WCS Alarms

Unanswered Question
Feb 23rd, 2010
User Badges:

Hi ,


Iam getting continueous alarm message on my WCS Server..


The messeges are "  IDS 'NetStumbler generic' Signature attack cleared on AP " and " AP Impersonation " both are says critical alarms.


Please help me on how to resolve this alarms to stop generating.



Thanks & Regds,


Lalit

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Milton Tizoc Mon, 03/01/2010 - 10:39
User Badges:

Hi Lalit,

Which version of WLC do you have? those messages appears in all of your ap's or only in some ones?

Best Regards,

Milton Tizoc.

sschmidt Wed, 03/10/2010 - 11:29
User Badges:
  • Cisco Employee,

Hello,


Do a search in this document for netstumbler for an explanation of the IDS signature causing this alarm:


http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5sol.html


The AP impersonation alarm is triggered by an snmp trap sent by the WLC. The trap sent is:


bsnAPImpersonationDetected.


This happens when a radio of an authenticated access point has heard from another
access point whose MAC address neither matches that of a rogue nor is it an authenticated
neighbor of the detecting access point.


On aggressive environments, a helpful feature is to enable access point authentication with
a threshold of 2. This enables you to detect possible AP impersonation and minimize false
positive detections.


This is how to configure it from the CLI of the Wireless Lan Controller (WLC):


config wps ap-authentication enable
config wps ap-authentication threshold 2


Finally, you can change the severity of the AP impersonation alarm in WCS from critical to
lower so you are not alerted. This can be done from Administration > Settings > Severity Configuration.

Actions

This Discussion