Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

zia.ahmad@broadridge.com

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

NCS has detected a change in one or more alarms of category Security and severity Critical in Virtual Domain ROOT-DOMAIN.

The new severity of the following items is Clear:

Hi,

I am new to Mobility. We are getting below alerts. Please help me

1. Alarm Condition:Signature attack

Message: IDS 'Auth flood' Signature attack cleared on AP 'AP2-AP3502-04' protocol '802.11b/g' on Controller '100.100.100.51'. The Signature description is 'Authentication Request flood'.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

NCS has detected one or more alarms of category Security and severity Critical in Virtual Domain ROOT-DOMAIN for the following items:

1. Alarm Condition:Signature attack

Message: IDS 'Auth flood' Signature attack detected on AP 'AP2-AP3502-04' protocol '802.11b/g' on Controller '100.100.100.51'. The Signature description is 'Authentication Request flood', with precedence '5'. The attacker's mac address is 'd0:b3:3f:ad:de:c8', channel number is '1', and the number of detections is '300'.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

NCS has detected one or more alarms of category Security and severity Critical in Virtual Domain ROOT-DOMAIN for the following items:

1. Alarm Condition:Signature attack

Message: IDS 'Auth flood' Signature attack detected on AP 'AP1-AP3502-03' protocol '802.11b/g' on Controller '100.100.100.51'. The Signature description is 'Authentication Request flood', with precedence '5'. The attacker's mac address is '44:91:db:4e:87:c6', channel number is '1', and the number of detections is '300'

1 REPLY
VIP Purple

zia.ahmad@broadridge.com

HI Zia,This is only one controller that you have? If multiple controllers, are they on same mobility domain or Do they (APs) belong to same or different RF groups?
Just check the APs are on same WLC and on same RF group. If not, then the APs may see each other as rogue devices
Check what type/model wireless client connect to the affected AP reporting this AP.
Check If you disable the radio of the attacker AP still the attack is seen, if seen get the wireless packet capture of the attack to find the spoofer's physical location and ID the DoS attacker.
Client with bad driver spoofs AP's mac address and sends auth request, looks like that's what happening here. update the w.less client driver.

Workaround: You can blacklist that MAC under disabled client(Security>> AAA>> disabled clients), this way all request from that MAC doesn't get forwarded to WLC.

or

If you have a deauth issue you can sniff the area where the ap is reporting and see if its the controller or something else.


If you want this to trigger not at all:

Then login to controller then go to
Management > SNMP> Trap Controls >Security> 802.11 Security Traps > IDS Signature Attack( uncheck the box) and apply.

Regards
Hope it helps.

226
Views
0
Helpful
1
Replies
CreatePlease login to create content