02-03-2022 09:42 AM
All,
What happens when an IDS signature attack is detected? What is the response of the wireless controller? Does this lock out all users on that AP for a time period, or just that individual user for a period of time?
Thanks
02-03-2022 09:47 AM
It all depends on what you are using. If you are using 802.1x, then ISE can take some action here and block the client.
02-03-2022 09:50 AM
BB,
Thanks for the quick response. Just to be clear, is this IDS signature attack 802.1x based?
02-03-2022 05:22 PM
Since the SSID is publicly available, there may be many attacks on the SSID; these need to be verified based on the information generated on the wireless controller. If you have a strong authentication system in place, these attacks can be blocked for a while (if the system is in place).
Some reference of what the logs look like:
02-03-2022 02:27 PM
Hi Lumbee,
When it comes to the wireless world, there are very few intrusion attacks which can be contained automatically. For example, if someone is advertising a rogue SSID in the vicinity, you can configure the WLC to perform a legitimate deauth attack to contain the rogue AP. If a rogue AP is seen on your LAN, it can follow the same suit to contain it. If there is a client who is trying to spoof the MAC address of a legitimate client, you can block access to that MAC address, but this will impact the legitimate client as well; the list goes on.
However, most of the attacks which happen at the RF level cannot be contained; rather, we can configure the wireless infra to identify these attacks and alert us. Based on the severity of the attack, and as per the defined security policy, you may then have to act manually. There are many attacks which can be categorized as DoS attacks and which can be identified by the wireless infra (probe floods, beacon floods, CTS/RTS floods, etc.), but from your wireless infra I do not think you can automate containing the attacks. As I said before, this requires a human to interact manually and act.
It is always recommended to have visibility into your wireless infra, as this will provide you with the required forensics in case of an attack. However, due to the behavior of the medium, only certain attacks can be mitigated or contained, and others can only be identified.
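As an added illustration of the triage described in the answer above (this is example code, not from the thread and not the WLC's own logic), the script below sorts wireless IDS alerts into the two classes the answer distinguishes: signatures the infrastructure can act on by itself (rogue containment, MAC block, which also shows that the response targets one source MAC rather than every client on the AP) and RF-level floods that can only be identified and escalated to a person according to a severity policy. The log line format, the signature names and the policy table are constructed for this example and are not Cisco's actual syslog format or signature list.

```python
"""Triage wireless IDS alerts into 'contain' vs 'alert for manual action'."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed log format for this example (NOT the real WLC/wIPS syslog format):
#   <timestamp> WIDS <signature> ap=<ap-name> src=<mac> [hits=<n>/<window>s]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) WIDS (?P<sig>[A-Za-z_]+) ap=(?P<ap>\S+) src=(?P<src>[0-9a-f:]{17})"
    r"(?: hits=(?P<hits>\d+)/(?P<win>\d+)s)?$"
)

LEVELS = ["low", "medium", "high"]

# Local response policy (constructed), following the distinction in the answer:
#   contain -> the infrastructure can act on its own (rogue containment, MAC block)
#   alert   -> RF-level floods can only be identified; a human acts per severity
POLICY = {
    "rogue_ap_on_lan": ("contain", "high",   "contain rogue AP (deauth)"),
    "rogue_ssid":      ("contain", "medium", "contain rogue SSID (deauth)"),
    "mac_spoof":       ("contain", "high",   "block MAC; the legitimate client is affected too"),
    "probe_flood":     ("alert",   "low",    "notify SOC; keep monitoring"),
    "beacon_flood":    ("alert",   "medium", "notify SOC; locate source via AP RSSI"),
    "cts_rts_flood":   ("alert",   "medium", "notify SOC; locate source"),
    "deauth_flood":    ("alert",   "high",   "page on-call; locate and remove source"),
}


@dataclass
class Triaged:
    ts: str
    signature: str
    ap: str
    src_mac: str
    mode: str       # "contain" or "alert"
    severity: str
    action: str
    scope: str      # who is affected by the automatic response, if any


def triage_line(line):
    """Parse one alert line; return None for lines that are not alerts."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    sig = m["sig"].lower()
    mode, sev, action = POLICY.get(
        sig, ("alert", "unknown", "unclassified signature; review manually"))
    # Floods with a very high per-window hit count are escalated one level.
    hits = int(m["hits"]) if m["hits"] else 0
    if mode == "alert" and hits >= 1000 and sev in LEVELS[:-1]:
        sev = LEVELS[LEVELS.index(sev) + 1]
    # Containment acts on one source MAC; floods get no automatic lockout at all,
    # so neither case locks out every user on the AP.
    scope = "single source MAC" if mode == "contain" else "no automatic lockout"
    return Triaged(m["ts"], sig, m["ap"], m["src"], mode, sev, action, scope)


def triage(lines):
    return [t for t in (triage_line(l) for l in lines) if t]


def summarize(triaged):
    """Count alerts per (mode, severity) for a quick dashboard view."""
    return Counter((t.mode, t.severity) for t in triaged)


# Constructed sample log (MAC addresses and AP names are made up).
SAMPLE_LOG = """\
2022-02-03T09:40:01Z WIDS probe_flood ap=AP-lobby-1 src=aa:bb:cc:00:00:01 hits=1500/10s
2022-02-03T09:40:05Z WIDS rogue_ap_on_lan ap=AP-lobby-1 src=aa:bb:cc:00:00:02
2022-02-03T09:40:09Z WIDS mac_spoof ap=AP-floor2-3 src=aa:bb:cc:00:00:03
2022-02-03T09:40:12Z WIDS deauth_flood ap=AP-floor2-3 src=aa:bb:cc:00:00:04 hits=300/10s
unrelated line that the parser should ignore
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for t in results:
        print(f"{t.ts} {t.signature:16} {t.mode:8} {t.severity:7} "
              f"{t.scope:20} -> {t.action}")
    print(summarize(results))
```

The policy table is where a site's own security policy goes: which signatures the controller is allowed to contain on its own, and which severities only raise a ticket or a page. Feeding real controller exports into `triage` would need the regex adjusted to the actual message format.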