Hello,
We are working with a lab of an MSE with wIPS v8.x integrated with a Cisco Prime v3.x and a WLC v8.x. The integration for all the infrastructure is done, with all the services up and running. The lab environment also has two APs, both of them working in local mode and in the wIPS submode, and we have a Kali Linux in order to generate attacks and see the events detected by the wIPS.
We noticed something: we let the Kali Linux attack the wireless network for an hour and no events were registered in the wIPS + Prime. We discovered that the issue was that the Kali Linux was attacking the wireless network on channel 1 but the 2 APs were working on channel 6. We decided to change the operation mode of one of the APs to "monitor", and this time it detected the attack just a few seconds after it started.
Can this solution be implemented using APs only working in the wIPS "submode"?
Is there something specific that needs to be configured in order to detect the attacks when working with no monitor mode AP and only in wIPS submode?
Thanks in advance for any comment!