Solved

Cisco WLC 2504 - How can I log if someone is actively trying to BRUTE FORCE their way into my WLAN?

Posted on 2015-01-09
Last Modified: 2015-01-20
Hello,

I have a Cisco WLC 2504 Controller with a Cisco 1602i AP (1).  Switch is a Cisco SG-300.

I have (4) VLANs:
  100 - DMZ
  101 - Data (10.0.1.0/24)
  102 - Voice (10.0.0.0/24)
  200 - WLAN (172.16.100.0/24)

The WLC is on VLAN 200, 172.16.100.2.  
The AP (Aironet 1602i) is on VLAN 200, 172.16.100.10.  The AP is on a TRUNK port.
DHCP for clients is being passed by a Windows server on the data subnet.
The AP joins the WLC fine, and is under management.

I suspect that my WLAN is under attack / brute force.  However, when I look at logs, I see logs of ROGUE APs, I see logs of UNKNOWN APs, but nothing about BAD PASSWORD, even when I intentionally authenticate badly against the AP.

Can anyone tell me how to audit / log / review if there are extensive bad authorizations on my WLC?  All of the clients that I see on the AP are clients I expect...there is nothing unexpected ASSOCIATED already, but I suspect an attack.  Here's why:

On the VOICE NETWORK, voice was very choppy.  Pings to the voice switch management interface get 1 in 10 drops and 20-30ms latency on a medium-sized LAN.  I reviewed the voice switch, and it was catching 75-100% activity consistently from port 1, the WLAN AP (The AP is in this switch because it is the only POE switch, an AdTran 1234).  I moved the AP into the core switch (Cisco SG-300) with a POE injector, and now the switch is happy, voice is back to normal, and I'm not dropping packets to the voice switch anymore.

Any insight into how to log this would be very helpful.

Thanks!
Question by:jkeegan123

Accepted Solution

by:
Craig Beck earned 500 total points
First, unless you're using APs in FlexConnect (what used to be called H-REAP) mode, you should connect the APs to an access port, not a trunk port.  All traffic is tunnelled to the WLC in CAPWAP so no user traffic hits the switch on user VLANs.

You can use WIPS to detect suspected intrusions, but generally rogue APs are normal.  The prerequisite for WIPS though is that you need an MSE as well as a WLC and Prime.

If you are using a preshared key you'll just see association failures but nothing for authentication failures.  If you're doing RADIUS-based authentication you'll see AAA failures.

Voice traffic should be using QoS on the WLAN and the wired network.  In the WLC you can configure the Voice SSID to use the Platinum QoS profile - that will tell the WLC to prioritize voice traffic on the Voice SSID.

Author Closing Comment

by:jkeegan123
The closest answer was:  "If you are using a preshared key you'll just see association failures but nothing for authentication failures".  The question was close to answered in this way, but it was not exactly what I was looking for.  I was looking for a way to LOG failed attempts at association.
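
Added example, not part of the original thread and not Cisco tooling: assuming the association failures (PSK) or AAA failures (RADIUS) that the accepted answer distinguishes reach a log collector, a sliding-window count per client MAC shows which clients fail repeatedly. The line format, the event names `ASSOC_FAIL`/`AAA_FAIL`/`ASSOC_OK`, and the function name are assumptions constructed for illustration, not actual WLC message formats.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a hypothetical export format (not real WLC output).
SAMPLE_LOG = """\
2015-01-09T10:00:00 ASSOC_FAIL client=aa:bb:cc:00:00:03 ssid=corp
2015-01-09T10:00:01 ASSOC_FAIL client=aa:bb:cc:00:00:01 ssid=corp
2015-01-09T10:00:10 ASSOC_FAIL client=aa:bb:cc:00:00:01 ssid=corp
2015-01-09T10:00:15 ASSOC_OK client=aa:bb:cc:00:00:02 ssid=corp
2015-01-09T10:00:20 ASSOC_FAIL client=aa:bb:cc:00:00:01 ssid=corp
2015-01-09T10:00:31 ASSOC_FAIL client=aa:bb:cc:00:00:01 ssid=corp
2015-01-09T10:02:00 ASSOC_FAIL client=aa:bb:cc:00:00:03 ssid=corp
2015-01-09T10:04:00 ASSOC_FAIL client=aa:bb:cc:00:00:03 ssid=corp
2015-01-09T10:05:00 AAA_FAIL client=aa:bb:cc:00:00:04 ssid=corp-1x
2015-01-09T10:05:10 AAA_FAIL client=aa:bb:cc:00:00:04 ssid=corp-1x
2015-01-09T10:05:20 AAA_FAIL client=aa:bb:cc:00:00:04 ssid=corp-1x
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>ASSOC_FAIL|AAA_FAIL|ASSOC_OK) "
    r"client=(?P<mac>[0-9a-f:]{17})(?:\s|$)"
)

def find_repeat_failures(log_text, threshold=3, window_s=60):
    """Return {mac: peak failure count} for every client that reaches
    `threshold` failures within any `window_s`-second sliding window.
    Assumes lines are in time order (per client)."""
    recent = defaultdict(deque)   # mac -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] == "ASSOC_OK":
            continue              # skip malformed lines and successful joins
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["mac"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[m["mac"]] = max(flagged.get(m["mac"], 0), len(q))
    return flagged

if __name__ == "__main__":
    for mac, peak in find_repeat_failures(SAMPLE_LOG).items():
        print(f"{mac}: {peak} failures within 60s")
```

A client MAC can be changed by whoever controls the device, so per-MAC counts are best read alongside the total failure rate per SSID.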