Cisco WLC 2504 - How can I log if someone is actively trying to BRUTE FORCE their way into my WLAN?
Posted on 2015-01-09
I have a Cisco WLC 2504 Controller with a Cisco 1602i AP (1). Switch is a Cisco SG-300.
I have (4) VLANs:
100 - DMZ
101 - Data (10.0.1.0/24)
102 - Voice (10.0.0.0/24)
200 - WLAN (172.16.100.0/24)
The WLC is on VLAN 200, 172.16.100.2.
The AP (Aironet 1602i) is on VLAN 200, 172.16.100.10. The AP is on a TRUNK port.
DHCP for clients is being passed by a Windows server on the data subnet.
The AP joins the WLC fine, and is under management.
I suspect that my WLAN is under attack / brute force. However, when I look at logs, I see logs of ROGUE APs and I see logs of UNKNOWN APs, but nothing about BAD PASSWORD, even when I intentionally authenticate badly against the AP.
Can anyone tell me how to audit / log / review if there are extensive bad authorizations on my WLC? All of the clients that I see on the AP are clients I expect...there is nothing unexpected ASSOCIATED already, but I suspect an attack. Here's why:
On the VOICE NETWORK, voice was very choppy. Pings to the voice switch management interface get 1 in 10 drops and 20-30ms latency on a medium-sized LAN. I reviewed the voice switch, and it was catching 75-100% activity consistently from port 1, the WLAN AP (the AP is in this switch because it is the only PoE switch, an AdTran 1234). I moved the AP into the core switch (Cisco SG-300) with a PoE injector, and now the switch is happy, voice is back to normal, and I'm not dropping packets to the voice switch anymore.
Any insight into how to log this would be very helpful.