[WLA/WLC] How to configure WLA Intrusion Detection System Logging

  [KB32679]


Summary:

This article describes the procedure for configuring WLA Intrusion Detection System (IDS) Logging.

Symptoms:

When configuring WLA IDS logging, the rogue and attack information is retained by the remote WLA until the WLC reconnects to it. This information can be forwarded directly to a log server from the WLA.

The following types of attacks and client issues are detected:

  • Probe request flooding
  • Other reserved management frame flooding including subtypes 6, 7, D, E, and F
  • Decrypt errors
  • Weak WEP key used by client
  • FakeAP beacon flooding

Solution:

Steps to configure WIDS Logging

  1. Run the following command:

    WLC# set remote-site site-name log server ip-address port port severity severity

    Site-name — an alphanumeric string up to 32 characters long
    IP Address — IP address in dotted decimal notation
    Port - sets the TCP port for sending messages to the log server. You can specify a number from 1 to 65535. The default value is 524.

  2. To enable or disable remote site logging on the AP, use the following command:

    WLC# set remote-site site-name log mode {enable | disable}

  3. To set the severity level for logging, use the following command and specify the severity level from the options:

    WLC# set remote-site site-name log severity severity

    Specify one of the following for the severity level:

    • emergency — the WLA is unusable.
    • alert — action must be taken immediately.
    • critical — you must resolve the critical conditions.
    • warning — a possible problem exists.
    • notice — events that can potentially cause system problems have occurred and are logged for diagnostic purposes. No action is required.
    • info — informational messages only. No problem exists.
    • debug — output from debugging
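
When the same logging settings are rolled out to several remote sites, the three commands above can be generated from validated inputs. The following is an added example, not part of the original article or any vendor tooling: the function name, the site name and the addresses are constructed, and the checks follow a strict reading of the parameter limits stated in step 1 and the severity keywords listed in step 3.

```python
import ipaddress
import re

# Severity keywords exactly as listed in step 3 of this article.
SEVERITIES = ("emergency", "alert", "critical", "warning", "notice", "info", "debug")
DEFAULT_PORT = 524  # default TCP port stated in step 1


def wids_logging_commands(site_name, server_ip, severity, port=DEFAULT_PORT, enable=True):
    """Validate the inputs and return the CLI lines for steps 1 to 3 (hypothetical helper)."""
    # Site name: alphanumeric string up to 32 characters (strict reading of the article).
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", site_name):
        raise ValueError(f"site-name must be 1-32 alphanumeric characters: {site_name!r}")
    # Log server: dotted decimal IPv4; raises a ValueError subclass when malformed.
    server = ipaddress.IPv4Address(server_ip)
    # Port: a number from 1 to 65535.
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"port must be an integer from 1 to 65535: {port!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {', '.join(SEVERITIES)}: {severity!r}")
    mode = "enable" if enable else "disable"
    return [
        f"set remote-site {site_name} log server {server} port {port} severity {severity}",
        f"set remote-site {site_name} log mode {mode}",
        f"set remote-site {site_name} log severity {severity}",
    ]


if __name__ == "__main__":
    # Constructed sample sites; 192.0.2.0/24 is a documentation address range.
    sites = [
        {"site_name": "branch01", "server_ip": "192.0.2.10", "severity": "warning"},
        {"site_name": "branch02", "server_ip": "192.0.2.10", "severity": "notice", "port": 6514},
        {"site_name": "bad site!", "server_ip": "192.0.2.10", "severity": "warning"},
    ]
    for site in sites:
        try:
            for line in wids_logging_commands(**site):
                print(f"WLC# {line}")
        except ValueError as exc:
            # Report the rejected entry instead of emitting a malformed command.
            print(f"skipped {site['site_name']!r}: {exc}")
```

Review the generated lines before pasting them into the WLC session.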