Advanced WIPS
A Cisco Advanced Wireless Intrusion Prevention System (aWIPS) is a wireless security system that
-
uses advanced techniques for wireless threat detection and performance management
-
enables the AP to detect threats and generate alarms, and
-
combines network traffic analysis, topology information, signatures, and anomaly detection for comprehensive wireless threat prevention.
Feature history for advanced WIPS
This table provides release and related information for the features explained in this module. These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.
|
Release |
Feature name |
Feature information |
|---|---|---|
|
Cisco IOS XE 17.5.1 |
Advanced WIPS Signatures |
Up to 15 additional signatures are supported. |
Advanced WIPS signatures and definitions
The table lists alarms introduced starting with Cisco IOS XE Bengaluru Release 17.5.1.
|
Advanced WIPS signature |
Definition |
|---|---|
|
Deauthentication Flood by Pair |
This alarm provides enhanced threat context by tracking both the source (attacker) and the destination (victim) involved in the attack. |
|
Fuzzed Beacon |
A fuzzed beacon occurs when an attacker introduces invalid, unexpected, or random data into a beacon frame and replays the modified frames over the air. This can cause unexpected behavior on the destination device, such as driver crashes, operating system crashes, and stack-based overflows, and may allow execution of arbitrary code. |
|
Fuzzed Probe Request |
A fuzzed probe request occurs when an attacker introduces invalid, unexpected, or random data into a probe request and replays the modified frames over the air. |
|
Fuzzed Probe Response |
A fuzzed probe response occurs when an attacker introduces invalid, unexpected, or random data into a probe response and replays the modified frames over the air. |
|
PS Poll Flood by Signature |
A PS poll flood occurs when an attacker spoofs the MAC address of a wireless client and sends a large number of PS poll frames. The access point sends buffered data frames to the client, which may cause the client to miss data frames while operating in power-save mode. |
|
EAPOL Start Flood by Signature |
An Extensible Authentication Protocol over LAN (EAPOL) start flood occurs when an attacker floods an access point with EAPOL start frames to exhaust its internal resources. |
|
Reassociation Request Flood by Destination |
A reassociation request flood occurs when a device floods an access point with a large number of spoofed client reassociation requests to exhaust its resources, particularly the client association table. When the table overflows, legitimate clients cannot associate, resulting in a denial-of-service (DoS) attack. |
|
Beacon Flood by Signature |
A beacon flood occurs when stations receive a large number of beacons generated with different MAC addresses and SSIDs. This flood prevents clients from detecting beacons sent by corporate access points and can result in a denial-of-service (DoS) attack. |
|
Probe Response Flood by Destination |
A probe response flood occurs when a device floods clients with a large number of spoofed probe responses. This prevents clients from detecting valid probe responses sent by corporate access points. |
|
Block Acknowledgement Flood by Signature |
A block acknowledgement flood occurs when an attacker sends an invalid Add Block Acknowledgement (ADDBA) frame to an access point while spoofing a valid client MAC address. The access point then ignores valid traffic from the client until traffic outside the invalid frame range is received. |
|
AirDrop Session |
An AirDrop session uses Apple AirDrop to establish a peer-to-peer link for file sharing. This activity can introduce security risks by allowing unauthorized peer-to-peer networks to appear in the WLAN environment. |
|
Malformed Association Request |
A malformed association request occurs when an attacker sends a malformed request to an access point to exploit software defects, potentially resulting in a denial-of-service (DoS) attack. |
|
Authentication Failure Flood by Signature |
An authentication failure flood occurs when a device floods an access point with invalid authentication requests spoofed from a valid client, which can cause client disconnections. |
|
Invalid MAC OUI by Signature |
An invalid MAC OUI event occurs when a spoofed MAC address that does not contain a valid organizationally unique identifier (OUI) is used. |
|
Malformed Authentication |
Malformed authentication occurs when an attacker sends malformed authentication frames that may expose vulnerabilities in certain wireless drivers. |
The table lists alarms introduced prior to Cisco IOS XE Bengaluru Release 17.5.1.
|
Advanced WIPS signature |
|---|
|
Authentication Flood Alarm |
|
Association Flood Alarm |
|
Broadcast Probe Flood Alarm |
|
Disassociation Flood Alarm |
|
Broadcast Disassociation Flood Alarm |
|
Deauthentication Flood Alarm |
|
Broadcast Deauthentication Flood Alarm |
|
EAPOL Logoff Flood Alarm |
|
CTS Flood Alarm |
|
RTS Flood Alarm |
Advanced WIPS solution components and capabilities
The aWIPS solution comprises these components and capabilities.
Solution components
The aWIPS solution comprises these components
-
Cisco Catalyst 9800 Series Wireless Controller
-
Cisco Aironet Wave 2 APs
-
Cisco Catalyst Center
Because aWIPS functionality is integrated into Cisco Catalyst Center, aWIPS can configure WIPS policies, monitor alarms, and report threats.
Capabilities
aWIPS supports these capabilities
-
Static signatures
-
Standalone signature detection only
-
Only alarms are supported.
-
GUI support
-
CLI to view alarms
-
The static signature file is packaged with the controller and AP image.
-
Export alarms to Cisco Catalyst Center through WSA channel
 Note |
aWIPS alarm details such as the AP MAC address, alarm ID, client MAC address, alarm string, and signature ID are displayed on the Cisco Catalyst 9800 series wireless controller GUI. |
Supported modes and platforms
aWIPS is supported on these controllers:
-
Cisco Catalyst 9800 Series Wireless Controllers
-
Cisco Embedded Wireless Controller on Catalyst Access Points
Enable advanced WIPS (CLI)
Enable advanced WIPS to enhance network security and ensure proper priority over location services.
To enable aWIPS from the controller and ensure that aWIPS has higher priority than Hyperlocation , perform these steps:
Procedure
|
Step 1 |
Enter global configuration mode. Example: |
||
|
Step 2 |
Configure the default AP profile. Example: |
||
|
Step 3 |
Enable aWIPS. Example:
|
||
|
Step 4 |
Enable Hyperlocation on all the supported APs that are associated with this AP profile. Example: |
||
|
Step 5 |
Return to privileged EXEC mode. Example: |
The controller is now configured with advanced WIPS and forensics, and prioritizes aWIPS above Hyperlocation/Fastlocate features on AP.
View advanced WIPS alarms (GUI)
Identify and analyze current and historical WIPS alarms.
Procedure
|
Step 1 |
Navigate to . |
|
Step 2 |
To view the details of the alarms in the last five minutes (0.08 hours), click the Current Alarms tab. |
|
Step 3 |
To view the alarm count for longer periods such as hourly or daily (24 hours), click the Historical Statistics tab. |
|
Step 4 |
Sort or filter the alarms based on these parameters:
|
Advanced WIPS alarms appear according to the selected criteria. You receive real-time and historical data for security monitoring and analysis.
Verify advanced WIPS
To view the aWIPS status, use the show awips status radio_mac command:
Device# show awips status 0xx7.8xx8.2xx0
AP Radio MAC AWIPS Status Forensic Capture Status Alarm Message Count
----------------------------------------------------------------------------------
0xx7.8xx8.2xx0 ENABLED CONFIG_NOT_ENABLED 14691 The various aWIPS status indicators are:
-
ENABLED: aWIPS enabled. -
NOT_SUPPORTED: The AP does not support AWIPS. -
CONFIG_NOT ENABLED: aWIPS is not enabled on the AP.
To view details of specific alarm signatures, use the show awips alarm signature signature_id command:
Device# show awips alarm signature 10009
AP Radio MAC AlarmID Timestamp SignatureID Alarm Description
-----------------------------------------------------------------------------------------------------------------
0xx7.8xx8.2f80 2491 08/02/2022 17:44:40 10009 RTS Flood
To view alarm message statistics, use the show awips alarm statistics command:
Device# show awips alarm statisticsTo view a list of alarms since the last clear, use the show awips alarm ap ap_mac detailed command:
Device# show awips alarm ap 0xx7.8xx8.2f80 detailed
AP Radio MAC AlarmID Timestamp SignatureID Alarm Description
---------------------------------------------------------------------------------------------------------------
0xx7.8xx8.2f80 2491 08/02/2022 17:44:40 10009 RTS Flood
To view detailed alarm information, use the show awips alarm detailed command:
Device# show awips alarm detailed
AP Radio MAC AlarmID Timestamp SignatureID Alarm Description
--------------------------------------------------------------------------------------------------
7xx3.5xxd.d360 1 10/29/2020 23:21:27 10001 Authentication Flood by Source
dxxc.3xx5.9460 71 10/29/2020 23:21:27 10001 Authentication Flood by Source
7xx3.5xxd.d360 2 10/29/2020 23:21:28 10002 Association Request Flood by Destination
dxxc.3xx5.9460 72 10/29/2020 23:21:28 10002 Association Request Flood by Destination
To view the alarms on a specific AP, use the show awips alarm ap radio_mac detailed command:
Device# show awips alarm ap 0xx7.8xx8.2xx0 detailed
AP Radio MAC Source/Dest MAC AlarmID Timestamp SignatureID Alarm Description Message Index
--------------------------------------------------------------------------------------------------------------
0xx7.8xx8.2f80 0xx3.6xx0.235b 1714 11/02/2020 13:02:19 10001 Authentication Flood 3966
0xx7.8xx8.2f80 0xx4.dxxc.f3cc 1714 11/02/2020 13:02:19 10001 Authentication Flood 3971
…
…
…
0xx7.8xx8.2f80 0xx3.6xx0.235b 1715 11/02/2020 13:02:20 10001 Authentication Flood 3982
0xx7.8xx8.2f80 0xx4.dxxc.f3cc 1715 11/02/2020 13:02:20 10001 Authentication Flood 3987
…
Feedback