Consolidated Platform Configuration Guide, Cisco IOS XE 3.7E and Later (Catalyst 3650 Switches)

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Results

Updated:: June 9, 2015

Chapter: Configuring Adaptive Wireless Intrusion Prevention System

Finding Feature Information
Prerequisites for Configuring wIPS
How to Configure wIPS on Access Points
- Configuring wIPS on an Access Point (CLI)
- Configuring wIPS on an Access Point (GUI)
Monitoring wIPS Information
Configuration Examples for Configuring wIPS on Access Points
- Displaying the Monitor Configuration Channel Set: Example
- Displaying wIPS Information: Examples

Configuring Adaptive Wireless Intrusion Prevention System

Finding Feature Information

Your software release may not support all of the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Configuring wIPS

The regular local mode access point has been extended with a subset of Wireless Intrusion Prevention System (wIPS) capabilities. This feature enables you to deploy your access points to provide protection without needing a separate overlay network.

How to Configure wIPS on Access Points

Configuring wIPS on an Access Point (CLI)

SUMMARY STEPS

1. ap name Cisco_AP mode local

2. ap name Cisco_AP dot11 5ghz shutdown

3. ap name Cisco_AP dot11 24ghz shutdown

4. ap name Cisco_AP mode monitor submode wips

5. ap name Cisco_AP monitor-mode wips-optimized

6. show ap dot11 24ghz monitor

7. ap name Cisco_AP no dot11 5ghz shutdown

8. ap name Cisco_AP no dot11 24ghz shutdown

DETAILED STEPS

Command or Action

Purpose

Step 1

ap name Cisco_AP mode local

Example:

Switch# ap name AP01 mode local

Configures an access point for monitor mode.

A message appears that indicates that changing the AP's mode causes the access point to reboot. This message also displays a prompt that enables you to specify whether or not you want to continue with changing the AP mode. Enter y at the prompt to continue.

Step 2

ap name Cisco_AP dot11 5ghz shutdown

Example:

Switch# ap name AP01 dot11 5ghz shutdown

Disables the 802.11a radio on the access point.

Step 3

ap name Cisco_AP dot11 24ghz shutdown

Example:

Switch# ap name AP02 dot11 24ghz shutdown

Disables the 802.11b radio on the access point.

Step 4

ap name Cisco_AP mode monitor submode wips

Example:

Switch# ap name AP01 mode monitor
 submode wips

Configures the wIPS submode on the access point.

Note

To disable wIPS on the access point, enter the ap name Cisco_AP modemonitor submode none command.

Step 5

ap name Cisco_AP monitor-mode wips-optimized

Example:

Switch# ap name AP01 monitor-mode
 wips-optimized

Enables wIPS optimized channel scanning for the access point.

The access point scans each channel for 250 milliseconds. It derives the list of channels to be scanned from the monitor configuration. You can choose the following options:

All—All channels supported by the access point’s radio.
Country—Only the channels supported by the access point’s country of operation.
DCA—Only the channel set used by the dynamic channel assignment (DCA) algorithm, which by default includes all of the nonoverlapping channels allowed in the access point’s country of operation.

Step 6

show ap dot11 24ghz monitor

Example:

Switch# show ap dot11 24ghz monitor

Displays the monitor configuration channel set.

Note

The 802.11b Monitor Channels value in the output of the command indicates the monitor configuration channel set.

Step 7

ap name Cisco_AP no dot11 5ghz shutdown

Example:

Switch# ap name AP01 no dot11
 5ghz shutdown

Enables the 802.11a radio on the access point.

Step 8

ap name Cisco_AP no dot11 24ghz shutdown

Example:

Switch# ap name AP01 no dot11
 24ghz shutdown

Enables the 802.11b radio on the access point.

Configuring wIPS on an Access Point (GUI)

Step 1	Choose Configuration > Wireless > Access Points > All APs The All APs page is displayed.
Step 2	Click the access point name. The AP > Edit page is displayed.
Step 3	From the AP Mode drop-down list, choose one of the following options to configure the AP mode parameters: Local Monitor
Step 4	From the AP Sub Mode drop-down list, choose WIPS.
Step 5	Click Apply.
Step 6	Click Save Configuration.

Monitoring wIPS Information

Note

The procedure to perform this task using the switch GUI is not currently available.

SUMMARY STEPS

1. show ap name Cisco_AP config general

2. show ap monitor-mode summary

3. show wireless wps wips summary

4. show wireless wps wips statistics

5. clear wireless wips statistics

DETAILED STEPS

	Command or Action	Purpose
Step 1	show ap name Cisco_AP config general Example: Switch# show ap name AP01 config general	Displays information on the wIPS submode on the access point.
Step 2	show ap monitor-mode summary Example: Switch# show ap monitor-mode summary	Displays the wIPS optimized channel scanning configuration on the access point.
Step 3	show wireless wps wips summary Example: Switch# show wireless wps wips summary	Displays the wIPS configuration forwarded by NCS or Prime to the switch.
Step 4	show wireless wps wips statistics Example: Switch# show wireless wps wips statistics	Displays the current state of wIPS operation on the switch.
Step 5	clear wireless wips statistics Example: Switch# clear wireless wips statistics	Clears the wIPS statistics on the switch.

Configuration Examples for Configuring wIPS on Access Points

Displaying the Monitor Configuration Channel Set: Example

This example shows how to display the monitor configuration channel set:

Switch# show ap dot11 24ghz monitor
Default 802.11b AP monitoring
802.11b Monitor Mode........................... enable
802.11b Monitor Channels....................... Country channels
802.11b AP Coverage Interval................... 180 seconds
802.11b AP Load Interval....................... 60 seconds
802.11b AP Noise Interval...................... 180 seconds
802.11b AP Signal Strength Interval............ 60 seconds

Displaying wIPS Information: Examples

This example shows how to display information on the wIPS submode on the access point:

Switch# show ap name AP01 config general
Cisco AP Identifier.............. 3
Cisco AP Name.................... AP1131:46f2.98ac
...
AP Mode ......................... Monitor
Public Safety ................... Disabled Disabled
AP SubMode ...................... WIPS

This example shows how to display the wIPS optimized channel scanning configuration on the access point:

Switch# show ap monitor-mode summary
AP Name       Ethernet MAC   Status   Scanning
                                      Channel
                                      List
------------- -------------- -------- ---------
AP1131:4f2.9a 00:16:4:f2:9:a WIPS     1,6,NA,NA

This example shows how to display the wIPS configuration forwarded by WCS to the switch:

Switch# show wireless wps wips summary
Policy Name.............. Default
Policy Version........... 3

This example shows how to display the current state of wIPS operation on the switch:

Switch# show wireless wps wips statistics
Policy Assignment Requests............ 1
Policy Assignment Responses........... 1
Policy Update Requests................ 0
Policy Update Responses............... 0
Policy Delete Requests................ 0
Policy Delete Responses............... 0
Alarm Updates......................... 13572
Device Updates........................ 8376
Device Update Requests................ 0
Device Update Responses............... 0
Forensic Updates...................... 1001
Invalid WIPS Payloads................. 0
Invalid Messages Received............. 0
CAPWAP Enqueue Failed................. 0
NMSP Enqueue Failed................... 0
NMSP Transmitted Packets.............. 22950
NMSP Transmit Packets Dropped......... 0
NMSP Largest Packet................... 1377

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)