In this post I'm going to show a feature out of many that you can use if you have a Cisco MSE with wIPS enabled service in your WLAN. MSE has been there for a while, but in my experience very few people make use of it.
Just as a brief introduction MSE is Cisco Mobility Service Engine that can be deployed as a physical or virtual appliance, depending on how you size it you may be able to support up to 5,000 Access Points. Unlike the IDS signature based service available natively in the cisco controllers, wIPS works based on behavior or by adjusting thresholds for each of the attacks it can detect.
MSE/wIPS can detect a lot of attacks including Fake AP, Honeypot AP, bad EAP-TLS frames, DoS attackes, Asleap, Queensland attack, and many others. For the sake of this example, since it may take me longer to replicate some of the attacks, I will show the results of the Honeypot AP attack, however I'm also enabling a feature on the controller and Cisco Prime that many people don't use, maybe because they don't know it is possible, that is switch port tracing for rogue APs (Cisco Prime) and RLDP (Rogue Location Discovery Protocol-WLC).
In order to use wIPS you need to have compatible APs and use one of these two options: convert your AP to monitor mode or with an AP in local mode, change the sub-mode to wIPS, this last one is called Enhanced Local Mode (ELM), you may need a special license for this one.
Of course you will need the MSE with wIPS service running (properly licensed for the number of APs), a cisco controller and Cisco Prime. This labwas done with WLC v 188.8.131.52, CPI 184.108.40.206.132 and MSE 220.127.116.11.
So, the goal is to detect the Honeypot alert in the WLC and to detect or trace the port where that rogue AP is connected to. As a side note, you need to add you switches to Prime as well, with the right RW SNMP community.
Internal SSID: GT (WPA2-PSJ)
Honeypot SSID: GT (Open)
The idea of a Honeypot AP, which is basically a rogue AP is to make client devices to connect to tha roghe AP so the attacker can get all the traffic.
Even though you can enable most of the attacks in MSE/wIPS, I only enable few of them including the honeypot AP as shown here:
After applying the wIPS profile to the controller, converting my AP to ELM and I connected to my switch an autonomous AP to act as a rogue, I was able to detect the honeypot AP alarm in the controller right after.
If you go to Prime you should be able to see the alarm about the Rogue AP, but pay attention to the following details, basically the internal AP connects to the Honeypot AP and if it finds its way back to the controllers, that means the rogue AP is in the network. This work because I had all my equipment in one vlan, in order to detect rogues in multiple vlans, you might need to install an AP in Rogue detector mode, which is basically an AP that turns its radios off and scan all vlans through its trunk port.
Here is another view on Cisco Prime Maps of the rogue AP.
So, here is the exciting and interesting thing, since Prime was able to detect the port where that rogue is connected to, you can pretty much disable the port from Prime and even add a port description, that will show as well if you SSH into the switch:
And here is the final result, the description was added to the port, the port was shutdown and any communication to that rogue AP was broken.
You can re-enable the port back up again from Prime, if you don't want to do it directly from the switch.