The Rogue and aWIPS dashboard is displayed.

The Rogue and aWIPS window is displayed. By default, Cisco DNA Center displays the Overview tab.

Choose Rogue > Enable to enable rogue detection on the Cisco Wireless Controller and Cisco Catalyst 9800 Series Wireless Controller.

The rogue management functionality is enabled by default if it is already enabled while migrating from Cisco DNA Center Release 1.3.3.x to Cisco DNA Center Release 2.2.1.0.

After disabling the rogue management functionality, data from the wireless controller will not be pushed to Cisco DNA Center until the rogue management functionality is enabled.

The Operation column shows Enable if the rogue-detection operation is enabled successfully on the wireless controller.

The Status column shows Success if the configuration changes are successfully pushed to the wireless controller.

If you are migrating from Cisco DNA Center Release 1.3.3.x to Cisco DNA Center Release 2.2.1.0, you must enable the aWIPS functionality in Cisco DNA Center Release 2.2.1.0.

The Operation column shows Enable if the aWIPS detection operation is enabled successfully on the wireless controller.

The Status column shows Success if the configuration changes are successfully pushed to the wireless controller.

The Active High Threats and High Threats Over Time graphs below the timeline slider display the threat details accordingly.

• The Active High Threats and High Threats Over Time graphs display information about rogue APs detected in the last 3 hours by default. The graph information is based on the time interval that you choose from the hours drop-down list.

  The options are Last 3 hours, Last 24 hours, and Last 7 days.

• The Active High Threats widget presents information about threat levels in the form of a donut graph. Hover your cursor over the graph to see the number of rogue APs found in each threat level.

• The High Threats Over Time graph presents information about high threats over, time based on the time interval that you choose from the time interval drop-down list. Hover your cursor over the graph to view the number of high threats that occurred at a particular time.

• The Threats table displays a list of rogue APs found on the network.

RSSI, SSID, and Clients are not displayed for aWIPS.

The following information is displayed for each rogue AP found on the network:

• ID: Rogue AP identifier.

• Threat Level: Color-coded classified threat level. Cisco DNA Center classifies threats into these categories:

  • High Threat

  • Potential Threat

  • Informational

• Threat Mac Address: MAC address of the rogue AP.

• Type: Threat types for rogue AP and aWIPS.

  The available classification types for Rogue AP are:

  • Beacon DS Attack

  • AP Impersonation

  • Allowed List

  • Rogue on wire

  • Honeypot

  • Interferer

  • Allowed Vendor

  • Friendly

  • Neighbor

• The available signature types for aWIPS are:

  • EAPOL logoff flood

  • Deauthentication broadcast

  • CTS Flood

  • RTS Flood

  • Deauthentication flood

  • Disassociation broadcast

  • Disassociation flood

  • Broadcast probe

  • Association flood

  • Authentication flood

• State: Shows the state of the rogue AP/aWIPS attacks.

• Source/Target: Shows the threat MAC address that is source and target of aWIPS attack. This column is not applicable for rogue data.

• Connection: Whether the rogue AP is located on the wired network or wireless network. This column shows the aWIPS attacks always on the wireless network.

• Detecting AP: Name of the AP that is currently detecting the rogue AP. If multiple APs detect the rogue, the detecting AP with the highest signal strength is displayed. This column is applicable for rogue AP and aWIPS attacks.

• Detecting AP Site: Site location of the detecting AP. This column is applicable for rogue AP and aWIPS attacks.

• RSSI (dBm): RSSI value reported by the detecting AP. RSSI (dBm) is only applicable for rogue AP.

• SSID: Service Set Identifier that the rogue AP is broadcasting. SSID is only applicable for rogue AP.

• Clients: Number of rogue clients associated to this access point. This column is only applicable for rogue AP.

• Wireless Containment Status: Show the possible values (Contained, Pending, Open, & Partial) of a rogue AP. Wireless containment status is only applicable for rogue AP.

• Last Reported: Date, month, year, and time when the rogue AP/aWIPS attack was last reported.

• Vendor: Rogue AP vendor information. This column is not applicable for aWIPS attacks.

The Threat 360° pane appears.

The upper part of the pane displays the following information:

• MAC address of the rogue AP

• Threat level

• Threat type

• Status

• Vendor

• Containment

• Count

• Last reported

The middle part of the pane shows the estimated location of a rogue AP or a threat on the floor map:

• Site details and floor number.

• Floor map shows the names of the managed APs.

• Click the icon at the right-hand corner of the floor map to see the IP address of the wireless controller that manages APs along with the reachability status.

• Click the icon at the right-hand corner of the floor map to zoom in on a location. The zoom levels depend on the resolution of an image. A high-resolution image provides more zoom levels. Each zoom level comprises a different style map that is shown at different scales, each one showing the corresponding details. Some maps are of the same style, but at a smaller or larger scale.

• Click the icon to see a map with fewer details.

• Click the icon to view the map icon legend.

The following table provides descriptions of the floor map icons.

• Click the Switch Port Detail tab to get details about rogue on wire, including information such as Host Mac, Device Name, Device IP, Interface Name, Last Updated, Port Mode, and Admin Status.

  Note	Admin Status column shows interface status either as UP or as DOWN. Port Mode column shows the interface mode either as ACCESS or as TRUNK.

  Note	Cisco switches are required for rogue-on-wire detections.

• Click the Detections tab to view information such as Detecting AP, Detecting AP Site, Rogue SSID, RSSI (dBM), Channels, Radio Type, SNR, State, and Last Updated.

• Click the Filter () icon at the left end of the table to narrow down the search results based on Rogue SSID, RSSI, Radio Type, Security, and SNR.

• Click the Export icon and save it to your system.

• Click the Clients tab to view details such as MAC Address, Gateway Mac, Rogue AP Mac, IP Address, and Last Heardabout the clients that are associated with the rogue AP.

• Click the Filter () icon at the left end of the table to narrow down the results based on your search criteria.

The aWIPS Profile dashboard appears.

The aWIPS Profile dashboard displays the following information:

• Profile Name: Shows the list of aWIPS profiles names.

• Assigned WLCs: Shows the number of assigned wireless controllers to an aWIPS profile.

• Last Changed: Shows the last created or updated date and time of an aWIPS profile.

The Profile Assigned to WLC window shows the following attributes of the network device:

• Device Name: Shows the name of the network device.

• IP Address: Shows the IP address of the network device.

• Profile Config URL Push Status: Shows the status of profile configuration URL push to the network device. The possible values of push status are Success, Failure, and In Progress.

  In case of Failure status, hover your mouse over the i icon next to the Failure to see the failure reason.

• Profile Config Download Status (On Device): Shows the profile configuration download status on the device. The possible values of download status are Success, Failure, and In Progress.

  In case of Failure status, hover your mouse over the i icon next to the Failure to see the failure reason.

  Note

  If aWIPS subscription is disabled on Cisco DNA Center, an error message appears on the top of the aWIPS Profile dashboard. You must have aWIPS subscription to see the value of Profile Config Download Status (On Device). To subscribe the aWIPS data collection, enable the aWIPS from the Rogue and aWIPS overview dashboard, see Monitor the Rogue Management and aWIPS Dashboard. The HTTP protocol reachability must be present between the device and Cisco DNA Center for device to download the Profile configuration from profile config URL.

• Forensic capture config Status: Shows the forensic capture config status on default-ap-profile AP Join Profile on the device. The possible values of config status are Success, Failure, and In Progress.

  In case of Failure status, hover your mouse over the i icon next to the Failure to see the failure reason.

• Forensic Capture: Shows whether the forensic capture is enabled/disabled on default-ap-join AP Join Profile on the device. Forensic capture on custom AP join profile is not yet supported.

  Hover your mouse over the i icon next to the Forensic capture, a tooltip saying Shows the current Forensic Capture status on default-ap-profile AP Join Profile on the device appears.

  Note	In the Profile Assigned to WLC window, you cannot enable or disable the Forensic Capture.

• Assigned On: Shows the date and time of aWIPS profile assigned to wireless controller.

Threat 360 window appears.