IDS Signature attack detected on a Wireless Network

Unanswered Question
May 9th, 2007

Hello all

I have a little Wireless netwok ( 1 WLC 2200 and 6 AP 1100 series )and since few days I have the following message :" IDS Signature attack detected. Signature Type:Standard, Name: Assoc flood, Description: Association Request flood, Track:per-signature, Detecting AP Name: AP3, Radio Type: 802.11b/g, Preced:4,Hits: 50, Channel: 6, srcMac: 00:16:6F:49:C6:8A " and don't know how to resolve !

Help is welcome !

Thanks a lot

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
mghcisco Wed, 05/09/2007 - 13:27

I just received the following from TAC today:

In regards to the "IDS 'Disassoc flood' Signature attack detected on AP" log, please refer to following bug:


IDS:AP impersonation alerts against own AP mac address


WLC is reporting AP impersonation alerts for the same MAC address of the AP.

Tha MAC address corresponds to the first WLAN configured

AP Impersonation with MAC 'xx:xx:xx:xx:xx:xx' is detected by authenticated AP 'xx:xx:xx:xx:xx:xx' on '802.11b/g' radio and Slot ID '0'.

The event can be triggered if AP can hear itself due to RF conditions, and there is no AP authentication enabled in controllers


Enable "AP Authentication feature" and trigger set to 2. (Requires CCO Login)

Please go into your controller GUI>>Security>>Wireless Protection

Policies>>AP Authentication/MFP and for Protection Type set that to AP

Authentication and trigger set to 2

derek.james Fri, 10/05/2007 - 11:46

I am running MFP on my WLC.

I recieved the same error message with MFP anomolies (NO MIC). Under wireless peotecion policies I have MFP enabled. Should I disable MFP and change it to AP authentication?


This Discussion



Trending Topics - Security & Network