Advanced WIPS
• Information About Advanced WIPS
• aWIPS in a Cisco Catalyst Wireless Controller environment
• Supported Modes and Platforms
• Prerequisites for Advanced WIPS
• Configuring Advanced WIPS (GUI)
• Viewing Advanced WIPS Alarms (GUI)
• Enabling Advanced WIPS
• Verifying Advanced WIPS
Information About Advanced WIPS
The Cisco Advanced Wireless Intrusion Prevention System (aWIPS) is a wireless intrusion threat detection and mitigation mechanism. aWIPS uses an advanced approach to wireless threat detection and performance management. The AP detects the threats and generates alarms. It combines network traffic analysis, network device and topology information, signature-based techniques, and anomaly detection to deliver highly accurate and complete wireless threat prevention.
With a fully infrastructure-integrated solution, you can continually monitor wireless traffic on both the wired and wireless networks and use that network intelligence to analyze attacks from many sources to accurately pinpoint and proactively prevent attacks, rather than wait until damage or exposure has occurred.
aWIPS in a Cisco Catalyst Wireless Controller environment
The aWIPS solution comprises the following components:
• Cisco Catalyst 9800 Series Wireless Controller
• Cisco Catalyst and Aironet Wave 2 APs
• Cisco DNA Center
As the aWIPS functionality is integrated into the Cisco DNA Center, the aWIPS can configure and monitor WIPS policies and alarms and report threats.
Note: aWIPS is supported only on Cisco DNA-C.
aWIPS supports the following capabilities:
• Static signatures
• Standalone signature detection only
• Alarms only
• GUI support
• Controller commands to view alarms
• Static signature file packaged with controller and AP image
• Export alarms to Cisco DNA Center through WSA channel
aWIPS alarm details like the AP MAC address, alarm ID, client MAC address, alarm string, and signature ID are displayed on the Cisco Catalyst 9800 series wireless controller GUI.
Supported Modes and Platforms
aWIPS is supported on the following Cisco Catalyst Controllers:
• Cisco Catalyst 9800 series wireless controllers
• Cisco Embedded Wireless Controller on Catalyst Access Points
aWIPS is supported on all controller and AP modes.
Prerequisites for Advanced WIPS
Set all entities (controller and APs) in an aWIPS deployment to the UTC time zone.
Configuring Advanced WIPS (GUI)
aWIPS initialization is done by the controller. aWIPS initialization could also be triggered via the controller GUI or CLI. The controller then sends the aWIPS configuration to the APs using CAPWAP.
Procedure
Step 1 Choose Configuration > Tags & Profiles > AP Join.
Step 2 On the AP Join page, click the name of the desired AP join profile.
Step 3 In the Edit AP Join Profile window, click the Security tab.
Step 4 In the aWIPS section, select the aWIPS Enable check box.
Step 5 Click Update & Apply to Device.
Viewing Advanced WIPS Alarms (GUI)
Procedure
Navigate to Monitoring > Security > aWIPS.
• To view details of the alarms in the last 5 minutes, go to the Current Alarms tab.
• To view the alarm count over an extended period of time, either hourly, for a day (24 hours) or more, go to the Historical Statistics tab.
You can sort or filter the alarms based on the following parameters:
• AP Radio MAC address
• Client MAC address
• Alarm ID
• Time Stamp
• Signature ID
• Alarm Description
• Alarm Message Index
Enabling Advanced WIPS
Procedure

        Command or Action                      Purpose
Step 1  configure terminal                     Enters global configuration mode.
        Example:
        Device# configure terminal
Step 2  ap profile profile-name                Configures the default AP profile.
        Example:
        Device(config)# ap profile myprofile
Step 3  aWIPS                                  Enable aWIPS.
        Example:                               Note: aWIPS is disabled by default on the controller.
        Device(config-ap-profile)# aWIPS
Step 4  end                                    Returns to privileged EXEC mode.
        Example:                               Alternatively, you can also press Ctrl-Z to exit global configuration mode.
        Device(config-ap-profile)# end
Verifying Advanced WIPS
To view aWIPS status, use the show awips status radio_mac command:
Device# show awips status 00d7.8f58.2f80
AP Radio MAC     AWIPS Status     Alarm Message Count
---------------------------------------------------------------------------
00d7.8f58.2f80   ENABLED          3944
The various aWIPS status indicators are listed below:
• ENABLED: aWIPS enabled.
• NOT_SUPPORTED: AP does not support AWIPS.
• CONFIG_NOT ENABLED: aWIPS is not enabled on the AP.
To view details of specific alarm signatures, use the show awips alarm signature signature_id command:
Device# show awips alarm signature 10001
AP Radio MAC    Source/Dest MAC  AlarmID  Timestamp            SignatureID  Alarm Description     Message Index
----------------------------------------------------------------------------------------------------------------
00d7.8f58.2f80  0023.68b0.235b   1714     11/02/2020 13:02:19  10001        Authentication Flood  3966
To view alarm message statistics, use the below command:
Device# show awips alarm statistics
To view a list of alarms since the last clear, use the below command:
Device# show awips alarm ap ap_mac detailed
To view detailed alarm information, use the show awips alarm detailed command:
Device# show awips alarm detailed
AP Radio MAC    Source/Dest MAC  AlarmID  Timestamp            SignatureID  Alarm Description     Message Index
----------------------------------------------------------------------------------------------------------------
00d7.8f58.2f80  0023.68b0.235b   1714     11/02/2020 13:02:19  10001        Authentication Flood  3966
00d7.8f58.2f80  0024.d71c.f3cc   1714     11/02/2020 13:02:19  10001        Authentication Flood  3971
………
00d7.8f58.2f80  0023.68b0.235b   1715     11/02/2020 13:02:20  10001        Authentication Flood  3982
00d7.8f58.2f80  0024.d71c.f3cc   1715     11/02/2020 13:02:20  10001        Authentication Flood  3987
…
To view alarms on a specific AP, use the show awips alarm ap radio_mac detailed command:
Device# show awips alarm ap 00d7.8f58.2f80 detailed
AP Radio MAC    Source/Dest MAC  AlarmID  Timestamp            SignatureID  Alarm Description     Message Index
----------------------------------------------------------------------------------------------------------------
00d7.8f58.2f80  0023.68b0.235b   1714     11/02/2020 13:02:19  10001        Authentication Flood  3966
00d7.8f58.2f80  0024.d71c.f3cc   1714     11/02/2020 13:02:19  10001        Authentication Flood  3971
………
00d7.8f58.2f80  0023.68b0.235b   1715     11/02/2020 13:02:20  10001        Authentication Flood  3982
00d7.8f58.2f80  0024.d71c.f3cc   1715     11/02/2020 13:02:20  10001        Authentication Flood  3987
…
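The following is an added example, not part of the Cisco documentation: a Python parser for captured show awips alarm detailed output that accepts rows whose last two columns wrap onto a second line, skips headers, rulers, elision lines and truncated rows, and counts alarms per signature and source/destination MAC. The function names and the threshold parameter are assumptions; the sample is constructed from the rows shown above, with a deliberately truncated final row.

```python
import re
from collections import Counter, namedtuple

Alarm = namedtuple(
    "Alarm", "ap_mac peer_mac alarm_id timestamp signature_id description msg_index")

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# \s+ also matches a newline, so a row whose last two columns wrapped onto
# the next line is parsed the same way as a single-line row.
ROW = re.compile(
    rf"(?P<ap>{MAC})\s+(?P<peer>{MAC})\s+(?P<aid>\d+)\s+"
    r"(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+(?P<sig>\d+)\s+"
    r"(?P<desc>[A-Za-z][^\n]*?)\s+(?P<idx>\d+)[ \t]*$",
    re.IGNORECASE | re.MULTILINE)

def parse_alarms(text):
    """Return one Alarm per complete row; anything else is skipped."""
    return [Alarm(m["ap"].lower(), m["peer"].lower(), int(m["aid"]), m["ts"],
                  int(m["sig"]), m["desc"].strip(), int(m["idx"]))
            for m in ROW.finditer(text)]

def count_by_source(alarms):
    """Count alarms per (signature ID, description, source/dest MAC)."""
    return Counter((a.signature_id, a.description, a.peer_mac) for a in alarms)

def noisy_sources(alarms, threshold):
    """Source/dest MACs that reach `threshold` alarms for one signature."""
    return sorted({mac for (_, _, mac), n in count_by_source(alarms).items()
                   if n >= threshold})

# Constructed sample: rows taken from the page's sample output, one on a
# single line, two wrapped, and a final row truncated before its description.
SAMPLE = """\
AP Radio MAC   Source/Dest MAC AlarmID Timestamp SignatureID Alarm Description Message Index
--------------------------------------------------------------------------------------------
00d7.8f58.2f80 0023.68b0.235b  1714  11/02/2020 13:02:19  10001  Authentication Flood  3966
00d7.8f58.2f80 0024.d71c.f3cc 1714 11/02/2020 13:02:19 10001
Authentication Flood 3971
………
00d7.8f58.2f80 0023.68b0.235b 1715 11/02/2020 13:02:20 10001
Authentication Flood 3982
00d7.8f58.2f80 0024.d71c.f3cc 1715 11/02/2020 13:02:20 10001
"""

if __name__ == "__main__":
    alarms = parse_alarms(SAMPLE)
    print(count_by_source(alarms))
    print(noisy_sources(alarms, threshold=2))
```

Timestamps are kept as strings because the sample output does not show whether the date is month-first or day-first; per the prerequisite above they are in UTC.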