

[WLA/WLC] How to configure WLA Intrusion Detection System Logging

  [KB32679]


This article describes the procedure for configuring WLA Intrusion Detection System (IDS) Logging.


When WLA IDS logging is configured, the rogue and attack information is retained by the remote WLA until the WLC reconnects to it. This information can also be forwarded directly from the WLA to a log server.

The following types of attacks and client issues are detected:

  • Probe request flooding
  • Other reserved management frame flooding including subtypes 6, 7, D, E, and F
  • Decrypt errors
  • Weak WEP key used by client
  • FakeAP beacon flooding

Steps to configure WIDS Logging

  1. Run the following command:

    WLC# set remote-site site-name log server ip-address port port severity severity

    site-name — an alphanumeric string up to 32 characters long
    ip-address — IP address in dotted decimal notation
    port — sets the TCP port for sending messages to the log server. You can specify a number from 1 to 65535. The default value is 524.

  2. To enable or disable remote site logging on the AP, use the following command:

    WLC# set remote-site site-name log mode {enable | disable}

  3. To set the severity level for logged messages, use the following command and specify the severity level from the options:

    WLC# set remote-site site-name log severity severity

    Specify one of the following for the severity level:

    • emergency — the WLA is unusable.
    • alert — action must be taken immediately.
    • critical — you must resolve the critical conditions.
    • warning — a possible problem exists.
    • notice — events that can potentially cause system problems have occurred and are logged for diagnostic purposes. No action is required.
    • info — informational messages only. No problem exists.
    • debug — output from debugging.
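
The three steps above can be pre-checked and rendered per site before they are pasted into the WLC. The following is an added example, not part of the original article or vendor tooling: the function names are hypothetical, the sample site name and address are constructed, and it assumes "alphanumeric" means letters and digits only and that the log server address is IPv4.

```python
import ipaddress
import re

# Severity keywords exactly as listed in step 3 of the article.
SEVERITIES = ("emergency", "alert", "critical", "warning", "notice", "info", "debug")
DEFAULT_PORT = 524  # default TCP port stated in the article


def validate_site(site_name, ip_address, port, severity):
    """Return a list of problems; an empty list means the values fit the article's limits."""
    problems = []
    # Assumption: "alphanumeric" is read strictly as letters and digits.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", str(site_name)):
        problems.append("site-name must be 1-32 alphanumeric characters")
    try:
        ipaddress.IPv4Address(str(ip_address))
    except ValueError:
        problems.append("ip-address must be dotted decimal IPv4")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer from 1 to 65535")
    if severity not in SEVERITIES:
        problems.append("severity must be one of: " + ", ".join(SEVERITIES))
    return problems


def render_commands(site_name, ip_address, severity, port=DEFAULT_PORT, enable=True):
    """Build the commands from steps 1-3, refusing values that fail validation."""
    problems = validate_site(site_name, ip_address, port, severity)
    if problems:
        raise ValueError(f"{site_name!r}: " + "; ".join(problems))
    mode = "enable" if enable else "disable"
    return [
        f"set remote-site {site_name} log server {ip_address} port {port} severity {severity}",
        f"set remote-site {site_name} log mode {mode}",
        f"set remote-site {site_name} log severity {severity}",
    ]


if __name__ == "__main__":
    # Constructed sample values: made-up site name, documentation address range.
    for line in render_commands("branch01", "192.0.2.10", "alert"):
        print("WLC# " + line)
```
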