
Post on 02-Oct-2020


Advanced WIPS

• Information About Advanced WIPS

• aWIPS in a Cisco Catalyst Wireless Controller environment

• Supported Modes and Platforms

• Prerequisites for Advanced WIPS

• Configuring Advanced WIPS (GUI)

• Viewing Advanced WIPS Alarms (GUI)

• Enabling Advanced WIPS

• Verifying Advanced WIPS

Information About Advanced WIPS

The Cisco Advanced Wireless Intrusion Prevention System (aWIPS) is a wireless intrusion threat detection and mitigation mechanism. aWIPS uses an advanced approach to wireless threat detection and performance management. The AP detects the threats and generates alarms. It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly detection to deliver highly accurate and complete wireless threat prevention.

With a fully infrastructure-integrated solution, you can continually monitor wireless traffic on both the wired and wireless networks and use that network intelligence to analyze attacks from many sources to accurately pinpoint and proactively prevent attacks, rather than wait until damage or exposure has occurred.

aWIPS in a Cisco Catalyst Wireless Controller environment

The aWIPS solution comprises the following components:

• Cisco Catalyst 9800 Series Wireless Controller

• Cisco Catalyst and Aironet Wave 2 APs

• Cisco DNA Center

As the aWIPS functionality is integrated into the Cisco DNA Center, the aWIPS can configure and monitor WIPS policies and alarms and report threats.


Note: aWIPS is supported only on Cisco DNA-C.

aWIPS supports the following capabilities:

• Static signatures

• Standalone signature detection only

• Alarms only

• GUI support

• Controller commands to view alarms

• Static signature file packaged with controller and AP image

• Export alarms to Cisco DNA Center through WSA channel

aWIPS alarm details like the AP MAC address, alarm ID, client MAC address, alarm string, and signature ID are displayed on the Cisco Catalyst 9800 series wireless controller GUI.

Supported Modes and Platforms

aWIPS is supported on the following Cisco Catalyst Controllers:

• Cisco Catalyst 9800 series wireless controllers

• Cisco Embedded Wireless Controller on Catalyst Access Points

aWIPS is supported on all controller and AP modes.

Prerequisites for Advanced WIPS

Set all entities (controller and APs) in an aWIPS deployment to the UTC time zone.

Configuring Advanced WIPS (GUI)

aWIPS initialization is done by the controller. aWIPS initialization could also be triggered via the controller GUI or CLI. The controller then sends the aWIPS configuration to the APs using CAPWAP.

Procedure

Step 1 Choose Configuration > Tags & Profiles > AP Join.

Step 2 On the AP Join page, click the name of the desired AP join profile.

Step 3 In the Edit AP Join Profile window, click the Security tab.

Step 4 In the aWIPS section, select the aWIPS Enable check box.


Step 5 Click Update & Apply to Device.

Viewing Advanced WIPS Alarms (GUI)

Procedure

Navigate to Monitoring > Security > aWIPS.

• To view details of the alarms in the last 5 minutes, go to the Current Alarms tab.

• To view the alarm count over an extended period of time, either hourly, for a day (24 hours) or more, go to the Historical Statistics tab.

You can sort or filter the alarms based on the following parameters:

• AP Radio MAC address

• Client MAC address

• Alarm ID

• Time Stamp

• Signature ID

• Alarm Description

• Alarm Message Index

Enabling Advanced WIPS

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Device# configure terminal

Step 2
Command or Action: ap profile profile-name
Purpose: Configures the default AP profile.
Example:
Device(config)# ap profile myprofile

Step 3
Command or Action: aWIPS
Purpose: Enable aWIPS.
Note: aWIPS is disabled by default on the controller.
Example:
Device(config-ap-profile)# aWIPS

Step 4
Command or Action: end
Purpose: Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.
Example:
Device(config-ap-profile)# end

Verifying Advanced WIPS

To view aWIPS status, use the show awips status radio_mac command:

Device# show awips status 00d7.8f58.2f80
AP Radio MAC      AWIPS Status      Alarm Message Count
---------------------------------------------------------------------------
00d7.8f58.2f80    ENABLED           3944

The various aWIPS status indicators are listed below:

• ENABLED: aWIPS enabled.

• NOT_SUPPORTED: AP does not support aWIPS.

• CONFIG_NOT_ENABLED: aWIPS is not enabled on the AP.

To view details of specific alarm signatures, use the show awips alarm signature signature_id command:

Device# show awips alarm signature 10001
AP Radio MAC     Source/Dest MAC   AlarmID   Timestamp             SignatureID   Alarm Description      Message Index
----------------------------------------------------------------------------------------------------------------------
00d7.8f58.2f80   0023.68b0.235b    1714      11/02/2020 13:02:19   10001         Authentication Flood   3966

To view alarm message statistics, use the below command:

Device# show awips alarm statistics

To view a list of alarms since the last clear, use the below command:

Device# show awips alarm ap ap_mac detailed

To view detailed alarm information, use the show awips alarm detailed command:

Device# show awips alarm detailed
AP Radio MAC     Source/Dest MAC   AlarmID   Timestamp             SignatureID   Alarm Description      Message Index
----------------------------------------------------------------------------------------------------------------------
00d7.8f58.2f80   0023.68b0.235b    1714      11/02/2020 13:02:19   10001         Authentication Flood   3966
00d7.8f58.2f80   0024.d71c.f3cc    1714      11/02/2020 13:02:19   10001         Authentication Flood   3971
…
…
…
00d7.8f58.2f80   0023.68b0.235b    1715      11/02/2020 13:02:20   10001         Authentication Flood   3982
00d7.8f58.2f80   0024.d71c.f3cc    1715      11/02/2020 13:02:20   10001         Authentication Flood   3987
…

To view alarms on a specific AP, use the show awips alarm ap radio_mac detailed command:

Device# show awips alarm ap 00d7.8f58.2f80 detailed
AP Radio MAC     Source/Dest MAC   AlarmID   Timestamp             SignatureID   Alarm Description      Message Index
----------------------------------------------------------------------------------------------------------------------
00d7.8f58.2f80   0023.68b0.235b    1714      11/02/2020 13:02:19   10001         Authentication Flood   3966
00d7.8f58.2f80   0024.d71c.f3cc    1714      11/02/2020 13:02:19   10001         Authentication Flood   3971
…
…
…
00d7.8f58.2f80   0023.68b0.235b    1715      11/02/2020 13:02:20   10001         Authentication Flood   3982
00d7.8f58.2f80   0024.d71c.f3cc    1715      11/02/2020 13:02:20   10001         Authentication Flood   3987
…
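
For triage, saved output of the show awips alarm detailed or show awips alarm ap radio_mac detailed commands can be parsed and grouped per AP radio and signature. The following Python sketch is an added example, not Cisco code; the function names are hypothetical, and it assumes one alarm per line and MM/DD/YYYY dates.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# Columns: AP MAC, peer MAC, alarm ID, timestamp, signature ID, description, index.
ROW = re.compile(
    rf"^(?P<ap>{MAC})\s+(?P<peer>{MAC})\s+(?P<alarm_id>\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<sig>\d+)\s*"
    r"(?P<desc>.+?)\s+(?P<idx>\d+)$", re.I)

def parse_alarms(text, ts_format="%m/%d/%Y %H:%M:%S"):
    """Parse alarm rows; header, separator and elided lines are skipped."""
    alarms = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        # Assumption: dates are MM/DD/YYYY. Timestamps are treated as UTC,
        # matching the prerequisite that controller and APs run in UTC.
        a["ts"] = datetime.strptime(a["ts"], ts_format).replace(tzinfo=timezone.utc)
        for k in ("alarm_id", "sig", "idx"):
            a[k] = int(a[k])
        alarms.append(a)
    return alarms

def summarize(alarms):
    """Group by (AP radio MAC, signature ID): count, distinct peers, time span."""
    groups = defaultdict(list)
    for a in alarms:
        groups[(a["ap"], a["sig"])].append(a)
    return {key: {"description": rows[0]["desc"],
                  "count": len(rows),
                  "peers": sorted({r["peer"] for r in rows}),
                  "first": min(r["ts"] for r in rows),
                  "last": max(r["ts"] for r in rows)}
            for key, rows in groups.items()}

# Constructed sample: the rows from the output above, one alarm per line.
SAMPLE = """\
AP Radio MAC    Source/Dest MAC  AlarmID  Timestamp  SignatureID  Alarm Description  Message Index
00d7.8f58.2f80  0023.68b0.235b  1714  11/02/2020 13:02:19  10001  Authentication Flood  3966
00d7.8f58.2f80  0024.d71c.f3cc  1714  11/02/2020 13:02:19  10001  Authentication Flood  3971
…
00d7.8f58.2f80  0023.68b0.235b  1715  11/02/2020 13:02:20  10001  Authentication Flood  3982
00d7.8f58.2f80  0024.d71c.f3cc  1715  11/02/2020 13:02:20  10001  Authentication Flood  3987
"""
if __name__ == "__main__": print(summarize(parse_alarms(SAMPLE)))
```

A group with many alarms from several source/destination MACs inside a short first-to-last window, as in this sample, is the pattern to escalate for a flood signature.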
