Step 1
In the Cisco DNA Center GUI, click the Menu icon () and choose .
The Rogue and aWIPS window is displayed. By default, Cisco DNA Center displays the Overview tab.
Note: If a Cisco AireOS Controller does not meet the minimum software version, a notification appears at the top of the dashboard.
Click Go To Devices in the notification to upgrade to the supported version.

Step 2
From the Actions drop-down list, you can perform the following functions:
Choose to enable rogue detection on the Cisco Wireless Controller and Cisco Catalyst 9800 Series Wireless Controller.
The rogue management functionality is enabled by default if it is already enabled while migrating from Cisco DNA Center Release 1.3.3.x to Cisco DNA Center Release 2.2.1.0 or later.

Step 3
Choose to disable the rogue actions temporarily.

Step 4
Click Yes in the Warning dialog box that appears.
After disabling the rogue management functionality, data from the wireless controller will not be pushed to Cisco DNA Center until the rogue management functionality is enabled.

Step 5
Choose Status to view the rogue configuration job status.

Step 6
Filter the rogue configuration status by All, Failure, Success, or In Progress by clicking the respective tabs.
The Operation column shows Enable if the rogue-detection operation is enabled successfully on the wireless controller.
The Status column shows Success if the configuration changes are successfully pushed to the wireless controller.

Step 7
Choose to enable aWIPS data collection on Cisco DNA Center.
If you are migrating from Cisco DNA Center Release 1.3.3.x to Cisco DNA Center Release 2.2.1.0 or later, you must enable the aWIPS functionality in Cisco DNA Center Release 2.2.1.0 or later.

Step 8
Choose to disable aWIPS actions temporarily.

Step 9
Click Yes in the Warning dialog box that appears.

Step 10
Choose to view the aWIPS subscription status.

Step 11
Filter the aWIPS configuration status by All, Failure, Success, or In Progress by clicking the respective tabs.
The Operation column shows Enable if the aWIPS detection operation is enabled successfully on the wireless controller.
The Status column shows Success if the configuration changes are successfully pushed to the wireless controller.

Step 12
Move the timeline slider to view data about a threat that occurred at a specific time.
The Active High Threats and High Threats Over Time graphs below the timeline slider display the threat details accordingly.

Step 13
Click the Show Map icon to get a global map view of sites in your network.
- The Active High Threats and High Threats Over Time graphs display information about rogue APs detected in the last 3 hours by default. The graph information is based on the time interval that you choose from the hours drop-down list. The options are Last 3 hours, Last 24 hours, and Last 7 days.
- The Active High Threats widget presents information about threat levels in the form of a donut graph. Hover your cursor over the graph to see the number of rogue APs found in each threat level.
- The High Threats Over Time graph presents information about high threats over time, based on the time interval that you choose from the time interval drop-down list. Hover your cursor over the graph to view the number of high threats that occurred at a particular time.
- The Threats table displays a list of rogue APs found on the network.

Step 14
Some columns are hidden in the default column view setting. To customize the columns, click the three dots at the right end of the column heading.

Step 15
Click and choose a layout preset: Basic or All.

Step 16
Click the Filter icon at the left end of the Threats table to narrow down the rogue AP list based on the following criteria: ID, Threat Level, Threat MAC Address, Type, State, Connection, Detecting AP, Detecting AP Site, RSSI (dBm), SSID, Clients, Containment Status, Last Reported, and Vendor.
RSSI, SSID, and Clients are not displayed for aWIPS.
The following information is displayed for each rogue AP found on the network:
- ID: Rogue AP identifier.
- Threat Level: Color-coded classified threat level. Cisco DNA Center classifies threats into these categories:
  - High Threat
  - Potential Threat
  - Informational
- Threat MAC Address: MAC address of the rogue AP.
- Type: Threat types for rogue AP and aWIPS.
  The available classification types for Rogue AP are:
  - Beacon DS Attack
  - AP Impersonation
  - Allowed List
  - Rogue on wire
  - Honeypot
  - Interferer
  - Allowed Vendor
  - Friendly
  - Neighbor
  - Custom Rule Name
  The available signature types for aWIPS are:
  - EAPOL logoff flood
  - Deauthentication broadcast
  - CTS Flood
  - RTS Flood
  - Deauthentication flood
  - Disassociation broadcast
  - Disassociation flood
  - Broadcast probe
  - Association flood
  - Authentication flood
  - Deauthentication Flood
  - Fuzzed Beacon
  - Fuzzed Probe Request
  - Fuzzed Probe Response
  - PS Poll Flood
  - EAPOL Start V1 Flood
  - Reassociation Request Flood
  - Beacon Flood
  - Probe Response Flood
  - Block Ack Flood
  - Airdrop Session
  - Malformed Association Request
  - Authentication Failure Flood
  - Invalid MAC OUI Frame
  - Malformed Authentication
  - CTS Virtual Carrier Sense Attack
  - RTS Virtual Carrier Sense Attack
- State: Shows the state of the rogue AP/aWIPS attacks.
- Source/Target: Shows whether the displayed MAC address is the source of an aWIPS attack or target of an aWIPS attack. This column is not applicable for rogue data.
- Connection: Whether the rogue AP is located on the wired network or wireless network. For aWIPS attacks, this column always shows the wireless network.
- Detecting AP: Name of the AP that is currently detecting the rogue AP. If multiple APs detect the rogue, the detecting AP with the highest signal strength is displayed. This column is applicable for rogue AP and aWIPS attacks.
- Detecting AP Site: Site location of the detecting AP. This column is applicable for rogue AP and aWIPS attacks.
- RSSI (dBm): RSSI value reported by the detecting AP. RSSI (dBm) is only applicable for rogue AP.
- SSID: Service Set Identifier that the rogue AP is broadcasting. SSID is only applicable for rogue AP.
- Clients: Number of rogue clients associated with this access point. This column is only applicable for rogue AP.
- Wireless Containment Status: Shows the containment status of a rogue AP. The possible values are Contained, Pending, Open, and Partial. Wireless containment status is only applicable for rogue AP.
- Last Reported: Date, month, year, and time when the rogue AP/aWIPS attack was last reported.
- Vendor: Rogue AP vendor information. This column is not applicable for aWIPS attacks.