06-28-2025 05:53 PM - edited 06-28-2025 09:20 PM
I have several sites with flex-AP associated to 5508 Cisco Flex WLC (software version 8.5.161.11). A couple days ago CPI alarmed IDS 'EAPOL flood' and IDS 'Auth flood' signature attacks are being reported by all of my APs across the sites. What might be the problem, and how might it be resolved?
Is this a false positive alert or does it have anything to do with Bug CSCsj06015 ?
I want to add more info that may help to recap the current state of my wireless infra: my WLC local time configuration is not accurate. it shows 2021 and MFP is globally disabled.
Would this add another cause to the issue?
Thanks
06-28-2025 10:23 PM
- @Gastu Set the correct time on the controller and use an NTP server
+ Upgrade to 8.5.182.12 : https://software.cisco.com/download/specialrelease/9a6a7cf84f9fdf04b95c76e2ac7820e7
M.
06-29-2025 04:36 AM
Enable Client Exclusion for EAPOL Failures
I think this is best way
MHM
06-29-2025 04:53 AM
> Is this a false positive alert or does it have anything to do with Bug CSCsj06015 ?
8.5.161.0 = 15.3(3)JF12
CSCsj06015 fixed in 12.4(16b)JA, 12.4(10b)JA2 (long before 15.3.x code) so unlikely to be a factor.
As @marce1000 says you should be using the last available code version 8.5.182.12, and pay close attention to the Field Notices below (which is probably why you are using the incorrect time).
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide