
WIPS test using Honeypot in Kali Linux

Yuslivan
Level 1

Hello all,

 

I am currently installing Cisco wireless IPS (WIPS), in which the WIPS is integrated with Cisco Prime and the WLC. The installation is already done and I am trying to prove the WIPS feature that can prevent rogue APs. I'm using a honeypot running in Kali Linux to simulate rogue AP attacks.

When I run the simulation with the honeypot configured with the same SSID as the WIPS SSID, users (using laptops) trying to connect to the wireless network with that SSID are intercepted and connect to the Kali Linux honeypot SSID, and the user gets an IP address from the Kali Linux honeypot. When I try to reconnect to the wireless network, users still connect to the honeypot. The users' wireless connection goes back to the original SSID only when I turn off the honeypot service. This means that WIPS isn't running properly yet. I tried to check the Cisco Prime and WLC notification alerts, but they do not show that the attack is "contained".

 

The questions are:

- Why can't the WIPS intercept the rogue AP attack?

- Is it possible to get users back to the original SSID when they are already connected to the fake SSID?

- What should I configure or check in my WIPS/Prime to fix this WIPS installation?

- Can someone give me other references about configuring the honeypot and the WIPS installation?

 

Thanks,

Yuslivan

3 Replies

patoberli
VIP Alumni
On the WLC, what is your rogue containment policy?
Do you have APs running nearby on the same channel/frequency?

Hi patoberli,

Thanks for the reply.

1. The rogue containment policy is based on a rogue rule: contain malicious rogue APs detected with the same SSID.
2. No, we don't have any. In the testing room we have deployed just 1 monitor mode AP (Aironet 4800 series) and the honeypot AP (running on a laptop running Kali).

 

yus

I'm not entirely sure, but I think an AP in monitor mode only monitors and doesn't send any packets. For the protection you need to use client-serving APs on the same channel as the rogue AP.