Advanced WIPS

Information About Advanced WIPS

The Cisco Advanced Wireless Intrusion Prevention System (aWIPS) is a wireless intrusion threat detection and mitigation mechanism. aWIPS uses an advanced approach to wireless threat detection and performance management. The AP detects the threats and generates alarms. It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly detection to deliver highly accurate and complete wireless threat prevention.

With a fully infrastructure-integrated solution, you can continually monitor wireless traffic on both the wired and wireless networks and use that network intelligence to analyze attacks from many sources to accurately pinpoint and proactively prevent attacks, rather than wait until damage or exposure has occurred.

aWIPS in a Cisco Catalyst Wireless Controller environment

The aWIPS solution comprises the following components:

  • Cisco Catalyst 9800 Series Wireless Controller

  • Cisco Catalyst and Aironet Wave 2 APs

  • Cisco DNA Center

Because the aWIPS functionality is integrated into Cisco DNA Center, Cisco DNA Center can configure and monitor aWIPS policies and alarms and report the detected threats.


Note

aWIPS is supported only with Cisco DNA Center.


aWIPS supports the following capabilities:

  • Static signatures

  • Standalone signature detection only

  • Alarms only

  • GUI support

  • Controller commands to view alarms

  • Static signature file packaged with controller and AP image

  • Export alarms to Cisco DNA Center through the WSA (Wireless Service Assurance) channel

aWIPS alarm details like the AP MAC address, alarm ID, client MAC address, alarm string, and signature ID are displayed on the Cisco Catalyst 9800 series wireless controller GUI.

Supported Modes and Platforms

aWIPS is supported on the following Cisco Catalyst Controllers:

  • Cisco Catalyst 9800 series wireless controllers

  • Cisco Embedded Wireless Controller on Catalyst Access Points

aWIPS is supported on all controller and AP modes.

Prerequisites for Advanced WIPS

Set all entities (controller and APs) in an aWIPS deployment to the UTC time zone, so that alarm timestamps are consistent across the controller, the APs, and Cisco DNA Center.

Configuring Advanced WIPS (GUI)

aWIPS is initialized by the controller and can be enabled from either the controller GUI or the CLI. The controller then pushes the aWIPS configuration to the APs over CAPWAP.

Procedure


Step 1

Choose Configuration > Tags & Profiles > AP Join.

Step 2

On the AP Join page, click the name of the desired AP join profile.

Step 3

In the Edit AP Join Profile window, click the Security tab.

Step 4

In the aWIPS section, select the aWIPS Enable check box.

Step 5

Click Update & Apply to Device.


Viewing Advanced WIPS Alarms (GUI)

Procedure


Navigate to Monitoring > Security > aWIPS.

  • To view details of the alarms in the last 5 minutes, go to the Current Alarms tab.

  • To view the alarm count over an extended period of time (hourly, for a day, or longer), go to the Historical Statistics tab.

You can sort or filter the alarms based on the following parameters:

  • AP Radio MAC address

  • Client MAC address

  • Alarm ID

  • Time Stamp

  • Signature ID

  • Alarm Description

  • Alarm Message Index


Enabling Advanced WIPS

Procedure

Step 1

configure terminal

Example:

Device# configure terminal 

Enters global configuration mode.

Step 2

ap profile profile-name

Example:

Device(config)# ap profile myprofile 

Configures the AP profile with the specified name and enters AP profile configuration mode. Use the profile that is applied to the APs on which you want to enable aWIPS.

Step 3

awips

Example:

Device(config-ap-profile)# awips 

Enables aWIPS on all APs that use this AP profile.

Note 

aWIPS is disabled by default on the controller.

Step 4

end

Example:

Device(config-ap-profile)# end

Returns to privileged EXEC mode.

Alternatively, you can press Ctrl-Z to exit configuration mode.

Verifying Advanced WIPS

To view aWIPS status, use the show awips status radio_mac command:

Device# show awips status 00d7.8f58.2f80 
AP Radio MAC      AWIPS Status      Alarm Message Count
---------------------------------------------------------------------------
00d7.8f58.2f80        ENABLED           3944

The various aWIPS status indicators are listed below:

  • ENABLED: aWIPS is enabled on the AP radio.

  • NOT_SUPPORTED: The AP does not support aWIPS.

  • CONFIG_NOT ENABLED: aWIPS is not enabled on the AP (the AP profile applied to the AP does not have the awips command).

To view details of specific alarm signatures, use the show awips alarm signature signature_id command:

Device# show awips alarm signature 10001 
AP Radio MAC      Source/Dest MAC       AlarmID   Timestamp             SignatureID     Alarm Description         Message Index 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
00d7.8f58.2f80    0023.68b0.235b        1714    11/02/2020 13:02:19       10001         Authentication Flood        3966     

To view alarm message statistics, use the following command:

Device# show awips alarm statistics 

To view the list of alarms raised by a specific AP since the last clear, use the following command:

Device# show awips alarm ap ap_mac detailed 

To view detailed alarm information, use the show awips alarm detailed command:

Device# show awips alarm detailed 
AP Radio MAC      Source/Dest MAC       AlarmID   Timestamp             SignatureID     Alarm Description         Message Index 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
00d7.8f58.2f80    0023.68b0.235b        1714    11/02/2020 13:02:19       10001         Authentication Flood        3966     
00d7.8f58.2f80    0024.d71c.f3cc        1714    11/02/2020 13:02:19       10001         Authentication Flood        3971     
…
…
…
00d7.8f58.2f80    0023.68b0.235b        1715    11/02/2020 13:02:20       10001         Authentication Flood        3982     
00d7.8f58.2f80    0024.d71c.f3cc        1715    11/02/2020 13:02:20       10001         Authentication Flood        3987     
…

To view alarms on a specific AP, use the show awips alarm ap radio_mac detailed command:

Device# show awips alarm ap 00d7.8f58.2f80 detailed 

AP Radio MAC      Source/Dest MAC       AlarmID   Timestamp             SignatureID     Alarm Description         Message Index 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
00d7.8f58.2f80    0023.68b0.235b        1714    11/02/2020 13:02:19       10001         Authentication Flood        3966     
00d7.8f58.2f80    0024.d71c.f3cc        1714    11/02/2020 13:02:19       10001         Authentication Flood        3971     
…
…
…
00d7.8f58.2f80    0023.68b0.235b        1715    11/02/2020 13:02:20       10001         Authentication Flood        3982     
00d7.8f58.2f80    0024.d71c.f3cc        1715    11/02/2020 13:02:20       10001         Authentication Flood        3987     
…
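The show awips tables above list one row per alarm, which is hard to triage by eye when an AP is reporting thousands of messages. The following is an added example (not Cisco code) that parses the output of show awips status and show awips alarm detailed as captured from a terminal, flags radios whose status is not ENABLED, and groups the alarm rows by signature ID and source MAC with the first and last timestamp seen. The two text samples are constructed to follow the column layout shown in this chapter; the second radio MAC in the status sample is invented to exercise the not-enabled case, and the timestamp is assumed to be month/day/year and, per the prerequisite above, in UTC.

```python
"""Summarize aWIPS alarms from Cisco Catalyst 9800 'show awips' output.

Added example for this chapter, not Cisco code. The two samples below are
constructed to match the column layout of the show commands above; a real
controller may pad columns differently, so the parsers split on runs of
whitespace instead of relying on fixed column positions.
"""
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of 'show awips status' output. The second radio MAC
# is invented to exercise the not-enabled path.
STATUS_OUTPUT = """\
AP Radio MAC      AWIPS Status      Alarm Message Count
---------------------------------------------------------------------------
00d7.8f58.2f80        ENABLED           3944
0027.e38f.31c0        CONFIG_NOT ENABLED    0
"""

# Constructed sample of 'show awips alarm detailed' output, following the
# rows shown in this chapter.
ALARM_OUTPUT = """\
AP Radio MAC      Source/Dest MAC       AlarmID   Timestamp             SignatureID     Alarm Description         Message Index
------------------------------------------------------------------------------------------------------------------------------
00d7.8f58.2f80    0023.68b0.235b        1714    11/02/2020 13:02:19       10001         Authentication Flood        3966
00d7.8f58.2f80    0024.d71c.f3cc        1714    11/02/2020 13:02:19       10001         Authentication Flood        3971
00d7.8f58.2f80    0023.68b0.235b        1715    11/02/2020 13:02:20       10001         Authentication Flood        3982
00d7.8f58.2f80    0024.d71c.f3cc        1715    11/02/2020 13:02:20       10001         Authentication Flood        3987
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

# One alarm row: radio MAC, source/dest MAC, alarm ID, timestamp, signature
# ID, free-text description, message index. The description is matched
# lazily so that it stops before the trailing message index.
ALARM_RE = re.compile(
    r"^(?P<ap>[0-9a-f.]{14})\s+(?P<src>[0-9a-f.]{14})\s+(?P<alarm_id>\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<sig>\d+)\s+"
    r"(?P<desc>.+?)\s+(?P<idx>\d+)$"
)


def parse_status(text):
    """Return {radio_mac: (status, message_count)} from 'show awips status'.

    The status column may contain a space (the chapter lists
    'CONFIG_NOT ENABLED'), so everything between the MAC and the trailing
    count is taken as the status string.
    """
    result = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and MAC_RE.match(parts[0]):
            result[parts[0]] = (" ".join(parts[1:-1]), int(parts[-1]))
    return result


def aps_not_enabled(status):
    """Radio MACs whose aWIPS status is anything other than ENABLED."""
    return sorted(mac for mac, (state, _count) in status.items() if state != "ENABLED")


def parse_alarms(text):
    """Return alarm rows as dicts; header, separator and '…' lines are skipped."""
    alarms = []
    for line in text.splitlines():
        m = ALARM_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        # Assumption: the timestamp is month/day/year. It is read as UTC
        # because the chapter requires controller and APs to use UTC.
        row["ts"] = datetime.strptime(row["ts"], "%m/%d/%Y %H:%M:%S").replace(
            tzinfo=timezone.utc
        )
        for key in ("alarm_id", "sig", "idx"):
            row[key] = int(row[key])
        alarms.append(row)
    return alarms


def summarize(alarms):
    """Group alarms by (signature ID, description, source MAC).

    Returns {key: {"count": n, "first": ts, "last": ts}}, which answers the
    triage question the raw table does not: how many alarms each source
    raised and over what interval.
    """
    counts = Counter()
    spans = {}
    for a in alarms:
        key = (a["sig"], a["desc"], a["src"])
        counts[key] += 1
        first, last = spans.get(key, (a["ts"], a["ts"]))
        spans[key] = (min(first, a["ts"]), max(last, a["ts"]))
    return {
        key: {"count": n, "first": spans[key][0], "last": spans[key][1]}
        for key, n in counts.items()
    }


if __name__ == "__main__":
    for mac in aps_not_enabled(parse_status(STATUS_OUTPUT)):
        print(f"aWIPS not active on radio {mac}")
    for (sig, desc, src), info in summarize(parse_alarms(ALARM_OUTPUT)).items():
        print(f"sig {sig} {desc}: {src} x{info['count']} "
              f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}")
```

Feed it the saved output of the show commands (for example, the terminal log of show awips alarm ap radio_mac detailed) in place of the constructed samples. Any radio listed by aps_not_enabled is a monitoring gap to fix in its AP profile before the alarm counts are trusted, and a source MAC whose count keeps growing within a one- or two-second window is the pattern behind the Authentication Flood signature shown above.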