The Cisco Intrusion Detection System/Intrusion Prevention System (CIDS/CIPS) instructs controllers to block certain clients from accessing the wireless network when attacks involving these clients are detected at Layer 3 through Layer 7. This system offers significant network protection by helping to detect, classify, and stop threats including worms, spyware/adware, network viruses, and application abuse. Two methods are available to detect potential attacks:
You can configure IDS sensors to detect various types of IP-level attacks in your network. When the sensors identify an attack, they can alert the controller to shun the offending client. When you add a new IDS sensor, you register the controller with that IDS sensor so that the controller can query the sensor to get the list of shunned clients.
When an IDS sensor detects a suspicious client, it alerts the controller to shun this client. The shun entry is distributed to all controllers within the same mobility group. If the client to be shunned is currently joined to a controller in this mobility group, the anchor controller adds this client to the dynamic exclusion list, and the foreign controller removes the client. The next time that the client tries to connect to a controller, the anchor controller rejects the handoff and informs the foreign controller that the client is being excluded.
Step 1: Choose Security > Advanced > CIDS > Shunned Clients to open the CIDS Shun List page. This page shows the IP address and MAC address of each shunned client, the length of time that the client's data packets should be blocked by the controller as requested by the IDS sensor, and the IP address of the IDS sensor that discovered the client.
Step 2: Click Re-sync to purge and reset the list as desired.
Step 1: Add an IDS sensor by entering this command: config wps cids-sensor add index ids_ip_address username password. The index parameter determines the sequence in which the controller consults the IDS sensors. The controller supports up to five IDS sensors. Enter a number between 1 and 5 to set the priority of this sensor. For example, if you enter 1, the controller consults this IDS sensor first.
Step 2: (Optional) Specify the number of the HTTPS port through which the controller is to communicate with the IDS sensor by entering this command: config wps cids-sensor port index port. For the port parameter, you can enter a value between 1 and 65535. The default value is 443. This step is optional because we recommend that you use the default value of 443, which is the port the sensor uses by default.
Step 3: Specify how often the controller should query the IDS sensor for IDS events by entering this command: config wps cids-sensor interval index interval. For the interval parameter, you can enter a value between 10 and 3600 seconds. The default value is 60 seconds.
Step 4: Enter the 40-hexadecimal-character security key used to verify the validity of the sensor by entering this command: config wps cids-sensor fingerprint index sha1 fingerprint. You can get the value of the fingerprint by entering show tls fingerprint on the sensor's console.
Step 5: Enable or disable this controller's registration with an IDS sensor by entering this command: config wps cids-sensor {enable | disable} index
Step 6: Enable or disable protection from DoS attacks by entering this command: The default value is disabled.
Step 7: Save your settings by entering this command: save config
Step 8: See the IDS sensor configuration by entering one of these commands: The second command provides more information than the first.
Step 9: See the auto-immune configuration setting by entering this command:
Information similar to the following appears:
    Auto-Immune
      Auto-Immune.................................... Disabled
    Client Exclusion Policy
      Excessive 802.11-association failures.......... Enabled
      Excessive 802.11-authentication failures....... Enabled
      Excessive 802.1x-authentication................ Enabled
      IP-theft....................................... Enabled
      Excessive Web authentication failure........... Enabled
    Signature Policy
      Signature Processing........................... Enabled
Step 10: Obtain debug information regarding IDS sensor configuration by entering this command: debug wps cids enable
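The auto-immune output above uses the controller's dotted-leader layout, which is awkward to audit by eye across many controllers. The following added example (not part of the Cisco documentation or the controller software) parses that layout into sections and flags every setting that is not Enabled; the sample output is constructed and deliberately has one exclusion policy disabled.

```python
import re

# Constructed sample in the layout the controller prints for the auto-immune,
# client exclusion and signature settings (one policy set to Disabled on purpose).
SAMPLE_OUTPUT = """\
Auto-Immune
  Auto-Immune.................................... Disabled
Client Exclusion Policy
  Excessive 802.11-association failures.......... Enabled
  Excessive 802.11-authentication failures....... Enabled
  Excessive 802.1x-authentication................ Disabled
  IP-theft....................................... Enabled
  Excessive Web authentication failure........... Enabled
Signature Policy
  Signature Processing........................... Enabled
"""

# A setting line is "<name><run of dots> <value>"; a line without a dot leader
# is a section header. Non-greedy name matching keeps "802.11" inside the name.
SETTING_RE = re.compile(r"^\s*(?P<name>.+?)\.{2,}\s*(?P<value>\S.*?)\s*$")


def parse_wps_summary(text):
    """Return {section: {setting: value}} from the dotted-leader output.
    A setting that appears before any header is treated as its own section."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = SETTING_RE.match(line)
        if m and current is not None:
            sections[current][m.group("name")] = m.group("value")
        else:
            current = line.strip()
            sections.setdefault(current, {})
    return sections


def audit_wps_summary(text):
    """List every setting whose value is not Enabled, as "section: name is value".
    Auto-Immune is Disabled by default, so it is reported for review rather than
    as an error; a disabled exclusion policy or signature processing is what
    weakens the controller's response to IDS events."""
    findings = []
    for section, settings in parse_wps_summary(text).items():
        for name, value in settings.items():
            if value != "Enabled":
                findings.append(f"{section}: {name} is {value}")
    return findings
```

Feed it the captured output of the show command from Step 9 on each controller in the mobility group and compare the findings lists.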
Step 1: View the list of clients to be shunned by entering this command: show wps shun-list
Step 2: Force the controller to synchronize with other controllers in the mobility group for the shun list by entering this command: config wps shun-list re-sync