ids unauthorized-device-profile

ids unauthorized-device-profile <profile-name>

adhoc-using-valid-ssid-quiet-time <adhoc-using-valid-ssid-quiet-time>

allow-well-known-mac [hsrp|iana|local-mac|vmware|vmware1|vmware2|vmware3]

cfg-valid-11a-channel <channel>

cfg-valid-11g-channel <channel>

classification

clone <source>

detect-adhoc-network

detect-adhoc-using-valid-ssid

detect-bad-wep

detect-ht-greenfield

detect-invalid-mac-oui

detect-misconfigured-ap

detect-sta-assoc-to-rogue

detect-unencrypted-valid-client

detect-valid-client-misassociation

detect-valid-ssid-misuse

detect-wifi-direct-p2p-groups

detect-windows-bridge

detect-wireless-bridge

detect-wireless-hosted-network

ignore-adhoc-awdl-networks

mac-oui-quiet-time <mac-oui-quiet-time>

no

oui-classification

overlay-classification

privacy

prop-wm-classification

protect-adhoc-enhanced

protect-adhoc-network

protect-adhoc-using-valid-ssid

protect-high-throughput

protect-ht-40mhz

protect-misconfigured-ap

protect-ssid

protect-valid-sta

protect-wifi-direct-p2p-groups

protect-windows-bridge

protect-wireless-hosted-network

require-wpa

rogue-containment

suspect-rogue-conf-level <suspect-rogue-conf-level>

suspect-rogue-containment

unencrypted-valid-client-quiet-time

valid-and-protected-ssid <valid-and-protected-ssid>

valid-oui <valid-oui>

valid-wired-mac <valid-wired-mac>

vendor-specific-ie-exclusion <oui> <oui type>

wifi-direct-network-quiet-time

wireless-bridge-quiet-time <wireless-bridge-quiet-time>

wireless-hosted-network-quiet-time <wireless-hosted-network-quiet-time>

Description

This command configures detection of unauthorized devices, as well as rogue AP detection and containment. Unauthorized device detection includes the ability to detect and disable rogue APs and other devices that can potentially disrupt network operations.

Parameter

Description

<profile-name>

Name that identifies an instance of the profile.

Range: 1-63 characters

Default:  

adhoc-using-valid-ssid-quiet-time

Time to wait, in seconds, after detecting an ad hoc network using a valid SSID, after which the check can be resumed.

Range: 60-360000 seconds

Default: 900 seconds

allow-well-known-mac

Allows devices with known MAC addresses to be used when classifying rogue APs.

Depending on your network, configure one or more of the following options for classifying rogue APs:

  • hsrp: Routers configured for HSRP, a Cisco-proprietary redundancy protocol, with the HSRP MAC OUI 00:00:0c.
  • iana: Routers using the IANA MAC OUI 00:00:5e.
  • local-mac: Devices with locally administered MAC addresses starting with 02.
  • vmware: Devices with any of the following VMWare OUIs: 00:0c:29, 00:05:69, or 00:50:56
  • vmware1: Devices with VMWare OUI 00:0c:29.
  • vmware2: Devices with VMWare OUI 00:05:69.
  • vmware3: Devices with VMWare OUI 00:50:56.

If you modify an existing configuration, the new configuration overrides the original configuration. For example, if you configure allow-well-known-mac hsrp and then configure allow-well-known-mac iana, the original configuration is lost. To add more options to the original configuration, include all of the required options, for example: allow-well-known-mac hsrp iana.

Use caution when configuring this command. If the neighboring network uses similar routers, those APs might be classified as rogues. If containment is enabled, clients attempting to associate to an AP classified as a rogue are disconnected through a denial of service attack.

To clear the well known MACs in the system, use the following commands:

  • clear wms wired-mac: This clears all of the learned wired MAC information on Mobility Conductor.
  • reload: This reboots Mobility Conductor.
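To check which wired MACs a given allow-well-known-mac option set would treat as well known, and to see the override behaviour described above, here is an added Python model (not Aruba's code; the option names and OUIs are from this page, the MAC addresses below are constructed):

```python
# Added example, not Aruba's code: models the allow-well-known-mac options on
# this page as MAC matchers so an operator can check, before enabling an
# option, which wired MACs it would treat as well known (and whether a
# neighbour's routers would match as well). Option names and OUIs are from the
# page; the sample MAC addresses used in tests are constructed.

OUI_OPTIONS = {
    "hsrp": {"00:00:0c"},        # Cisco HSRP routers
    "iana": {"00:00:5e"},        # IANA OUI (e.g. VRRP virtual MACs)
    "vmware1": {"00:0c:29"},
    "vmware2": {"00:05:69"},
    "vmware3": {"00:50:56"},
}
OUI_OPTIONS["vmware"] = OUI_OPTIONS["vmware1"] | OUI_OPTIONS["vmware2"] | OUI_OPTIONS["vmware3"]
LOCAL_MAC_PREFIX = "02"          # local-mac: locally administered addresses starting with 02, per page
ALL_OPTIONS = set(OUI_OPTIONS) | {"local-mac"}


def normalize_mac(mac):
    """Canonical lower-case aa:bb:cc:dd:ee:ff form; raises on malformed input."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def apply_allow_well_known_mac(*invocations):
    """Each invocation is one 'allow-well-known-mac <options...>' command.
    Later invocations replace earlier ones, as the page describes: only the
    options listed in the last command stay active."""
    active = set()
    for options in invocations:
        unknown = set(options) - ALL_OPTIONS
        if unknown:
            raise ValueError(f"unknown option(s): {sorted(unknown)}")
        active = set(options)    # override, not merge
    return active


def well_known_match(mac, active):
    """Return the active option that matches `mac`, or None if the MAC is not
    treated as well known under the current configuration."""
    mac = normalize_mac(mac)
    for option in sorted(active):
        if option == "local-mac" and mac.startswith(LOCAL_MAC_PREFIX):
            return option
        if option != "local-mac" and mac[:8] in OUI_OPTIONS[option]:
            return option
    return None
```

A MAC that matches here would match for a neighbouring network's routers too, which is the reason for the caution above.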

cfg-valid-11a-channel <channel>

List of valid 802.11a channels that third-party APs are allowed to use.

Range: 34-165

cfg-valid-11g-channel <channel>

List of valid 802.11b/g channels that third-party APs are allowed to use.

Range: 1-14

classification

Enables or disables rogue AP classification. A rogue AP is one that is unauthorized and plugged into the wired side of the network. Any other AP seen in the RF environment that is not part of the valid enterprise network is considered to be interfering — it has the potential to cause RF interference but it is not connected to the wired network and thus does not represent a direct threat.

clone <source>

Name of an existing IDS unauthorized device profile from which parameter values are copied.

detect-adhoc-network

Enables or disables detection of ad hoc networks.

detect-adhoc-using-valid-ssid

Enables or disables detection of ad hoc networks using valid or protected SSIDs.

detect-bad-wep

Enables or disables detection of WEP initialization vectors that are known to be weak or repeating. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak or repeating initialization vectors; implementations that produce them are still used by many legacy devices.

detect-ht-greenfield

Enables or disables detection of high-throughput devices advertising greenfield preamble capability.

detect-invalid-mac-oui

Enables or disables checking of the first three bytes of a MAC address, known as the organizationally unique identifier (OUI), assigned by the IEEE to known manufacturers. Often clients using a spoofed MAC address do not use a valid OUI and instead use a randomly generated MAC address. Enabling MAC OUI checking causes an alarm to be triggered if an unrecognized MAC address is in use.

detect-misconfigured-ap

Enables or disables detection of misconfigured APs. An AP is classified as misconfigured if it is classified as valid and does not meet any of the following configurable parameters:

  • valid channels
  • encryption type
  • list of valid AP MAC OUIs
  • valid SSID list

detect-sta-assoc-to-rogue

Enables or disables detection of station association to rogue AP.

detect-unencrypted-valid-client

Enables or disables detection of unencrypted valid clients.

detect-valid-client-misassociation

Enables or disables detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types:

  • MisassociationToRogueAP
  • MisassociationToExternalAP
  • MisassociationToHoneypotAP
  • MisassociationToAdhocAP
  • MisassociationToHostedAP

detect-valid-ssid-misuse

Enables or disables detection of Interfering or Neighbor APs using valid or protected SSIDs.

detect-wifi-direct-p2p-groups

Enables or disables detection of WIFI-Direct P2P groups.

detect-windows-bridge

Enables or disables detection of Windows station bridging.

detect-wireless-bridge

Enables or disables detection of wireless bridging.

detect-wireless-hosted-network

If enabled, this feature can detect the presence of a wireless hosted network.

When a wireless hosted network is detected this feature sends a “Wireless Hosted Network” warning level security log message and the wlsxWirelessHostedNetworkDetected SNMP trap.

If there are clients associated to the hosted network, this feature will send a “Client Associated To Hosted Network” warning level security log message and the wlsxClientAssociatedToHostedNetworkDetected SNMP trap.

ignore-adhoc-awdl-networks

Ignore or process frames from adhoc AWDL networks.

mac-oui-quiet-time

Time, in seconds, that must elapse after an invalid MAC OUI alarm has been triggered before another identical alarm may be triggered.

Range: 60-360000 seconds

Default: 900 seconds

no

Negates any configured parameter.

oui-classification

Enables or disables OUI based rogue AP classification.

overlay-classification

Enables or disables overlay rogue AP classification.

privacy

Enables or disables encryption as a valid AP configuration.

prop-wm-classification

Enables or disables rogue AP classification through propagated wired MACs.

protect-adhoc-enhanced

Enable or disable advanced protection from open or WEP ad hoc networks. When enhanced ad hoc containment is carried out, a new repeatable event, syslog and SNMP trap will be generated for each containment event.

protect-adhoc-network

Enable or disable protection from ad hoc networks using WPA or WPA2 security. When ad hoc networks are detected, they are disabled using a DoS attack.

protect-adhoc-using-valid-ssid

Enable or disable protection from ad hoc networks using valid or protected SSIDs.

protect-high-throughput

Enable or disable protection of high-throughput (802.11n) devices.

protect-ht-40mhz

Enable or disable protection of high-throughput (802.11n) devices operating in 40 MHz mode.

protect-misconfigured-ap

Enable or disable protection of misconfigured APs.

protect-ssid

Enable or disable use of SSID by valid APs only.

protect-valid-sta

When enabled, does not allow valid stations to connect to a non-valid AP.

protect-wifi-direct-p2p-groups

Enable or disable protection from WIFI-Direct P2P Groups.

protect-windows-bridge

Enable or disable protection against a Windows station bridging.

protect-wireless-hosted-network

When you enable the wireless hosted network protection feature, Mobility Conductor enforces containment on a wireless hosted network by launching a denial of service attack to disrupt associations between a Windows 7 software-enabled Access Point (softAP) and a client, and disrupt associations between the client that is hosting the softAP and any access point to which the host connects.

When a wireless hosted network triggers this feature, wireless hosted network protection sends the Wireless Hosted Network Containment and Host of Wireless Network Containment warning level security log messages, and the wlsxWirelessHostedNetworkContainment and wlsxHostOfWirelessNetworkContainment SNMP traps.

NOTE: The existing generic containment SNMP traps and log messages will also be sent when Wireless Hosted Network Containment or Host of Wireless Network Containment is enforced.

require-wpa

When enabled, any valid AP that is not using WPA encryption is flagged as misconfigured.

rogue-containment

Rogue APs can be detected (see classification) but are not automatically disabled. This option automatically shuts down rogue APs. When this option is enabled, clients attempting to associate to an AP classified as a rogue are disconnected through a denial of service attack.

suspect-rogue-conf-level <suspect-rogue-conf-level>

Confidence level of suspected Rogue AP to trigger containment.

When an AP is classified as a suspected rogue AP, it is assigned a 50% confidence level. If multiple APs trigger the same events that classify the AP as a suspected rogue, the confidence level increases by 5% up to 95%.

In combination with suspected rogue containment, this option configures the threshold by which containment should occur. Suspected rogue containment occurs only when the configured confidence level is met.

Range: 50-100%

Default: 60%

suspect-rogue-containment

Suspected rogue APs are treated as interfering APs while Mobility Conductor attempts to reclassify them as rogue APs. Suspected rogue APs are not automatically contained. In combination with the configured confidence level (see suspect-rogue-conf-level), this option contains the suspected rogue APs.
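The confidence escalation and containment threshold described for suspect-rogue-conf-level and suspect-rogue-containment, as an added Python model (not Aruba's code). It assumes each additional AP reporting the same suspect-rogue events adds one 5% step; one consequence it makes visible is that a configured level above the 95% cap can never be met, so suspected rogue containment never triggers at such a level:

```python
# Added example, not Aruba's code: models the suspected-rogue confidence
# escalation and containment threshold described on this page. The numbers
# (50% start, +5% per additional corroborating AP, 95% cap, 50-100% threshold
# range, 60% default) are from the page; the one assumption is that each
# additional reporting AP contributes exactly one 5% step.

CONF_START, CONF_STEP, CONF_CAP = 50, 5, 95
LEVEL_MIN, LEVEL_MAX, LEVEL_DEFAULT = 50, 100, 60


def suspect_confidence(reporting_aps):
    """Confidence (%) after `reporting_aps` APs report the same events."""
    if reporting_aps < 1:
        return 0                       # never classified as suspected rogue
    return min(CONF_START + CONF_STEP * (reporting_aps - 1), CONF_CAP)


def validate_conf_level(level):
    """Enforce the documented 50-100% range for suspect-rogue-conf-level."""
    if not LEVEL_MIN <= level <= LEVEL_MAX:
        raise ValueError(f"suspect-rogue-conf-level {level} outside {LEVEL_MIN}-{LEVEL_MAX}")
    return level


def will_contain(reporting_aps, conf_level=LEVEL_DEFAULT, containment_enabled=True):
    """True only when suspect-rogue-containment is enabled and the confidence
    reached so far meets the configured level."""
    level = validate_conf_level(conf_level)
    return containment_enabled and suspect_confidence(reporting_aps) >= level


def min_aps_to_contain(conf_level):
    """Fewest corroborating APs that reach `conf_level`, or None when the
    level is above the 95% cap and therefore can never be met."""
    level = validate_conf_level(conf_level)
    if level > CONF_CAP:
        return None
    steps = -(-(level - CONF_START) // CONF_STEP)   # ceiling division
    return 1 + steps
```

With the 60% default, three APs reporting the same events are needed before containment can occur; at 100% it never occurs.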

unencrypted-valid-client-quiet-time <unencrypted-valid-client-quiet-time>

Time to wait, in seconds, after detecting an unencrypted valid client after which the check can be resumed.

Range: 60-360000 seconds

Default: 900 seconds

valid-and-protected-ssid <ssid>

List of valid and protected SSIDs.

valid-oui <valid-oui>

List of valid MAC OUIs.

valid-wired-mac <valid-wired-mac>

List of MAC addresses of wired devices in the network, typically gateways or servers.

vendor-specific-ie-exclusion <oui> <oui type>

Configures exclusions from IDS containment based on vendor-specific IE information. This feature allows APs to be exempted from containment even when the devices use randomized MAC addresses. AOS allows a maximum of five vendor OUI and OUI type pairs to be defined for containment exclusion.

wifi-direct-network-quiet-time

Time to wait, in seconds, after detecting a WIFI-Direct network, after which the check can be resumed. The minimum is 60 seconds.

wireless-bridge-quiet-time <wireless-bridge-quiet-time>

Time, in seconds, that must elapse after a wireless bridge alarm has been triggered before another identical alarm may be triggered.

Range: 60-360000 seconds

Default: 900 seconds

wireless-hosted-network-quiet-time <wireless-hosted-network-quiet-time>

The wireless hosted network detection feature sends a log message and trap when a wireless hosted network is detected. The quiet time defined by this parameter sets the amount of time, in seconds, that must elapse after a wireless hosted network log message or trap has been triggered before an identical log message or trap can be sent again.

Range: 60-360000 seconds

Default: 900 seconds

Example

The following command copies the settings from the ids-unauthorized-device-disabled profile and then enables detection and protection from ad hoc networks:

(host) [mynode] (config) #ids unauthorized-device-profile floor7
(host) [mynode] (IDS Unauthorized Device Profile "floor7") #clone ids-unauthorized-device-disabled
(host) [mynode] (IDS Unauthorized Device Profile "floor7") #detect-adhoc-network
(host) [mynode] (IDS Unauthorized Device Profile "floor7") #protect-adhoc-network

Related Commands

Command

Description

show ids unauthorized-device-profile

Displays an IDS unauthorized device profile.

Command History

Release

Modification

AOS 8.11.0.0

The vendor-specific-ie-exclusion parameter was introduced.

AOS 8.0.0.0

Command introduced.

Command Information

Platform

License

Command Mode

All platforms

Requires the RFprotect license.

Config mode on Mobility Conductor.