Commands for wireless security

Command: debug wireless wids internal-info
no debug wireless wids internal-info
Function: Enable debugging of the WIDS threat detection. The no command will disable the information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to debug the WIDS threat detection function when needed. The information includes the AP MAC of the sending RF Scan Report, the AP MAC, and the VAP MAC of the threat detection, the result of the detection steps, and printing the received Neighbor AP Info & Neighbor AP Info Part2 of the RF Scan Report Message.
Example: Enable the debug information of the WIDS threat detection.

active500EM#debug wireless wids internal-info

 

Command: show wireless ap <macaddr> rf-scan rogue-classification
Function: Show the threat detection log summary information of the appointed AP.
Parameters:

• <macaddr>: rogue AP MAC address.

Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show the threat detection log summary information of the AP.
Example: MAC address as f8-f7-d3-00-03-a0. Show the threat detection log summary information of the AP.

active500EM#show wireless ap f8-f7-d3-00-03-a0 rf-scan rogue-classification
              Cond                        Test           Time Since  Time Since
Test ID       Detect MAC Addr (radio)     Config  Result 1st Report  Last Report
------------- ------ -------------------- ------- ------ ----------- -----------
WIDSAPROGUE01 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE02 True   f8-f7-d3-00-03-a0(1) Enable  Rogue  0d:08:18:41 0d:00:29:18
WIDSAPROGUE03 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE04 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE05 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE06 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE07 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE08 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE09 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE10 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE11 False  00-00-00-00-00-00(0) Enable         0d:00:00:00 0d:00:00:00
WIDSAPROGUE01.................................. Administrator configured rogue AP
WIDSAPROGUE02.................................. Managed SSID from an unknown AP
WIDSAPROGUE03.................................. Managed SSID from a fake managed AP
WIDSAPROGUE04.................................. AP without an SSID
WIDSAPROGUE05.................................. Fake managed AP on an invalid channel
WIDSAPROGUE06.................................. Managed SSID detected with incorrect security
WIDSAPROGUE07.................................. Invalid SSID from a managed AP
WIDSAPROGUE08.................................. AP is operating on an illegal channel
WIDSAPROGUE09.................................. Standalone AP with unexpected configuration
WIDSAPROGUE10.................................. Unexpected WDS device detected on network
WIDSAPROGUE11.................................. Unmanaged AP detected on wired network

 

Command: show wireless wids-security
Function: Show the configured AP threat detection parameters.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Show the configured AP threat detection detailed parameters, including: detection enabled, the shortest waiting time of each round of detection, and other parameters.
Example: Show the configured AP rogue-detection parameters.

active500EM#show wireless wids-security
Rogue - admin configured Rogue AP???s............ Enable
Rogue - APs on an illegal channel.............. Enable
Rogue - fake managed AP / invalid channel...... Enable
Rogue - fake managed AP / no SSID.............. Enable
Rogue - managed AP / invalid SSID.............. Enable
Rogue - managed SSID / invalid security........ Enable
Rogue - standalone AP / unexpected config...... Enable
Rogue - unknown AP / managed SSID.............. Enable
Rogue - fake managed AP / managed SSID......... Enable
Rogue - unmanaged AP on a wired network........ Enable
Rogue - unexpected WDS devices................. Enable
OUI Database mode.............................. Local
Rogue detected trap interval................... 60 seconds
Wired network detection interval............... 60 seconds
AP De-Authentication Attack.................... Disable

 

Command: show wireless wids-security rogue-test-descriptions
Function: Show the explanation of AP threat detection.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Show the explanation of AP threat detection.
Example: Show the explanation of AP threat detection.

active500EM#show wireless wids-security rogue-test-descriptions
WIDSAPROGUE01.................................. Administrator configured rogue AP
WIDSAPROGUE02.................................. Managed SSID from an unknown AP
WIDSAPROGUE03.................................. Managed SSID from a fake managed AP
WIDSAPROGUE04.................................. AP without an SSID
WIDSAPROGUE05.................................. Fake managed AP on an invalid channel
WIDSAPROGUE06.................................. Managed SSID detected with incorrect security
WIDSAPROGUE07.................................. Invalid SSID from a managed AP
WIDSAPROGUE08.................................. AP is operating on an illegal channel
WIDSAPROGUE09.................................. Standalone AP with unexpected configuration
WIDSAPROGUE10.................................. Unexpected WDS device detected on network
WIDSAPROGUE11.................................. Unmanaged AP detected on wired network

 

Command: trapflags rogue-ap
no trapflags rogue-ap
Function: Enable the detection of rogue AP traps. If it detects a rogue AP, the AC will immediately send the trap. The no command disables this function.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Disable the function.
Usage guide: Rogue AP trap can be detected by this command. The AC controller runs AP risk detection; if the threat is detected, identify the AP as rogue and send a trap to notify the network administrator.
Example: Enable the detection of rogue AP trap.

active500EM(config-wireless)#trapflags rogue-ap

 

Command: wired-detection-vlan <0-4094>
no wired-detection-vlan
Function: Set VLAN ID of the detection packet of unmanaged AP access to wired network. The no command will reset the default VLAN ID value as 1.
Parameters:

• <0-4094>: VLAN ID; range is 0~4094. 0 means the test frame is without a tag.

Command mode: AP Profile Configuration Mode
Default: 1.
Usage guide: An unmanaged AP connects to the wired network detection. An AP that is in sentry mode monitors the radio every 1 second to switch channels for monitoring. If the detection function is enabled, after switching to the new channel, the AP sends multicast frames addresses with MAC address of 01-02-BC-00-12-00 to the wired network. The VLAN ID of the multicast frame tag is the configuration value in this command; if configured as 0, multicast frames with no VLAN is flagged. If this command is not configured, the multicast frame tag of the VLAN ID is 1.
Example: Set the VLAN ID as VLAN 2 of detection package of unmanaged AP access to wired network.

active500EM(config-wireless)#ap profile 1
active500EM(config-ap-profile)#wired-detection-vlan 2
active500EM(config- ap-profile)#no wired-detection-vlan

 

Command: wids-security admin-config-rogue
Function: Enable the illegal AP detection configured by network administrator.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable this function.
Usage guide: The network administrator can set the authentication in the valid-AP database of the local or radius server. Administrators can manually configure the three states of the AP: managed, standalone, and rogue. The rogue configuration is the rogue AP with the valid-AP local database or valid radius server. Use this command to enable the rogue AP.
Example: Enable the rogue AP detection configuration.

active500EM(config-wireless)#wids-security admin-config-rogue

 

Command: wids-security ap-chan-illegal
no wids-security ap-chan-illegal
Function: Enable the illegal channel detection of the AP. The no command will disable this function.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the illegal channel detection.
Usage guide: Different countries have different valid radio frequencies. The lawful channel in one country may be illegal in another. If the AP works in an illegal channel, use this command to detect the rogue AP.
Example: Enable illegal channel detection.

active500EM(config-wireless)#wids-security ap-chan-illegal

 

Command: wids-security fakeman-ap-chan-invalid
no wids-security fakeman-ap-chan-invalid
Function: Enable the beacon frame detection of the received managed AP in the invalid channel. The no?command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable beacon frame detection.
Usage guide: The managed AP channels are distributed by the AC, so the AC knows which channel the managed AP should work in. The hacker will fake manage the AP MAC address but the channel used to send the beacon frames may be in the wrong channel. Use this command to detect this type of rogue AP.
Example: Enable the beacon frame detection receiving managed AP in the wrong channel.

active500EM(config-wireless)#wids-security fakeman-ap-chan-invalid

 

Command: wids-security fakeman-ap-managed-ssid
no wids-security fakeman-ap-managed-ssid
Function: Enable the illegal vendor field detection in beacon frames. The no command will disable this function.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the vendor field illegal detected.
Usage guide: Hackers pose as the managed AP???s MAC and send a managed SSID. The vendor field is carried in the beacon frame of the managed AP in this scenario. By detecting the vendor field, the rogue AP of the managed AP MAC address can be detected (if there is a no vendor field, the AP MAC address will be 00:00:00:xx:xx:xx in the neighbor AP info of the RF scan report message).
Example: Enable the illegal vendor field detection in beacon frames.

active500EM(config-wireless)#wids-security fakeman-ap-managed-ssid

 

Command: wids-security fakeman-ap-no-ssid
no wids-security fakeman-ap-no-ssid
Function: Enable detection of no SSID field in the beacon frame. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable detection of no SSID field in the beacon frame.
Usage guide: In order to avoid being detected, the hacker may not incorporate the SSID field in the beacon frames. The hacker can still send the probe response frame to the client sent probe request to deceive the client in order to access and obtain security information. Use this command to detect such a rogue AP.
Example: Enable detection of no SSID field in the beacon frame.

active500EM(config-wireless)#wids-security fakeman-ap-no-ssid

 

Command: wids-security managed-ap-ssid-invalid
no wids-security managed-ap-ssid-invalid
Function: Enable invalid SSID detection of the managed AP. The no command will disable the detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable invalid SSID detection of the managed AP.
Usage guide: The AP that detects the managed AP will send the RF scan report message to the AC controller. If the managed AP sends an invalid SSID, the information will include the invalid SSID. Use this command to detect the invalid SSID and determine if it is a rogue AP.
Example:

active500EM(config-wireless)#wids-security managed-ap-ssid-invalid

 

Command: wids-security managed-ssid-secu-bad
no wids-security managed-ssid-secu-bad
Function: Enable detection that the AP has used a wrong security authentication method. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the detection that the AP has used a wrong security authentication method.
Usage guide: The command, security authentication method (open, WEP, WPA) of the AP in the beacon frame configuration will also be recorded on the AC controller. This command is used to detect whether the two security authentication methods are consistent in order to detect the rogue AP.
Example: Enable the detection that the AP has used a wrong security authentication method.

active500EM(config-wireless)#wids-security managed-ssid-secu-bad

 

Command: wids-security rogue-det-trap-interval < <0 | 60-3600> >
no wids-security rogue-det-trap-interval
Function: Set the time interval for detection of the rogue AP. The no command will restore the default value.
Parameters:

• <0>: enter the number 0 to disable this trap.
• <60-3600>: time interval; unit is second.

Command mode: Wireless Global Configuration Mode
Default: 300s.
Usage guide: Configure the system to check whether there is a rogue AP at regular intervals; if there is a rogue AP, the AC controller will send ws rogues present trap to remind the user that there is currently an existing rogue AP. This command is used to configure the time interval.
Example: Set the the interval of detection for the rogue AP to 1000s.

active500EM(config-wireless)#wids-security client rogue-det-trap-interval 1000

 

Command: wids-security standalone-cfg-invalid
no wids-security standalone-cfg-invalid
Function: Enable the error detection of the lawful FAT AP configuration. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the error detection of the legislation standalone AP configuration.
Usage guide: If the AP is in the standalone state, and the scanned AP configuration (working channel, SSID, security authentication mode, WDS mode, and access to the wired network) is detected as different to the AC controller, use this command to detect the rogue AP.
Example: Enable the error detection of the lawful FAT AP configuration.

active500EM(config-wireless)# wids-security standalone-cfg-invalid

 

Command: wids-security unknown-ap-managed-ssid
no wids-security unknown-ap-managed-ssid
Function: Enable the detection of the unknown AP posing as the legal SSID. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the detection of the unknown AP posing as the legal SSID.
Usage guide: The network configuration of the AC controller SSID inquiry system records the legal SSID. Unknown APs may pose as the legal SSID to deceive client access and steal customer information. Use this command to detect the rogue AP.
Example: Enable the detection of the unknown AP posing as the legal SSID.

active500EM(config-wireless)#wids-security unknown-ap-managed-ssid

 

Command: wids-security unmanaged-ap-wired
no wids-security unmanaged-ap-wired
Function: Enable the detection of the unmanaged AP accessing the wired network. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the detection of the unmanaged AP accessing the wired network.
Usage guide: Only the managed AP can access the wired network, so if the unknown AP accesses the wired network, this command can detect the rogue AP.
Example: Enable the detection of an unmanaged AP accessing the wired network.

active500EM(config-wireless)#wids-security unmanaged-ap-wired

 

Command: wids-security wds-device-unexpected
no wids-security wds-device-unexpected
Function: Enable the detection of an AP working in WDS mode. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the detection of an AP working in the WDS mode.
Usage guide: WDS (Wireless Distribution System) is the protocol of the AP connecting through the wireless network. The APs running in WDS mode are connected to each other by a bridge or repeater. It reduces the dependence of the wired network and improves the flexibility and convenience of the entire network structure. Use this command to detect whether the AP WDS state is the same as the AP WDS state in the AC database. If they are not the same, then the AP is confirmed as a rogue AP.
Example: Enable the detection of the AP working in WDS mode.

active500EM(config-wireless)#wids-security wds-device-unexpected

 

Command: wids-security wired-detection-interval <interval>
no wids-security wired-detection-interval
Function: Set the shortest time interval of each detection. The no command will restore the time interval to the default value as 60s.
Parameters:

• <interval>: the shortest time interval of each detection for the AP; range is 1~3600s.

Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: In order to avoid the AP from sending the detection data packets frequently, set the shortest time interval; then the AP must wait for the next round of detection (during this time, the RF scan function is running). Use this command to set the shortest time interval.
Example: Set the time interval of each detection to 360.

active500EM(config-wireless)#wids-security wired-detection-interval 360

 

Command: debug wireless wids known-client Internal-info
no debug wireless wids known-client Internal-info
Function: Enable the debug information of the known-client database. The no command will disable this
information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to display the debugging information of the known-client database to show the information of added, deleted, and checked known-clients.
Example: Enable the debugging of the known-client database.

active500EM#debug wireless wids known-client Internal-info

 

Command: oui database <ouival> [<oui>] no oui database <ouival>
Function: Add OUI entries to the OUI database; used to show and detect. The no command will delete the?entries from the local OUI database corresponding OUI value.
Parameters:

• <ouival>: the OUI value of AP or client company.
• <oui>: the company name of this OUI.

Command mode: Wireless Global Configuration Mode
Default: None.
Usage guide: Use this command to add/delete OUI entries in order to advance the detection that uses the OUI list to detect threats.
Example: Add a OUI entry with the OUI value as F8-F7-D3 to company vendor name.

active500EM(config-wireless)#oui database F8-F7-D3 ???vendor name???

 

Command: show wireless client <macaddr> detected-client rogue-classification
Function: Show the client threat detection log.
Parameters:

• <macaddr>: client MAC address.

Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show the client threat detection log.
Example: Show the threat detection log of client with MAC address D8-D7-D3-00-03-60.

active500EM#show wireless client D8-D7-D3-00-03-60 detected-client rogue-classification
               Cond                        Test    Test   Time Since Time Since
Test ID        Detect MAC Addr (radio)     Config  Result 1st Report Last Report
-------------- ------ -------------------- ------- ------ ----------- ------------
WIDSCLNTROGUE1 False  00-00-00-00-00-00(0) Disable        0d:08:40:54 0d:08:40:54
WIDSCLNTROGUE2 False  D8-D7-D3-00-03-60(1) Enable         0d:08:40:54 0d:00:00:01
WIDSCLNTROGUE3 False  00-00-00-00-00-00(0) Disable        0d:08:40:54 0d:08:40:54
WIDSCLNTROGUE4 False  D8-D7-D3-00-03-60(1) Enable         0d:08:40:54 0d:00:00:01
WIDSCLNTROGUE5 False  00-00-00-00-00-00(0) Disable        0d:08:40:54 0d:08:40:54
WIDSCLNTROGUE6 False  D8-D7-D3-00-03-60(1) Enable         0d:08:40:54 0d:00:00:01
WIDSCLNTROGUE7 False  00-00-00-00-00-00(0) Disable        0d:08:40:54 0d:08:40:54
WIDSCLNTROGUE1................................. Client not in Known Client Database
WIDSCLNTROGUE2................................. Client exceeds configured rate for auth msgs
WIDSCLNTROGUE3................................. Client exceeds configured rate for probe msgs
WIDSCLNTROGUE4................................. Client exceeds configured rate for de-auth msgs
WIDSCLNTROGUE5................................. Client exceeds max failing authentications
WIDSCLNTROGUE6................................. Known client authenticated with unknown AP
WIDSCLNTROGUE7................................. Client OUI not in the OUI Database

Command: show wireless oui database [<ouival>] Function: Show the OUI database.
Parameters:

• <ouival>: OUI value of the AP or the client company.

Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show the specified OUI company information. If the OUI is not specified, then show all OUI database content.
Example: Show the OUI database with the company OUI value of F8-F7-D3.

active500EM#show wireless OUI database F8-F7-D3
OUI Value...................................... F8-F7-D3
OUI............................................

 

Command: show wireless wids-security client
Function: Show the configured client threat detection parameters.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to check the configured client threat detection parameters.
Example: Show the configured client threat detection parameters.

active500EM#show wireless wids-security client
Rogue detected trap interval................... 300 seconds
Rogue-Not in OUI database...................... Disable
Rogue-Not in Known Client list................. Disable
Rogue-Exceeds Auth Req ........................ Enable
Rogue-Exceeds DeAuth Req ...................... Enable
Rogue-Exceeds Probe Req ....................... Disable
Rogue-Exceeds Failed auth ..................... Disable
Rogue-Auth with unknown AP..................... Enable
Client Threat Mitigation....................... Disable
De-auth threshold interval..................... 300 seconds
De-auth threshold value........................ 10
Auth threshold interval........................ 300 seconds
Auth threshold value........................... 10
Probe threshold interval....................... 300 seconds
Probe threshold value.......................... 10
Auth failure threshold......................... 5
Known DB Location.............................. Local
Known DB RADIUS Server Name.................... Default-RADIUS-Server
Known DB RADIUS Server Status.................. Not Configured

 

Command: show wireless wids-security client rogue-test-descriptions
Function: Shows client threat detection description.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show client threat detection description.
Example: Show client threat detection description.

active500EM#show wireless wids-security client rogue-test-descriptions
WIDSCLNTROGUE1................................. Client not in Known Client Database
WIDSCLNTROGUE2................................. Client exceeds configured rate for auth msgs
WIDSCLNTROGUE3................................. Client exceeds configured rate for probe msgs
WIDSCLNTROGUE4................................. Client exceeds configured rate for de-auth msgs
WIDSCLNTROGUE5................................. Client exceeds max failing authentications
WIDSCLNTROGUE6................................. Known client authenticated with unknown AP
WIDSCLNTROGUE7................................. Client OUI not in the OUI Database

 

Command: wids-security client auth-with-unknown-ap
no wids-security client auth-with-unknown-ap
Function: Enable the detection of legal clients associated with the rogue AP. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the detection of legal clients associated with rogue APs.
Usage guide: The legal client may be accessing the network through a rogue AP. In this case the legal client information will be disclosed to the hacker using the rogue AP. Use this command to detect this type of rogue client.
Example: Enable the detection of the legal client associating with the rogue AP.

active500EM(config-wireless)#wids-security client auth-with-unknown-ap

 

Command: wids-security client configured-assoc-rate
no wids-security client configured-assoc-rate
Function: Enable flooding attack detection of the association request frame. The no command disables it.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enabled.
Usage guide: An association request frame flooded attack refers to a rogue client sending a large number of request frames to an AP device in a short period of time. The AP device will be inundated by a flooding attack message and cannot handle the real wireless terminal messages. Use this command to enable this detection to detect this class of rogue client.
Example: Enable flooding attack detection of association request frame.

active500EM(config-wireless)#wids-security client configured-assoc-rate

 

Command: wids-security client configured-auth-rate
no wids-security client configured-auth-rate
Function: Enable authentication request frame flood attack detection. The no command will disable this?command.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable authentication request frame flood attack detection.
Usage guide: Authentication request frame flooding attack refers to the rogue client sending a large number of authentication request frames to the AP device in a short time. The AP device will be flooded by attack packets and cannot handle the message of the wireless terminal. Enable this command to detect this type of rogue client.
Example: Enable authentication request frame flood attack detection.

active500EM(config-wireless)#wids-security client configured-auth-rate

 

Command: wids-security client configured-deauth-rate
no wids-security client configured-deauth-rate
Function: Enable the deletion of authentication request frame flooding attack detection. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the deletion of authentication request frame flooding attack detection.
Usage guide: Delete authentication request frame flood attack if the rogue client sends a large number of authentication request frames in a short time to an AP device. Use this command to enable the rogue OUI detection to detect such a rogue client.
Example: Enable the deletion authentication request frame flooding attack detection command.

active500EM(config-wireless)#wids-security client configured-deauth-rate

 

Command: wids-security client configured-disassoc-rate
no wids-security client configured-disassoc-rate
Function: Enable flooding attack detection of disassociation request frame. The no command disables it.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enabled.
Usage guide: Disassociation request frame flooded attack refers to a rogue client sending a large number of request frames to an AP device in a short period of time. The AP device will be inundated by flooding attack messages and cannot handle the real wireless terminal messages. Use this command to enable this detection to detect this class of rogue client.
Example: Enable flooding attack detection of disassociation request frame.

active500EM(config-wireless)#wids-security client configured-disassoc-rate

 

Command: wids-security client configured-probe-rate
no wids-security client configured-probe-rate
Function: Enable probe request frame flooding attack detection. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable probe request frame flooding attack detection.
Usage guide: Probe request frame flooding refers to the rogue client sending a large number of probe request frames to the AP device in a short time. This command can detect such a rogue client.
Example: Enable probe request frame flooding attack detection.

active500EM(config-wireless)#wids-security client configured-probe-rate

 

Command: wids-security client known-client-database
no wids-security client known-client-database
Function: Enable known client database detection. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Disable known client database detection.
Usage guide: Set the AC controller to read the known client database from the local or radius server. The known client database notes the appropriate client entry if the client is legitimate; otherwise, the client is not legitimate (rogue). Use this command to detect such a rogue client.
Example: Enable known client database detection.

active500EM(config-wireless)#wids-security client known-client-database

 

Command: wids-security client max-auth-failure
no wids-security client max-auth-failure
Function: Enable the maximum number of authentication failures. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Enable the maximum number of authentication failures.
Usage guide: Some rogue clients, in order to access the protected wireless network, will try to send authentication requests until the certification request is allowed. This command can detect such a rogue client.
Example: Enable the maximum number of authentication failures.

active500EM(config-wireless)#wids-security client max-auth-failure

 

Command: wids-security client oui-database
no wids-security client oui-database
Function: Enable OUI illegal detection. The no command will disable this detection.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Disable OUI illegal detection.
Usage guide: Checks the OUI field (the first three bytes) of the destination client MAC address to verify that the OUI of client exists in the OUI database. Use this command to detect such a rogue client.
Example: Enable OUI illegal detection.

active500EM(config-wireless)#wids-security client oui-database

 

Command: wids-security client rogue-det-trap-interval ?0 | 60-3600> >
no wids-security client rogue-det-trap-interval
Function: Set the interval of detection for rogue clients. The no command will restore the interval to the default value.
Parameters:

• <0>: enter the number 0 to disable this trap.
• <60-3600>: time interval; unit is seconds.

Command mode: Wireless Global Configuration Mode
Default: 300s.
Usage guide: Set at a regular interval. The system will check whether there is a rogue client. If one exists, the AC controller sends ws rogue client present trap to alert the user. Use this command to set the time interval.
Example: Set the interval of detection for rogue client as 1000 seconds.

active500EM(config-wireless)#wids-security client rogue-det-trap-interval 1000

 

Command: wids-security client threshold-auth-failure <1-99999>
no wids-security client threshold-auth-failure
Function: Set the threshold of the client authentication failure. The no command will restore the threshold to the default value.
Parameters:

• <1-99999>: threshold of client authentication failure number.

Command mode: Wireless Global Configuration Mode
Default: 5.
Usage guide: Detect the rogue AP by the number of client certifications (beyond the configured threshold). Use this command to set the threshold of client authentication failures.
Example: Set the threshold of client authentication failure number to 1000.

active500EM(config-wireless)# wids-security client threshold-auth-failure 1000

 

Command: wids-security client threshold-interval-assoc <1-3600>
no wids-security client threshold-interval-assoc <1-3600>
Function: Configure the detection time of the client sending 802.11 association request frames. The no?command resets to default.
Parameters:

• <1-3600>: the detection interval for a client sending association request frames; unit is second.

Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: Determine if there is a flooding attack of the association request frame by the number of association request frames detected in the configured time interval. Use this command to configure the detection time interval of association request frames.
Example: Configure the detection time interval of the client sending 802.11 association request frame as 360s.

active500EM(config-wireless)# wids-security client threshold-interval-assoc 100

 

Command: wids-security client threshold-interval-auth <1-3600>
no wids-security client threshold-interval-auth
Function: Set the detection interval of the client sending 802.11 authentication request frame. The no command will restore the interval to the default value.
Parameters:

• <1-3600>: interval of the client sending authentication request frame; unit is seconds.

Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: Based on the number of authentication request frames (whether it exceeds the threshold) to determine if there is an authentication request frame flood attack. Use this command to set the authentication request frame detection time.
Example: Set the detection interval of the client sending 802.11 authentication request frame as 360s.

active500EM(config-wireless)#wids-security client threshold-interval-auth 360

 

Command: wids-security client threshold-interval-deauth <1-3600>
no wids-security client threshold-interval-deauth
Function: Set the detection interval of the client sending 802.11 deletion authentication request frame. The no command will restore the interval to the default value.
Parameters:

• <1-3600>: detection interval of client sending 802.11 deletion authentication request frame; unit is seconds.

Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: Based on the number of deletion authentication request frames (whether it exceeds the threshold) determine if there is a deletion authentication request frame flood attack. Use this command to set the deletion authentication request frame detection time.
Example: Set the detection interval of the client sending 802.11 deletion authentication request frame as 100 seconds.

active500EM(config-wireless)#wids-security client threshold-interval-deauth 100

 

Command: wids-security client threshold-interval-disassoc <1-3600>
no wids-security client threshold-interval-disassoc
Function: Configure the detection time of the client sending 802.11 disassociation request frame. The no command recovers to be default.
Parameters:

• <1-3600>: the detection time of the client sending disassociation request frames; unit is seconds.

Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: Show whether there is a flooding attack of disassociation request frame through the number of disassociation request frames detected in the configured time interval. Use this command to configure the detection time of disassociation request frames.
Example: Configure the detection time of the client sending 802.11 disassociation request frame to 100s.

active500EM(config-wireless)#wids-security client threshold-interval-disassoc 100

 

Command: wids-security client threshold-interval-probe <1-3600>
no wids-security client threshold-interval-probe
Function: Set the detection interval of the client sending 802.11 probe request frames. The no command will restore the interval to the default value.
Parameters:

• <1-3600>: detection interval of the client sending 802.11 probe request frames; unit is seconds.

Command mode: Wireless Global Configuration Mode
Default: 60s.
Usage guide: Based on the number of probe request frames (whether it exceeds the threshold), determine if there is a probe request frame flood attack. This command can be used to set the probe request frame detection time interval.
Example: Set the detection time interval of the client sending 802.11 probe request frame as 100 seconds.

active500EM(config-wireless)#wids-security client threshold-interval-probe 100

 

Command: wids-security client threshold-value-assoc <1-99999>
no wids-security client threshold-value-assoc
Function: Configure the threshold of the client sending 802.11 association request frames. The no command will restore the threshold to the default value.
Parameters:

• <1-99999>: the threshold of the client sending 802.11 association request frame.

Command mode: Wireless Global Configuration Mode
Default: 120.
Usage guide: Use this command to set the maximum number of client sending 802.11 association request frame in the threshold-interval-assoc time.
Example: Set the maximum number of client sending 802.11 association request frame as 100.

active500EM(config-wireless)#wids-security client threshold-value-assoc 100

 

Command: wids-security client threshold-value-auth <1-99999>
no wids-security client threshold-value-auth
Function: Set the threshold of the client sending 802.11 authentication request frames. The no command will restore the threshold to the default value.
Parameters:

• <1-99999>: the threshold of the client sending the 802.11 authentication request frame.

Command mode: Wireless Global Configuration Mode
Default: 120.
Usage guide: Use this command to set the maximum number of client sending 802.11 authentication request frame in the threshold-interval-auth time.
Example: Set the threshold of the client sending 802.11 authentication request frame to 100.

active500EM(config-wireless)#wids-security client threshold-value-auth 100

 

Command: wids-security client threshold-value-deauth <1-99999>
no wids-security client threshold-value-deauth
Function: Set the threshold of the client sending 802.11 deletion authentication request frames. The no command will restore the threshold to the default value.
Parameters:

• <1-99999>: threshold of the client sending 802.11 deletion authentication request frame.

Command mode: Wireless Global Configuration Mode
Default: 120.
Usage guide: Use this command to set the maximum number of client sending 802.11 deletion authentication request frame in the threshold-interval-deauth time.
Example: Set the threshold ofthe client sending 802.11 deletion authentication request frame as 100.

active500EM(config-wireless)#wids-security client threshold-value-deauth 100

 

Command: wids-security client threshold-value-disassoc <1-99999>
no wids-security client threshold-value-disassoc
Function: Configure the threshold of client sending 802.11 disassociation request frames. The no command will restore the threshold to the default value.
Parameters:

• <1-99999>: the threshold of client sending 802.11 disassociation request frames.

Command mode: Wireless Global Configuration Mode
Default: 120.
Usage guide: Use this command to set the maximum number of clients sending 802.11 disassociation request frame in the threshold-interval-disassoc time.
Example: Set the maximum number of clients sending 802.11 disassociation request frame as 1100.

active500EM(config-wireless)# wids-security client threshold-value-disassoc 1100

 

Command: wids-security client threshold-value-probe <1-99999>
no wids-security client threshold-value-probe
Function: Set the threshold of the client sending 802.11 probe request frame. The no command will restore the threshold to the default value.
Parameters:

• <1-99999>: threshold of client sending 802.11 probe request frame.

Command mode: Wireless Global Configuration Mode
Default: 120.
Usage guide: Use this command to set the maximum number of clients sending the 802.11 probe request frame in the threshold-interval-probe time.
Example: Set the threshold of client sending 802.11 probe request frame as 1100.

active500EM(config-wireless)# wids-security client threshold-value-probe 1100

 

Command: clear wireless detected-client [<macaddr>] non-auth
Function: Clear the client from the detected-client database.
Parameters:

• <macaddr>: MAC address of client.

Command mode: Wireless Global Configuration Mode
Default: None.
Usage guide: Use this command to clear the specified client from the detected-client database. If the client MAC address is not specified, clear the detected-client database. If the client state is authenticated, it will not be deleted.
Example: Clear the client with MAC address of F8-F7-D3-00-03-e0 from detected-client database.

active500EM(config-wireless)#clear wireless detected-client F8-F7-D3-00-03-e0 non-auth

 

Command: debug wireless wids msg
no debug wireless wids msg
Function: Enable the debug information of the WIDS sending messages (Client-Threat- Deauthenticate Message and WIDS-Configuration Message). The no command will disable the information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to enable the debug information of WIDS sending messages, including the message content and the sending result.
Example: Enable the debug information of WIDS sending message.

active500EM#debug wireless wids msg

 

Command: show wireless wids-security de-authentication
Function: Show the attacking rogue AP list.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show the attacking rogue AP list.
Example: Show the attacking rogue AP list.

active500EM#show wireless wids-security de-authentication
BSSID             Channel Attack Time  Age
----------------- ------- -- --------- ----- ------
F8-F7-D3-00-03-e0 11      0d:00:00:13  0d:00:00:13
F8-F7-D3-00-03-e1 11      0d:00:00:12  0d:00:00:12

 

Command: wids-security ap-de-auth-attack
no wids-security ap-de-auth-attack
Function: Enable rogue AP counter-attack function. The no command will disable this function.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Disabled.
Usage guide: After the AC controller is detected, the rogue AP will add this AP to the attacking rogue AP list. If this function is enabled, it will send this list to all managed APs through a WIDS-configuration-message. The Sentry Mode Radio imitates the client sending the authentication message to the rogue AP. The Active Mode Radio will send the relieving authentication message to the client associated with the rogue AP. Use this command to enable the counter-attack.
Example: Enable the Rogue AP counter-attack function.

active500EM(config-wireless)#wids-security ap-de-auth-attack

 

Command: wids-security client threat-mitigation
no wids-security client threat-mitigation
Function: Enable the known client protection function. The no command will disable this function.
Parameters: None.
Command mode: Wireless Global Configuration Mode
Default: Disable known client protection.
Usage guide: If the AC controller enables detection of valid clients associating with the rogue AP and detects such threats, the client will be identified as a rogue client and a rogue client information message will be sent to the client-security task. The message queue capacity is 128, so a max of 128 messages can be received. The client-security task constructs a client-threat-deauthenticate message to send to the managed AP when it receives the message from WIDS module. Radio of sentry mode imitates this client to send a relieving authentication message to its associated AP to relieve the connection with the rogue AP. Use this command to protect the known client.
Example: Enable known client protection function.

active500EM(config-wireless)#wids-security client threat-mitigation

 

Command: wireless acknowledge-rogue [<macaddr>] Function: When clearing the rogue AP threats, change the AP rogue state.
Parameters:

• <macaddr>: rogue AP MAC address.

Command mode: Wireless Global Configuration Mode
Default: None.
Usage guide: When the rogue AP threat has been cleared, restore the AP state to the state before it was identified as rogue in the RF scan database. Use this command to change these rogue AP states. If the MAC address is specified, change the AP with this MAC address. If it is not specified, then change all the rogue AP statuses.
Example: Change the rogue AP with MAC address of F8-F7-D3-00-03-e1.

active500EM#wireless acknowledge-rogue F8-F7-D3-00-03-e1

 

Command: l2tunnel station-isolation allowed vlan {WORD | add | remove }
no l2tunnel station-isolation allowed vlan
Function: Enable the user isolation in centralized forwarding mode. The no command will disable this isolation.
Parameters:

• WORD: add a VLAN list to allow VLAN, and overwrite the old configuration.
• add: add a VLAN list to the existing allow VLAN list.
• remove: delete the VLAN specified by the VLAN list from the existing allow VLAN list.

Command mode: Wireless Global Configuration Mode
Default: Disable this user isolation.
Usage guide: Use this command to enable the user isolation function in centralized forwarding mode.
Example: Enable the user isolation function of VLAN100 in centralized forwarding mode.

active500EM#l2tunnel station-isolation allowed vlan 100

 

Command: station-isolation
no station-isolation
Function: Enable the user isolation of the AP in distributed forwarding mode. The no command will disable this isolation.
Parameters: None.
Command mode: Radio Configuration Mode
Default: Disable the user isolation.
Usage guide: In distributed forwarding mode, the AP driver layer needs to resolve the 802.11 data packet. If the destination addresses of the client are under the same BSSID, forward it directly; otherwise, transform it as 802.3 format to send it to the internal bridge for forwarding. Then, send it to the wired network. It is similar to traditional wired network forwarding. Therefore, the user isolation requires the AP and the connected wired network to complete together. The user isolation of the same AP and the same VLAN needs to enable this isolation. Use this command to enable user isolation.
Example: Enable the user isolation of the AP.

active500EM(config-wireless)#ap profile 1
active500EM(config-ap-profile)#radio 1
active500EM(config-ap-profile-radio)#station-isolation

 

Command: arp-suppression
no arp-suppression
Function: Enable the ARP suppression function of the AP, then enable ARP snooping, ARP broadcast-to-unicast, ARP filtration, and DHCP/BOOTP frame detection function automatically. The no command will disable this function and disable other detection functions automatically.
Parameters: None.
Command mode: Network Configuration Mode
Default: Disabled.
Usage guide: This function uses the ARP snooping and DHCP/BOOTP snooping functions to record the IP and MAC mapping table of all the local authenticated clients. It can reduce empty ARP broadcast packets through ARP broadcast-to-unicast or ARP agency to save the client electricity. Use this command to enable the ARP suppression function.
Example: Enable the ARP suppression function of the AP.

active500EM(config-wireless)#network 1
active500EM(config-network)#arp-suppression

 

Command: show wireless ap <macaddr> statistics
Function: Show ARP suppression information.
Parameters: None.
Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show the ARP suppression information.
Example: Show ARP suppression information.

active500EM#show wireless ap F8-F7-D3-00-03-60 statistics
MAC address.................................... F8-F7-D3-00-03-60
Location.......................................
WLAN Packets Received.......................... 657165
WLAN Packets Transmitted....................... 22491
WLAN Bytes Received............................ 53895600
WLAN Bytes Transmitted......................... 2106411
WLAN Packets Receive Dropped................... 0
WLAN Packets Transmit Dropped.................. 0
WLAN Bytes Receive Dropped..................... 0
WLAN Bytes Transmit Dropped.................... 0
Ethernet Packets Received...................... 34983
Ethernet Packets Transmitted................... 665519
Ethernet Bytes Received........................ 3098387
Ethernet Bytes Transmitted..................... 91636961
Ethernet Multicast Packets Received............ 11217
Total Transmit Errors.......................... 0
Total Receive Errors........................... 0
Central L2 Tunnel Bytes Received............... 353162
Central L2 Tunnel Packets Received............. 57
Central L2 Tunnel Multicast Packets Received... 4035
Central L2 Tunnel Bytes Transmitted............ 44695300
Central L2 Tunnel Packets Transmitted.......... 654775
Central L2 Tunnel Multicast Packets Transmitt.. 2391
ARP Reqs Converted from Bcast to Ucast......... 0
Filtered ARP Requests.......................... 0
Broadcasted ARP Requests....................... 0

 

Command: show wireless client [<macaddr>] status
Function: Show ARP snooping information.
Parameters:

• <macaddr>: Client MAC address.

Command mode: Admin Mode
Default: None.
Usage guide: Use this command to show the ARP snooping information. Show all client statuses if the client MAC address is not specified.
Example: Show the client status with MAC of F8-F7-D3-00-03-E0.

active500EM#show wireless client F8-F7-D3-00-03-E0 status
MAC address.................................... F8-F7-D3-00-03-E0
Detected IP Address............................ 192.168.1.4
VAP MAC Address................................ F8-F7-D3-00-03-E1
AP MAC Address................................. F8-F7-D3-00-03-Ef
Location.......................................
Radio.......................................... 1 - 802.11b/g/n
Associating Switch............................. Peer Switch
Switch MAC Address............................. F8-F7-D3-00-03-F0
Switch IP Address.............................. 192.168.1.1
Tunnel IP Address.............................. -----
SSID........................................... test
NetBIOS Name................................... TEST1
Status......................................... Authenticated
Channel........................................ 11
User Name......................................
VLAN........................................... 40
Transmit Data Rate............................. 144.4 Mbps
802.11n Capable................................ Yes
STBC Capable................................... No
Inactive Period................................ 0d:00:00:00
Age............................................ 0d:00:00:05
Network Time................................... 0d:01:06:25

 

Command: dynamic-blacklist
no dynamic-blacklist
Function: Enable dynamic blacklist function. The no command disables this function.
Parameters: None.
Command mode: Wireless Global Mode
Default: Disabled.
Usage guide: This command is used to enable the dynamic blacklist. When detected, the threat conforms to the dynamic blacklist and is considered a rogue client. Put the MAC address of this client into the dynamic blacklist, and send it to the managed AP to prevent the flooding attack to this client.
Example: Enable dynamic blacklist function.

active500EM(config-wireless)#dynamic-blacklist

 

Command: dynamic-blacklist lifetime <60-3600>
no dynamic-blacklist lifetime
Function: Configure lifetime of the dynamic blacklist. The no command resets to default.
Parameters:

• <60-3600>: the aging time; unit is second. One hour is the maximum.

Command mode: Wireless Global Mode
Default: 300s.
Usage guide: This command is used to configure the aging time of dynamic blacklist. When adding the new table entry to the dynamic blacklist, the aging time will be configured at the same time. During this time, the AP will drop the data frame of this rogue client. After the lifetime value has been reached, the relevant table entry will be deleted and the data frame of this client will be received again.
Example: Configure aging time of dynamic blacklist as 600s.

active500EM(config-wireless)#dynamic-blacklist lifetime 600

 

Command: clear dynamic-blacklist [<FF-FF-FF-FF-FF-FF>] Function: Manually delete the MAC address record of the wireless terminal in the dynamic blacklist.
Parameters:

• <FF-FF-FF-FF-FF-FF>: delete one record of the wireless terminal MAC address.
• If no mac address is listed, all wireless terminal records in the dynamic blacklist will be deleted.

Command mode: Privileged EXEC Mode
Default: None.
Usage guide: This command is used to manually delete one or all of the MAC address records of the wireless terminal in the dynamic blacklist, delete the relevant table entry, and receive the data frame of this client again.
Example: Manually delete the MAC address record of 30-46-9a-30-2b-e4 of wireless terminal in the dynamic blacklist.

active500EM#clear wireless dynamic-blacklist 30-46-9a-30-2b-e4

 

Command: show wireless dynamic-blacklist
Function: Show all wireless terminal records in the dynamic blacklist, including the MAC address, keep-alive time, the time from the last update, and the anti-flooding attack detection type of wireless terminal.
Parameters: None.
Command mode: Privileged EXEC Mode
Default: None.
Usage guide: This command is used to show all wireless terminal records in the dynamic blacklist.
Example: Show all wireless terminal records in the dynamic blacklist.

active500EM#show wireless dynamic-blacklist
Client             LifeTime  Time Since
MAC Address        (seconds) Last Report Rogue Classification
------------------ --------- ----------- ---------------------
54-e6-fc-0b-a8-36  300       0d:00:00:25 Exceed Configured Probe Rate
20-7c-8f-7c-8f-73  300       0d:00:00:25 Exceed Configured Probe Rate
00-22-5f-5a-22-93  300       0d:00:00:25 Exceed Configured Probe Rate
00-23-4e-e1-a7-d2  300       0d:00:00:25 Exceed Configured Probe Rate
e0-05-c5-8e-10-2f  300       0d:00:00:25 Exceed Configured Probe Rate
20-7c-8f-7c-90-4c  300       0d:00:00:25 Exceed Configured Probe Rate
18-f4-6a-00-e2-eb  300       0d:00:00:25 Exceed Configured Probe Rate
74-ea-3a-10-bb-ab  300       0d:00:00:25 Exceed Configured Probe Rate
08-10-74-ad-93-c8  300       0d:00:00:25 Exceed Configured Probe Rate
18-f4-6a-00-14-62  300       0d:00:00:25 Exceed Configured Probe Rate
00-21-00-cf-f0-e0  300       0d:00:00:25 Exceed Configured Probe Rate
fc-25-3f-d8-d0-b8  300       0d:00:00:25 Exceed Configured Probe Rate
8c-7b-9d-fb-b4-51  300       0d:00:00:25 Exceed Configured Probe Rate
00-0b-c0-02-9d-ac  300       0d:00:00:25 Exceed Configured Probe Rate
e0-b9-ba-dd-b8-c8  300       0d:00:00:25 Exceed Configured Probe Rate
30-46-9a-30-2b-e4  300       0d:00:00:25 Exceed Configured Probe Rate
Dynamic-blacklist entries Count.................16