

  • Profile Name: Shows the list of aWIPS profile names.

  • Assigned WLCs: Shows the number of assigned wireless controllers to an aWIPS profile.

  • Last Changed: Shows the last created or updated date and time of an aWIPS profile.


Assign an aWIPS profile to the network device

Before you begin

If you upgrade Catalyst Center from a release earlier than Release 2.2.2.0, you must disable and enable aWIPS from the Rogue and aWIPS overview dashboard to subscribe to the additional subscription. See Monitor the Rogue Management and aWIPS dashboard.


Note


For a new installation of Catalyst Center, you do not have to disable and enable aWIPS from the Rogue and aWIPS overview dashboard to subscribe to the additional subscription.


Procedure


Step 1

From the main menu, choose Workflows > Assign an aWIPS Profile.

The Assign an aWIPS Profile window appears.

To skip this window in the future, check the Don't show this to me again check box.

Step 2

Click Let's Do it.

The Assign aWIPS Profile window appears.

Step 3

From the Profile Name drop-down list, select the aWIPS profile name that you want to assign to a device.

Step 4

In the left pane, you can search for a site by entering its name in the Find Hierarchy field. Alternatively, you can expand Global to select a site.

You can also search for a network device by entering its name in the Search Table field.

The Network Devices table shows the Device Name, IP Address, Software Version, Reachability, and Forensic Capture of the device and lists the network devices in these sections:

  • Reachable & Supported: Shows the list of reachable and supported network devices with software version 17.4, and reachability status with a green check mark.

  • Not Reachable/Not Supported: Shows the list of unreachable or unsupported network devices with software version 17.4. You cannot assign an aWIPS profile to unreachable or unsupported network devices.

Step 5

In the Reachable & Supported tab, check the check box next to the device that you want to assign to the selected aWIPS profile. You can either select all the devices or an individual device.

Note

 

You can assign an aWIPS profile to a maximum of 100 devices at a time.

Step 6

Click Next.

Step 7

In the Profile and devices Mapped Summary window, expand aWIPS Profile Details to view the configuration summary of the selected aWIPS profile, and Device Map to view the configuration summary of assigned devices.

Step 8

Click Next.

The Profile Assignment to Devices initiated successfully window appears.

Note

 

Profile assignment to the devices takes some time to complete. You must wait before retrying the assignment process.

Step 9

To view the status of the assigned aWIPS profile to the device, click the Go to Rogue and aWIPS Home Page link. For more information, see View an aWIPS profile.


Edit an aWIPS profile

This procedure describes how to edit an aWIPS profile.

Before you begin

To add an additional subscription, you must disable and enable aWIPS from the Rogue and aWIPS overview dashboard. See Monitor the Rogue Management and aWIPS dashboard.

Procedure


Step 1

From the main menu, choose Assurance > Rogue and aWIPS > aWIPS Profile.

Step 2

In the aWIPS Profile(s) table, click the profile name that you want to edit.

Step 3

In the Edit aWIPS Profile window that opens, make the necessary changes and click Save.

Note

 

The default aWIPS profile cannot be edited.

After the profile is saved, it is pushed to all devices assigned to the aWIPS profile.

Note

 

In the Configure Threshold column, for the selected aWIPS signature, if you enter a threshold value that is out of the specified range, an error message appears at the top of the Edit aWIPS Profile window, asking you to enter a value within the specified range.


Delete an aWIPS profile

This procedure describes how to delete an aWIPS profile from Catalyst Center.

Before you begin

To subscribe to the additional subscription, you must disable and enable aWIPS from the Rogue and aWIPS overview dashboard. See Monitor the Rogue Management and aWIPS dashboard.

Procedure


Step 1

From the main menu, choose Assurance > Rogue and aWIPS > aWIPS Profile.

The aWIPS Profile dashboard appears.

Step 2

In the aWIPS Profile(s) table, check the check box next to the aWIPS profile name that you want to delete. Click Delete.

Note

 
  • You cannot delete a default aWIPS profile.

  • You cannot delete an aWIPS profile that is assigned to a network device. If a device is assigned to an aWIPS profile, reassign the device to the default aWIPS profile before deleting the profile.

Step 3

In the confirmation window, click Delete.


Enable or disable aWIPS or aWIPS forensic capture

Catalyst Center allows you to enable or disable aWIPS or aWIPS forensic capture at the site level. You can enable or disable aWIPS for all Cisco Catalyst 9800 Series Wireless Controllers in a network.

Procedure


Step 1

From the main menu, choose Design > Network Settings.

Step 2

Click the Wireless tab.

Step 3

In the left pane, ensure that Global is selected.

Note

 
The sites, buildings, and floors inherit the settings from the global level. Settings saved at the site, building, or floor level override the global network settings.

Step 4

Click AP Profiles.

Step 5

In the AP Profile table, hover your cursor over Add, and select AP Profile for IOS-XE.

Step 6

Click the Security tab.

Step 7

To enable aWIPS, click the aWIPS toggle button.

By default, aWIPS is enabled at the global level.

Step 8

(Optional) To disable aWIPS, click the aWIPS toggle button.

Step 9

To enable forensic capture, click the Forensic Capture toggle button.

Note

 
To enable forensic capture, aWIPS must be enabled. If you disable aWIPS when forensic capture is enabled, forensic capture is also disabled.

Step 10

Click Save.

Note

 
After you configure aWIPS or aWIPS Forensic Capture settings, provision or reprovision a device to apply the changes.

Step 11

(Optional) To reset the aWIPS and Forensic Capture Enablement settings, click Reset.

Note

 

If you are migrating from a Catalyst Center release earlier than Release 2.3.2.0, configure the network settings with aWIPS or aWIPS Forensic Capture settings. This ensures that configurations are updated in the wireless controllers.

AP join profiles on devices use the aWIPS or aWIPS Forensic Capture settings. When a Cisco Catalyst 9800 Series Wireless Controller device is provisioned, all AP join profiles associated with the device are fetched, and these actions take place:

  • Default AP join profiles inherit the aWIPS or aWIPS Forensic Capture settings from the site assigned to the device.

  • Custom profiles, which are created using Catalyst Center as part of row AP provisioning, inherit the aWIPS or aWIPS Forensic settings from the Country site level for which the corresponding row AP profile is created.

  • Custom profiles created using Catalyst Center as part of mesh AP provisioning inherit the settings from the floor site level for the corresponding row AP profile.

  • Custom AP join profiles created outside Catalyst Center do not inherit the settings.
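The inheritance and override rules in this section determine where aWIPS is actually active. The following added example, which is not Catalyst Center code, resolves the effective settings per site and lists sites where a local override turns detection off. The site paths and override table are constructed, and the forensic capture default of disabled is an assumption.

```python
# Added example: resolve effective aWIPS settings through the site hierarchy.
# Site paths and overrides are constructed sample data.


def effective_settings(site, overrides):
    """Walk from Global down to `site`; the most specific saved setting wins."""
    # aWIPS is enabled by default at the global level (stated on this page).
    # Forensic capture defaulting to disabled is an assumption of this example.
    settings = {"awips": True, "forensic_capture": False}
    parts = site.split("/")
    for depth in range(1, len(parts) + 1):
        settings.update(overrides.get("/".join(parts[:depth]), {}))
    if not settings["awips"]:
        # Disabling aWIPS also disables forensic capture.
        settings["forensic_capture"] = False
    return settings


def join_profile_settings(kind, device_site, overrides):
    """Settings applied to an AP join profile when the controller is provisioned."""
    if kind == "external":   # created outside Catalyst Center: nothing inherited
        return None
    if kind == "default":    # inherits from the site assigned to the device
        return effective_settings(device_site, overrides)
    raise ValueError(f"profile kind not modelled in this example: {kind}")


def detection_gaps(sites, overrides):
    """Sites where aWIPS ends up disabled after all overrides are applied."""
    return sorted(s for s in sites if not effective_settings(s, overrides)["awips"])


# Constructed sample hierarchy and saved settings.
OVERRIDES = {
    "Global": {"forensic_capture": True},
    "Global/US/HQ": {"awips": False},
    "Global/US/HQ/Floor2": {"awips": True},
}
SITES = ["Global/US/HQ/Floor1", "Global/US/HQ/Floor2", "Global/US/Branch/Floor1"]

if __name__ == "__main__":
    for site in SITES:
        print(site, effective_settings(site, OVERRIDES))
    print("aWIPS disabled at:", detection_gaps(SITES, OVERRIDES))
```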