cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Popup Hotspot Using ISR 1000 with WiFi/LTE for Teleworkers and Micro Branchesr

Ask Me Anything – How to Enable Network Connectivity to Remote Workers
321
Views
0
Helpful
0
Replies
Highlighted
Beginner

NULL probe resp 1 Alert on Cisco vWLC and Prime

We've recently been getting the following alert on our Cisco Prime: 

Message: IDS 'NULL probe resp 1' Signature attack detected on AP 'SERV-RM-AP-9_(3800)' protocol '802.11a' on Controller '172.xxx.xxx.xxx'. The Signature description is 'NULL Probe Response - Zero length SSID element', with precedence '2'. The attacker's mac address is '8a:15:14:f9:6c:3f', channel number is '149', and the number of detections is '1'.

Failure Source: WLAN Controller WIRELESSCTLR/172.xxx.xxx.xxx.

 

We're in a multi-tenant building and I've confirmed with the wireless admin in our neighboring office that the APs generating these alerts are part of his Meraki deployment and I've set them as friendly external rogues in our WLC. 

I've referenced several discussions in the forums that mention that this signature can be disabled in the WLC settings because Cisco WLCs don't respond to NULL probes with their hidden SSIDs. But, I've been unable to locate this fact in any documentation. I'd like to know if someone knows where in Cisco's technical documentation this is stated, that Cisco WLCs don't respond to NUILL probes with their hidden SSIDs. This way I can show my compliance/security folks that it's not a security concern to disable this signature in the WLC. Any help is appreciated. 

 

 

CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey