Re: aWIPs operation on DNAC

sajidabbas · ‎06-26-2023

Hi,

We have recently deployed C9800 WLC and enabled Rogue and aWIPs on it. What we've done for aWIPs is create a new policy and assigned to WLC. We can see all the threat events matching the signature showing in the dashboard. However, I'm not clear of how it operates and what happens from here on and we're also seeing some unusual events. Could someone assist with the following queries

When threat or attack is detected and matching a signature e.g. Authentication Flood, does the WLC take action on it. I can't see any containment of counter action taken like it shows for Rogue Threat detection. Do we need to configure something is there something happening automatically in the backend
In the threats list, we can see MAC Addresses of our own Radio APs e.g. AP5 detects an Authentication Flood type from AP4. Is this something normal. I can add AP4 in allowed list but shouldn't it already be known to DNAC

I've gone through documentation of Rogue and aWIPs but don't see much information on tweaking profiles and policies.

Sajid

Dilip Thakur · ‎07-16-2023

Hi Sajid,

The aWIPS threats need to be contained manually based on the the threat signature; the WLC or DNAC does not contain them automatically. Most of the times these threats are caused by Rogue devices and that can be contained by the Rogue rules and containment policies.

For your second concern, I would suggest you to open a TAC case to investigate the root cause for the behaviour which does not seem normal.

If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Cisco DNA Center through our live Ask the Experts (ATXs) session. Check out Cisco DNA Center ATXs Resources [https://community.cisco.com/t5/networking-knowledge-base/cisco-dna-center-ask-the-experts-resources/ta-p/4394489] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.