Controller Based WLANs

Q:

  What is enhanced Adhoc protection on IDS will do ?

A:

We have this feature Enhanced adhoc protection from 6.3 code and above.

 

• Common way of disrupting Adhoc communication by sending Spoofed Deauth frames (Current Adhoc Protection mechanism)
• But, adhoc network wireless clients are ignoring Deauth frames. Need different mechanism to contain it(by ARP Poisoning called Enhanced Adhoc protection)

Note:

• Effective on Open Adhoc network
• Ineffective on WEP/WPA Adhoc network

How it works

• If we see an IP data frame in the air sent from one member (X) of the ibss to another member (Y), we will create a gratuitous ARP response frame in the reverse direction addressed from Y to X, but replace the sender MAC address in the frame with a fake MAC address*.
• If we see an IP data frame in the air sent from one member (X) of the ibss to another member (Y), we will create a gratuitous ARP response frame addressed from X to Y, but replace the sender MAC address in the frame with a fake MAC address*.  

• If we see an ARP request in the air sent to or from a member of the ibss, we will generate an ARP response in the reverse direction, but replace the sender MAC address in the frame with a fake MAC address*.
• If we see an ARP response in the air sent to or from a member of the ibss, we will replay that ARP response (in the same direction), but replace the sender MAC address in the frame with a fake MAC address*.

From controller config:

ids unauthorized-device-profile <> protect-adhoc-enhanced

 Note:

ids general-profile <> wireless-containment should be enabled for containment to take effect

 

Here is the Screen shot to configure from GUI.

 

 

‘show log all | include Enhanced’

(7210-205) #show log all 2 | include Enhanced

Mar 29 11:08:25  wms[3289]: <126114> <WARN> |wms| |ids| AP(d8:c7:c8:xx:xx:xx@AP-135-D3:0A): Enhanced Adhoc Containment: An AP attempted to contain an adhoc node 68:a3:c4:xx:xx:xx that is part of the adhoc network (BSSID b6:9d:c2:xx:xx:xx and SSID adhoc-open-gsk on CHANNEL 10).

Mar 29 11:08:25  wms[3289]: <126114> <WARN> |wms| |ids| AP(d8:c7:c8:xx:xx:xx@AP-135-D3:0A): Enhanced Adhoc Containment: An AP attempted to contain an adhoc node 68:a3:c4:xx:xx:xx that is part of the adhoc network (BSSID b6:9d:c2:xx:xx:xx and SSID adhoc-open-gsk on CHANNEL 10).

 

show ap monitor containment-info will provide the latest timer with containment request and response.

(7210-205) # show ap monitor containment-info ap-name AP-135-D3:0A         

<snipped>

 

wifi1: Wireless Containment Counters

-------------------------------------

Parameter                                            Value

---------                                            -----

Last Deauth Timer Tick                               0

Deauth frames to AP                                  0

Deauth frames to Client                              0

Last Tarpit Timer Tick                               0

Tarpit Frames: Probe Response                        0

Tarpit Frames: Association Response                  0

Tarpit Frames: Authentication                        0

Tarpit Frames: Data from AP                          0

Tarpit Frames: Data from Client                      0

Last Enhanced Adhoc Containment Timer Tick           157084

Enhanced Adhoc Containment: Frames To Data Sender    0

Enhanced Adhoc Containment: Frames To Data Receiver  0

Enhanced Adhoc Containment: Response to Request      16

Enhanced Adhoc Containment: Replay Response          1

 

 

7210-205) #show wms counters events                                       

 

Related Event Configuration

---------------------------

Name                          Value

----                          -----

wms-on-master                 enable

event-correlation             logs-and-traps

event-correlation-quiet-time  900

Event Counters

--------------

ID   Name                                          Rx-AP  Rx-WMS  DB Updated  DB Inserted  DB Deleted  Corr EvGen  Corr EvSupp

--   ----                                          -----  ------  ----------  -----------  ----------  ----------  -----------

2    Rogue AP                                      2      0       0           0            0           0           0

73   Valid Client Not Using Encryption             8      0       7           1            0           2           6

83   Valid Client Misassociation to External AP    8      0       7           1            0           2           6

85   Valid Client Misassociation to Adhoc Network  8      0       7           1            0           2           6

95   Malformed Frame - Large Duration              4      0       4           0            0           2           2

119  Enhanced Adhoc Containment                    2      0       0           2            0           2           0

 

 

(7210-205) #show ap monitor stats ap-name AP-135-D3:0A mac 68:a3:c4:xx:xx:xx

 

<snipped>

Monitored Time:581

Last Packet Time:157944

Uptime:157944

 

DoS State

----------

tx  old-tx  rx  old-rx  last-dos-time  ap-ev-time  sta-ev-time  last-enhanced-cm-time  enhanced-cm-ev-time

--  ------  --  ------  -------------  ----------  -----------  ---------------------  -------------------

0   0       0   0       0              0           0            157079                 157015

<snipped>