Cisco Catalyst Center Rogue Management and aWIPS Application Quick Start Guide, Release 3.1.x

Information about the rogue and aWIPS event notifications

Overview

To complete this procedure, ensure that you select and subscribe to a rogue event or an aWIPS event.

You can configure Catalyst Center to send a notification whenever a rogue or aWIPS attack takes place. Notifications for these events do not appear in the Catalyst Center Notification Center.

Procedure

1.

To review threats that occurred before you subscribed to event notifications in the Catalyst Center GUI, click the menu icon and choose Reports > Report Templates > Rogue and aWIPS.

2.

To subscribe to a rogue event or an aWIPS event in the Catalyst Center GUI, click the menu icon and choose Platform > Developer Toolkit > Event Notifications.

3.

Click Create New and complete the Create a New Notification workflow. For more information, see the "Create an event notification" topic in the Cisco Catalyst Center User Guide.

Note

After you subscribe to a rogue event or an aWIPS event, you receive event notifications.

4.

After you subscribe to rogue threat notifications or aWIPS threat notifications, you can receive notifications through REST APIs (Webhook, PagerDuty, and Webex) or a syslog server. See these resources for procedures:

Note

Webex and PagerDuty destinations can send up to 100 event notifications every 5 minutes. If you expect to receive more than 100 events in 5 minutes, use Webhook or syslog destinations.


Rogue events

Rogue events are triggered only for these high threat-level rogues:

  • Beacon wrong channel

  • Beacon DS attack

  • AP impersonation

  • Rogue on wire

  • Honeypot

  • Custom rules created with the threat level set to high

Rogue events are triggered when:

  • A high threat-level rogue is discovered in the network for the first time (ROGUE_NEW_THREAT_DETECTED)

  • A high threat-level rogue is deleted from the network (ROGUE_THREAT_DELETED)

  • A threat level is changed from High to Potential or Informational (ROGUE_THREAT_LEVEL_CHANGED)

  • A threat level is changed from Potential or Informational to High (ROGUE_THREAT_LEVEL_CHANGED)

  • A threat level remains High but the threat type changes (ROGUE_THREAT_TYPE_CHANGED)

Rogue events payload details:

{
	"detectingApLocation": "string",
	"rssi": "int",
	"threatMacAddress": "string",
	"threatType": "string",
	"detectingApMacAddress": "string",
	"threatState": "string",
	"wlcIp": "string",
	"detectingApName": "string",
	"containmentState": "string",
	"vendorName": "string",
	"ssid": "string",
	"threatLevel": "string"
}

Fields in the payload:

  • threatMacAddress: MAC address of the rogue AP

  • threatType: Type of rogue threat (Beacon DS Attack, AP Impersonation, Rogue on Wire, Honeypot, or Custom Rules created with Threat Level as High)

  • threatState: State of the rogue threat (ROGUE_NEW_THREAT_DETECTED, ROGUE_THREAT_DELETED, ROGUE_THREAT_LEVEL_CHANGED, or ROGUE_THREAT_TYPE_CHANGED)

  • threatLevel: Threat level of the rogue (High, Potential, or Informational)

  • detectingApName: Name of the strongest detecting AP

  • detectingApMacAddress: MAC address of the strongest detecting AP

  • detectingApLocation: Location of the strongest detecting AP

  • rssi: RSSI value of the detecting AP that detects the rogue AP

  • containmentState: Containment state of the rogue AP (PENDING, NOTCONTAINED, or CONTAINED)

  • threatVendorName: Vendor name of the rogue AP

  • ssid: Latest SSID or Honeypot SSID

  • wlcIp: IP address of the wireless controller


aWIPS events

aWIPS events are triggered for all aWIPS threats in the network.

You receive a notification for each detecting AP. If multiple APs detect the same threat, you receive multiple event notifications.

Note

The maximum aWIPS threat notification limit per signature per day is 2500. When the notifications of a specific signature reach this limit, no more notifications are sent for that signature for that day. A warning message displays in the rogue and aWIPS Overview window.

Click View Signatures to view the details of aWIPS signatures that have reached the maximum limit.

For source-based aWIPS threats, source information is sent. Destination information is sent as Not Applicable.

For destination-based aWIPS threats, destination information is sent. Source information is sent as Not Applicable.

For pair-based aWIPS threats, both source and destination information are sent.

aWIPS events payload details:

{
	"sourceVendorName": "string",
	"detectingApLocation": "string",
	"attackType": "string",
	"sourceMacAddress": "string",
	"detectingApMacAddress": "string",
	"wlcIp": "string",
	"detectingApName": "string",
	"targetMacAddress": "string"
}

Fields in the payload:

  • attackType: Type of the aWIPS attack

  • sourceMacAddress: MAC address of the attacker

  • sourceVendorName: Vendor name of the attacker

  • targetMacAddress: MAC address of the target

  • detectingApLocation: Location of the detecting AP

  • detectingApMacAddress: MAC address of the detecting AP

  • detectingApName: Name of the detecting AP

  • wlcIp: IP address of the wireless controller
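The two payload layouts above can be handled by one webhook consumer. The following Python is an added example, not Catalyst Center code: it normalizes a rogue or aWIPS notification into a common alert record, works out whether an aWIPS threat is source-, destination-, or pair-based from which side is "Not Applicable", and collapses the per-detecting-AP aWIPS duplicates into one alert. The field names are the ones documented on this page; all sample values (MAC addresses, AP names, IPs, the signature name) are constructed.

```python
from collections import defaultdict

NA = "Not Applicable"                       # per the aWIPS section above
NEW_THREAT = "ROGUE_NEW_THREAT_DETECTED"    # rogue threatState value

def normalize(payload: dict) -> dict:
    """Map a Catalyst Center webhook body to a common alert record.
    Event kind is inferred from the documented keys:
    attackType => aWIPS event, threatType => rogue event."""
    if "attackType" in payload:
        src, dst = payload.get("sourceMacAddress", NA), payload.get("targetMacAddress", NA)
        # Which side is populated tells you the basis of the threat.
        basis = ("pair" if src != NA and dst != NA else
                 "source" if src != NA else
                 "destination" if dst != NA else "unknown")
        return {"kind": "awips", "signature": payload["attackType"],
                "source": src, "target": dst, "basis": basis,
                "detected_by": payload["detectingApName"],
                "escalate": True}   # every aWIPS threat is notified
    if "threatType" in payload:
        return {"kind": "rogue", "signature": payload["threatType"],
                "source": payload["threatMacAddress"],
                "state": payload["threatState"],
                "containment": payload["containmentState"],
                "detected_by": payload["detectingApName"],
                "rssi": int(payload["rssi"]),
                # A newly seen high threat that is not yet contained is
                # the case worth paging on; level/type changes are informational.
                "escalate": payload["threatState"] == NEW_THREAT
                            and payload["containmentState"] != "CONTAINED"}
    raise ValueError("unrecognised notification payload")

def dedupe_awips(records: list) -> dict:
    """One aWIPS threat seen by N APs arrives as N notifications; group
    them by (signature, source, target) and collect the detecting APs."""
    grouped = defaultdict(list)
    for r in records:
        if r["kind"] == "awips":
            grouped[(r["signature"], r["source"], r["target"])].append(r["detected_by"])
    return dict(grouped)

# Constructed sample payloads (not real captures), shaped like the page's schemas.
SAMPLE_ROGUE = {"detectingApLocation": "HQ/Floor2", "rssi": "-45",
    "threatMacAddress": "00:11:22:33:44:55", "threatType": "Honeypot",
    "detectingApMacAddress": "aa:bb:cc:dd:ee:01", "threatState": NEW_THREAT,
    "wlcIp": "192.0.2.10", "detectingApName": "AP-2F-01",
    "containmentState": "NOTCONTAINED", "vendorName": "ExampleVendor",
    "ssid": "Corp-WiFi", "threatLevel": "High"}
SAMPLE_AWIPS = [{"sourceVendorName": "ExampleVendor", "detectingApLocation": "HQ/Floor2",
    "attackType": "Deauthentication flood", "sourceMacAddress": "66:77:88:99:aa:bb",
    "detectingApMacAddress": mac, "wlcIp": "192.0.2.10", "detectingApName": name,
    "targetMacAddress": NA}                       # source-based: target is N/A
    for mac, name in (("aa:bb:cc:dd:ee:01", "AP-2F-01"), ("aa:bb:cc:dd:ee:02", "AP-2F-02"))]
```

Grouping before forwarding also keeps the forwarded volume below the 100-events-per-5-minutes limit noted above for Webex and PagerDuty destinations.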