Cisco WLAN with AirWave RAPIDS
I have a few questions I can't seem to track down. If someone could give me a brief explanation or point me in the right direction, it would be greatly appreciated. These questions are primarily about RAPIDS and general IDS correlation with Cisco controllers. Current environment is AWMS 7.x and Cisco WiSM blades with 18.104.22.168 and 1142LWAP APs. NO WCS or MSE.
1. Are we only going to be able to detect rogues/potential rogues, or are other IDS attack signatures going to be visible from AWMS (especially without WCS/MSE)?
2. With the Cisco APs, does router/switch polling need to be enabled to correlate wireside MACs with the wireless MACs? Can the Cisco APs not gather info similar to Aruba APs and determine the wireside MACs if they're in the same VLAN?
3. If AWMS is configured as the trap receiver for WiSM/WLC, where can you see what traps have been sent to the AWMS (vs. what is seen when polled by AWMS); or is this in the same location?
4. In regards to location tracking of a rogue device, is the MSE appliance needed; or will it be correlated by AWMS anyway based on monitored APs?
1. AirWave supports rogue AP detection and also IDS attack events. AirWave gets IDS attack data from SNMP traps.
2. Yes, router/switch polling does have to be enabled to get wired side information in a Cisco controller environment. Cisco controllers do not have the same wired side rogue detection capabilities that Aruba controllers have.
3. For IDS and RADIUS Auth events, you can see the data in AirWave anywhere that we display IDS and RADIUS events: there are summaries on the home page, controller/AP monitoring pages and user pages, each with links to detailed information.
4. MSE is not required. AirWave can track rogue AP locations as long as they're seen by APs that we're monitoring/managing.