Configuring Adaptive Wireless Intrusion Prevention System

Prerequisites for Configuring wIPS

  • The regular local mode access point has been extended with a subset of Wireless Intrusion Prevention System (wIPS) capabilities. This feature enables you to deploy your access points to provide protection without needing a separate overlay network.

How to Configure wIPS on Access Points

Configuring wIPS on an Access Point (CLI)


    1.    ap name Cisco_AP mode local

    2.    ap name Cisco_AP dot11 5ghz shutdown

    3.    ap name Cisco_AP dot11 24ghz shutdown

    4.    ap name Cisco_AP mode monitor submode wips

    5.    ap name Cisco_AP monitor-mode wips-optimized

    6.    show ap dot11 24ghz monitor

    7.    ap name Cisco_AP no dot11 5ghz shutdown

    8.    ap name Cisco_AP no dot11 24ghz shutdown

     Command or Action | Purpose
    Step 1 ap name Cisco_AP mode local

    Switch# ap name AP01 mode local

    Configures an access point for monitor mode.

    A message appears that indicates that changing the AP's mode causes the access point to reboot. This message also displays a prompt that enables you to specify whether or not you want to continue with changing the AP mode. Enter y at the prompt to continue.

    Step 2 ap name Cisco_AP dot11 5ghz shutdown

    Switch# ap name AP01 dot11 5ghz shutdown

    Disables the 802.11a radio on the access point.

    Step 3 ap name Cisco_AP dot11 24ghz shutdown

    Switch# ap name AP02 dot11 24ghz shutdown

    Disables the 802.11b radio on the access point.

    Step 4 ap name Cisco_AP mode monitor submode wips

    Switch# ap name AP01 mode monitor submode wips

    Configures the wIPS submode on the access point.


    To disable wIPS on the access point, enter the ap name Cisco_AP mode monitor submode none command.

    Step 5 ap name Cisco_AP monitor-mode wips-optimized

    Switch# ap name AP01 monitor-mode wips-optimized

    Enables wIPS optimized channel scanning for the access point.

    The access point scans each channel for 250 milliseconds. It derives the list of channels to be scanned from the monitor configuration. You can choose the following options:
    • All—All channels supported by the access point’s radio.

    • Country—Only the channels supported by the access point’s country of operation.

    • DCA—Only the channel set used by the dynamic channel assignment (DCA) algorithm, which by default includes all of the nonoverlapping channels allowed in the access point’s country of operation.

    Step 6 show ap dot11 24ghz monitor

    Switch# show ap dot11 24ghz monitor

    Displays the monitor configuration channel set.


    The 802.11b Monitor Channels value in the output of the command indicates the monitor configuration channel set.

    Step 7 ap name Cisco_AP no dot11 5ghz shutdown

    Switch# ap name AP01 no dot11 5ghz shutdown

    Enables the 802.11a radio on the access point.

    Step 8 ap name Cisco_AP no dot11 24ghz shutdown

    Switch# ap name AP01 no dot11 24ghz shutdown

    Enables the 802.11b radio on the access point.


Configuring wIPS on an Access Point (GUI)

      Step 1   Choose Configuration > Wireless > Access Points > All APs.

      The All APs page is displayed.

      Step 2   Click the access point name.

      The AP > Edit page is displayed.

      Step 3   From the AP Mode drop-down list, choose one of the following options to configure the AP mode parameters:
      • Local
      • Monitor
      Step 4   From the AP Sub Mode drop-down list, choose WIPS.
      Step 5   Click Apply.
      Step 6   Click Save Configuration.

Monitoring wIPS Information


      The procedure to perform this task using the switch GUI is not currently available.


        1.    show ap name Cisco_AP config general

        2.    show ap monitor-mode summary

        3.    show wireless wps wips summary

        4.    show wireless wps wips statistics

        5.    clear wireless wips statistics

         Command or Action | Purpose
        Step 1 show ap name Cisco_AP config general

        Switch# show ap name AP01 config general

        Displays information on the wIPS submode on the access point.

        Step 2 show ap monitor-mode summary

        Switch# show ap monitor-mode summary

        Displays the wIPS optimized channel scanning configuration on the access point.

        Step 3 show wireless wps wips summary

        Switch# show wireless wps wips summary

        Displays the wIPS configuration forwarded by NCS or Prime to the switch.

        Step 4 show wireless wps wips statistics

        Switch# show wireless wps wips statistics

        Displays the current state of wIPS operation on the switch.

        Step 5 clear wireless wips statistics

        Switch# clear wireless wips statistics

        Clears the wIPS statistics on the switch.


Configuration Examples for Configuring wIPS on Access Points

Displaying the Monitor Configuration Channel Set: Example

        This example shows how to display the monitor configuration channel set:

        Switch# show ap dot11 24ghz monitor
        Default 802.11b AP monitoring
        802.11b Monitor Mode........................... enable
        802.11b Monitor Channels....................... Country channels
        802.11b AP Coverage Interval................... 180 seconds
        802.11b AP Load Interval....................... 60 seconds
        802.11b AP Noise Interval...................... 180 seconds
        802.11b AP Signal Strength Interval............ 60 seconds

Displaying wIPS Information: Examples

        This example shows how to display information on the wIPS submode on the access point:

        Switch# show ap name AP01 config general
        Cisco AP Identifier.............. 3
        Cisco AP Name.................... AP1131:46f2.98ac
        AP Mode ......................... Monitor
        Public Safety ................... Disabled Disabled
        AP SubMode ...................... WIPS

        This example shows how to display the wIPS optimized channel scanning configuration on the access point:

        Switch# show ap monitor-mode summary
        AP Name       Ethernet MAC   Status   Scanning
        ------------- -------------- -------- ---------
        AP1131:4f2.9a 00:16:4:f2:9:a WIPS     1,6,NA,NA

        This example shows how to display the wIPS configuration forwarded by WCS to the switch:

        Switch# show wireless wps wips summary
        Policy Name.............. Default
        Policy Version........... 3

        This example shows how to display the current state of wIPS operation on the switch:

        Switch# show wireless wps wips statistics
        Policy Assignment Requests............ 1
        Policy Assignment Responses........... 1
        Policy Update Requests................ 0
        Policy Update Responses............... 0
        Policy Delete Requests................ 0
        Policy Delete Responses............... 0
        Alarm Updates......................... 13572
        Device Updates........................ 8376
        Device Update Requests................ 0
        Device Update Responses............... 0
        Forensic Updates...................... 1001
        Invalid WIPS Payloads................. 0
        Invalid Messages Received............. 0
        CAPWAP Enqueue Failed................. 0
        NMSP Enqueue Failed................... 0
        NMSP Transmitted Packets.............. 22950
        NMSP Transmit Packets Dropped......... 0
        NMSP Largest Packet................... 1377
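
The checks listed under Monitoring wIPS Information can be run automatically against captured command output. The following Python script is an added example, not part of the original guide: it parses the dotted-leader output format shown above, reports an access point whose submode is not WIPS, and flags statistics counters that suggest a problem. The sample output is constructed, the function names are hypothetical, and the rule that error-named counters should be zero and policy requests should equal responses is this example's assumption.

```python
import re

# Dotted-leader lines as printed by the show commands on this page,
# e.g. "AP SubMode ...................... WIPS"
LEADER = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(.*?)\s*$")

def parse_show(text):
    """Map 'Key..... value' lines to a dict; prompts and blanks are skipped."""
    return {m.group(1): m.group(2)
            for m in map(LEADER.match, text.splitlines()) if m}

def check_ap(general):
    """Findings for 'show ap name <AP> config general' output."""
    f = parse_show(general)
    issues = []
    if f.get("AP Mode") not in ("Local", "Monitor"):
        issues.append(f"AP Mode is {f.get('AP Mode')!r}, expected Local or Monitor")
    if f.get("AP SubMode") != "WIPS":
        issues.append(f"AP SubMode is {f.get('AP SubMode')!r}, expected 'WIPS'")
    return issues

def check_stats(stats):
    """Findings for 'show wireless wps wips statistics' output. Assumption of
    this example: error-named counters are 0 and requests equal responses."""
    f = {k: int(v) for k, v in parse_show(stats).items() if v.isdigit()}
    issues = [f"{k} = {v}" for k, v in f.items()
              if v and re.search(r"Invalid|Failed|Dropped", k)]
    for kind in ("Assignment", "Update", "Delete"):
        req, resp = (f.get(f"Policy {kind} {s}") for s in ("Requests", "Responses"))
        if req != resp:
            issues.append(f"Policy {kind}: {req} requests, {resp} responses")
    return issues

# Constructed sample output in the format of the examples above (not real captures).
SAMPLE_GENERAL = """Switch# show ap name AP01 config general
AP Mode ......................... Monitor
AP SubMode ...................... None
"""
SAMPLE_STATS = """Switch# show wireless wps wips statistics
Policy Assignment Requests............ 1
Policy Assignment Responses........... 1
Policy Update Requests................ 2
Policy Update Responses............... 1
Invalid WIPS Payloads................. 4
NMSP Transmit Packets Dropped......... 0
"""

if __name__ == "__main__":
    print("\n".join(check_ap(SAMPLE_GENERAL) + check_stats(SAMPLE_STATS)))
```

Run against the unmodified example output earlier on this page, both checks return no findings.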