
IDS 'EAPOL flood' Signature attack and IDS 'Auth flood' Signature atta

Gastu
Level 1

I have several sites with flex-APs associated to a 5508 Cisco Flex WLC (software version 8.5.161.11). A couple of days ago CPI alarmed that IDS 'EAPOL flood' and IDS 'Auth flood' signature attacks are being reported by all of my APs across the sites. What might be the problem, and how might it be resolved?

Is this a false positive alert or does it have anything to do with Bug CSCsj06015 ?

I want to add more info that may help to recap the current state of my wireless infra: my WLC local time configuration is not accurate. It shows 2021, and MFP is globally disabled.

Would this add another cause to the issue?

 

Thanks 


marce1000
Hall of Fame

 

 - @Gastu Set the correct time on the controller and use an NTP server
 + Upgrade to 8.5.182.12: https://software.cisco.com/download/specialrelease/9a6a7cf84f9fdf04b95c76e2ac7820e7

   M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Enable Client Exclusion for EAPOL Failures

I think this is the best way

MHM

Rich R
VIP

Is this a false positive alert or does it have anything to do with Bug CSCsj06015 ?
8.5.161.0 = 15.3(3)JF12
CSCsj06015 fixed in 12.4(16b)JA, 12.4(10b)JA2 (long before 15.3.x code) so unlikely to be a factor.
As @marce1000 says you should be using the last available code version 8.5.182.12, and pay close attention to the Field Notices below (which is probably why you are using the incorrect time).

 
