13.1 Commands for AP threat detection
13.1.1 debug wireless wids internal-info
no debug wireless wids internal-info
Function: Enable debugging output for WIDS AP threat detection. The no command disables it.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to debug the WIDS threat detection function when needed. The output includes the MAC address of the AP that sent the RF Scan Report, the AP MAC and VAP MAC being evaluated, the result of each detection step, and the Neighbor AP Info and Neighbor AP Info Part2 elements received in the RF Scan Report message.
Example: Enable the debug information of the WIDS threat detection.
active500EM#debug wireless wids internal-info
13.1.2 show wireless ap rf-scan rogue-classification
Function: Show the AP threat detection (rogue classification) summary for the specified AP.
Parameters:
-
<macaddr>: MAC address of the detected AP whose classification is shown.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to see which of the eleven AP rogue tests have fired for an AP, which managed AP reported it, and how long ago.
Example: Show the threat detection summary for the AP with MAC address f8-f7-d3-00-03-a0.
active500EM#show wireless ap f8-f7-d3-00-03-a0 rf-scan rogue-classification
              Cond                        Test    Test   Time Since  Time Since
Test ID       Detect MAC Addr (radio)     Config  Result 1st Report  Last Report
------------- ------ -------------------- ------- ------ ----------- -----------
WIDSAPROGUE01 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE02 True   f8-f7-d3-00-03-a0(1) Enable  Rogue  0d:08:18:41 0d:00:29:18
WIDSAPROGUE03 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE04 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE05 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE06 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE07 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE08 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE09 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE10 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE11 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE01.................................. Administrator configured rogue AP
WIDSAPROGUE02.................................. Managed SSID from an unknown AP
WIDSAPROGUE03.................................. Managed SSID from a fake managed AP
WIDSAPROGUE04.................................. AP without an SSID
WIDSAPROGUE05.................................. Fake managed AP on an invalid channel
WIDSAPROGUE06.................................. Managed SSID detected with incorrect security
WIDSAPROGUE07.................................. Invalid SSID from a managed AP
WIDSAPROGUE08.................................. AP is operating on an illegal channel
WIDSAPROGUE09.................................. Standalone AP with unexpected configuration
WIDSAPROGUE10.................................. Unexpected WDS device detected on network
WIDSAPROGUE11.................................. Unmanaged AP detected on wired network
Parameters | Explanation |
Test ID | ID of the AP rogue test (WIDSAPROGUE01 to WIDSAPROGUE11) |
Cond Detect | Whether the test has detected a threat (True/False) |
MAC Addr (radio) | MAC address and radio number of the managed AP whose RF scan reported the threat |
Test Config | Whether the test is enabled (Enable/Disable) |
Test Result | Test result; Rogue when the test classified the AP as rogue |
Time Since 1st Report | Time elapsed since the threat was first reported |
Time Since Last Report | Time elapsed since the threat was last reported |
13.1.3 show wireless wids-security
Function: Show the configured AP threat detection parameters.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Show the configured AP threat detection parameters in detail, including whether each rogue test is enabled, the rogue-detected trap interval, the minimum interval between rounds of wired network detection, and other parameters.
Example: Show the configured AP rogue-detection parameters.
active500EM#show wireless wids-security
Rogue - admin configured Rogue AP's............ Enable
Rogue - APs on an illegal channel.............. Enable
Rogue - fake managed AP / invalid channel...... Enable
Rogue - fake managed AP / no SSID.............. Enable
Rogue - managed AP / invalid SSID.............. Enable
Rogue - managed SSID / invalid security........ Enable
Rogue - standalone AP / unexpected config...... Enable
Rogue - unknown AP / managed SSID.............. Enable
Rogue - fake managed AP / managed SSID......... Enable
Rogue - unmanaged AP on a wired network........ Enable
Rogue - unexpected WDS devices................. Enable
OUI Database mode.............................. Local
Rogue detected trap interval................... 60 seconds
Wired network detection interval............... 60 seconds
AP De-Authentication Attack.................... Disable
Parameters | Explanation |
Rogue detected trap interval | Interval at which the AC re-checks for rogue APs and sends the rogue-present trap |
Wired network detection interval | Minimum interval between rounds of detection of unmanaged APs attached to the wired network |
13.1.4 show wireless wids-security rogue-test-descriptions
Function: Show the explanation of AP threat detection.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Show the explanation of AP threat detection.
Example: Show the explanation of AP threat detection.
active500EM#show wireless wids-security rogue-test-descriptions
WIDSAPROGUE01.................................. Administrator configured rogue AP
WIDSAPROGUE02.................................. Managed SSID from an unknown AP
WIDSAPROGUE03.................................. Managed SSID from a fake managed AP
WIDSAPROGUE04.................................. AP without an SSID
WIDSAPROGUE05.................................. Fake managed AP on an invalid channel
WIDSAPROGUE06.................................. Managed SSID detected with incorrect security
WIDSAPROGUE07.................................. Invalid SSID from a managed AP
WIDSAPROGUE08.................................. AP is operating on an illegal channel
WIDSAPROGUE09.................................. Standalone AP with unexpected configuration
WIDSAPROGUE10.................................. Unexpected WDS device detected on network
WIDSAPROGUE11.................................. Unmanaged AP detected on wired network
13.1.5 trapflags rogue-ap
no trapflags rogue-ap
Function: Enable the rogue AP trap. When an AP is classified as rogue, the AC sends the trap immediately. The no command disables the trap.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Disable the function.
Usage guide: The AC runs the AP threat detection tests; when a test classifies an AP as rogue, the AC sends a trap to notify the network administrator. This command enables that trap.
Example: Enable the detection of rogue AP trap.
active500EM(config-wireless)#trapflags rogue-ap
13.1.6 wired-detection-vlan
no wired-detection-vlan
Function: Set the VLAN ID carried by the detection frame used to find unmanaged APs attached to the wired network. The no command restores the default VLAN ID of 1.
Parameters:
-
<0-4094>: VLAN ID; range is 0~4094. 0 means the detection frame is sent untagged.
Command mode: AP Profile Configuration Mode
Default: 1.
Usage guide: This command supports the detection of unmanaged APs attached to the wired network. An AP in sentry mode switches channels about once per second to monitor the radio. If the detection function is enabled, after switching to a new channel the AP sends a multicast frame addressed to 01-02-BC-00-12-00 onto the wired network. If that frame is later received over the air from an AP that the AC does not manage, that AP is bridging the wired network and test WIDSAPROGUE11 reports it. The VLAN ID in the frame's 802.1Q tag is the value configured by this command; a value of 0 sends the frame untagged. If this command is not configured, the frame is tagged with VLAN ID 1.
Example: Set the VLAN ID of the wired-detection frame to VLAN 2, then restore the default.
active500EM(config-wireless)#ap profile 1
active500EM(config-ap-profile)#wired-detection-vlan 2
active500EM(config-ap-profile)#no wired-detection-vlan
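The following Python is added here as an illustration of the mechanism described in the usage guide; it is not code from the active500EM firmware. It builds the wired-detection frame (destination 01-02-BC-00-12-00, optionally 802.1Q-tagged with the configured VLAN ID, untagged for VLAN 0), parses it back, and pairs frames sent on the wire with copies heard over the air. Only the destination MAC and the VLAN tag handling come from the manual; the Ethertype, the payload and the heard_over_the_air pairing logic are assumptions of the example.

```python
import struct

# Destination MAC of the wired-detection frame, from the manual text.
WIRED_DETECT_DST = bytes.fromhex("0102bc001200")
ETHERTYPE_8021Q = 0x8100
# The manual does not say which Ethertype or payload the AP uses; the IEEE
# local-experimental Ethertype is used as a placeholder (assumption).
PLACEHOLDER_ETHERTYPE = 0x88B5


def mac_to_bytes(mac: str) -> bytes:
    """Accept 'f8-f7-d3-00-03-a0', 'f8:f7:d3:00:03:a0' or 'f8f7.d300.03a0'."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def bytes_to_mac(raw: bytes) -> str:
    """Render six bytes in the manual's aa-bb-cc-dd-ee-ff notation."""
    return "-".join(f"{b:02x}" for b in raw)


def build_detection_frame(src_mac: str, vlan_id: int = 1, payload: bytes = b"") -> bytes:
    """Build the multicast frame a sentry AP sends onto the wired network.

    vlan_id 0 produces an untagged frame (wired-detection-vlan 0); any other
    value inserts an 802.1Q tag with PCP=0, DEI=0 and that VID.
    """
    if not 0 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 0..4094")
    frame = WIRED_DETECT_DST + mac_to_bytes(src_mac)
    if vlan_id:
        frame += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    frame += struct.pack("!H", PLACEHOLDER_ETHERTYPE)
    return frame + payload


def parse_detection_frame(frame: bytes):
    """Return (src_mac, vlan_id) if `frame` is a wired-detection probe, else None.

    vlan_id is 0 for an untagged frame. A frame addressed elsewhere, or one too
    short to hold the headers it claims, is rejected.
    """
    if len(frame) < 14 or frame[:6] != WIRED_DETECT_DST:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id = 0
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            return None
        vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return bytes_to_mac(frame[6:12]), vlan_id


def heard_over_the_air(wired_frames, air_frames):
    """Pair probes sent on the wire with copies the sentry radio received.

    Both inputs are iterables of (bssid, raw_frame); bssid is the BSS the copy
    was heard from. A probe that comes back from a BSS is evidence that the
    BSS bridges the wired network (the basis of test WIDSAPROGUE11). Matching
    on source MAC and VLAN is this example's own design, not the controller's.
    """
    sent = {parse_detection_frame(f) for _, f in wired_frames}
    sent.discard(None)
    return sorted({bssid for bssid, f in air_frames if parse_detection_frame(f) in sent})
```

A VLAN mismatch matters in practice: a probe tagged with VLAN 2 that arrives untagged has been re-tagged somewhere and does not pair, so the VLAN configured here should be one the sentry AP's switch port actually carries.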
13.1.7 wids-security admin-config-rogue
Function: Enable detection of APs that the network administrator has configured as rogue.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable this function.
Usage guide: The network administrator maintains the valid-AP database either locally or on a RADIUS server, and can assign each AP one of three states: managed, standalone, or rogue. An AP whose state in the valid-AP database (local or RADIUS) is rogue is reported by this test. Use this command to enable it.
Example: Enable the rogue AP detection configuration.
active500EM(config-wireless)#wids-security admin-config-rogue
13.1.8 wids-security ap-chan-illegal
no wids-security ap-chan-illegal
Function: Enable the illegal channel detection of the AP. The no command will disable this function.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the illegal channel detection.
Usage guide: Valid radio channels differ by country; a channel that is legal in one country may be illegal in another. This test reports an AP operating on a channel that is illegal for the configured country as rogue.
Example: Enable illegal channel detection.
active500EM(config-wireless)#wids-security ap-chan-illegal
13.1.9 wids-security fakeman-ap-chan-invalid
no wids-security fakeman-ap-chan-invalid
Function: Enable detection of beacon frames received from a managed AP MAC address on a channel other than the one assigned to it. The no command disables this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable beacon frame detection.
Usage guide: The AC assigns the channels of managed APs, so it knows which channel each managed AP should be using. An attacker who spoofs a managed AP's MAC address may send beacon frames on a different channel. Use this command to detect this type of rogue AP.
Example: Enable detection of beacon frames from a managed AP MAC address on the wrong channel.
active500EM(config-wireless)#wids-security fakeman-ap-chan-invalid
13.1.10 wids-security fakeman-ap-managed-ssid
no wids-security fakeman-ap-managed-ssid
Function: Enable detection of beacon frames that carry a managed SSID from a managed AP MAC address but lack the vendor field. The no command disables this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the vendor field detection.
Usage guide: An attacker may spoof a managed AP's MAC address and advertise a managed SSID. Beacon frames from a genuine managed AP carry a vendor field, so checking for that field distinguishes the real managed AP from an impostor using its MAC address. When the vendor field is absent, the AP MAC address appears as 00:00:00:xx:xx:xx in the Neighbor AP Info of the RF Scan Report message.
Example: Enable the illegal vendor field detection in beacon frames.
active500EM(config-wireless)#wids-security fakeman-ap-managed-ssid
13.1.11 wids-security fakeman-ap-no-ssid
no wids-security fakeman-ap-no-ssid
Function: Enable detection of no SSID field in the beacon frame. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable detection of no SSID field in the beacon frame.
Usage guide: To avoid detection, an attacker may omit the SSID field from beacon frames while still answering clients' probe requests with probe responses, luring clients into associating and disclosing credentials. Use this command to detect such a rogue AP.
Example: Enable detection of no SSID field in the beacon frame.
active500EM(config-wireless)#wids-security fakeman-ap-no-ssid
13.1.12 wids-security managed-ap-ssid-invalid
no wids-security managed-ap-ssid-invalid
Function: Enable invalid SSID detection of the managed AP. The no command will disable the detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable invalid SSID detection of the managed AP.
Usage guide: Managed APs that scan a managed AP send RF Scan Report messages to the AC. If the scanned managed AP is advertising an SSID that is not configured for it, the report includes that invalid SSID. Use this command to detect the invalid SSID and classify the AP as rogue.
Example:
active500EM(config-wireless)#wids-security managed-ap-ssid-invalid
13.1.13 wids-security managed-ssid-secu-bad
no wids-security managed-ssid-secu-bad
Function: Enable detection of a managed SSID advertised with the wrong security mode. The no command disables this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable detection of a managed SSID advertised with the wrong security mode.
Usage guide: The security mode (open, WEP, or WPA) that the AC configured for each managed SSID is recorded on the AC, and the security mode advertised in the beacon frame is reported by the scanning AP. This test compares the two and reports the AP as rogue if they differ.
Example: Enable the detection that the AP has used a wrong security authentication method.
active500EM(config-wireless)#wids-security managed-ssid-secu-bad
13.1.14 wids-security rogue-det-trap-interval
no wids-security rogue-det-trap-interval
Function: Set the interval at which the AC re-checks for rogue APs and sends the rogue-present trap. The no command restores the default value.
Parameters:
-
<0>: disables the trap.
-
<60-3600>: time interval; unit is second.
Command mode: Wireless Global Configuration Mode
Default: 300s.
Usage guide: The AC periodically checks whether any rogue AP is currently present; if so, it sends the ws rogues present trap to remind the administrator. Use this command to set that interval.
Example: Set the rogue AP detection trap interval to 1000 seconds.
active500EM(config-wireless)#wids-security rogue-det-trap-interval 1000
13.1.15 wids-security standalone-cfg-invalid
no wids-security standalone-cfg-invalid
Function: Enable detection of a legitimate standalone (fat) AP whose configuration differs from the one recorded on the AC. The no command disables this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable detection of an unexpected standalone AP configuration.
Usage guide: If an AP has the standalone state in the valid-AP database and its scanned configuration (operating channel, SSID, security mode, WDS mode, and connection to the wired network) differs from the configuration recorded on the AC, this test reports the AP as rogue.
Example: Enable detection of an unexpected standalone AP configuration.
active500EM(config-wireless)# wids-security standalone-cfg-invalid
13.1.16 wids-security unknown-ap-managed-ssid
no wids-security unknown-ap-managed-ssid
Function: Enable the detection of the unknown AP posing as the legal SSID. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the detection of the unknown AP posing as the legal SSID.
Usage guide: The AC records the legal SSIDs configured on the network. An unknown AP may advertise a legal SSID to lure clients into associating and steal their data. Use this command to detect such a rogue AP.
Example: Enable the detection of the unknown AP posing as the legal SSID.
active500EM(config-wireless)#wids-security unknown-ap-managed-ssid
13.1.17 wids-security unmanaged-ap-wired
no wids-security unmanaged-ap-wired
Function: Enable the detection of the unmanaged AP accessing the wired network. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the detection of the unmanaged AP accessing the wired network.
Usage guide: Only managed APs should be connected to the wired network. If an unknown AP is found to be bridging the wired network, this test reports it as rogue.
Example: Enable the detection of an unmanaged AP accessing the wired network.
active500EM(config-wireless)#wids-security unmanaged-ap-wired
13.1.18 wids-security wds-device-unexpected
no wids-security wds-device-unexpected
Function: Enable the detection of an AP working in WDS mode. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the detection of an AP working in the WDS mode.
Usage guide: WDS (Wireless Distribution System) lets APs connect to each other over the wireless network as bridges or repeaters, reducing dependence on the wired network and adding flexibility to the network layout. This test compares the WDS state observed for an AP with the WDS state recorded for it in the AC database; if they differ, the AP is reported as rogue.
Example: Enable the detection of the AP working in WDS mode.
active500EM(config-wireless)#wids-security wds-device-unexpected
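As an added example (not the controller's own code), the following Python replicates the comparisons behind tests WIDSAPROGUE02 to 08 and 10 described in 13.1.8 through 13.1.18, run against constructed Neighbor AP Info entries. The dataclass field names, the vendor_ie flag, the SSID-to-security map and the channel set are assumptions of the example; tests 01, 09 and 11 need the valid-AP database and wired-side data, which this example does not model.

```python
from dataclasses import dataclass
from typing import Optional


def norm_mac(mac: str) -> str:
    """Normalise any common MAC spelling to the manual's aa-bb-cc-dd-ee-ff form."""
    h = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(h) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return "-".join(h[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class ManagedAP:
    """What the AC assigned to one managed AP (field names are this example's)."""
    mac: str
    channel: int
    ssids: frozenset
    wds: bool = False


@dataclass(frozen=True)
class Neighbor:
    """One Neighbor AP Info entry as a scanning AP would report it."""
    mac: str
    channel: int
    ssid: Optional[str]      # None: the beacon carried no SSID field
    security: str            # "open", "wep" or "wpa"
    wds: bool = False
    vendor_ie: bool = False  # vendor field present in the beacon


ALL_TESTS = frozenset(f"WIDSAPROGUE{i:02d}" for i in range(1, 12))


def classify_ap(n, managed, ssid_security, legal_channels, enabled=ALL_TESTS):
    """Return the sorted WIDSAPROGUE test IDs that fire for one neighbor entry.

    managed:        normalised MAC -> ManagedAP (the AC's managed AP database)
    ssid_security:  managed SSID -> security mode the AC configured for it
    legal_channels: channels legal in the configured country
    enabled:        tests switched on with the wids-security commands
    """
    hits = set()
    ap = managed.get(norm_mac(n.mac))
    if n.channel not in legal_channels:
        hits.add("WIDSAPROGUE08")          # AP is operating on an illegal channel
    if n.ssid in ssid_security and n.security != ssid_security[n.ssid]:
        hits.add("WIDSAPROGUE06")          # managed SSID with incorrect security
    if ap is None:
        if n.ssid in ssid_security:
            hits.add("WIDSAPROGUE02")      # managed SSID from an unknown AP
    else:
        if n.ssid is None:
            hits.add("WIDSAPROGUE04")      # fake managed AP without an SSID
        else:
            if not n.vendor_ie and n.ssid in ssid_security:
                hits.add("WIDSAPROGUE03")  # managed SSID from a fake managed AP
            if n.ssid not in ap.ssids:
                hits.add("WIDSAPROGUE07")  # invalid SSID from a managed AP
        if n.channel != ap.channel:
            hits.add("WIDSAPROGUE05")      # fake managed AP on an invalid channel
        if n.wds != ap.wds:
            hits.add("WIDSAPROGUE10")      # unexpected WDS device
    return sorted(hits & set(enabled))


# Constructed data for the example: one managed AP on channel 6 serving "corp".
MANAGED = {norm_mac("F8-F7-D3-00-03-A0"): ManagedAP("f8-f7-d3-00-03-a0", 6, frozenset({"corp"}))}
SSID_SECURITY = {"corp": "wpa"}
LEGAL_2G = frozenset(range(1, 12))  # FCC 2.4 GHz channels, an assumption for the example

SAMPLE_SCAN = [
    Neighbor("f8-f7-d3-00-03-a0", 6, "corp", "wpa", vendor_ie=True),             # genuine
    Neighbor("00-11-22-33-44-55", 6, "corp", "wpa"),                             # evil twin
    Neighbor("f8-f7-d3-00-03-a0", 11, "corp", "open"),                           # spoofed MAC
    Neighbor("f8-f7-d3-00-03-a0", 6, None, "wpa", vendor_ie=True),               # hidden SSID
    Neighbor("f8-f7-d3-00-03-a0", 6, "guest", "wpa", wds=True, vendor_ie=True),  # wrong SSID, WDS
    Neighbor("00-11-22-33-44-66", 13, "cafe", "open"),                           # illegal channel
]


def run_scan(scan=SAMPLE_SCAN):
    """Classify every entry; keyed by index because the same MAC can recur."""
    return {i: classify_ap(n, MANAGED, SSID_SECURITY, LEGAL_2G) for i, n in enumerate(scan)}


if __name__ == "__main__":
    for i, tests in run_scan().items():
        print(i, SAMPLE_SCAN[i].mac, tests or "clean")
```

The spoofed-MAC entry fires three tests at once (03, 05, 06), which is the usual signature of an impostor that copied only the BSSID; the evil twin with a fresh MAC fires only 02, so test 02 should stay enabled even where the others generate noise.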
13.1.19 wids-security wired-detection-interval
no wids-security wired-detection-interval
Function: Set the minimum interval between rounds of wired network detection. The no command restores the default of 60s.
Parameters:
-
<interval>: minimum interval between rounds of wired network detection by an AP; range is 1~3600s.
Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: To keep the AP from sending detection frames too frequently, set a minimum interval; the AP waits this long before starting the next round of wired network detection (RF scanning continues during the wait). Use this command to set that interval.
Example: Set the wired network detection interval to 360 seconds.
active500EM(config-wireless)#wids-security wired-detection-interval 360
13.2 Commands for client threat detection parameter
13.2.1 debug wireless wids known-client internal-info
no debug wireless wids known-client internal-info
Function: Enable debugging output for the known-client database. The no command disables it.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to display debugging output for the known-client database: entries added, deleted, and looked up.
Example: Enable the debugging of the known-client database.
active500EM#debug wireless wids known-client internal-info
13.2.2 oui database
no oui database <ouival>
Function: Add an OUI entry to the local OUI database, used for display and for the client OUI detection test. The no command deletes the entry with the given OUI value from the local OUI database.
Parameters:
-
<ouival>: OUI (the first three bytes of the MAC address) of the AP or client vendor.
-
<oui>: vendor name for this OUI.
Command mode: Wireless Global Configuration Mode
Default: None.
Usage guide: Use this command to add or delete OUI entries; the client OUI detection test (wids-security client oui-database) checks client MAC addresses against this list.
Example: Add an OUI entry for OUI value F8-F7-D3 with the vendor name "vendor name".
active500EM(config-wireless)#oui database F8-F7-D3 "vendor name"
13.2.3 show wireless client detected-client rogue-classification
Function: Show the client threat detection log.
Parameters:
-
<macaddr>: client MAC address.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to see which of the seven client rogue tests have fired for a client, which managed AP reported it, and how long ago.
Example: Show the threat detection log of the client with MAC address D8-D7-D3-00-03-60.
active500EM#show wireless client D8-D7-D3-00-03-60 detected-client rogue-classification
               Cond                        Test    Test   Time Since  Time Since
Test ID        Detect MAC Addr (radio)     Config  Result 1st Report  Last Report
-------------- ------ -------------------- ------- ------ ----------- ------------
WIDSCLNTROGUE1 False  00-00-00-00-00-00(0) Disable        0d:08:40:54 0d:08:40:54
WIDSCLNTROGUE2 False  D8-D7-D3-00-03-60(1) Enable         0d:08:40:54 0d:00:00:01
WIDSCLNTROGUE3 False  00-00-00-00-00-00(0) Disable        0d:08:40:54 0d:08:40:54
WIDSCLNTROGUE4 False  D8-D7-D3-00-03-60(1) Enable         0d:08:40:54 0d:00:00:01
WIDSCLNTROGUE5 False  00-00-00-00-00-00(0) Disable        0d:08:40:54 0d:08:40:54
WIDSCLNTROGUE6 False  D8-D7-D3-00-03-60(1) Enable         0d:08:40:54 0d:00:00:01
WIDSCLNTROGUE7 False  00-00-00-00-00-00(0) Disable        0d:08:40:54 0d:08:40:54
WIDSCLNTROGUE1................................. Client not in Known Client Database
WIDSCLNTROGUE2................................. Client exceeds configured rate for auth msgs
WIDSCLNTROGUE3................................. Client exceeds configured rate for probe msgs
WIDSCLNTROGUE4................................. Client exceeds configured rate for de-auth msgs
WIDSCLNTROGUE5................................. Client exceeds max failing authentications
WIDSCLNTROGUE6................................. Known client authenticated with unknown AP
WIDSCLNTROGUE7................................. Client OUI not in the OUI Database
Parameters | Explanation |
Test ID | ID of the client rogue test (WIDSCLNTROGUE1 to WIDSCLNTROGUE7) |
Cond Detect | Whether the test has detected a threat (True/False) |
MAC Addr (radio) | MAC address and radio number of the managed AP whose RF scan reported the threat |
Test Config | Whether the test is enabled (Enable/Disable) |
Test Result | Test result; Rogue when the test classified the client as rogue |
Time Since 1st Report | Time elapsed since the threat was first reported |
Time Since Last Report | Time elapsed since the threat was last reported |
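The AP and client rogue-classification tables in 13.1.2 and 13.2.3 share one row layout, so a single parser serves both. The following Python is an added example for pulling those results into automation (a periodic poll that raises an alert on any row with Detect True); it is not part of the active500EM firmware. The sample outputs are constructed from the rows and legends shown in this chapter, with one client row changed to True so that the active-threat path is exercised.

```python
import re

# Table rows of `show wireless ap <mac> rf-scan rogue-classification` and
# `show wireless client <mac> detected-client rogue-classification`:
# test ID, Detect, MAC(radio), Config, optional Result, two durations.
ROW_RE = re.compile(
    r"^(?P<test>WIDS(?:AP|CLNT)ROGUE\d+)\s+(?P<detect>True|False)\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\((?P<radio>\d+)\)\s+"
    r"(?P<config>Enable|Disable)\s+(?:(?P<result>[A-Za-z]+)\s+)?"
    r"(?P<first>\d+d:\d\d:\d\d:\d\d)\s+(?P<last>\d+d:\d\d:\d\d:\d\d)$"
)
# Legend lines: test ID, a run of dots, then the description.
DESC_RE = re.compile(r"^(?P<test>WIDS(?:AP|CLNT)ROGUE\d+)\.{2,}\s*(?P<text>.+?)$")


def parse_duration(s: str) -> int:
    """'0d:08:18:41' -> seconds elapsed."""
    days, hh, mm, ss = s.split(":")
    return int(days.rstrip("d")) * 86400 + int(hh) * 3600 + int(mm) * 60 + int(ss)


def parse_rogue_classification(text: str):
    """Parse command output into (rows, descriptions).

    rows: one dict per test row; descriptions: test ID -> legend text.
    Header, ruler and unrecognised lines are skipped, so the parser does not
    depend on column alignment.
    """
    rows, descriptions = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            rows.append({
                "test": m["test"],
                "detect": m["detect"] == "True",
                "reporter": m["mac"].lower(),   # managed AP that reported it
                "radio": int(m["radio"]),
                "enabled": m["config"] == "Enable",
                "result": m["result"] or "",
                "since_first": parse_duration(m["first"]),
                "since_last": parse_duration(m["last"]),
            })
            continue
        d = DESC_RE.match(line)
        if d:
            descriptions[d["test"]] = d["text"].strip()
    return rows, descriptions


def active_threats(text: str):
    """[(test ID, description, reporter MAC, seconds since last report)]
    for every row whose Detect column is True."""
    rows, descriptions = parse_rogue_classification(text)
    return [(r["test"], descriptions.get(r["test"], ""), r["reporter"], r["since_last"])
            for r in rows if r["detect"]]


# Constructed sample input, taken from the AP output shown in 13.1.2.
SAMPLE_AP_OUTPUT = """\
              Cond                        Test    Test   Time Since  Time Since
Test ID       Detect MAC Addr (radio)     Config  Result 1st Report  Last Report
------------- ------ -------------------- ------- ------ ----------- -----------
WIDSAPROGUE01 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE02 True   f8-f7-d3-00-03-a0(1) Enable  Rogue  0d:08:18:41 0d:00:29:18
WIDSAPROGUE08 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE01.................................. Administrator configured rogue AP
WIDSAPROGUE02.................................. Managed SSID from an unknown AP
WIDSAPROGUE08.................................. AP is operating on an illegal channel
"""

# Constructed client sample; the second row is set to True for the example.
SAMPLE_CLIENT_OUTPUT = """\
WIDSCLNTROGUE1 False  00-00-00-00-00-00(0) Disable        0d:08:40:54 0d:08:40:54
WIDSCLNTROGUE2 True   D8-D7-D3-00-03-60(1) Enable  Rogue  0d:08:40:54 0d:00:00:01
WIDSCLNTROGUE2................................. Client exceeds configured rate for auth msgs
"""

if __name__ == "__main__":
    for hit in active_threats(SAMPLE_AP_OUTPUT) + active_threats(SAMPLE_CLIENT_OUTPUT):
        print(hit)
```

Feed the raw text captured from the CLI session into active_threats; because the Result column is blank on rows that did not fire, the parser treats it as optional rather than relying on a fixed column width.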
13.2.4 show wireless oui database
Function: Show the OUI database, or the entry for a specified OUI value.
Parameters:
-
<ouival>: OUI value of the AP or the client company.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show the vendor information for the specified OUI. If no OUI is specified, the whole OUI database is shown.
Example: Show the OUI database entry for OUI value F8-F7-D3.
active500EM#show wireless oui database F8-F7-D3
OUI Value...................................... F8-F7-D3
OUI............................................
Parameters | Explanation |
OUI Value | AP/client company OUI value |
OUI | Company name of this OUI value |
13.2.5 show wireless wids-security client
Function: Show the configured client threat detection parameters.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to check the configured client threat detection parameters.
Example: Show the configured client threat detection parameters.
active500EM#show wireless wids-security client
Rogue detected trap interval................... 300 seconds
Rogue-Not in OUI database...................... Disable
Rogue-Not in Known Client list................. Disable
Rogue-Exceeds Auth Req ........................ Enable
Rogue-Exceeds DeAuth Req ...................... Enable
Rogue-Exceeds Probe Req ....................... Disable
Rogue-Exceeds Failed auth ..................... Disable
Rogue-Auth with unknown AP..................... Enable
Client Threat Mitigation....................... Disable
De-auth threshold interval..................... 300 seconds
De-auth threshold value........................ 10
Auth threshold interval........................ 300 seconds
Auth threshold value........................... 10
Probe threshold interval....................... 300 seconds
Probe threshold value.......................... 10
Auth failure threshold......................... 5
Known DB Location.............................. Local
Known DB RADIUS Server Name.................... Default-RADIUS-Server
Known DB RADIUS Server Status.................. Not Configured
Parameters | Explanation |
Rogue Detected Trap Interval | Interval at which the system checks for rogue clients and sends the trap |
De-auth threshold interval | Measurement interval for 802.11 deauthentication frames sent by a client |
De-auth threshold value | Number of deauthentication frames within the interval above which the client is reported |
Auth threshold interval | Measurement interval for 802.11 authentication frames sent by a client |
Auth threshold value | Number of authentication frames within the interval above which the client is reported |
Probe threshold interval | Measurement interval for 802.11 probe request frames sent by a client |
Probe threshold value | Number of probe request frames within the interval above which the client is reported |
Auth failure threshold | Number of failed authentications above which the client is reported |
Known DB Location | Known client database location (local or RADIUS server) |
Known DB RADIUS Server Name | RADIUS server name used when the known client database location is RADIUS |
Known DB RADIUS Server Status | Whether the RADIUS server holding the known client database is configured |
13.2.6 show wireless wids-security client rogue-test-descriptions
Function: Shows client threat detection description.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show client threat detection description.
Example: Show client threat detection description.
active500EM#show wireless wids-security client rogue-test-descriptions WIDSCLNTROGUE1................................. Client not in Known Client Database WIDSCLNTROGUE2................................. Client exceeds configured rate for auth msgs WIDSCLNTROGUE3................................. Client exceeds configured rate for probe msgs WIDSCLNTROGUE4................................. Client exceeds configured rate for de-auth msgs WIDSCLNTROGUE5................................. Client exceeds max failing authentications WIDSCLNTROGUE6................................. Known client authenticated with unknown AP WIDSCLNTROGUE7................................. Client OUI not in the OUI Database
13.2.7 wids-security client auth-with-unknown-ap
no wids-security client auth-with-unknown-ap
Function: Enable detection of known (legitimate) clients that authenticate with an AP the AC does not manage. The no command disables this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable detection of known clients authenticating with an unknown AP.
Usage guide: A known client may authenticate to an AP that the AC does not manage, for example a rogue AP advertising a managed SSID; its traffic and credentials are then exposed to whoever operates that AP. Use this command to detect this case.
Example: Enable detection of known clients authenticating with an unknown AP.
active500EM(config-wireless)#wids-security client auth-with-unknown-ap
13.2.8 wids-security client configured-assoc-rate
no wids-security client configured-assoc-rate
Function: Enable flooding attack detection of the association request frame. The no command disables it.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enabled.
Usage guide: An association request flood is a rogue client sending a large number of association request frames to an AP in a short time. The AP is swamped by the flood and cannot serve legitimate wireless terminals. Use this command to enable detection of this type of rogue client.
Example: Enable flooding attack detection of association request frame.
active500EM(config-wireless)#wids-security client configured-assoc-rate
13.2.9 wids-security client configured-auth-rate
no wids-security client configured-auth-rate
Function: Enable authentication request frame flood attack detection. The no command disables this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable authentication request frame flood attack detection.
Usage guide: An authentication request flood is a rogue client sending a large number of authentication request frames to an AP in a short time. The AP is swamped by the flood and cannot serve legitimate wireless terminals. Use this command to enable detection of this type of rogue client.
Example: Enable authentication request frame flood attack detection.
active500EM(config-wireless)#wids-security client configured-auth-rate
13.2.10 wids-security client configured-deauth-rate
no wids-security client configured-deauth-rate
Function: Enable deauthentication frame flood attack detection. The no command disables this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable deauthentication frame flood attack detection.
Usage guide: A deauthentication flood is a rogue client sending a large number of 802.11 deauthentication frames to an AP in a short time, typically to knock legitimate clients off the network. Use this command to enable detection of this type of rogue client.
Example: Enable deauthentication frame flood attack detection.
active500EM(config-wireless)#wids-security client configured-deauth-rate
13.2.11 wids-security client configured-disassoc-rate
no wids-security client configured-disassoc-rate
Function: Enable flooding attack detection of disassociation request frame. The no command disables it.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enabled.
Usage guide: A disassociation request flood is a rogue client sending a large number of disassociation frames to an AP in a short time. The AP is swamped by the flood and cannot serve legitimate wireless terminals. Use this command to enable detection of this type of rogue client.
Example: Enable flooding attack detection of disassociation request frame.
active500EM(config-wireless)#wids-security client configured-disassoc-rate
13.2.12 wids-security client configured-probe-rate
no wids-security client configured-probe-rate
Function: Enable probe request frame flooding attack detection. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable probe request frame flooding attack detection.
Usage guide: A probe request flood is a rogue client sending a large number of probe request frames to an AP in a short time. Use this command to enable detection of this type of rogue client.
Example: Enable probe request frame flooding attack detection.
active500EM(config-wireless)#wids-security client configured-probe-rate
13.2.13 wids-security client known-client-database
no wids-security client known-client-database
Function: Enable known client database detection. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Disable known client database detection.
Usage guide: The AC reads the known client database from local storage or from a RADIUS server. A client with an entry in the known client database is legitimate; a client without one is reported as rogue. Use this command to enable that test.
Example: Enable known client database detection.
active500EM(config-wireless)#wids-security client known-client-database
13.2.14 wids-security client max-auth-failure
no wids-security client max-auth-failure
Function: Enable detection of clients that exceed the maximum number of authentication failures. The no command disables this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable detection of clients that exceed the maximum number of authentication failures.
Usage guide: A rogue client trying to get into a protected wireless network may keep sending authentication requests until one succeeds (credential guessing). This test reports a client whose failed authentications exceed the configured threshold.
Example: Enable detection of clients that exceed the maximum number of authentication failures.
active500EM(config-wireless)#wids-security client max-auth-failure
13.2.15 wids-security client oui-database
no wids-security client oui-database
Function: Enable OUI illegal detection. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Disable OUI illegal detection.
Usage guide: This test checks the OUI (the first three bytes) of the client MAC address against the OUI database; a client whose OUI is not in the database is reported as rogue. Use this command to enable it.
Example: Enable OUI illegal detection.
active500EM(config-wireless)#wids-security client oui-database
13.2.16 wids-security client rogue-det-trap-interval
no wids-security client rogue-det-trap-interval
Function: Set the interval of detection for rogue clients. The no command will restore the interval to the default value.
Parameters:
-
<0>: enter the number 0 to disable this trap.
-
<60-3600>: time interval; unit is seconds.
Command mode: Wireless Global Configuration Mode
Default: 300s.
Usage guide: At the configured interval the system checks whether a rogue client is present. If one exists, the AC controller sends the ws rogue client present trap to alert the user. Use this command to set that time interval.
Example: Set the interval of detection for rogue client as 1000 seconds.
active500EM(config-wireless)#wids-security client rogue-det-trap-interval 1000
13.2.17 wids-security client threshold-auth-failure
no wids-security client threshold-auth-failure
Function: Set the threshold of the client authentication failure. The no command will restore the threshold to the default value.
Parameters:
-
<1-99999>: threshold of client authentication failure number.
Command mode: Wireless Global Configuration Mode
Default: 5.
Usage guide: Detect the rogue AP by the number of client authentication failures (beyond the configured threshold). Use this command to set the threshold of client authentication failures.
Example: Set the threshold of client authentication failure number to 1000.
active500EM(config-wireless)# wids-security client threshold-auth-failure 1000
13.2.18 wids-security client threshold-interval-assoc
no wids-security client threshold-interval-assoc <1-3600>
Function: Configure the detection time of the client sending 802.11 association request frames. The no command resets to default.
Parameters:
-
<1-3600>: the detection interval for a client sending association request frames; unit is second.
Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: An association request frame flood attack is detected when the number of association request frames seen in the configured time interval exceeds the threshold. Use this command to configure the detection time interval of association request frames.
Example: Configure the detection time interval of the client sending 802.11 association request frame as 360s.
active500EM(config-wireless)# wids-security client threshold-interval-assoc 100
13.2.19 wids-security client threshold-interval-auth
no wids-security client threshold-interval-auth
Function: Set the detection interval of the client sending 802.11 authentication request frame. The no command will restore the interval to the default value.
Parameters:
-
<1-3600>: interval of the client sending authentication request frame; unit is seconds.
Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: An authentication request frame flood attack is detected when the number of authentication request frames seen in the configured time interval exceeds the threshold. Use this command to set the authentication request frame detection time.
Example: Set the detection interval of the client sending 802.11 authentication request frame as 360s.
active500EM(config-wireless)#wids-security client threshold-interval-auth 360
13.2.20 wids-security client threshold-interval-deauth
no wids-security client threshold-interval-deauth
Function: Set the detection interval of the client sending 802.11 deauthentication request frames. The no command will restore the interval to the default value.
Parameters:
-
<1-3600>: detection interval of the client sending 802.11 deauthentication request frames; unit is seconds.
Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: A deauthentication request frame flood attack is detected when the number of deauthentication request frames seen in the configured time interval exceeds the threshold. Use this command to set the deauthentication request frame detection time.
Example: Set the detection interval of the client sending 802.11 deauthentication request frames as 100 seconds.
active500EM(config-wireless)#wids-security client threshold-interval-deauth 100
13.2.21 wids-security client threshold-interval-disassoc
no wids-security client threshold-interval-disassoc
Function: Configure the detection time of the client sending 802.11 disassociation request frames. The no command restores the default value.
Parameters:
-
<1-3600>: the detection time of the client sending disassociation request frames; unit is seconds.
Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: A disassociation request frame flood attack is detected when the number of disassociation request frames seen in the configured time interval exceeds the threshold. Use this command to configure the detection time of disassociation request frames.
Example: Configure the detection time of the client sending 802.11 disassociation request frame to 100s.
active500EM(config-wireless)#wids-security client threshold-interval-disassoc 100
13.2.22 wids-security client threshold-interval-probe
no wids-security client threshold-interval-probe
Function: Set the detection interval of the client sending 802.11 probe request frames. The no command will restore the interval to the default value.
Parameters:
-
<1-3600>: detection interval of the client sending 802.11 probe request frames; unit is seconds.
Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: A probe request frame flood attack is detected when the number of probe request frames seen in the configured time interval exceeds the threshold. Use this command to set the probe request frame detection time interval.
Example: Set the detection time interval of the client sending 802.11 probe request frame as 100 seconds.
active500EM(config-wireless)#wids-security client threshold-interval-probe 100
13.2.23 wids-security client threshold-value-assoc
no wids-security client threshold-value-assoc
Function: Configure the threshold of the client sending 802.11 association request frames. The no command will restore the threshold to the default value.
Parameters:
-
<1-99999>: the threshold of the client sending 802.11 association request frame.
Command mode: Wireless Global Configuration Mode
Default: 120.
Usage guide: Use this command to set the maximum number of 802.11 association request frames a client may send within the threshold-interval-assoc time.
Example: Set the maximum number of 802.11 association request frames a client may send to 100.
active500EM(config-wireless)#wids-security client threshold-value-assoc 100
13.2.24 wids-security client threshold-value-auth
no wids-security client threshold-value-auth
Function: Set the threshold of the client sending 802.11 authentication request frames. The no command will restore the threshold to the default value.
Parameters:
-
<1-99999>: the threshold of the client sending the 802.11 authentication request frame.
Command mode: Wireless Global Configuration Mode
Default: 120.
Usage guide: Use this command to set the maximum number of 802.11 authentication request frames a client may send within the threshold-interval-auth time.
Example: Set the threshold of the client sending 802.11 authentication request frame to 100.
active500EM(config-wireless)#wids-security client threshold-value-auth 100
13.2.25 wids-security client threshold-value-deauth
no wids-security client threshold-value-deauth
Function: Set the threshold of the client sending 802.11 deauthentication request frames. The no command will restore the threshold to the default value.
Parameters:
-
<1-99999>: threshold of the client sending 802.11 deauthentication request frames.
Command mode: Wireless Global Configuration Mode
Default: 120.
Usage guide: Use this command to set the maximum number of 802.11 deauthentication request frames a client may send within the threshold-interval-deauth time.
Example: Set the threshold of the client sending 802.11 deauthentication request frames as 100.
active500EM(config-wireless)#wids-security client threshold-value-deauth 100
13.2.26 wids-security client threshold-value-disassoc
no wids-security client threshold-value-disassoc
Function: Configure the threshold of client sending 802.11 disassociation request frames. The no command will restore the threshold to the default value.
Parameters:
-
<1-99999>: the threshold of client sending 802.11 disassociation request frames.
Command mode: Wireless Global Configuration Mode
Default: 120.
Usage guide: Use this command to set the maximum number of 802.11 disassociation request frames a client may send within the threshold-interval-disassoc time.
Example: Set the maximum number of 802.11 disassociation request frames a client may send as 1100.
active500EM(config-wireless)# wids-security client threshold-value-disassoc 1100
13.2.27 wids-security client threshold-value-probe
no wids-security client threshold-value-probe
Function: Set the threshold of the client sending 802.11 probe request frame. The no command will restore the threshold to the default value.
Parameters:
-
<1-99999>: threshold of client sending 802.11 probe request frame.
Command mode: Wireless Global Configuration Mode
Default: 120.
Usage guide: Use this command to set the maximum number of 802.11 probe request frames a client may send within the threshold-interval-probe time.
Example: Set the threshold of client sending 802.11 probe request frame as 1100.
active500EM(config-wireless)# wids-security client threshold-value-probe 1100
13.3 Commands for anti-attack function
13.3.1 clear wireless detected-client non-auth
Function: Clear the client from the detected-client database.
Parameters:
-
<macaddr>: MAC address of client.
Command mode: Wireless Global Configuration Mode
Default: None.
Usage guide: Use this command to clear the specified client from the detected-client database. If the client MAC address is not specified, clear the detected-client database. If the client state is authenticated, it will not be deleted.
Example: Clear the client with MAC address of F8-F7-D3-00-03-e0 from detected-client database.
active500EM(config-wireless)#clear wireless detected-client F8-F7-D3-00-03-e0 non-auth
13.3.2 debug wireless wids msg
no debug wireless wids msg
Function: Enable the debug information of the WIDS sending messages (Client-Threat-Deauthenticate Message and WIDS-Configuration Message). The no command will disable the information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to enable the debug information of WIDS sending messages, including the message content and the sending result.
Example: Enable the debug information of WIDS sending message.
active500EM#debug wireless wids msg
13.3.3 show wireless wids-security de-authentication
Function: Show the attacking rogue AP list.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show the attacking rogue AP list.
Example: Show the attacking rogue AP list.
active500EM#show wireless wids-security de-authentication
BSSID             Channel Attack Time  Age
----------------- ------- ------------ -----------
F8-F7-D3-00-03-e0 11      0d:00:00:13  0d:00:00:13
F8-F7-D3-00-03-e1 11      0d:00:00:12  0d:00:00:12
Parameters | Explanation |
BSSID | Rogue AP BSSID |
Channel | Rogue AP work channel |
Attack time | Anti-attack start time |
Age | Time of receiving this Rogue AP RF report |
13.3.4 wids-security ap-de-auth-attack
no wids-security ap-de-auth-attack
Function: Enable rogue AP counter-attack function. The no command will disable this function.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Disabled.
Usage guide: When the AC controller detects a rogue AP, it adds that AP to the attacking rogue AP list. If this function is enabled, the list is sent to all managed APs in a WIDS-configuration message. A radio in Sentry Mode impersonates a client and sends authentication messages to the rogue AP; a radio in Active Mode sends deauthentication messages to the clients associated with the rogue AP. Use this command to enable the counter-attack.
Example: Enable the Rogue AP counter-attack function.
active500EM(config-wireless)#wids-security ap-de-auth-attack
13.3.5 wids-security client threat-mitigation
no wids-security client threat-mitigation
Function: Enable the known client protection function. The no command will disable this function.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Disable known client protection.
Usage guide: If the AC controller has detection of valid clients associating with a rogue AP enabled and detects such a threat, the client is identified as a rogue client and a rogue client information message is sent to the client-security task. The message queue holds 128 messages, so at most 128 messages can be queued. On receiving the message from the WIDS module, the client-security task builds a client-threat-deauthenticate message and sends it to the managed AP. A radio in sentry mode impersonates this client and sends a deauthentication message to its associated AP, breaking the connection with the rogue AP. Use this command to protect known clients.
Example: Enable known client protection function.
active500EM(config-wireless)#wids-security client threat-mitigation
13.3.6 wireless acknowledge-rogue
Parameters:
-
<macaddr>: rogue AP MAC address.
Command mode: Wireless Global Configuration Mode
Default: None.
Usage guide: Once the rogue AP threat has been cleared, this command restores the AP's state in the RF scan database to the state it had before it was classified as rogue. If a MAC address is specified, only the AP with that MAC address is changed; otherwise the status of every rogue AP is changed.
Example: Change the rogue AP with MAC address of F8-F7-D3-00-03-e1.
active500EM#wireless acknowledge-rogue F8-F7-D3-00-03-e1
13.4 Commands for user isolation
13.4.1 l2tunnel station-isolation allowed vlan
no l2tunnel station-isolation allowed vlan
Function: Enable the user isolation in centralized forwarding mode. The no command will disable this isolation.
Parameters:
-
WORD: VLAN list to set as the allowed VLAN list, overwriting the old configuration.
-
add: add a VLAN list to the existing allowed VLAN list.
-
remove: delete the VLANs in the VLAN list from the existing allowed VLAN list.
Command mode: Wireless Global Configuration Mode
Default: Disable this user isolation.
Usage guide: Use this command to enable the user isolation function in centralized forwarding mode.
Example: Enable the user isolation function of VLAN100 in centralized forwarding mode.
active500EM#l2tunnel station-isolation allowed vlan 100
13.4.2 station-isolation
no station-isolation
Function: Enable the user isolation of the AP in distributed forwarding mode. The no command will disable this isolation.
Parameters: None.
Command mode: Radio Configuration Mode
Default: Disable the user isolation.
Usage guide: In distributed forwarding mode the AP driver layer must parse the 802.11 data frame. If the destination address is a client under the same BSSID, the frame is forwarded directly; otherwise it is converted to 802.3 format and passed to the internal bridge, which forwards it onto the wired network, much like traditional wired forwarding. User isolation therefore has to be completed by the AP and the attached wired network together; isolating users on the same AP and in the same VLAN requires this isolation to be enabled. Use this command to enable user isolation.
Example: Enable the user isolation of the AP.
active500EM(config-wireless)#ap profile 1
active500EM(config-ap-profile)#radio 1
active500EM(config-ap-profile-radio)#station-isolation
13.5 Commands for ARP suppression
13.5.1 arp-suppression
no arp-suppression
Function: Enable the ARP suppression function of the AP; this automatically enables ARP snooping, ARP broadcast-to-unicast, ARP filtering and DHCP/BOOTP frame detection as well. The no command disables this function and automatically disables the other detection functions.
Parameters: None.
Command mode: Network Configuration Mode
Default: Disabled.
Usage guide: This function uses ARP snooping and DHCP/BOOTP snooping to record the IP-to-MAC mapping of every locally authenticated client. Unnecessary ARP broadcast packets are reduced by converting ARP broadcasts to unicast or by ARP proxying, which saves client battery power. Use this command to enable the ARP suppression function.
Example: Enable the ARP suppression function of the AP.
active500EM(config-wireless)#network 1
active500EM(config-network)#arp-suppression
13.5.2 show wireless ap statistics
Function: Show ARP suppression information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show the ARP suppression information.
Example: Show ARP suppression information.
active500EM#show wireless ap F8-F7-D3-00-03-60 statistics
MAC address.................................... F8-F7-D3-00-03-60
Location.......................................
WLAN Packets Received.......................... 657165
WLAN Packets Transmitted....................... 22491
WLAN Bytes Received............................ 53895600
WLAN Bytes Transmitted......................... 2106411
WLAN Packets Receive Dropped................... 0
WLAN Packets Transmit Dropped.................. 0
WLAN Bytes Receive Dropped..................... 0
WLAN Bytes Transmit Dropped.................... 0
Ethernet Packets Received...................... 34983
Ethernet Packets Transmitted................... 665519
Ethernet Bytes Received........................ 3098387
Ethernet Bytes Transmitted..................... 91636961
Ethernet Multicast Packets Received............ 11217
Total Transmit Errors.......................... 0
Total Receive Errors........................... 0
Central L2 Tunnel Bytes Received............... 353162
Central L2 Tunnel Packets Received............. 57
Central L2 Tunnel Multicast Packets Received... 4035
Central L2 Tunnel Bytes Transmitted............ 44695300
Central L2 Tunnel Packets Transmitted.......... 654775
Central L2 Tunnel Multicast Packets Transmitt.. 2391
ARP Reqs Converted from Bcast to Ucast......... 0
Filtered ARP Requests.......................... 0
Broadcasted ARP Requests....................... 0
Parameters | Explanation |
Filtered ARP requests | Number of ARP requests answered by ARP proxy |
Broadcasted ARP requests | Number of ARP requests handled by ARP broadcast-to-unicast |
13.5.3 show wireless client status
Function: Show ARP snooping information.
Parameters:
-
<macaddr>: Client MAC address.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show the ARP snooping information. Show all client statuses if the client MAC address is not specified.
Example: Show the client status with MAC of F8-F7-D3-00-03-E0.
active500EM#show wireless client F8-F7-D3-00-03-E0 status
MAC address.................................... F8-F7-D3-00-03-E0
Detected IP Address............................ 192.168.1.4
VAP MAC Address................................ F8-F7-D3-00-03-E1
AP MAC Address................................. F8-F7-D3-00-03-Ef
Location.......................................
Radio.......................................... 1 - 802.11b/g/n
Associating Switch............................. Peer Switch
Switch MAC Address............................. F8-F7-D3-00-03-F0
Switch IP Address.............................. 192.168.1.1
Tunnel IP Address.............................. -----
SSID........................................... test
NetBIOS Name................................... TEST1
Status......................................... Authenticated
Channel........................................ 11
User Name......................................
VLAN........................................... 40
Transmit Data Rate............................. 144.4 Mbps
802.11n Capable................................ Yes
STBC Capable................................... No
Inactive Period................................ 0d:00:00:00
Age............................................ 0d:00:00:05
Network Time................................... 0d:01:06:25
Parameters | Explanation |
MAC address | Client MAC address |
Detected IP address | Client IP address |
13.6 Commands for dynamic blacklist
13.6.1 dynamic-blacklist
no dynamic-blacklist
Function: Enable dynamic blacklist function. The no command disables this function.
Parameters: None.
Command mode: Wireless Global Mode
Default: Disabled.
Usage guide: This command is used to enable the dynamic blacklist. When a detected threat matches a dynamic blacklist condition, the client is considered rogue: its MAC address is put into the dynamic blacklist and sent to the managed APs to stop the flooding attack from this client.
Example: Enable dynamic blacklist function.
active500EM(config-wireless)#dynamic-blacklist
13.6.2 dynamic-blacklist lifetime
no dynamic-blacklist lifetime
Function: Configure lifetime of the dynamic blacklist. The no command resets to default.
Parameters:
-
<60-3600>: the aging time; unit is second. One hour is the maximum.
Command mode: Wireless Global Mode
Default: 300s.
Usage guide: This command is used to configure the aging time of the dynamic blacklist. The aging time is set when a new entry is added to the dynamic blacklist. While the entry is alive, the AP drops the data frames of this rogue client. Once the lifetime has elapsed, the entry is deleted and the data frames of this client are accepted again.
Example: Configure aging time of dynamic blacklist as 600s.
active500EM(config-wireless)#dynamic-blacklist lifetime 600
13.6.3 clear dynamic-blacklist
Parameters:
-
<FF-FF-FF-FF-FF-FF>: MAC address of the wireless terminal whose record is deleted.
-
If no MAC address is given, all wireless terminal records in the dynamic blacklist are deleted.
Command mode: Privileged EXEC Mode
Default: None.
Usage guide: This command is used to manually delete one or all wireless terminal MAC address records from the dynamic blacklist; the matching table entries are removed and the data frames of those clients are accepted again.
Example: Manually delete the MAC address record of 30-46-9a-30-2b-e4 of wireless terminal in the dynamic blacklist.
active500EM#clear wireless dynamic-blacklist 30-46-9a-30-2b-e4
13.6.4 show wireless dynamic-blacklist
Function: Show all wireless terminal records in the dynamic blacklist, including the MAC address, keep-alive time, the time from the last update, and the anti-flooding attack detection type of wireless terminal.
Parameters: None.
Command mode: Privileged EXEC Mode
Default: None.
Usage guide: This command is used to show all wireless terminal records in the dynamic blacklist.
Example: Show all wireless terminal records in the dynamic blacklist.
active500EM#show wireless dynamic-blacklist
Client             LifeTime  Time Since
MAC Address        (seconds) Last Report Rogue Classification
------------------ --------- ----------- ---------------------
54-e6-fc-0b-a8-36  300       0d:00:00:25 Exceed Configured Probe Rate
20-7c-8f-7c-8f-73  300       0d:00:00:25 Exceed Configured Probe Rate
00-22-5f-5a-22-93  300       0d:00:00:25 Exceed Configured Probe Rate
00-23-4e-e1-a7-d2  300       0d:00:00:25 Exceed Configured Probe Rate
e0-05-c5-8e-10-2f  300       0d:00:00:25 Exceed Configured Probe Rate
20-7c-8f-7c-90-4c  300       0d:00:00:25 Exceed Configured Probe Rate
18-f4-6a-00-e2-eb  300       0d:00:00:25 Exceed Configured Probe Rate
74-ea-3a-10-bb-ab  300       0d:00:00:25 Exceed Configured Probe Rate
08-10-74-ad-93-c8  300       0d:00:00:25 Exceed Configured Probe Rate
18-f4-6a-00-14-62  300       0d:00:00:25 Exceed Configured Probe Rate
00-21-00-cf-f0-e0  300       0d:00:00:25 Exceed Configured Probe Rate
fc-25-3f-d8-d0-b8  300       0d:00:00:25 Exceed Configured Probe Rate
8c-7b-9d-fb-b4-51  300       0d:00:00:25 Exceed Configured Probe Rate
00-0b-c0-02-9d-ac  300       0d:00:00:25 Exceed Configured Probe Rate
e0-b9-ba-dd-b8-c8  300       0d:00:00:25 Exceed Configured Probe Rate
30-46-9a-30-2b-e4  300       0d:00:00:25 Exceed Configured Probe Rate
Dynamic-blacklist entries Count.................16
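The per-frame-type flood detection of 13.2.18 through 13.2.27 (threshold-interval and threshold-value, defaults 60 s and 120) and the dynamic blacklist aging of 13.6 (lifetime, default 300 s, plus clear), modelled together as an added Python illustration; this is not the controller's own code. The frame-type names, the non-probe classification strings, the constructed traffic and the client MAC addresses are assumptions.

```python
from collections import defaultdict, deque

# Defaults stated in the manual: 60 s detection interval, 120 frames per
# interval, 300 s blacklist lifetime.
DEFAULT_INTERVAL, DEFAULT_THRESHOLD, DEFAULT_LIFETIME = 60, 120, 300

# Rogue classification text per frame type.  Only the probe string appears in
# the manual's 'show wireless dynamic-blacklist' output; the others are assumed.
CLASSIFICATION = {
    "probe": "Exceed Configured Probe Rate",
    "auth": "Exceed Configured Auth Rate",
    "deauth": "Exceed Configured Deauth Rate",
    "assoc": "Exceed Configured Assoc Rate",
    "disassoc": "Exceed Configured Disassoc Rate",
}


class FloodDetector:
    """Per-client sliding window: more than threshold-value frames of one
    type inside threshold-interval seconds is reported as a flood."""

    def __init__(self, interval=None, threshold=None):
        self.interval = dict.fromkeys(CLASSIFICATION, DEFAULT_INTERVAL)
        self.threshold = dict.fromkeys(CLASSIFICATION, DEFAULT_THRESHOLD)
        self.interval.update(interval or {})
        self.threshold.update(threshold or {})
        if any(not 1 <= v <= 3600 for v in self.interval.values()):
            raise ValueError("threshold-interval must be 1-3600 s")
        if any(not 1 <= v <= 99999 for v in self.threshold.values()):
            raise ValueError("threshold-value must be 1-99999")
        self._seen = defaultdict(deque)  # (mac, kind) -> frame timestamps

    def observe(self, mac, kind, ts):
        """Record one management frame; return a classification on flood."""
        window = self._seen[(mac.lower(), kind)]
        window.append(ts)
        while ts - window[0] >= self.interval[kind]:
            window.popleft()  # frame fell out of the detection interval
        if len(window) > self.threshold[kind]:
            return CLASSIFICATION[kind]
        return None


class DynamicBlacklist:
    """MAC -> (time added, classification); an entry ages out after
    'lifetime' seconds, after which the client's frames are accepted again."""

    def __init__(self, lifetime=DEFAULT_LIFETIME):
        if not 60 <= lifetime <= 3600:  # CLI range <60-3600>
            raise ValueError("lifetime must be 60-3600 s")
        self.lifetime = lifetime
        self._entries = {}

    def add(self, mac, classification, now):
        # a client already listed keeps its original aging time
        self._entries.setdefault(mac.lower(), (now, classification))

    def clear(self, mac=None):
        """Like 'clear wireless dynamic-blacklist [mac]': one entry or all."""
        if mac is None:
            self._entries.clear()
        else:
            self._entries.pop(mac.lower(), None)

    def entries(self, now):
        """Live entries as (mac, lifetime, seconds since added, classification)."""
        self._entries = {m: e for m, e in self._entries.items()
                         if now - e[0] < self.lifetime}
        return [(m, self.lifetime, now - added, cls)
                for m, (added, cls) in self._entries.items()]


def simulate():
    """Constructed traffic: one client sends 150 probe requests in 10 s, a
    second probes every 12 s.  Returns the listed MACs at t=20 s and t=400 s."""
    det, bl = FloodDetector(), DynamicBlacklist()
    frames = [("54-e6-fc-0b-a8-36", "probe", i / 15) for i in range(150)]
    frames += [("00-11-22-33-44-55", "probe", i * 12) for i in range(5)]
    for mac, kind, ts in sorted(frames, key=lambda f: f[2]):
        cls = det.observe(mac, kind, ts)
        if cls:
            bl.add(mac, cls, ts)
    return ([m for m, *_ in bl.entries(20)], [m for m, *_ in bl.entries(400)])
```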