05-09-2007 04:06 AM - edited 07-03-2021 02:02 PM
Hello all
I have a little Wireless netwok ( 1 WLC 2200 and 6 AP 1100 series )and since few days I have the following message :" IDS Signature attack detected. Signature Type:Standard, Name: Assoc flood, Description: Association Request flood, Track:per-signature, Detecting AP Name: AP3, Radio Type: 802.11b/g, Preced:4,Hits: 50, Channel: 6, srcMac: 00:16:6F:49:C6:8A " and don't know how to resolve !
Help is welcome !
Thanks a lot
05-09-2007 04:13 AM
What version of code are you running on the 2002?
05-09-2007 01:27 PM
I just received the following from TAC today:
In regards to the "IDS 'Disassoc flood' Signature attack detected on AP" log, please refer to following bug:
Title:
IDS:AP impersonation alerts against own AP mac address
Symptom:
WLC is reporting AP impersonation alerts for the same MAC address of the AP.
Tha MAC address corresponds to the first WLAN configured
AP Impersonation with MAC 'xx:xx:xx:xx:xx:xx' is detected by authenticated AP 'xx:xx:xx:xx:xx:xx' on '802.11b/g' radio and Slot ID '0'.
The event can be triggered if AP can hear itself due to RF conditions, and there is no AP authentication enabled in controllers
Workaround:
Enable "AP Authentication feature" and trigger set to 2.
http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCsg44344 (Requires CCO Login)
Please go into your controller GUI>>Security>>Wireless Protection
Policies>>AP Authentication/MFP and for Protection Type set that to AP
Authentication and trigger set to 2
05-09-2007 02:41 PM
Wow, I was also getting these alerts. I just implemented the suggestion and will see how it goes.
10-05-2007 11:46 AM
I am running MFP on my WLC.
I recieved the same error message with MFP anomolies (NO MIC). Under wireless peotecion policies I have MFP enabled. Should I disable MFP and change it to AP authentication?
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: