ziamcaccna
Level 1

Hi,

I am new to Mobility. We are getting the below alerts. Please help me.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

NCS has detected a change in one or more alarms of category Security and severity Critical in Virtual Domain ROOT-DOMAIN.

The new severity of the following items is Clear:

1. Alarm Condition:Signature attack

Message: IDS 'Auth flood' Signature attack cleared on AP 'AP2-AP3502-04' protocol '802.11b/g' on Controller '100.100.100.51'. The Signature description is 'Authentication Request flood'.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

NCS has detected one or more alarms of category Security and severity Critical in Virtual Domain ROOT-DOMAIN for the following items:

1. Alarm Condition:Signature attack

Message: IDS 'Auth flood' Signature attack detected on AP 'AP2-AP3502-04' protocol '802.11b/g' on Controller '100.100.100.51'. The Signature description is 'Authentication Request flood', with precedence '5'. The attacker's mac address is 'd0:b3:3f:ad:de:c8', channel number is '1', and the number of detections is '300'.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

NCS has detected one or more alarms of category Security and severity Critical in Virtual Domain ROOT-DOMAIN for the following items:

1. Alarm Condition:Signature attack

Message: IDS 'Auth flood' Signature attack detected on AP 'AP1-AP3502-03' protocol '802.11b/g' on Controller '100.100.100.51'. The Signature description is 'Authentication Request flood', with precedence '5'. The attacker's mac address is '44:91:db:4e:87:c6', channel number is '1', and the number of detections is '300'


Sandeep Choudhary
VIP Alumni

Hi Zia, is this the only controller that you have? If there are multiple controllers, are they in the same mobility domain, and do the APs belong to the same or different RF groups?
Just check that the APs are on the same WLC and in the same RF group. If not, the APs may see each other as rogue devices.
Check what type/model of wireless client connects to the affected AP that is reporting this.
Check if the attack is still seen when you disable the radio of the attacker AP; if it is, get a wireless packet capture of the attack to find the spoofer's physical location and identify the DoS attacker.
A client with a bad driver spoofing the AP's MAC address and sending auth requests looks like what is happening here. Update the wireless client driver.

Workaround: You can blacklist that MAC under disabled clients (Security >> AAA >> Disabled Clients); this way, requests from that MAC are not forwarded to the WLC.

or

If you have a deauth issue, you can sniff the area where the AP is reporting it and see if it's the controller or something else.


If you do not want this to trigger at all:

Log in to the controller, then go to
Management > SNMP > Trap Controls > Security > 802.11 Security Traps > IDS Signature Attack (uncheck the box) and apply.

Regards
Hope it helps.
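As an added example (not from either poster), a small Python script that parses the NCS 'Signature attack' messages quoted above into fields and summarises them per attacker MAC and per AP, which is the triage a defender would do before working through the checks in the reply. It assumes the messages arrive in chronological order; the sample list is constructed from the three messages in the post.

```python
import re
from collections import defaultdict

# NCS "IDS ... Signature attack" message text as quoted in the post; the MAC/channel/count tail only appears on 'detected'.
ALARM_RE = re.compile(
    r"IDS '(?P<sig>[^']+)' Signature attack (?P<state>detected|cleared) on AP '(?P<ap>[^']+)' protocol"
    r" '(?P<proto>[^']+)' on Controller '(?P<wlc>[^']+)'(?:.*?attacker's mac address is '(?P<mac>[0-9a-fA-F:]{17})',"
    r" channel number is '(?P<chan>\d+)', and the number of detections is '(?P<count>\d+)')?")

def parse_alarm(msg):
    """Return the alarm fields as a dict, or None if msg is not an IDS signature alarm."""
    m = ALARM_RE.search(msg)
    if not m:
        return None
    a = m.groupdict()
    a["mac"] = a["mac"].lower() if a["mac"] else None
    a["chan"] = int(a["chan"]) if a["chan"] else None
    a["count"] = int(a["count"] or 0)
    return a

def triage(messages):
    """Per attacker MAC: APs/channels that saw it and total detections; plus (controller, AP, signature) alarms still open."""
    per_mac = defaultdict(lambda: {"aps": set(), "channels": set(), "detections": 0})
    open_alarms = {}
    for msg in messages:  # assumes messages are in chronological order
        a = parse_alarm(msg)
        if a is None:
            continue
        # a later 'cleared' for the same controller/AP/signature closes the alarm
        open_alarms[(a["wlc"], a["ap"], a["sig"])] = a["state"] == "detected"
        if a["state"] == "detected":
            rec = per_mac[a["mac"]]
            rec["aps"].add(a["ap"]); rec["channels"].add(a["chan"]); rec["detections"] += a["count"]
    return {
        "per_mac": {m: {"aps": sorted(v["aps"]), "channels": sorted(v["channels"]),
                        "detections": v["detections"]} for m, v in per_mac.items()},
        "still_open": sorted(k for k, is_open in open_alarms.items() if is_open),
    }

# Constructed sample in assumed chronological order, built from the three messages in the post.
SAMPLE_MESSAGES = [
    "IDS 'Auth flood' Signature attack detected on AP 'AP2-AP3502-04' protocol '802.11b/g' on Controller "
    "'100.100.100.51'. The Signature description is 'Authentication Request flood', with precedence '5'. "
    "The attacker's mac address is 'd0:b3:3f:ad:de:c8', channel number is '1', and the number of detections is '300'.",
    "IDS 'Auth flood' Signature attack detected on AP 'AP1-AP3502-03' protocol '802.11b/g' on Controller "
    "'100.100.100.51'. The Signature description is 'Authentication Request flood', with precedence '5'. "
    "The attacker's mac address is '44:91:db:4e:87:c6', channel number is '1', and the number of detections is '300'",
    "IDS 'Auth flood' Signature attack cleared on AP 'AP2-AP3502-04' protocol '802.11b/g' on Controller "
    "'100.100.100.51'. The Signature description is 'Authentication Request flood'.",
]
```

Running `triage(SAMPLE_MESSAGES)` shows one MAC per AP, so the two alarms are not a single client roaming between APs, and only the AP1 alarm is still open.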
