Environment: 2 7210s in a master/local config, running 6.5.4.4-FIPS.
We've never really had a handle on WIPS, and I've been tasked with getting this set up. I've run through the GUI wizard a few times; created some match rules:
ids ap-classification-rule "High_db_1_AP"
ssid "WqegFtMR22"
ssid "testMachAuth"
ssid "tfooJmtwSo"
no match-ssids
snr-min 60
snr-max 100
discovered-ap-cnt 1
no check-min-discovered-aps
conf-level-incr 25
!
ids ap-classification-rule "High_db_AtLeast2_APs"
ssid "WqegFtMR22"
ssid "testMachAuth"
ssid "tfooJmtwSo"
no match-ssids
snr-min 60
snr-max 100
discovered-ap-cnt 2
conf-level-incr 30
!
ids ap-classification-rule "High_db_AtLeast5_APs"
ssid "WqegFtMR22"
ssid "testMachAuth"
ssid "tfooJmtwSo"
no match-ssids
snr-min 60
snr-max 100
discovered-ap-cnt 5
conf-level-incr 40
!
ids ap-classification-rule "Low_Signal"
ssid "WqegFtMR22"
ssid "testMachAuth"
ssid "tfooJmtwSo"
no match-ssids
snr-max 30
!
ids ap-classification-rule "Mid_dB_Multiple_APs"
ssid "WqegFtMR22"
ssid "testMachAuth"
ssid "tfooJmtwSo"
no match-ssids
snr-min 30
snr-max 60
discovered-ap-cnt 2
conf-level-incr 20
!
ids ap-classification-rule "Mid_Signal"
ssid "WqegFtMR22"
ssid "testMachAuth"
ssid "tfooJmtwSo"
no match-ssids
snr-min 30
snr-max 60
discovered-ap-cnt 1
conf-level-incr 10
!
The three SSIDs listed are valid in our enterprise. So these should match any SSIDs outside of these three, and add more confidence as the SNR increases.
But when I look in the security dashboard in the GUI, I'm seeing some of our valid enterprise APs being marked as Suspected Rogue, and others as Interfering.
Meanwhile, I created a test WIPS policy that enables wireless containment with deauth-only (our main WIPS policy has containment disabled until we get this sorted out), and I've applied this test policy to a single AP near my testing area.
I'm seeing containment events on this AP by valid clients:
Details show an AP Deauth Containment event with SSID:tfooJmtwSo; Channel 5; MAC:cc:3d:82:f5:f6:18
This is a valid SSID, and a valid client. The target of this event is listed as 9c:1c:12:f0:6a:51. If I look at this MAC in the WMS database, it's a valid AP:
# show wms ap 9c:1c:12:f0:6a:51
AP Info
-------
BSSID              SSID        Channel  Type     RAP_Type  Status  Ageout  HT-Type   HT-Sec-Chan
-----              ----        -------  ----     --------  ------  ------  -------   -----------
9c:1c:12:f0:6a:51  tfooJmtwSo  161      soft-ap  valid     up      -1      HT-40mhz  157
Probe Info
----------
MAC                IP           Name                   Type         Status  AP Type
---                --           ----                   ----         ------  -------
9c:1c:12:d3:87:b0  10.100.6.68  B1-F0-A028_FrontRm     soft-ap      up      135
9c:1c:12:f0:6a:50  10.100.6.26  B1-F0-A028_Datacenter  soft-ap      up      135
9c:1c:12:ac:cc:50  10.100.6.13  B1-F0-Hall_A028        air-monitor  up      135
So if this is a valid AP and a valid client, why is WIPS trying to contain it?
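Added example, not from the post or from Aruba: a small Python model that parses two of the rules quoted above and evaluates them against one observed AP (SSID, SNR, number of APs that saw it). The rule semantics it assumes (a rule fires only when the SSID test, the SNR window and the discovered-AP count all hold, and conf-level-incr values simply add) are an assumption for troubleshooting, not documented ArubaOS behaviour. Under this model an AP advertising one of the three listed SSIDs matches none of these rules, so the rules as written add no confidence to the enterprise APs.

```python
# Hypothetical helper, not Aruba code: parse "ids ap-classification-rule" blocks
# and evaluate them against one observed AP. Constructed input: two rules from the post.
CONFIG = """\
ids ap-classification-rule "High_db_1_AP"
ssid "WqegFtMR22"
ssid "testMachAuth"
ssid "tfooJmtwSo"
no match-ssids
snr-min 60
snr-max 100
discovered-ap-cnt 1
no check-min-discovered-aps
conf-level-incr 25
!
ids ap-classification-rule "Low_Signal"
ssid "WqegFtMR22"
ssid "testMachAuth"
ssid "tfooJmtwSo"
no match-ssids
snr-max 30
!
"""
INT_KEYS = ("snr-min", "snr-max", "discovered-ap-cnt", "conf-level-incr")

def parse_rules(text):
    """One dict per rule. Defaults (SNR 0-255, count check on) are assumptions."""
    rules, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("ids ap-classification-rule "):
            cur = {"name": line.split('"')[1], "ssids": set(), "match-ssids": True,
                   "snr-min": 0, "snr-max": 255, "discovered-ap-cnt": 1,
                   "check-min-discovered-aps": True, "conf-level-incr": 0}
            rules.append(cur)
        elif line == "!" or cur is None:
            cur = None                      # "!" closes the rule block
        elif line.startswith("ssid "):
            cur["ssids"].add(line.split('"')[1])
        elif line.startswith("no "):        # "no match-ssids": apply to SSIDs NOT listed
            cur[line[3:]] = False
        elif line.split(" ")[0] in INT_KEYS:
            cur[line.split(" ")[0]] = int(line.split(" ")[1])
    return rules

def evaluate(rules, ssid, snr, seen_by):
    """Names of rules that fire for one observed AP, and their summed conf-level-incr."""
    fired = [r for r in rules
             if (ssid in r["ssids"]) == r["match-ssids"]
             and r["snr-min"] <= snr <= r["snr-max"]
             and (not r["check-min-discovered-aps"] or seen_by >= r["discovered-ap-cnt"])]
    return [r["name"] for r in fired], sum(r["conf-level-incr"] for r in fired)
```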