In WCS, I see that we can set a severity level for rogue APs, which is minor by default. What I'd like to do is set APs classified as Malicious Rogues (based on the rogue policies) to have a different severity -- critical to be specific. The goal here is to have an email trigger based on rogue AP detection, but only for those classified as malicious. How do I accomplish this?
In WCS 7.0.98, under Administration-->Setting-->Severity Configuration, only 3 Alarm conditions are listed under the Rogue AP Alarm Category:
1. Rogue detected on the network
2. Rogue detected
3. Rogue detected contained
There's no Alarm condition for malicious rogue AP, so you can't use malicious Rogue AP as a condition of the Rogue AP Alarm Category and change its severity level to critical. When you configure Email Notification under Monitoring-->Alarm, you can only select Rogue AP as the Alarm Category and critical as the Severity Level. So based on that, I don't think it can be achieved with the current version; you probably need to open a TAC case and will probably be told to contact Cisco's account team to go through the process of a Product Enhancement Request.
Sounds like we have the exact same issue. We can create rules/policies that will put the alarms in the Malicious category, but not send emails on just those.
Emails get sent out on all rogues, though we can select just Critical and Major, excluding Minor. So since we are not receiving any Critical or Major alarms, I tried to find a change in Severity Configuration for these alarms but was unable to.
For now it looks like we're going to have to manually check the alarms in the Malicious category. But this raises concerns, like ones that are not detected immediately while users attempt to connect to a malicious AP with our SSID, and also ones that aren't up when we check, so they are cleared and not showing in the list when we check.
A possible alternative solution would be to have WCS send SNMP traps to a 3rd-party monitoring system, which could be configured to trigger an alert if it receives a notification indicating a new rogue AP has been detected and classified as malicious. This is from the WCS MIB file:
SYNTAX OCTET STRING (SIZE (1..1024))
"This object represents the specialized attributes required
to describe the network condition identified by
cWNotificationType. These include SNR, RSSI, channel information
etc. This value is formatted as 'name=value' pairs in CSV
format. For example, rogueAP Alert's special attributes are sent
as 'detectingAPRadioType=a0,YCoordinate=0, state=11,
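The 'name=value' CSV format described in the MIB excerpt above can be parsed on the trap receiver as sketched here. This is an added example, not part of the original posts and not Cisco code: the function names are hypothetical, the sample payloads are constructed, and which classificationType value (if any) marks a malicious rogue is not stated on this page, so it is passed in as a parameter.

```python
"""Parse the cWNotificationSpecialAttributes string carried in a WCS trap."""


def parse_special_attributes(raw):
    """Split 'name=value' CSV pairs into a dict, tolerating stray spaces,
    empty fields and trailing commas. Returns (attrs, malformed_tokens).
    Limitation: a value that itself contains a comma cannot be recovered."""
    if isinstance(raw, bytes):  # an OCTET STRING usually arrives as bytes
        raw = raw.decode("ascii", errors="replace")
    attrs, malformed = {}, []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        name, sep, value = token.partition("=")  # value may contain '='
        name = name.strip()
        if not sep or not name:
            malformed.append(token)  # keep for logging, do not guess
            continue
        attrs[name] = value.strip()
    return attrs, malformed


def classify_trap(raw, malicious_values, attr_name="classificationType"):
    """Return 'malicious', 'other' or 'unclassified' for one trap payload.
    malicious_values is an operator-supplied assumption: the MIB excerpt does
    not say which classificationType value denotes a malicious rogue."""
    attrs, _ = parse_special_attributes(raw)
    value = attrs.get(attr_name)
    if value is None:
        return "unclassified"  # the trap carries no classification at all
    return "malicious" if value in malicious_values else "other"


# Constructed sample payloads, modelled on the MIB's example string.
SAMPLE_WITH_CLASS = b"detectingAPRadioType=a0,YCoordinate=0, state=11, classificationType=3,"
SAMPLE_NO_CLASS = "detectingAPRadioType=a0,YCoordinate=0, state=11"

if __name__ == "__main__":
    for payload in (SAMPLE_WITH_CLASS, SAMPLE_NO_CLASS):
        # "9" is a placeholder, not a documented code for "malicious".
        print(parse_special_attributes(payload)[0], classify_trap(payload, {"9"}))
```

The 'unclassified' result separates traps that carry no classification attribute from traps classified as something else, which is the distinction a receiver-side filter needs before it can alert on anything.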
I have read this MIB previously, however couldn't find the attribute for Malicious and friendly rogue under rogue alert. Do you know where we can find the detailed definition of rogueAP Alert under cWNotificationSpecialAttributes? I noticed in the example, it says "classificationType=3". Is it only used to identify rogue, or is there another classificationType value that can represent Malicious rogue and friendly rogue?
Actually I had opened a TAC case for it, and yesterday TAC just gave me a confirmation that:
1. It is not possible to define an alarm condition for friendly and malicious in WCS, so can't filter it in the packets sent from WCS to HPOVO (configured as the notification receiver in WCS).
2. In the trap alarm packets sent from WCS to HPOVO, there's no varbind defining malicious rogue and friendly rogue, so can't use it as a condition to filter in the HPOVO.
And TAC will inform Cisco WNBU about future changes in this context.