IDS Signature attack detected
03-21-2014 05:47 PM - edited 07-05-2021 12:30 AM
Hi,
We are getting a lot of entries of this error in the system log of our WLC (5508 7.4.100.0)
IDS Signature attack detected. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-signature, Detecting AP Name: AP.FLO, Radio Type: 802.11b/g, Preced: 5, Hits: 500, Channel: 11, srcMac: A3:D3:B6:F0:34:7B
Is there any workaround for this?
Thanks
03-22-2014 11:31 AM
Hi,
You are receiving those because the mentioned source MAC is trying to send 802.11 authentication request frames so many times. That usually means either bad RF, too many clients or a bad client supplicant/driver. In some situations it can be a planned DoS attack.
You have to find the source MAC, isolate the root cause and fix it.
HTH
Amjad
03-22-2014 04:06 PM
Thanks Amjad,
Also, we have some clients that are unable to connect to our APs and get authentication errors on their laptops. We are using WPA/WPA2 / PSK authentication but we get the following error:
Client Excluded: MACAddress:f8:f1:eb:dd:c9:cd Base Radio MAC :08:ad:9f:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4
Do you have any idea of what could be the problem?
Thanks
04-02-2014 02:58 AM
The PSK can be incorrect, or it could not handle the combination of WPA and WPA2 enabled. Try with WPA2 only.
04-02-2014 02:55 AM
Are these reported on this client only, or are other clients with a similar model/type/config/driver also affected? If so, try updating the driver. Another workaround on the WLC is to adjust the timer/hit limit.
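
One way to follow the advice in this thread to find the source MAC and check whether one client or several are affected, as an added example that is not part of any post: a Python script that tallies the two WLC message types quoted above per MAC address and decodes the address-type bits of each MAC. The function names and the AP name "AP.LAB" are assumptions made for the example.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
IDS_RE = re.compile(
    r"IDS Signature attack detected\..*?Name: (?P<sig>[^,]+),"
    r".*?Detecting AP Name: (?P<ap>[^,]+),.*?Hits: (?P<hits>\d+),"
    r".*?Channel: (?P<chan>\d+),\s*srcMac: (?P<mac>" + MAC + ")")
EXCL_RE = re.compile(r"Client Excluded: MACAddress:\s*(?P<mac>" + MAC + ")")

def mac_flags(mac):
    """Decode the I/G and U/L bits of the first octet (IEEE 802 addressing)."""
    first = int(mac[:2], 16)
    return {"group": bool(first & 0x01), "local": bool(first & 0x02)}

def summarize(lines):
    """Tally IDS alerts and client exclusions per MAC (lower-cased)."""
    report = defaultdict(lambda: {"alerts": 0, "hits": 0, "aps": set(),
                                  "channels": set(), "exclusions": 0})
    for line in lines:
        ids = IDS_RE.search(line)
        excl = EXCL_RE.search(line)
        if ids:
            row = report[ids["mac"].lower()]
            row["alerts"] += 1
            row["hits"] += int(ids["hits"])
            row["aps"].add(ids["ap"].strip())      # which APs heard the flood
            row["channels"].add(int(ids["chan"]))
        elif excl:
            report[excl["mac"].lower()]["exclusions"] += 1
    for mac, row in report.items():
        row.update(mac_flags(mac))
    return dict(report)

# Sample input: the first and last lines are the messages quoted in the thread;
# the middle line is constructed (the AP name "AP.LAB" is made up).
SAMPLE = [
    "IDS Signature attack detected. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-signature, Detecting AP Name: AP.FLO, Radio Type: 802.11b/g, Preced: 5, Hits: 500, Channel: 11, srcMac: A3:D3:B6:F0:34:7B",
    "IDS Signature attack detected. Signature Type: Standard, Name: Auth flood, Description: Authentication Request flood, Track: per-signature, Detecting AP Name: AP.LAB, Radio Type: 802.11b/g, Preced: 5, Hits: 500, Channel: 11, srcMac: A3:D3:B6:F0:34:7B",
    "Client Excluded: MACAddress:f8:f1:eb:dd:c9:cd Base Radio MAC :08:ad:9f:76:4d:30 Slot: 0 User Name: unknown Ip Address: unknown Reason:802.1x Authentication failed 3 times. ReasonCode: 4",
]

if __name__ == "__main__":
    for mac, row in sorted(summarize(SAMPLE).items()):
        print(mac, row)
```

A source MAC with the group bit set, as in the address logged in the first post, cannot be a station's own unicast address, so such entries point to corrupted or forged frames rather than a normal client retrying.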
