Advanced WIPS
A Cisco Advanced Wireless Intrusion Prevention System (aWIPS) is a wireless security system that
-
uses advanced techniques for wireless threat detection and performance management
-
enables the AP to detect threats and generate alarms, and
-
combines network traffic analysis, topology information, signatures, and anomaly detection for comprehensive wireless threat prevention.
Feature history for advanced WIPS
This table provides release and related information for the features explained in this module. These features are available on all releases subsequent to the one they were introduced in, unless noted otherwise.
|
Release |
Feature name |
Feature information |
|---|---|---|
|
Cisco IOS XE 17.5.1 |
Advanced WIPS Signatures |
Up to 15 additional signatures are supported. |
Advanced WIPS signatures and definitions
The table lists alarms introduced starting with Cisco IOS XE Bengaluru Release 17.5.1.
|
Advanced WIPS signature |
Definition |
|---|---|
|
Deauthentication Flood by Pair |
This alarm provides enhanced threat context by tracking both the source (attacker) and the destination (victim) involved in the attack. |
|
Fuzzed Beacon |
A fuzzed beacon occurs when an attacker introduces invalid, unexpected, or random data into a beacon frame and replays the modified frames over the air. This can cause unexpected behavior on the destination device, such as driver crashes, operating system crashes, and stack-based overflows, and may allow execution of arbitrary code. |
|
Fuzzed Probe Request |
A fuzzed probe request occurs when an attacker introduces invalid, unexpected, or random data into a probe request and replays the modified frames over the air. |
|
Fuzzed Probe Response |
A fuzzed probe response occurs when an attacker introduces invalid, unexpected, or random data into a probe response and replays the modified frames over the air. |
|
PS Poll Flood by Signature |
A PS poll flood occurs when an attacker spoofs the MAC address of a wireless client and sends a large number of PS poll frames. The access point sends buffered data frames to the client, which may cause the client to miss data frames while operating in power-save mode. |
|
EAPOL Start Flood by Signature |
An Extensible Authentication Protocol over LAN (EAPOL) start flood occurs when an attacker floods an access point with EAPOL start frames to exhaust its internal resources. |
|
Reassociation Request Flood by Destination |
A reassociation request flood occurs when a device floods an access point with a large number of spoofed client reassociation requests to exhaust its resources, particularly the client association table. When the table overflows, legitimate clients cannot associate, resulting in a denial-of-service (DoS) attack. |
|
Beacon Flood by Signature |
A beacon flood occurs when stations receive a large number of beacons generated with different MAC addresses and SSIDs. This flood prevents clients from detecting beacons sent by corporate access points and can result in a denial-of-service (DoS) attack. |
|
Probe Response Flood by Destination |
A probe response flood occurs when a device floods clients with a large number of spoofed probe responses. This prevents clients from detecting valid probe responses sent by corporate access points. |
|
Block Acknowledgement Flood by Signature |
A block acknowledgement flood occurs when an attacker sends an invalid Add Block Acknowledgement (ADDBA) frame to an access point while spoofing a valid client MAC address. The access point then ignores valid traffic from the client until traffic outside the invalid frame range is received. |
|
AirDrop Session |
An AirDrop session uses Apple AirDrop to establish a peer-to-peer link for file sharing. This activity can introduce security risks by allowing unauthorized peer-to-peer networks to appear in the WLAN environment. |
|
Malformed Association Request |
A malformed association request occurs when an attacker sends a malformed request to an access point to exploit software defects, potentially resulting in a denial-of-service (DoS) attack. |
|
Authentication Failure Flood by Signature |
An authentication failure flood occurs when a device floods an access point with invalid authentication requests spoofed from a valid client, which can cause client disconnections. |
|
Invalid MAC OUI by Signature |
An invalid MAC OUI event occurs when a spoofed MAC address that does not contain a valid organizationally unique identifier (OUI) is used. |
|
Malformed Authentication |
Malformed authentication occurs when an attacker sends malformed authentication frames that may expose vulnerabilities in certain wireless drivers. |
The table lists alarms introduced prior to Cisco IOS XE Bengaluru Release 17.5.1.
|
Advanced WIPS signature |
|---|
|
Authentication Flood Alarm |
|
Association Flood Alarm |
|
Broadcast Probe Flood Alarm |
|
Disassociation Flood Alarm |
|
Broadcast Disassociation Flood Alarm |
|
Deauthentication Flood Alarm |
|
Broadcast Deauthentication Flood Alarm |
|
EAPOL Logoff Flood Alarm |
|
CTS Flood Alarm |
|
RTS Flood Alarm |
Guidelines and Restrictions
-
In the aWIPS profile, Cisco Aironet 1850 Series Access Points, Cisco Catalyst 9117 Series Access Points, and Cisco Catalyst 9130AX Series Access Points can detect EAPOL logoff attack and raise alarms accordingly, only on off-channel. They can not detect EAPOL logoff attack and raise alarms on on-channel.
-
aWIPS profile download is not supported when Cisco Catalyst Center is configured using the fully qualified domain name (FQDN).
Enable advanced WIPS
From Cisco IOS XE Release 17.5.1 onward, aWIPS security has higher priority than Hyperlocation/Fastlocate.
These are the possible scenarios.
All Catalyst APs that support Fastlocate can operate with aWIPS regardless of AP mode or configuration.
When both aWIPS and Hyperlocation are enabled on Cisco Aironet 4800 APs in any mode except Monitor mode, only aWIPS is available.
|
Hyperlocation/Fastlocate |
Advanced WIPS |
Cisco Aironet 4800 AP Mode |
Cisco Aironet 4800 AP effective feature |
|---|---|---|---|
|
Enable |
Enable |
Any Non-Monitor |
aWIPS 1 |
|
Enable |
Disable |
Any Non-Monitor |
Hyperlocation/Fastlocate |
|
Disable |
Disable |
Any Non-Monitor |
Hyperlocation/Fastlocate and aWIPS are disabled. |
|
Disable |
Enable |
Any Non-Monitor |
aWIPS |
|
Enable |
Enable |
Monitor |
aWIPS and Hyperlocation 2 |
|
Disable |
Enable |
Monitor |
aWIPS 3 |
|
Enable |
Disable |
Monitor |
Hyperlocation/Fastlocate |
|
Disable |
Disable |
Monitor |
Hyperlocation/Fastlocate and aWIPS are disabled. |
Advanced WIPS solution components and capabilities
The aWIPS solution comprises these components and capabilities.
Solution components
The aWIPS solution comprises these components
-
Cisco Catalyst 9800 Series Wireless Controller
-
Cisco Aironet Wave 2 APs
-
Cisco Catalyst Center
Because aWIPS functionality is integrated into Cisco Catalyst Center, aWIPS can configure WIPS policies, monitor alarms, and report threats.
Capabilities
aWIPS supports these capabilities
-
Static signatures
Beginning with Cisco IOS XE version 17.4.1, Cisco Catalyst Center can change threshold values and push new signature files to the AP.
-
Enable or disable signature forensic capture from Cisco Catalyst Center.
-
Standalone signature detection only
-
Only alarms are supported.
-
GUI support
-
CLI to view alarms
-
The static signature file is packaged with the controller and AP image.
-
Export alarms to Cisco Catalyst Center through WSA channel
 Note |
aWIPS alarm details such as the AP MAC address, alarm ID, alarm string, and signature ID are displayed on the Cisco Catalyst 9800 series wireless controller GUI. |
Supported modes and platforms
aWIPS is supported on these controllers:
-
Cisco Catalyst 9800 Series Wireless Controllers
-
Cisco Embedded Wireless Controller on Catalyst Access Points
Note |
aWIPS is not supported on Cisco IOS APs. |
Enable advanced WIPS (GUI)
Enable advanced WIPS features on your access points for improved network security.
Procedure
|
Step 1 |
Choose Configuration > Tags & Profiles > AP Join. |
|
Step 2 |
Click Add. The Add AP Join Profile window is displayed. |
|
Step 3 |
In the Add AP Join Profile window, click the Security tab. |
|
Step 4 |
Under the aWIPS section, check the aWIPS Enable check box. |
|
Step 5 |
Click Apply to Device. You return to the General tab. |
|
Step 6 |
Click the Security tab. |
|
Step 7 |
Under the aWIPS section, check the Forensic Enable check box. |
|
Step 8 |
Click Apply to Device. |
Advanced WIPS and forensic features are enabled for the selected AP profile.
Enable advanced WIPS (CLI)
Enable advanced WIPS to enhance network security and ensure proper priority over location services.
To enable aWIPS from the controller and ensure that aWIPS has higher priority than Hyperlocation/Fastlocate , perform these steps:
Procedure
|
Step 1 |
Enter global configuration mode. Example: |
||
|
Step 2 |
Configure the default AP profile. Example: |
||
|
Step 3 |
Enable aWIPS. Example:
|
||
|
Step 4 |
Enable forensics for aWIPS alarms. Example: |
||
|
Step 5 |
Enable Hyperlocation/Fastlocate on all the supported APs that are associated with this AP profile. Example: |
||
|
Step 6 |
Return to privileged EXEC mode. Example: |
The controller is now configured with advanced WIPS and forensics, and prioritizes aWIPS above Hyperlocation/Fastlocate features on AP.
View advanced WIPS alarms (GUI)
Identify and analyze current and historical WIPS alarms.
Procedure
|
Step 1 |
Navigate to . |
|
Step 2 |
To view the details of the alarms in the last five minutes (0.08 hours), click the Current Alarms tab. |
|
Step 3 |
To view the alarm count for longer periods such as hourly or daily (24 hours), click the Historical Statistics tab. |
|
Step 4 |
Sort or filter the alarms based on these parameters:
|
Advanced WIPS alarms appear according to the selected criteria. You receive real-time and historical data for security monitoring and analysis.
Verify advanced WIPS
To view the aWIPS status, use the show awips status radio_mac command:
Device# show awips status 0xx7.8xx8.2xx0
AP Radio MAC AWIPS Status Forensic Capture Status Alarm Message Count
----------------------------------------------------------------------------------
0xx7.8xx8.2xx0 ENABLED CONFIG_NOT_ENABLED 14691 The various aWIPS status indicators are:
-
ENABLED: aWIPS enabled. -
NOT_SUPPORTED: The AP does not support AWIPS. -
CONFIG_NOT ENABLED: aWIPS is not enabled on the AP.
To view details of specific alarm signatures, use the show awips alarm signature signature_id command:
Device# show awips alarm signature 10001
AP Radio MAC AlarmID Timestamp SignatureID Alarm Description Message Index
-----------------------------------------------------------------------------------------------------------------
0xx7.8xx8.2f80 1714 11/02/2020 13:02:19 10001 Authentication Flood 3966
To view alarm message statistics, use the show awips alarm statistics command:
Device# show awips alarm statisticsTo view a list of alarms since the last clear, use the show awips alarm ap ap_mac detailed command:
Device# show awips alarm ap 0xx7.8xx8.2f80 detailed
AP Radio MAC AlarmID Timestamp SignatureID Alarm Description
---------------------------------------------------------------------------------------------------------------
0xx7.8xx8.2f80 2491 08/02/2022 17:44:40 10009 RTS Flood
To view detailed alarm information, use the show awips alarm detailed command:
Device# show awips alarm detailed
AP Radio MAC AlarmID Timestamp SignatureID Alarm Description
--------------------------------------------------------------------------------------------------
7xx3.5xxd.d360 1 10/29/2020 23:21:27 10001 Authentication Flood by Source
dxxc.3xx5.9460 71 10/29/2020 23:21:27 10001 Authentication Flood by Source
7xx3.5xxd.d360 2 10/29/2020 23:21:28 10002 Association Request Flood by Destination
dxxc.3xx5.9460 72 10/29/2020 23:21:28 10002 Association Request Flood by Destination
To view the alarms on a specific AP, use the show awips alarm ap radio_mac detailed command:
Feedback