03-11-2022 08:00 AM
Hi
We have a Cat9800 controller with aWIPS enabled and it is sending alarms to a DNAC appliance. I am seeing quite a lot of alarms that, if they are real, would suggest we have an inordinate number of Wi-Fi attackers in our office. The most frequent alarms are
Block Ack flood
Authentication floods
Targeted Deauthentication
Association flood
I really can't believe these are real events.
Has anyone deployed aWIPS on 9800s and seen similar results?
Thanks, Kev.
03-11-2022 06:23 PM
Hi
I used to play with wIPS and I saw false alarms all the time. To be honest, wIPS is one of the most unsuccessful solutions I have ever seen in my life.
03-13-2022 03:31 AM
Do you have a multi-vendor environment by any chance?
It's some manual work for sure, but this might help you.
03-14-2022 05:49 AM
Below are mostly RF-related attacks where mitigation is very limited or not possible. Descriptions of all the possible alerts are listed in the article below.
I would not agree that aWIPS is not a successful product. It has its own use cases: for example, if a client is complaining about connectivity issues you can have a look at the aWIPS alerts from that AP or the APs in the vicinity to check whether there are any targeted deauths. Most importantly, rogue detection and containment is also part of aWIPS (some countries may have legal complications with using this feature, so take caution). aWIPS will provide you a holistic view of the threat landscape at the RF level. With enterprises moving to complete wireless connectivity, this is one of the must-have features.

As @ammahend mentioned, there could be a lot of false positives, as the wireless medium itself is not restricted and an attacker with a directional antenna with enough gain could trigger deauths in your wireless environment while maybe sitting meters away.
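As an added example (not code from this thread, from Cisco DNAC, or from the aWIPS product), here is the kind of triage the reply above describes, done over a handful of alert records: for a complaining client, pull the targeted-deauth alerts raised against its MAC by the AP it was on and that AP's RF neighbours in the window before the complaint, and separately measure how bursty a given alert type is at an AP, since a steady trickle of alerts across a busy floor looks very different from dozens in a few seconds. The alert records, field names, AP names, MAC addresses and neighbour list are all constructed for the example and are not a DNAC export format.

```python
from datetime import datetime, timedelta

# Constructed aWIPS-style alert records for the example (not a DNAC export; the field
# names ts/type/ap/target are assumptions, as are the AP names and MAC addresses).
ALERTS = [
    {"ts": "2022-03-11T08:00:01", "type": "Targeted Deauthentication", "ap": "AP-3F-01", "target": "aa:bb:cc:00:00:01"},
    {"ts": "2022-03-11T08:00:03", "type": "Targeted Deauthentication", "ap": "AP-3F-02", "target": "aa:bb:cc:00:00:01"},
    {"ts": "2022-03-11T08:00:04", "type": "Targeted Deauthentication", "ap": "AP-3F-01", "target": "aa:bb:cc:00:00:01"},
    {"ts": "2022-03-11T08:00:10", "type": "Authentication flood",      "ap": "AP-3F-01", "target": None},
    {"ts": "2022-03-11T08:05:00", "type": "Block Ack flood",           "ap": "AP-2F-07", "target": None},
    {"ts": "2022-03-11T08:07:30", "type": "Targeted Deauthentication", "ap": "AP-3F-03", "target": "aa:bb:cc:00:00:02"},
    {"ts": "2022-03-11T08:40:00", "type": "Targeted Deauthentication", "ap": "AP-3F-01", "target": "aa:bb:cc:00:00:01"},
]

# Assumed RF neighbour list (in practice from a floor plan or the controller's neighbour reports).
NEIGHBORS = {
    "AP-3F-01": ["AP-3F-02", "AP-3F-03"],
    "AP-3F-02": ["AP-3F-01"],
    "AP-3F-03": ["AP-3F-01"],
    "AP-2F-07": [],
}


def _ts(s):
    return datetime.fromisoformat(s)


def triage_client(alerts, client_mac, ap, neighbors, complaint_ts, lookback_min):
    """Targeted-deauth alerts against client_mac raised by `ap` or its RF neighbours in
    the lookback window before the complaint. Returns the count, which APs raised them
    and the first/last timestamps, which is the view the reply above suggests checking."""
    end = _ts(complaint_ts)
    start = end - timedelta(minutes=lookback_min)
    vicinity = {ap, *neighbors.get(ap, [])}
    hits = sorted(
        (a for a in alerts
         if a["type"] == "Targeted Deauthentication"
         and a["target"] == client_mac
         and a["ap"] in vicinity
         and start <= _ts(a["ts"]) <= end),
        key=lambda a: a["ts"],
    )
    return {
        "count": len(hits),
        "aps": sorted({a["ap"] for a in hits}),
        "first": hits[0]["ts"] if hits else None,
        "last": hits[-1]["ts"] if hits else None,
    }


def peak_rate(alerts, ap, alert_type, window_s):
    """Largest number of `alert_type` alerts raised by `ap` inside any window_s-second
    window (sliding window over sorted timestamps). A few alerts per hour is background
    noise on a busy floor; a burst of many in a few seconds is worth walking over to."""
    times = sorted(_ts(a["ts"]) for a in alerts if a["ap"] == ap and a["type"] == alert_type)
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while t - times[lo] > timedelta(seconds=window_s):
            lo += 1
        best = max(best, hi - lo + 1)
    return best


if __name__ == "__main__":
    # Client aa:bb:cc:00:00:01 on AP-3F-01 complained at 08:10; look back 30 minutes.
    print(triage_client(ALERTS, "aa:bb:cc:00:00:01", "AP-3F-01", NEIGHBORS, "2022-03-11T08:10:00", 30))
    for ap in NEIGHBORS:
        print(ap, "peak targeted deauths per 60 s:", peak_rate(ALERTS, ap, "Targeted Deauthentication", 60))
```

With the constructed records, the complaining client shows three targeted-deauth alerts from AP-3F-01 and its neighbour AP-3F-02 within a few seconds, which is the pattern that corroborates a connectivity complaint; the alert against a different client and the one raised well after the complaint are left out. The same logic applies to the other flood types by changing the alert type passed to peak_rate.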