Configuring wIPS

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http:/​/​www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About wIPS

The Cisco Adaptive Wireless Intrusion Prevention System (wIPS) uses an advanced approach to wireless threat detection and performance management. It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly detection to deliver highly accurate and complete wireless threat prevention. With a fully infrastructure-integrated solution, you can continually monitor wireless traffic on both the wired and wireless networks and use that network intelligence to analyze attacks from many sources to accurately pinpoint and proactively prevent attacks, rather than wait until damage or exposure has occurred.

Cisco Adaptive wIPS is a part of the Cisco 3300 Series Mobility Services Engine (MSE), which centralizes the processing of intelligence collected by the continuous monitoring of Cisco Aironet APs. With Cisco Adaptive wIPS functionalities and Cisco Prime Infrastructure integration into the Cisco MSE, the wIPS can configure and monitor wIPS policies and alarms and report threats.


Note

If your wIPS deployment consists of a Cisco WLC, access point, and Cisco MSE, you must set all the three entities to the UTC time zone.

Cisco Adaptive wIPS is not configured on the Cisco WLC. Instead, the Cisco Prime Infrastructure forwards the profile configuration to the wIPS service, which forwards the profile to the Cisco WLC. The profile is stored in flash memory on the Cisco WLC and sent to APs when they join the Cisco WLC. When an access point disassociates and joins another Cisco WLC, it receives the wIPS profile from the new Cisco WLC.

Local-mode APs with a subset of wIPS capabilities are referred to as Enhanced Local Mode access point or ELM AP. You can configure an access point to work in the wIPS mode if the AP is in any of the following modes:

  • Monitor

  • Local

The regular local mode AP is extended with a subset of wIPS capabilities. This feature enables you to deploy your APs to provide protection without needing a separate overlay network.

wIPS ELM has the limited capability of detecting off-channel alarms. AN AP periodically goes off-channel, and monitors the nonserving channels for a short duration, and triggers alarms if any attack is detected on the channel. But off-channel alarm detection is best effort, and it takes a longer time to detect attacks and trigger alarms, which might cause the ELM AP to intermittently detect an alarm and clear it because it is not visible. APs in any of the above modes can periodically send alarms based on the policy profile to the wIPS service through the Cisco WLC. The wIPS service stores and processes the alarms and generates SNMP traps. Cisco Prime Infrastructure configures its IP address as a trap destination to receive SNMP traps from the Cisco MSE.

This table lists all the SNMP trap controls and their respective traps. When a trap control is enabled, all the traps of that trap control are also enabled.


Note

The Cisco WLC uses only SNMPv2 for SNMP trap transmission.

Table 1 SNMP Trap Controls and Their Respective Traps

Tab Name

Trap Control

Trap

General

Link (Port) Up/Down

linkUp, linkDown

Spanning Tree

newRoot, topologyChange, stpInstanceNewRootTrap, stpInstanceTopologyChangeTrap

Config Save

bsnDot11EssCreated, bsnDot11EssDeleted, bsnConfigSaved, ciscoLwappScheduledResetNotif, ciscoLwappClearResetNotif, ciscoLwappResetFailedNotif, ciscoLwappSysInvalidXmlConfig

AP

AP Register

bsnAPDisassociated, bsnAPAssociated

AP Interface Up/Down

bsnAPIfUp, bsnAPIfDown

Client Traps

802.11 Association

bsnDot11StationAssociate

802.11 Disassociation

bsnDot11StationDisassociate

802.11 Deauthentication

bsnDot11StationDeauthenticate

802.11 Failed Authentication

bsnDot11StationAuthenticateFail

802.11 Failed Association

bsnDot11StationAssociateFail

Exclusion

bsnDot11StationBlacklisted

NAC Alert

cldcClientWlanProfileName, cldcClientIPAddress, cldcApMacAddress, cldcClientQuarantineVLAN, cldcClientAccessVLAN

Security Traps

User Authentication

bsnTooManyUnsuccessLoginAttempts, cLWAGuestUserLoggedIn, cLWAGuestUserLoggedOut

RADIUS Servers Not Responding

bsnRADIUSServerNotResponding, ciscoLwappAAARadiusReqTimedOut

WEP Decrypt Error

bsnWepKeyDecryptError

Rogue AP

bsnAdhocRogueAutoContained, bsnRogueApAutoContained, bsnTrustedApHasInvalidEncryption, bsnMaxRogueCountExceeded, bsnMaxRogueCountClear, bsnApMaxRogueCountExceeded, bsnApMaxRogueCountClear, bsnTrustedApHasInvalidRadioPolicy, bsnTrustedApHasInvalidSsid, bsnTrustedApIsMissing

SNMP Authentication

agentSnmpAuthenticationTrapFlag

Multiple Users

multipleUsersTrap

Auto RF Profile Traps

Load Profile

bsnAPLoadProfileFailed

Noise Profile

bsnAPNoiseProfileFailed

Interference Profile

bsnAPInterferenceProfileFailed

Coverage Profile

bsnAPCoverageProfileFailed

Auto RF Update Traps

Channel Update

bsnAPCurrentChannelChanged

Tx Power Update

bsnAPCurrentTxPowerChanged

Mesh Traps

Child Excluded Parent

ciscoLwappMeshChildExcludedParent

Parent Change

ciscoLwappMeshParentChange

Authfailure Mesh

ciscoLwappMeshAuthorizationFailure

Child Moved

ciscoLwappMeshChildMoved

Excessive Parent Change

ciscoLwappMeshExcessiveParentChange

Excessive Children

ciscoLwappMeshExcessiveChildren

Poor SNR

ciscoLwappMeshAbateSNR, ciscoLwappMeshOnsetSNR

Console Login

ciscoLwappMeshConsoleLogin

Excessive Association

ciscoLwappMeshExcessiveAssociation

Default Bridge Group Name

ciscoLwappMeshDefaultBridgeGroupName

The following are the trap descriptions for the traps mentioned in the SNMP Trap Controls and Their Respective Traps table:

  • General Traps
    • SNMP Authentication—The SNMPv2 entity has received a protocol message that is not properly authenticated.

      Note
      When a user who is configured in SNMP V3 mode tries to access the Cisco WLC with an incorrect password, the authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.
    • Link (Port) Up/Down—Link changes status from up or down.
    • Link (Port) Up/Down—Link changes status from up or down.
    • Multiple Users—Two users log in with the same ID.
    • Rogue AP—Whenever a rogue access point is detected, this trap is sent with its MAC address; when a rogue access point that was detected earlier no longer exists, this trap is sent.
    • Config Save—Notification that is sent when the Cisco WLC configuration is modified.
  • Cisco AP Traps
    • AP Register—Notification sent when an access point associates or disassociates with the Cisco WLC.
    • AP Interface Up/Down—Notification sent when an access point interface (802.11X) status goes up or down.
  • Client-Related Traps
    • 802.11 Association—Associate notification that is sent when a client sends an association frame.
    • 802.11 Disassociation—Disassociate notification that is sent when a client sends a disassociation frame.
    • 802.11 Deauthentication—Deauthenticate notification that is sent when a client sends a deauthentication frame.
    • 802.11 Failed Authentication—Authenticate failure notification that is sent when a client sends an authentication frame with a status code other than successful.
    • 802.11 Failed Association—Associate failure notification that is sent when the client sends an association frame with a status code other than successful.
    • Exclusion—Associate failure notification that is sent when a client is exclusion listed (blacklisted).

      Note

      The maximum number of static blacklist entries that the APs can have is 340.

    • Authentication—Authentication notification that is sent when a client is successfully authenticated.

    • Max Clients Limit Reached—Notification that is sent when the maximum number of clients, defined in the Threshold field, are associated with the Cisco WLC.

    • NAC Alert—Alert that is sent when a client joins an SNMP NAC-enabled WLAN.

      This notification is generated when a client on NAC-enabled SSIDs completes Layer2 authentication to inform the NAC appliance about the client's presence. cldcClientWlanProfileName represents the profile name of the WLAN that the 802.11 wireless client is connected to, cldcClientIPAddress represents the unique IP address of the client. cldcApMacAddress represents the MAC address of the AP to which the client is associated. cldcClientQuarantineVLAN represents the quarantine VLAN for the client. cldcClientAccessVLAN represents the access VLAN for the client.

    • Association with Stats—Associate notification that is sent with data statistics when a client is associated with the Cisco WLC, or roams. Data statistics include transmitted and received bytes and packets.

    • Disassociation with Stats—Disassociate notification that is sent with data statistics when a client disassociates from the Cisco WLC. Data statistics include transmitted and received bytes and packets, SSID, and session ID.

  • Security Traps
    • User Auth Failure—This trap informs that a client RADIUS Authentication failure has occurred.
    • RADIUS Server No Response—This trap is to indicate that no RADIUS servers are responding to authentication requests sent by the RADIUS client.
    • WEP Decrypt Error—Notification sent when the Cisco WLC detects a WEP decrypting error.
    • Rouge AP—Whenever a rogue access point is detected, this trap is sent with its MAC address; when a rogue access point that was detected earlier no longer exists, this trap is sent.
    • SNMP Authentication—The SNMPv2 entity has received a protocol message that is not properly authenticated.

      Note
      When a user who is configured in SNMP V3 mode tries to access the Cisco WLC with an incorrect password, authentication fails and a failure message is displayed. However, no trap logs are generated for the authentication failure.
    • Multiple Users—Two users log in with the same ID.
  • SNMP Authentication
    • Load Profile—Notification sent when the Load Profile state changes between PASS and FAIL.
    • Noise Profile—Notification sent when the Noise Profile state changes between PASS and FAIL.
    • Interference Profile—Notification sent when the Interference Profile state changes between PASS and FAIL.
    • Coverage Profile—Notification sent when the Coverage Profile state changes between PASS and FAIL.
  • Auto RF Profile Traps
    • Load Profile—Notification sent when the Load Profile state changes between PASS and FAIL.
    • Noise Profile—Notification sent when the Noise Profile state changes between PASS and FAIL.
    • Interference Profile—Notification sent when the Interference Profile state changes between PASS and FAIL.
    • Coverage Profile—Notification sent when the Coverage Profile state changes between PASS and FAIL.
  • Auto RF Update Traps
    • Channel Update—Notification sent when the access point dynamic channel algorithm is updated.
    • Tx Power Update—Notification sent when the access point dynamic transmit power algorithm is updated.
  • Mesh Traps
    • Child Excluded Parent—Notification that is sent when a defined number of failed association to the Cisco WLC occurs through a parent mesh node.
    • Notification sent when a child mesh node exceeds the threshold limit of the number of discovery response timeouts. The child mesh node does not try to associate an excluded parent mesh node for the interval defined. The child mesh node remembers the excluded parent MAC address when it joins the network, and informs the Cisco WLC.
    • Parent Change—Notification is sent by the agent when a child mesh node changes its parent. The child mesh node remembers previous parent and informs the Cisco WLC about the change of parent when it rejoins the network.
    • Child Moved—Notification sent when a parent mesh node loses connection with its child mesh node.
    • Excessive Parent Change—Notification sent when the child mesh node changes its parent frequently. Each mesh node keeps a count of the number of parent changes in a fixed time. If it exceeds the defined threshold, the child mesh node informs the Cisco WLC.
    • Excessive Children—Notification sent when the child count exceeds for a RAP and a MAP.
    • Poor SNR—Notification sent when the child mesh node detects a lower SNR on a backhaul link. For the other trap, a notification is sent to clear a notification when the child mesh node detects an SNR on a backhaul link that is higher then the object defined by 'clMeshSNRThresholdAbate'.
    • Console Login—Notification is sent by the agent when a login on a MAP console is either successful or fail after three attempts.
    • Default Bridge Group Name—Notification sent when the MAP mesh node joins its parent using the default bridge group name.

Note

The remaining traps do not have trap controls. These traps are not generated too frequently and do not require any trap control. Any other trap that is generated by the Cisco WLC cannot be turned off.


Note

In all of the above cases, the Cisco WLC functions solely as a forwarding device.

Configuring wIPS on an Access Point (CLI)

SUMMARY STEPS

    1.    ap name name mode submode wips

    2.    end

    3.    show wireless wps wips summary

    4.    show wireless wps wips statistics


DETAILED STEPS
     Command or ActionPurpose
    Step 1ap name name mode submode wips


    Example: 
    Switch# ap name ap1 mode local wips
     

    Configure an access point for local or monitor mode and then set the submode to wIPS.

     
    Step 2end


    Example:
    Switch(config)# end
     

    Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

     
    Step 3show wireless wps wips summary


    Example: 
    Switch# show wireless wps wips summary
     

    View the wIPS configuration on the access point.

     
    Step 4show wireless wps wips statistics


    Example: 
    Switch# show wireless wps wips statistics
     

    View the current state of wIPS configuration.

     

    Configuring wIPS on an Access Point (GUI)

      Step 1   Choose Configuration > Wireless > Access Points > All APs.

      The All APs page appears with a list of all access points that are associated with the switch.

      Step 2   Click the name of the access point for which you want to configure wIPS.

      The AP > Edit page appears.

      Step 3   In the General area, set the AP Mode parameter. To configure an access point for wIPS, you must choose one of the following modes from the AP Mode drop-down list:
      • Local
      • Monitor
      Step 4   Set the AP Sub Mode to wIPS by choosing wIPS from the AP Sub Mode drop-down list.
      Step 5   Click Apply.
      Step 6   Click Save.

      Monitoring wIPS Information

      This section describes the new command for wIPS.

      The following command can be used to monitor wIPS configured on the access point.

      Table 2 Monitoring wIPS Command

      Command

      Purpose

      show wireless wps wips summary

      Displays the wIPS configuration on the access point.

      show wireless wps wips statistics

      Displays the current state of wIPS configuration.

      Examples: wIPS Configuration

      This example shows how to configure wIPS on AP1: 
      Switch# ap name ap1 mode local submode wips
Switch# end
Switch# show wireless wps wips summary

      Additional References for Configuring wIPS

      Related Documents

      Related Topic Document Title
      wIPS commands

      Security Command Reference Guide, Cisco IOS XE Release 3SE (Cisco WLC 5700 Series)

      Standards and RFCs

      Standard/RFC Title
      None

      MIBs

      MIB MIBs Link
      All supported MIBs for this release.

      To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

      http:/​/​www.cisco.com/​go/​mibs

      Technical Assistance

      Description Link

      The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

      To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

      Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

      http:/​/​www.cisco.com/​support

      Feature History for Performing wIPS Configuration

      Release Feature Information
      Cisco IOS XE 3.3SE This feature was introduced.