I am currently installing Cisco wireless IPS (WIPS), which is integrated with Cisco Prime and the WLC. The installation is already done and I am trying to prove the WIPS feature that can prevent rogue APs. I am using a honeypot running in Kali Linux to simulate rogue AP attacks.
When I run the simulation with the honeypot configured with the same SSID as the WIPS SSID, users (on laptops) trying to connect to that SSID are intercepted and connect to the Kali Linux honeypot SSID instead, and they get an IP address from the Kali Linux honeypot. When I try to reconnect to the wireless network, the users still connect to the honeypot. The users' wireless connection only goes back to the original SSID when I turn off the honeypot service. This means the WIPS isn't running properly yet. I tried checking the notification alerts in Cisco Prime and the WLC, but they don't show that the attack was "contained".
My questions are:
- Why can't the WIPS intercept the rogue AP attack?
- Is it possible to get users back to the original SSID once they are already connected to the fake SSID?
- What should I configure or check in my WIPS/Prime to fix this WIPS installation?
- Can someone give me other references about configuring a honeypot and installing WIPS?
Thanks for any reply.
1. Rogue containment policy based on a rogue rule: contain malicious rogue APs detected with the same SSID.
2. No, we don't have that; in the testing room we just deployed one monitor-mode AP (Aironet 4800 series) and the honeypot AP (running on a laptop with Kali).
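As an added example that is not from this thread, this is the AireOS WLC CLI form of the rogue rule described above (classify a rogue AP advertising the managed SSID as malicious and set its state to contain), followed by the show commands used to verify that the rule fired. The SSID `CORP-WIFI` and rule name `ssid-contain` are placeholders; the syntax is the documented AireOS 8.x form and should be checked against the controller's own `?` help for the version in use.

```text
# Constructed example; replace CORP-WIFI and ssid-contain with your own values.
# Rule: any rogue AP matching the condition is classified malicious, alarmed
# everywhere (notify all) and actively contained by the controller.
config rogue rule add ap priority 1 classify malicious notify all state contain ssid-contain
config rogue rule condition ap set ssid CORP-WIFI ssid-contain
config rogue rule match any ssid-contain
config rogue rule enable ssid-contain

# Verify the rule is present and enabled
show rogue rule summary
show rogue rule detailed ssid-contain

# Rogues seen by the monitor-mode AP, with classification and state.
# The honeypot's BSSID should appear as Malicious / Contained here; if it is
# only Alert, the rule did not match or containment is not taking effect.
show rogue ap summary
show rogue ap detailed <rogue-bssid>

# Clients the controller has observed associated to a rogue
show rogue client summary
```

A rogue is only contained after the monitor-mode AP has actually heard it on a channel it scans, so check the rogue's detecting AP and channel in `show rogue ap detailed` before assuming the rule is broken.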