Solved

WIPS and "ap-ssid-broadcast-in-beacon" event

  • 28 May 2020
  • 7 replies
  • 219 views

Hi,

I recently enabled onboard WIPS functionality on my WING 7.2.1 (Rogue AP detection plus all WIPS events) and got a lot of "ap-ssid-broadcast-in-beacon" events with MAC addresses of APs out of my system/control.

I cannot find any explanation of this event in WING documentation. Do you know what exactly it means? Is it dangerous? Do you know any place where WIPS events are described more extensively?

 

Regards


Best answer by Ron Galien 28 May 2020, 23:25

This appears to be an informational event seen by your onboard wips > WING AP / sensors which are detecting neighboring devices / APs that have their SSIDs' configuration set to broadcast. Every wireless router (or wireless access point) has a network name assigned to it. The technical term is a Service Set Identifier (SSID). By default, a router will broadcast its SSID in beacons, so all users within its range can see the network on their PC or other device. For your own security purposes you should not have your own SSIDs configured to “broadcast”.
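What the event looks like at the frame level, as an added example that is not part of the original thread and is not Extreme's WIPS code: a beacon carries the SSID in information element 0, and a hidden network sends that element empty or filled with NUL bytes. The sketch assumes raw 802.11 frames with no radiotap header or FCS; the function names, the managed-BSSID list, the state labels and the sample frames are constructed for illustration.

```python
import struct

SSID_ELEMENT_ID = 0    # IEEE 802.11 information element ID of the SSID
MAC_HEADER_LEN = 24    # management frame header
FIXED_PARAMS_LEN = 12  # timestamp (8) + beacon interval (2) + capabilities (2)

def parse_beacon(frame: bytes):
    """Return (bssid, ssid_bytes or None) for a raw beacon frame."""
    if len(frame) < MAC_HEADER_LEN + FIXED_PARAMS_LEN:
        raise ValueError("frame too short for a beacon")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype != 8:  # management frame, subtype beacon
        raise ValueError("not a beacon frame")
    bssid = "-".join(f"{b:02X}" for b in frame[16:22])  # address 3
    pos = MAC_HEADER_LEN + FIXED_PARAMS_LEN
    while pos + 2 <= len(frame):  # walk the tagged elements: id, length, body
        elem_id, elem_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + elem_len]
        if len(body) < elem_len:
            raise ValueError("truncated information element")
        if elem_id == SSID_ELEMENT_ID:
            return bssid, body
        pos += 2 + elem_len
    return bssid, None

def ssid_is_broadcast(ssid) -> bool:
    """A hidden network sends a zero-length or all-NUL SSID element."""
    return ssid is not None and any(ssid)

def classify(frame: bytes, managed_bssids: set):
    """Label a beacon by owner (own AP or neighbor) and SSID visibility."""
    bssid, ssid = parse_beacon(frame)
    owner = "managed" if bssid in managed_bssids else "neighbor"
    state = "ssid-broadcast" if ssid_is_broadcast(ssid) else "ssid-hidden"
    return bssid, owner, state

def build_beacon(bssid: bytes, ssid: bytes, frame_control: int = 0x0080) -> bytes:
    """Constructed sample frame (not captured traffic)."""
    header = struct.pack("<HH6s6s6sH", frame_control, 0, b"\xff" * 6, bssid, bssid, 0)
    fixed = struct.pack("<QHH", 0, 100, 0x0431)
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates element
    return header + fixed + bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid + rates

if __name__ == "__main__":
    managed = {"02-00-00-00-00-01"}  # constructed BSSID of an AP under your control
    for mac, name in (("020000000001", b"corp-wlan"), ("020000000099", b"")):
        print(classify(build_beacon(bytes.fromhex(mac), name), managed))
```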


That makes sense. This is why I saw this event originating from other APs but also from my own APs. At first I thought that this event says that my own SSIDs are broadcast by other APs (SSID spoofing).

In that case this is useless for me, and I tried to disable this event, BUT I probably hit a bug.

I disabled this event for a specific RF-domain but nothing happened. Then I disabled all events and left only Rogue AP detection, but the event is generated all the time:

Although in configuration all events are disabled:

>show running-config device xxx

wips-policy Rogue_AP_detect
ap-detection


ap505 xx-xx-xx-xx-xx-xx
...
use wips-policy Rogue_AP_detect
...

What do you think of that? My Wing version is 7.2.1.8-005R.

 

And one last question. I read in other articles that there is no description of onboard WIPS events in any Extreme documentation (maybe Extreme should think about doing this), but there are similar events in the AirDefense documentation which are described more extensively. Can you show me where exactly? I cannot find it.

Thank you in advance!


el_magneto,

I think you’re correct in that there’s no documentation for the WiNG WIPS events.

If you have any questions about a particular one though, feel free to ask about it here.

Hi,

The next one I can see is “aggresive-scanning”


el_magneto:

 

The idea here is that the system has detected a wireless client that is scanning (probe requests) for wireless networks at a higher than normal/expected rate.  The concern is that this is a malicious user scanning for networks for the purpose of collecting information for a future attack.

There’s some uncertainty here though because some older clients operated this way as part of their normal behavior (newer clients don’t scan this aggressively).  This would be considered a reconnaissance threat (attacker is collecting information for a future attack). The caveat here though is that even the newer wireless reconnaissance tools no longer scan like this either.  So the assumption is that this is either coming from a ‘safe’ old client or an older version of reconnaissance software.

 

 

Thank you Chris for that detailed explanation.

I’m gonna disable this event therefore as not very useful.

I have recently noticed a couple more. Can you also explain them?

dos-assoc-or-auth-flood

dos-unicast-deauth-or-disassoc

eap-flood

Thanks in advance!

 

And the next ones:

ad-hoc-violation

auth-server-failures
