Hi, I've recently installed a WLC 4402 and about 19 1242AG APs. The wireless clients accessing the network are all Symbol MC-9090 handheld scanners. Several times a day I get the following alert in the WLC Log, followed by a cleared message about 10 minutes later:
The AP name and MAC changes, and usually 4 or 5 of our APs send this message all at once. The MAC addresses being listed are the Symbol scanners and other APs in the general area of the detecting AP. The scanners are accessing an SAP application via HTTP.
What is causing these messages, and how do I adjust the WLC to not think these scanners/APs are trying to attack the network?
More likely, this is another example of a false-positive generated by the wireless IDS.
From discussions with Cisco TAC it would appear that there are a number of client behaviors that vary from wireless client to wireless client.
At times, while not actual attacks (in the sense that someone is attempting to attack your network), the RF traffic generated by these clients will match some of the pre-programmed criteria in the Wireless IDS signature file - resulting in a false positive.
The values in the signature file can be adjusted. For example, you might want to adjust some of the parameters so that more of these messages need to happen in the same time frame before they are considered an alarm, etc.
However, you will want to be careful so as not to adjust the values in such a way that the alarm is effectively disabled.
If your experience is like ours, questions to Cisco TAC (even their tier 3 personnel) regarding how to tune this signature file without accidentally disabling an alarm will result in an awkward silence at the other end of the phone - as they do not appear to have any idea as to how to tweak the file.
Also, as pointed out in the forum in other posts, there does not appear to be any meaningful documentation pertaining to what these alarms are (their actual potential security threat, etc.) as well as what might cause them (intentionally and accidentally).
To date, I have been unable to find any meaningful published documentation, urban legend, or colorful anecdote providing guidance as to how an administrator might "tune" these parameters without breaking the system.
Currently, the best (i.e. least sparse) form of documentation is in the comments section of the signature file itself.
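As an added illustration of the tuning trade-off described above (this is not code from the thread, from Cisco, or from the WLC signature file; the parameter names freq, interval and quiet are generic assumptions, not the file's real keywords), the following sliding-window rate detector shows how raising the frames-per-interval threshold silences a short benign burst from a scanner while still catching a flood, and how raising it too far leaves the signature unable to fire at all:

```python
from collections import deque

def count_alarms(frame_times, freq, interval, quiet):
    """Sliding-window rate detector in the style of a frames-per-interval IDS signature.

    frame_times: sorted timestamps (seconds) of frames matching a signature pattern
    freq:        number of matching frames inside `interval` seconds that raises an alarm
    interval:    window length in seconds
    quiet:       hold-off in seconds after an alarm during which repeats are suppressed
    Returns the list of timestamps at which an alarm would be raised.
    (Assumed semantics for illustration; not the WLC's actual signature engine.)
    """
    window = deque()
    alarms = []
    suppressed_until = float("-inf")
    for t in frame_times:
        window.append(t)
        # Drop frames that have fallen outside the interval window.
        while window and t - window[0] > interval:
            window.popleft()
        if len(window) >= freq and t >= suppressed_until:
            alarms.append(t)
            suppressed_until = t + quiet
            window.clear()  # start counting afresh after an alarm
    return alarms

# Constructed sample traffic (not captured data):
# a handheld scanner that emits a short burst of matching frames, then goes quiet,
# and a synthetic flood of the kind a rate-based signature is meant to catch.
SCANNER_BURST = [0.0, 0.2, 0.4, 0.6, 0.8, 0.9]      # 6 frames inside 1 s, then silence
FLOOD = [100.0 + i * 0.05 for i in range(60)]       # 60 frames in 3 s

def scanner_alarms(freq, interval=1.0, quiet=300):
    return count_alarms(SCANNER_BURST, freq, interval, quiet)

def flood_alarms(freq, interval=1.0, quiet=300):
    return count_alarms(FLOOD, freq, interval, quiet)

if __name__ == "__main__":
    for freq in (5, 10, 25):
        print(f"freq={freq:2d}: scanner alarms={len(scanner_alarms(freq))}, "
              f"flood alarms={len(flood_alarms(freq))}")
```

With freq=5 the scanner burst alarms (the false positive), with freq=10 only the flood alarms, and with freq=25 nothing alarms because at most about 21 frames ever fit in a one-second window, which is the "effectively disabled" outcome the answer warns about.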