Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
WLCCA download link:
To request access to WLCCA tool, please send an e-mail to Important: include your username. This forum is only for WLCCA posts, please use different forum for WLC/AP/PI questions, thanks!
New Member

Signature attack detected on AP

IDS 'Auth flood' Signature attack cleared on AP 'L2Z4-Columnpoint-DesignLines' protocol '802.11a' on Controller ''. The Signature description is 'Authentication Request flood'.This Signature attack is still detected by 1 APs


IDS 'Broadcast Probe flood' Signature attack detected on AP 'P-Hall-AP-4' protocol '802.11b/g' on Controller ''. The Signature description is 'Broadcast Probe Request flood', with precedence '7'. The channel number is '6', the number of detections is '500', and one of potentially several attackers' mac addresses is '1c:23:2c:1e:8f:01'


I have found these attack on my cisco WLC 5508. please guide and provide solution so that i may be able to remove these kind of attacks in future


We have currently one WLC 5508 connected with nexus switch and AP are connected with access switches which is 2960.


Thanks in advance


Re: Signature attack detected on AP


 Chances are that this is a false positive. Do you have wIPS? If not, it is a good thing to have.




-If I helped you somehow, please, rate it as useful.-

New Member

Re: Signature attack detected on AP

Here are some good reading links...

I suggest to figure out:

- Try to find patterns:

o Time, location, source mac

- Who owns this mac address ?

o Your own Aps ? -> maybe a misconfiguration or a bug. Or someone who is spoofing your mac-address.

o Your own clients ?

o Unknown

- Tools like cisco's Mobility Service Engine or other wireless IDS Systems could help you with this.

If it is an external attacker...

- Remove the attacker physically (best), try to block the attacker (silently discard), or accept the attack message.

- In the end a flood will influence the performance of your wireless infrastructure and wireless clients.

Maybe there are some other suggestions on preventing and defenting actions to wireless attacks ?
New Member

Re: Signature attack detected on AP



don't worry about this signature attack this is Cisco AP intelligent feature which tells you about the rogues, other suspicious devices and signals which can interrupt cisco Aironet signal channels.


whenever any of other devices comes in the range of Cisco AP it detects as a signature attack. you can manually diasble it form your WLC to avoid to receive such types of traps by controller

Zain Khan
CreatePlease to create content