WLC 4400 and IDS attacks

Hi,
I have a WLC 4400 and a WCS 5.2. I'm receiving alarms about flood attacks and deauthentication attacks from a client. These alarms are detected by the IDS system. I'd like to know if there is any way to block this client.
Thanks a lot.

Thanks Sschmidt,
I saw this solution. The problem is that I must create an entry for every client. If there is any client that captures the WPA key and afterwards changes his MAC, I couldn't block them. Is that correct? I don't know how easy it is to capture authentication packets with a WLC.
Thanks
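The worry in the follow-up (a per-MAC entry is useless once the attacker changes address) is easy to demonstrate. Below is an added example, not code from this thread or from Cisco: a sliding-window flood detector with the same kind of parameters the controller's IDS signature file uses (a frame count within an interval, then a quiet period before re-alarming), run over constructed deauthentication frames. The thresholds, MAC addresses and frame timings are illustrative assumptions, and the `config exclusionlist add` syntax at the end is assumed from the AireOS CLI reference and should be checked against your release. Keyed on the transmitter address, the detector sees a fixed-source flood but misses a flood that rotates its source MAC every frame; keyed on the BSSID it catches both, which is the counter you want to alarm on before deciding whether a client exclusion entry is even the right response.

```python
"""Added example (not from the thread or from Cisco): a sliding-window
deauth/disassoc flood detector with WLC-signature-style parameters, run over
constructed frames. Shows why a per-source-MAC exclusion entry does not stop an
attacker who randomises the transmitter address, while an aggregate (per-BSSID)
counter still sees the flood."""
from collections import defaultdict, deque
from dataclasses import dataclass

# 802.11 management frame subtypes (frame control type 0)
DISASSOC = 0x0A
DEAUTH = 0x0C


@dataclass(frozen=True)
class Frame:
    ts: float      # capture time, seconds
    src: str       # transmitter address: unauthenticated, trivially spoofed
    bssid: str     # AP the frame is aimed at
    subtype: int


class FloodDetector:
    """Raises one alarm per key when >= freq frames arrive within `interval`
    seconds; re-arms for that key after `quiet` seconds. Values are illustrative
    assumptions, not Cisco's signature defaults."""

    def __init__(self, key, freq=50, interval=1.0, quiet=300.0):
        self.key, self.freq, self.interval, self.quiet = key, freq, interval, quiet
        self.windows = defaultdict(deque)   # key -> timestamps inside the window
        self.raised_at = {}                 # key -> ts of the last alarm
        self.alarms = []                    # (ts, key)

    def observe(self, frame):
        if frame.subtype not in (DEAUTH, DISASSOC):
            return False
        k = self.key(frame)
        win = self.windows[k]
        win.append(frame.ts)
        while frame.ts - win[0] > self.interval:   # drop frames older than the window
            win.popleft()
        last = self.raised_at.get(k)
        if len(win) >= self.freq and (last is None or frame.ts - last >= self.quiet):
            self.raised_at[k] = frame.ts
            self.alarms.append((frame.ts, k))
            return True
        return False

    def run(self, frames):
        for f in frames:
            self.observe(f)
        return [k for _, k in self.alarms]


def flood(n, src_for, bssid="00:24:c4:8f:79:b0", start=0.0, gap=0.005):
    """Constructed flood: n deauth frames `gap` seconds apart, source chosen by src_for(i)."""
    return [Frame(start + i * gap, src_for(i), bssid, DEAUTH) for i in range(n)]


FIXED = flood(60, lambda i: "aa:bb:cc:dd:ee:01")              # one spoofed station
ROTATING = flood(60, lambda i: f"02:00:00:00:00:{i:02x}")   # new MAC every frame
NORMAL_LEAVE = flood(8, lambda i: "aa:bb:cc:dd:ee:02")      # a client wandering out of range


def compare():
    per_src = lambda: FloodDetector(key=lambda f: f.src)
    per_bss = lambda: FloodDetector(key=lambda f: f.bssid)
    return {
        "fixed_src_alarm": per_src().run(FIXED),
        "rotating_src_alarm": per_src().run(ROTATING),   # empty: no single MAC reaches freq
        "fixed_bss_alarm": per_bss().run(FIXED),
        "rotating_bss_alarm": per_bss().run(ROTATING),   # still caught on the aggregate
        "normal_bss_alarm": per_bss().run(NORMAL_LEAVE),
    }


def exclusion_commands(macs):
    """AireOS `config exclusionlist add <mac>` lines (syntax assumed from the CLI
    reference; check your release). Ineffective against a rotating address."""
    return [f"config exclusionlist add {m}" for m in sorted(set(macs))]


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name:22s} {hits}")
    print("\n".join(exclusion_commands(f.src for f in FIXED)))
```

The practical consequence for the original question: an exclusion entry built from the alarm's reported MAC only stops a lazy attacker. A deauth frame carries no authentication (on the 802.11 revision these controllers implement), so the source address in the alarm is whatever the attacker chose to put there; treat the alarm as a signal to locate the transmitter by the reporting APs, not as an identity to block.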

Similar Messages

  • WLC 4400 and IDS/IPS

    One of my clients is keen to know the IDS/IPS capabilities with WLC 4400. Any hints? Also can anyone explain IDS sensor to me? Thank you.

    There are a number of IDS capabilities that are highlighted regarding the WLC. Unfortunately, you will find that the product continues to suffer from ongoing false positives and a severe lack of documentation (and support) for the IDS.
    For example, if you utilize containment against a rogue AP (which is used to prevent users from attaching to the rogue), the system detects its own containment messages as a denial of service attack. The system is not intelligent enough to know that it is the source of these messages and ignore them.
    Initially, Cisco flagged these false positives as "cosmetic" and claimed that to fix them required a "feature request that must be run through the Cisco sales team", which we did in the spring of 07. Cisco has been VERY slow in coming around on getting these fixed (it has been well over a year since these have been documented and they are still not resolved in the current version of 4.2).
    The Wireless IDS system is also famous for other false alarms which Cisco TAC has linked to alarming on normal behavior when a client goes out of range and a string of deauthentication messages is sent to make sure that the conversation has ended. The WLC 4.2 continues to flag these as false-positive denial-of-service attacks even though the IDS parameters could be adjusted (from the factory) to account for the known 64 repeated deauths that are sent.
    The IDS file is capable of "tuning" but the parameters are very lightly documented. In fact, the IDS parameter file itself has the least sparse version of the documentation, and it is a text file only 200 lines long.
    In terms of determining if a rogue AP is on-wire, this functionality does not work reliably (not just when there is no path on the wired network to the controller, which is understandable) but even if the rogue AP is on the same subnet as the controller. It just plain does not work.
    If you are attempting to determine if there are clients on the rogue AP, this mechanism works with limited success since the AP has to catch the client attaching during its brief scan interval. This results in misleading information.
    There are other false alarms that appear to be related to a specific chipset (using the OUI / first octets of the MAC address). However, there has been very little movement on Cisco's part in getting these anomalies addressed. The basic attitude has been "if we didn't see it in our lab in San Jose when we wrote the code, there's nothing we can do". Since the IDS lacks any ability to "phone home" (sending the alarms it is seeing to the development team) they end up having to develop in a relatively limited environment.
    For more information, please reference the following:
    Wireless LAN Controller IDS Signature Parameters
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008063e5d0.shtml
    I would send you the link to some of the bugs, such as CSCsj06015, CSCsh35010, CSCsk60655, etc., but the Cisco bug tool ( http://tools.cisco.com/Support/BugToolKit/ ) is currently not working (no doubt the system is getting overworked). Maybe the site will be up when you read this.
    In the interest of fairness, there have been efforts over the past year by Cisco to address these false alarms and a number of them appear to finally be resolved.
    Bottom line: In my opinion, the wireless IDS is still not ready for prime time. To quote my customer, "I just can't trust it". Unless you set your customer's expectations fairly low, you will both end up disappointed.
    That said, the product itself still has many compelling reasons to implement it including ease of installation and management. If you are willing to wade through the various bugs in the IDS and WCS it still is the best game in town.
    - John

  • WLC 4400 and multiple authentication servers e.g. RADIUS, ACS

    Can the WLC 4400 be set up to use multiple RADIUS servers? The user accounts for accessing wireless would use a RADIUS server. The administrative accounts for the WLC would reside on an ACS server.

    Yes, that is correct. You can set acs to use both radius and tacacs.
    For this you need to add WLC twice in acs-->network configuration. But you need to keep host name different.
    eg 1) Host name WLC --->IP x.x.x.x -->Auth using -->radius
    2) Host name WLC1--->IP x.x.x.x --->Auth using -->Tacacs.
    You need to set up tacacs commands on WLC along with radius commands.
    Regards,
    ~JG
    Please rate helpful posts

  • WLC 4400 and WLC 5500

    We have a site with a WLC 4400 and we would like to setup a Controller failover. The WLC 4400 is EOS/EOL and the replacement available is WLC 5508. Can someone advice me on how to configure these units in Primary /Secondary mode so that if any of the Controllers fail, the other one can take over?
    Thanks,

    Hi Akil,
    You are most welcome
    Yes, you can configure 4400's and 5500's in a redundant configuration, but both should be running the same code version. I believe the latest version that is compatible for both is 7.0.220.0; this is the last version that supports the 4400 series.
    Here's a note that reflects the support;
    Note
    Controllers do not have to be of the same model to be a member of a mobility group. Mobility groups can be comprised of any combination of controller platforms.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html
    Cheers!
    Rob
    "Show a little faith, there's magic in the night" - Springsteen

  • WLC 4400 and 5500 Fail-over

    Can we do the same thing with WLC 4400 and 5500 series for failover? We have 1 existing 4400 WLC and we wanted to purchase another 1 for fail-over as well as backup. But right now, the 4400 is EOL already. The only option is to have the 5500 WLC.
    So if you do have a previous set-up like this, I would need your inputs. Otherwise, as usual, I'm going to test to work this out.

    You can have both in a primary and backup, but make sure they are on the same code version. I'm assuming that you also have the configuration correct for the two wlc to communicate.
    I would put them both on the 7.0.220.0.
    Sent from Cisco Technical Support iPhone App

  • Preventive maintenance WLC 4400 and 5500?

    Hi good morning,
    I'm asking for help in order to do preventive maintenance for WLC 4000 and 5500.
    The main problem is: can I open the WLC's and clean all the circuits they have inside? Or must I only clean the outside of the WLC?
    And I would like to know if there is documentation about this topic.
    thanks.

    thanks
    I thought of opening the WLC and using compressed air to remove dust only.
    But as you mentioned, it would be better not to open it.
    Greetings

  • WLC 4400 and supported APs

    Hello.
    Does anyone know which indoor APs are still sold by Cisco and supported by a 4400 WLC? From my research I only found 3500.
    Thanks in advance,
    João.

    The complete list of APs which can be supported on the 4400 can be found here.

  • WLC 4400 and RADIUS accounting

    Have trawled what docs there are and can't find out if the RADIUS accounting messages from the 4400 include the name of the lightweight AP handling the user session.
    I'm guessing there might be a new Cisco VSA for it.
    Anyone know?
    Thanks

    The error message could be because of any unused protocol.

  • WLC 4400 and user authentication

    I would like to know if it's possible to configure/use the WLC4400 to authenticate users from an LDAP database. Currently I have an LDAP server with a VPN 3020 box to control user access for the WLAN. Is there any way that I could set up the 4400 box with my existing LDAP server without using the VPN 3020?
    Thanks in advance.

    You'll need a radius middle man. ACS will do it natively.

  • WLC 4400 and LAP 1131 radio reset daily at 2 P.M.

    192 Tue Mar 25 14:35:46 2014 AP's Interface:0(802.11b) Operation State Down: Base Radio MAC:00:24:c4:1d:11:10 Cause=Radio interface reset. Status:NA
    193 Tue Mar 25 14:35:46 2014 AP's Interface:0(802.11b) Operation State Up: Base Radio MAC:00:24:c4:8f:79:b0 Cause=Radio reset due to Init. Status:NA
    194 Tue Mar 25 14:35:46 2014 AP's Interface:1(802.11a) Operation State Up: Base Radio MAC:00:24:c4:8f:82:e0 Cause=Radio reset due to Init. Status:NA
    195 Tue Mar 25 14:35:46 2014 AP's Interface:0(802.11b) Operation State Up: Base Radio MAC:00:24:c4:8f:82:e0 Cause=Radio reset due to Init. Status:NA
    196 Tue Mar 25 14:35:46 2014 AP 'LAP-2F-2_54f8', MAC: 00:24:c4:8f:7f:40 disassociated previously due to AP Reset. Uptime: 15 days, 12 h 03 m 31 s . Last reset reason: operator changed 11g 
    ==================================================================================================================
    *apfReceiveTask: Mar 25 14:35:46.949: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
    *spamReceiveTask: Mar 25 14:35:46.628: %LOG-3-Q_IND: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
    *apfReceiveTask: Mar 25 14:35:46.554: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
    *spamReceiveTask: Mar 25 14:35:46.042: %LOG-3-Q_IND: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
    *apfReceiveTask: Mar 25 14:35:45.971: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 
    *apfReceiveTask: Mar 25 14:35:45.321: %RRM-3-RRM_LOGMSG: rrmChanUtils.c:290 RRM LOG: Airewave Director: Could not find valid channel lists for 802.11bg 

    Similar issue resolved here
    https://supportforums.cisco.com/discussion/11015036/ap1141-rebooting-constantly

  • WLC 4400 Not authetnicating between GUEST and Private networks

    Hello,
    I have a problem. I have a WLC 4400 and the problem I'm encountering is that when a user authenticates to the private network, and then tries to authenticate to the Guest network, it just stays there, it doesn't do anything. Same the other way around: if you authenticate to the Guest network and change to the private network, it just sits there. I'm pointing at authentication as the problem, but I'm not sure if I'm correct.
    Can anyone help me?? What information will I need to retrieve from the WLC to see where the problem lies??
    I will get the debug mac addr <client-MAC-address xx:xx:xx:xx:xx:xx> and repeat the issue in order to see if I get anything from the client.
    Thanks for the help
    Tony

    Thanks for the help.
    Actually the problem was that the WLC had the wrong time and also we had a 24 hour lease on our DHCP, so we were running low on IPs.
    Changed the lease to 8 hours and set the time correctly and the issue got solved.
    Thanks.

  • WLC 4400 question

    Hi
    The scenario is as follows:
    We deployed a WLAN with a WLC 4400 and several LWAPs. The main configuration includes 2 SSIDs, one for guest access (internet and limited access to internal resources) and one with complete access to the internal resources. For the "guest" SSID the access control is done through an ACL placed in the core Cat 6500 switch. This ACL blocks access from "guests" to several subnets including the subnet where the WLC resides.
    No "guest" WLAN user can ping or access any host located in the subnet where the WLC is configured, but they can ping and access the WLC via https!!!
    The goal is to block access to the WLC for "guest" users, and let the WLAN users with complete access manage the WLC wirelessly.
    Can this be done?
    I know that wireless administration can be enabled or disabled, but it applies to all the WLAN users, not just the "guest" users.
    Any idea or suggestion is quite welcome
    Roger

    Hi Roger,
    You can configure a CPU ACL if you are running the 4.0 release on your controller. In the CPU ACL you can deny telnet as well as HTTP access from the client subnet to the management IP address of the controller, which will block guest users from accessing the controller via web or CLI, and you can also block ICMP traffic from the guest user subnet to the controller IP address.
    You can configure the ACL from the CLI or web, but to apply that ACL to the CPU you can do it via the CLI only.
    HTH
    Ankur
    *Pls rate all helpful posts
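Roger's symptom (the 6500 ACL blocks the rest of the subnet but not the controller) is consistent with the controller answering wireless-client traffic to its own management address locally, so the core switch never gets a chance to filter it; that is why Ankur's CPU ACL is the right layer. The part that bites people is rule order and the implicit deny: like the controller's other ACLs, a CPU ACL denies anything no rule permits, so a list that only contains guest denies also cuts the admin subnet off from HTTPS, SSH and ping. The following is an added example, not code from this thread or from Cisco: a small evaluator for an ordered permit/deny list with an implicit deny at the end, used to check a CPU ACL design against sample packets before typing it into the controller. The subnets, the management address and the sample packets are assumptions for illustration.

```python
"""Added example (not from the thread or from Cisco): an evaluator for an ordered
permit/deny list with a WLC-style implicit deny at the end, used to sanity-check a
CPU ACL design against sample packets before applying it to the controller.
Addresses, subnets and rule order are illustrative assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" | "udp" | "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                # "permit" | "deny"
    src: str                   # CIDR, or "any"
    dst: str
    proto: str = "any"
    dport: Optional[int] = None   # None = any port

    def matches(self, p):
        return (_in(p.src, self.src) and _in(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def _in(addr, cidr):
    if cidr == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, p):
    """First match wins; no match -> implicit deny, reported with index None."""
    for i, r in enumerate(rules, 1):
        if r.matches(p):
            return r.action, i
    return "deny", None


MGMT = "10.1.10.5/32"     # controller management address (assumed)
GUEST = "10.1.50.0/24"    # guest SSID client subnet (assumed)
CORP = "10.1.20.0/24"     # full-access SSID client subnet (assumed)

# Tempting but wrong: only guest denies. Because of the implicit deny, every other
# source, including the admin subnet, also loses HTTPS/SSH/ICMP to the controller.
GUEST_ONLY = [
    Rule("deny", GUEST, MGMT, "tcp", 443),
    Rule("deny", GUEST, MGMT, "tcp", 22),
    Rule("deny", GUEST, MGMT, "icmp"),
]

# Corrected: keep the explicit guest denies, then permit exactly what the admin
# subnet needs, and let the implicit deny handle everything else (telnet included).
HARDENED = GUEST_ONLY + [
    Rule("permit", CORP, MGMT, "tcp", 443),
    Rule("permit", CORP, MGMT, "tcp", 22),
    Rule("permit", CORP, MGMT, "icmp"),
]

# Constructed sample traffic toward the controller.
SAMPLE = {
    "guest_https": Packet("10.1.50.23", "10.1.10.5", "tcp", 443),
    "guest_ping": Packet("10.1.50.23", "10.1.10.5", "icmp"),
    "corp_https": Packet("10.1.20.7", "10.1.10.5", "tcp", 443),
    "corp_telnet": Packet("10.1.20.7", "10.1.10.5", "tcp", 23),
}


def verdicts(rules):
    """Map each sample packet name to the action the ACL would take."""
    return {name: evaluate(rules, p)[0] for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for label, acl in (("guest-only", GUEST_ONLY), ("hardened", HARDENED)):
        print(label, verdicts(acl))
```

Two caveats before applying anything like this on a real controller: the CPU ACL also governs other traffic destined to the controller itself, so check the release's CPU ACL documentation for which infrastructure flows (AP join, AAA, SNMP from WCS) need explicit permits, and apply the ACL from a session that is not itself subject to it, verifying from a full-access client before you log out.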

  • WLC 4400

    Hi,
    Can anyone tell me the detailed procedure/doc to remove software version 6 from a WLC 4400 and install the lower version 5.1?
    Thank you!

    Sorry for the late response.
    Actually I found the version 5.1 software is still on the controller as backup, so I just made this one as ACTIVE.
    The reason I changed it back is that web authentication against RADIUS didn't work - it didn't accept the username/pwd. After comparing the logs on the RADIUS server, the only difference is that version 6 sent NAS-Port-Type: Wireless - IEEE 802.11 to RADIUS but version 5 doesn't. Any idea?
    Thanks!

  • IDS feature on WLC 4400 series

    Hi Everyone,
    I'd like to ask about the IDS feature on WLC 4400 series.
    What will the WLC do if it detects an attack specified in the Standard IDS signature ? Will the WLC shutdown the client or just report it ?
    Thank you

    The intrusion-detection-system (IDS) signature engine on controllers and on the Cisco WCS automatically eliminates duplicate alerts for rogue access points, rogue clients, and IDS signatures that previously occurred when two or more access points detected the same attacker. Now instead of one IDS alert from each detecting access point, a single alert is generated for the attack.
    Intrusion detection, location, and containment preserve the integrity of wireless networks and sensitive corporate information. When an associated client sends malicious traffic, a Cisco wired IDS device detects the attack and sends shun requests to Cisco Wireless LAN Controllers, which then disassociate the client device.

  • WLC 4400 4.2.176.0 Ver and Windows Vista

    We recently upgraded our WLC 4400s to 4.2.176.0. This was requested by Cisco. When the students returned from Christmas break, any student running Vista is able to authenticate to the AP, get an appropriate IP address and DNS configuration, but cannot get to any network resources, including Internet. If we hard code the DNS information in the wireless card TCP/IP Properties, the user can get to some Internet sites, but no HTTPS pages.
    All XP and MAC machines appear to be working fine.
    Any thoughts?

    The problem is that it's not deauthenticating the user, it's just dropping completely and disabling Windows Zero Configuration in the services. I do not know how or what in the WLC would do this? I really don't think this is anything that I can control. I am guessing that there is an internal conflict on the PC. I have been told that the image used to image the machine has had the manufacturer's wireless client utility removed. I did find a DW Utility in the services list. I think that is my problem. I did however go ahead and upgrade them to 5.2.193. All I can do is have the customer monitor and see what happens. Will post an update when I get one.
