02-WLAN Command Reference

06-WLAN IDS Commands

WLAN IDS rogue detection configuration commands

countermeasures enable

Syntax

countermeasures enable

undo countermeasures enable

View

WLAN IDS view

Default level

2: System level

Parameters

None

Description

Use countermeasures enable to enable countermeasures against rogue devices present in the attack list.

Use undo countermeasures enable to restore the default.

By default, no countermeasures are enabled.

Examples

# Enable countermeasures.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] countermeasures enable

countermeasures mode

Syntax

countermeasures mode { all | { rogue | adhoc | config }* }

undo countermeasures mode

View

WLAN IDS view

Default level

2: System level

Parameters

all: Takes countermeasures against all rogue devices present in the attack list.

rogue: Takes countermeasures against all rogue APs and clients.

adhoc: Takes countermeasures against all rogue ad hoc devices.

config: Takes countermeasures against statically configured rogue devices.

Description

Use countermeasures mode to set the countermeasures mode.

Use undo countermeasures mode to restore the default.

By default, the countermeasures mode is config.

 

 

NOTE:

Wireless bridge devices are classified as rogues by default, but in any case, countermeasures are not taken against rogue wireless bridges.

 

Examples

# Set the countermeasures mode to rogue.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] countermeasures mode rogue

device aging-duration

Syntax

device aging-duration duration

undo device aging-duration

View

WLAN IDS view

Default level

2: System level

Parameters

duration: Interval, in the range of 300 to 1800 seconds.

Description

Use device aging-duration to set the age time for entries in the detected device table.

Use undo device aging-duration to restore the default.

The default age time is 600 seconds.

If an entry is not detected within the interval, it is deleted from the detected device table. If the deleted entry is that of a rogue, it is added to the rogue history table.

Examples

# Specify the age time for device entries as 1200 seconds.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] device aging-duration 1200

device attack mac-address

Syntax

device attack mac-address mac-address

undo device attack mac-address [ mac-address ]

View

WLAN IDS view

Default level

2: System level

Parameters

mac-address: MAC address of an AP or client.

Description

Use device attack mac-address to add an entry to the static attack list.

Use undo device attack mac-address to remove the specified entry or all entries from the static attack list.

The maximum number of entries in the static attack list is 64.

Examples

# Add a MAC address to and then remove it from the static attack list.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] device attack mac-address aabb-cc00-0001

[Sysname-wlan-ids] undo device attack mac-address aabb-cc00-0001

# Remove all entries from the static attack list.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] undo device attack mac-address

device permit

Syntax

device permit { mac-address mac-address | ssid ssid | vendor oui }

undo device permit { mac-address [ mac-address ] | ssid [ ssid ] | vendor [ oui ] }

View

WLAN IDS view

Default level

2: System level

Parameters

mac-address: MAC address of an AP or client, such as a known device that is to be ignored during RF scans. The maximum number of entries in the permitted MAC address list is 256.

ssid: Service set identifier, a case-sensitive string of 1 to 32 characters, which can include spaces, digits, and special characters. The maximum number of entries in the permitted SSID list is 128.

oui: Organizational unique identifier of an AP, a string of six hexadecimal digits. The maximum number of entries in the permitted vendor list is 64.

Description

Use device permit to add an entry to the permitted MAC address list, permitted SSID list, or permitted vendor list.

Use undo device permit to remove a specified entry, or, if no entry is specified, all entries from the permitted MAC address list, permitted SSID list, or permitted vendor list.

Examples

# Add a MAC address to the MAC address list and then remove it from the list.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] device permit mac-address aabb-cccc-dddd

[Sysname-wlan-ids] undo device permit mac-address aabb-cccc-dddd

device-detection enable

Syntax

device-detection enable

undo device-detection enable

View

AP template view

Default level

2: System level

Parameters

None

Description

Use device-detection enable to enable the AP to provide both device detection and WLAN services.

Use undo device-detection enable to restore the default.

By default, the AP provides only WLAN data services. For an AP in monitor mode, this command is invisible.

Device detection in normal AP mode can be enabled or disabled only when all radios of the AP are disabled.

 

NOTE:

The AP starts device detection only when the radio has been provisioned and is ready to provide WLAN data service. To support this, at least one service template has to be configured and be operational on the detecting AP. If device detection is desired and no service template configuration is required, you can change the AP operating mode to monitor.

 

Examples

# Enable device detection for an AP in normal mode.

<Sysname> system-view

[Sysname] wlan ap 2 model WA2100

[Sysname-wlan-ap2] device-detection enable

display wlan ids attack-list

Syntax

display wlan ids attack-list { config | all | ap ap-name } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

config: Displays the static attack list.

all: Displays the dynamic attack list established based on the rules for detection of rogue devices, for all APs. If the number of entries for an AP exceeds 256, only the first 256 entries are sent and present in the attack list of that AP.

ap ap-name: Displays dynamic attack list information about the specified AP. Its name is a string of characters. If the number of entries for the AP exceeds 256, only the first 256 entries are sent and present in the attack list of the AP.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display wlan ids attack-list to display attack list information in the order of MAC address.

Examples

# Display dynamic attack list information for all APs.

<Sysname> display wlan ids attack-list all

 Total Number of Entries: 2

 Flags: a = adhoc, w = ap, c = client

 #AP = number of active APs detecting, Ch = channel number

                               Attack List - All

--------------------------------------------------------------------------

 MAC Address    type #AP  Ch  Last Detected Time  SSID

--------------------------------------------------------------------------

 0009-5b94-2fb0 --c  1    1   2008-05-16/14:16:05 -

 001b-1109-a32b --c  1    5   2008-05-16/14:16:17 -

--------------------------------------------------------------------------

Table 1 Command output

Field: Description

MAC address: MAC address of the device that is to be attacked by the monitor AP

Flags: Type of the device, which can be ad hoc, AP, or client.

#AP: Number of active APs that detect the device. If WIDS is enabled on multiple APs, these APs may detect the same device.

Ch: Channel in which the device was last detected

Last Detected Time: Time at which the entry was last detected

SSID: Service set identifier for the ESS of the entry

 

# Display attack list information for AP 6.

<Sysname> display wlan ids attack-list ap ap6

 Total Number of Entries: 22

 Flags: a = adhoc, w = ap, c = client

 #AP = number of active APs detecting, Ch = channel number

                                Attack List - AP

--------------------------------------------------------------------------

 MAC Address    type #AP  Ch  Last Detected       SSID

--------------------------------------------------------------------------

 000b-6b8f-fc6a --c  1    11  2008-01-22/15:33:21 -

 000f-e000-0052 -w-  1    10  2008-01-22/15:33:58 "xxxx-xxxx-xxxx"

 000f-e200-0000 -w-  1    9   2008-01-22/15:33:59 "6103_kaifang"

 000f-e200-0001 -w-  1    9   2008-01-22/15:33:59 "6103_youxian"

 000f-e200-0002 -w-  1    9   2008-01-22/15:33:59 "6103_zhengshu"

 000f-e200-0003 -w-  1    9   2008-01-22/15:33:59 "6103_zhengshu+WPA2"

 000f-e200-00a2 --c  1    9   2008-01-22/15:33:29 -

 000f-e25d-f4b0 -w-  1    9   2008-01-22/15:33:58 "6103_kaifang"

 000f-e25d-f4b1 -w-  1    9   2008-01-22/15:33:59 "6103_youxian"

 000f-e25d-f4b2 -w-  1    9   2008-01-22/15:33:59 "6103_zhengshu"

 000f-e25d-f4b3 -w-  1    9   2008-01-22/15:33:59 "6103_zhengshu+WPA2"

 000f-e26c-2250 -w-  1    11  2008-01-22/15:33:59 "bjwifidata"

 000f-e26c-2251 -w-  1    11  2008-01-22/15:33:58 "bjwifivoice"

 000f-e26c-2252 -w-  1    11  2008-01-22/15:33:58 "voice"

 000f-e26c-28d0 -w-  1    11  2008-01-22/15:33:58 "wyg3000"

 000f-e278-8020 -w-  1    6   2008-01-22/15:33:58 "test11"

 000f-e278-8181 -w-  1    7   2008-01-22/15:33:59 "nsw-wep"

 000f-e27b-3f80 -w-  1    6   2008-01-22/15:33:38 "ytj-a"

 000f-e27b-4230 -w-  1    4   2008-01-22/15:33:58 "test2"

 0011-9548-4007 --c  1    7   2008-01-22/15:33:49 -

 0019-5bcf-cce3 --c  1    5   2008-01-22/15:33:25 -

 001a-9228-2d3e --c  1    11  2008-01-22/15:33:53 -

--------------------------------------------------------------------------

For related information, see Table 1.

display wlan ids detected

Syntax

display wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

all: Displays all devices detected (rogues and friends) in the WLAN.

rogue: Displays rogue devices detected (AP or clients) in the WLAN.

ap: Displays all rogue APs detected in the WLAN.

client: Displays all rogue clients detected in the WLAN.

adhoc: Displays clients which belong to adhoc networks detected in the WLAN.

ssid: Displays all SSIDs detected in the WLAN.

mac-address mac-address: Displays information about an AP or client.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display wlan ids detected to display detected devices in the WLAN in the order of MAC address or SSID.

Examples

# Display information about all detected devices.

<Sysname> display wlan ids detected all

 Total Number of Entries : 18

 Flags: r = rogue, p = permit, a = adhoc, w = ap, b = wireless-bridge,

        c = client

 #AP = number of active APs detecting, Ch = channel number

                          Detected Device(s) List

--------------------------------------------------------------------------

 MAC Address    Vendor        Type  #AP  Ch  Last Detected       SSID

--------------------------------------------------------------------------

 000f-e281-1322 XEROX CORP... -p-w- 1    4   2008-05-16/10:49:15 "cyh-psk2"

 000f-e281-1323 XEROX CORP... -p-w- 1    4   2008-05-16/10:49:05 "cyh-ccmp"

 000f-e281-1460 XEROX CORP... -p-w- 1    6   2008-05-16/10:49:26 "fl"

 000f-e281-1461 XEROX CORP... -p-w- 1    6   2008-05-16/10:49:26 "fg2"

 0012-f0cc-4789 XEROX CORP... -p--c 1    1   2008-05-16/10:49:11 -

 0013-f702-dbd2 XEROX CORP... -p--c 1    7   2008-05-16/10:46:58 -

 0016-6f99-fbf6 XEROX CORP... -p--c 1    11  2008-05-16/10:49:02 -

 0016-6f99-fc21 XEROX CORP... -p--c 1    6   2008-05-16/10:49:25 -

 0017-9a00-7986 XEROX CORP... -p--c 1    8   2008-05-16/10:48:04 -

 0017-9a00-79bd XEROX CORP... -p--c 1    7   2008-05-16/10:47:18 -

 0017-9a00-7b47 XEROX CORP... r---c 1    10  2008-05-16/10:48:49 -

 0017-9a00-7cb8 XEROX CORP... -p--c 1    1   2008-05-16/10:49:20 -

 0019-5bcf-ccfd XEROX CORP... -p--c 1    11  2008-05-16/10:49:24 -

 001b-111d-b46f XEROX CORP... -p--c 1    6   2008-05-16/10:48:56 -

 001c-f017-41dc XEROX CORP... -p--c 1    6   2008-05-16/10:48:00 -

 001c-f017-41dd XEROX CORP... -p--c 1    6   2008-05-16/10:49:19 -

 001d-0f32-4305 XEROX CORP... -p--c 1    1   2008-05-16/10:48:33 -

 0810-741a-1b4c XEROX CORP... -p--c 1    11  2008-05-16/10:49:04 -

--------------------------------------------------------------------------

Table 2 Command output

Field: Description

MAC Address: MAC address of the device detected.

Vendor: Vendor of the detected device.

Flags: Whether the device detected is an AP, wireless bridge, ad hoc, or client, and whether it is permitted or a rogue.

#AP: Number of active APs that detect the device. If WIDS is enabled on multiple APs, these APs may detect the same device.

Ch: Channel in which the device was last detected.

Last Detected: Time at which the entry was last detected.

SSID: Service set identifier for the ESS of the entry.
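The following parser for `display wlan ids detected all` output is an added example, not H3C code. It decodes the Type letters by presence rather than by position (the legend lists six letters for a five-character field) and checks the parsed rows against the "Total Number of Entries" header so that a truncated capture is noticed. The sample rows are constructed in the layout shown above.

```python
import re

# Letters from the "Flags:" legend of `display wlan ids detected all`.
FLAG_NAMES = {"r": "rogue", "p": "permit", "a": "adhoc", "w": "ap",
              "b": "wireless-bridge", "c": "client"}

MAC = r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}"
TOTAL = re.compile(r"Total Number of Entries\s*:\s*(\d+)")
LOOKS_LIKE_ROW = re.compile(r"^\s*" + MAC + r"\b")
ROW = re.compile(
    r"^\s*(?P<mac>" + MAC + r")\s+"
    r"(?P<vendor>.+?)\s+"                      # vendor names may contain spaces
    r"(?P<flags>[rpawbc-]{5})\s+"
    r"(?P<n_aps>\d+)\s+(?P<channel>\d+)\s+"
    r"(?P<last_seen>\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+"
    r'(?P<ssid>".*"|-)\s*$'                    # quoted SSID, or "-" for none
)

# Constructed sample in the column layout shown on this page (not a real capture).
SAMPLE = """\
 Total Number of Entries : 4
 Flags: r = rogue, p = permit, a = adhoc, w = ap, b = wireless-bridge,
        c = client
 #AP = number of active APs detecting, Ch = channel number
                          Detected Device(s) List
--------------------------------------------------------------------------
 MAC Address    Vendor        Type  #AP  Ch  Last Detected       SSID
--------------------------------------------------------------------------
 0000-5e00-5301 EXAMPLE CO... -p-w- 1    4   2008-05-16/10:49:15 "corp-psk"
 0000-5e00-5302 EXAMPLE CO... -p--c 1    1   2008-05-16/10:49:11 -
 0000-5e00-5303 EXAMPLE CO... r---c 1    10  2008-05-16/10:48:49 -
 0000-5E00-5304 Sampl...      r--w- 2    11  2008-05-16/10:49:02 "Free WiFi"
--------------------------------------------------------------------------
"""


def parse_detected(text):
    """Parse the table; return (devices, declared_total, unparsed_rows)."""
    devices, unparsed, declared = [], [], None
    for line in text.splitlines():
        total = TOTAL.search(line)
        if total:
            declared = int(total.group(1))
            continue
        row = ROW.match(line)
        if row:
            devices.append({
                "mac": row["mac"].lower(),     # output mixes upper and lower case
                "vendor": row["vendor"],
                "flags": {FLAG_NAMES[c] for c in row["flags"] if c != "-"},
                "n_aps": int(row["n_aps"]),
                "channel": int(row["channel"]),
                "last_seen": row["last_seen"],
                "ssid": None if row["ssid"] == "-" else row["ssid"][1:-1],
            })
        elif LOOKS_LIKE_ROW.match(line):
            unparsed.append(line)              # data row that did not fit the layout
    return devices, declared, unparsed


def rogue_devices(devices):
    """Entries the controller has classified as rogue."""
    return [d for d in devices if "rogue" in d["flags"]]


def capture_is_complete(devices, declared, unparsed):
    """True when every declared entry was parsed and no row was skipped."""
    return declared is not None and declared == len(devices) and not unparsed


if __name__ == "__main__":
    devs, total, bad = parse_detected(SAMPLE)
    print("complete capture:", capture_is_complete(devs, total, bad))
    for d in rogue_devices(devs):
        print(d["mac"], sorted(d["flags"]), "ch", d["channel"], d["ssid"])
```
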

 

# Display information about detected rogue APs.

<Sysname> display wlan ids detected rogue ap

Total Number of Entries : 6                                              

#AP = number of active APs detecting, Ch = channel number

                           Detected Rogue AP(s) List                     

--------------------------------------------------------------------------

 MAC Address    Vendor     #AP Ch  Last Detected Time   SSID   

--------------------------------------------------------------------------

 000B-8580-738F Aires...  1   10  2007-03-16/12:44:11  "Diamond"

 000F-E212-1230 Hangz...  1   5   2007-03-16/12:44:11  "1"     

 000F-E234-0200 Hangz...  1   11  2007-03-16/12:44:11  "VClear"

 000F-E2AA-CC04 Hangz...  1   12  2007-03-16/12:44:11  "baba"  

 000F-E2BB-CCD0 Hangz...  1   1   2007-03-16/12:44:11  "Rogue AP Team B..."

 000F-E2F2-2230 Hangz...  1   7   2007-03-16/12:44:11  "int-RT"

--------------------------------------------------------------------------

For the command output description, see Table 2.

# Display information about the detected rogue clients.

<Sysname> display wlan ids detected rogue client

Total Number of Entries : 1

#AP = number of active APs detecting, Ch = channel number

                         Detected Rogue Client(s) List

--------------------------------------------------------------------------

 MAC Address    Vendor        #AP  Ch  Last Detected       SSID

--------------------------------------------------------------------------

 0017-9a00-7b47 XEROX CORP... 1    9   2008-05-16/10:49:30 -

--------------------------------------------------------------------------

For the command output description, see Table 2.

# Display information about all the detected adhoc devices.

<Sysname> display wlan ids detected adhoc

Total Number of Entries : 4

#AP = number of active APs, Ch = channel number

                           Detected Adhoc(s) List

----------------------------------------------------------------------

 MAC Address    Vendor   #AP Ch  Last Detected Time SSID

----------------------------------------------------------------------

 000F-E212-1230 Hangz... 1   5   2007-03-16/12:44:11 -

 000F-E234-0200 Hangz... 1   11  2007-03-16/12:44:11 -

 000F-E2AA-CC04 Hangz... 1   12  2007-03-16/12:44:11 -

 000F-E2BB-CCD0 Hangz... 1   1   2007-03-16/12:44:11 -...

----------------------------------------------------------------------

For the command output description, see Table 2.

# Display information about all detected SSIDs.

<Sysname> display wlan ids detected ssid

 Total Number of Entries : 7                                             

 #Device = number of devices using SSID                              

                             Detected SSID List                       

--------------------------------------------------------------------------

 SSID                             #Device Last Detected Time             

--------------------------------------------------------------------------

 "Crywep"                           1     2007-03-16/12:44:37            

 "H3COMTEST11"                      1     2007-03-16/12:44:37

 "autowep"                          2     2007-03-16/12:44:37            

 "baba"                             2     2007-03-16/12:44:37            

 "s1"                               1     2007-03-16/12:44:37            

 "s2"                               1     2007-03-16/12:44:37            

 "s4crypto"                         1     2007-03-16/12:43:48           

--------------------------------------------------------------------------

For the command output description, see Table 3.

# Display detailed information about a device detected.

<Sysname> display wlan ids detected mac-address 000F-E2BB-CCD0

                            Detected Device Profile

--------------------------------------------------------------------------

 MAC Address                         : 000F-E2BB-CCD0

 BSSID                               : 000F-E2BB-CCD0

 Type                                : Rogue-AP

 SSID                                : "H3C"

 Vendor                              : Hangzhou H3C Tech. Co., Ltd

 Number of APs detected it           : 2

 Channel                             : 11

 Maximum RSSI Detected               : 47

 Beacon Interval                     : 100

 First Detected(yyyy-mm-dd/hh:mm:ss) : 2007-03-16/11:32:54

 Reported AP 1

   MAC Address                       : 000F-E210-2000

   AP Name                           : ap1

   Radio Type                        : 11g

   RSSI                              : 75

   Last Detected(yyyy-mm-dd/hh:mm:ss): 2007-03-16/12:43:37

 Reported AP 2:

   MAC Address                       : 000F-E210-2001

   AP Name                           : ap12

   Radio Type                        : 11g

   RSSI                              : 75

   Last Detected(yyyy-mm-dd/hh:mm:ss): 2007-03-16/12:44:37                    

--------------------------------------------------------------------------

Table 3 Command output

Field: Description

MAC Address: MAC address of the device detected.

BSSID: Basic service set identifier of the detected device.

Type: Whether the device detected is an AP, wireless bridge, ad hoc device, or client, and whether it is permitted or a rogue.

SSID: Service set identifier for the ESS of the entry.

Vendor: Vendor for the detected device.

Number of APs detected it: Number of active APs that detected the device. If WIDS is enabled on multiple APs, these APs may detect the same device. In this output, the value indicates that two APs detect the device with the MAC address 000F-E2BB-CCD0 and consider it a rogue device.

Channel: Channel in which the device was last detected.

RSSI: Maximum detected RSSI of the device.

Beacon Interval: Beacon interval for the detected AP.

First Detected: Time at which the entry was first detected.

Reported AP / MAC Address: MAC address of the AP that detected the device.

Reported AP / AP name: Name of the AP.

Reported AP / Radio type: Radio type of the AP.

Reported AP / RSSI: Maximum detected RSSI of the device.

Reported AP / Last Detected (yyyy-mm-dd/hh:mm:ss): Time at which the rogue AP was detected.

 

display wlan ids permitted

Syntax

display wlan ids permitted { mac-address | ssid | vendor } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

mac-address: Displays the permitted MAC address list.

ssid: Displays the permitted SSID list.

vendor: Displays the permitted vendor OUI list.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display wlan ids permitted to display the list of permitted MAC addresses, permitted SSIDs, or permitted vendor OUIs.

Examples

# Display the permitted MAC-address list.

<Sysname> display wlan ids permitted mac-address

Total Number of Entries: 4  

Flags: a = adhoc, w = ap, b = wireless-bridge, c = client                   

                                  Permitted Mac Address(s)

--------------------------------------------------------------------------

 MAC Address    Detected Type                                               

--------------------------------------------------------------------------

 0000-0000-0001 Yes      a--                                                

 0000-1111-1111 Yes      -b-                                            

 0000-1111-1234 No       -                                               

 0000-1111-5634 Yes      --c                                                

--------------------------------------------------------------------------

Table 4 Command output

Field: Description

MAC address: MAC address of the device permitted.

Detected: Whether the device is detected or not.

Type: Type of the device, which can be adhoc, wireless bridge, AP, or client.

 

# Display information about the permitted SSID list.

<Sysname> display wlan ids permitted ssid

Total Number of Entries: 5                                                    

                               Permitted SSID(s)                               

--------------------------------------------------------------------------

 SSID                               Detected      

--------------------------------------------------------------------------

 "s1"                              Yes                                             

 "s2"                              Yes                                            

 "s3"                              Yes                                            

 "s4"                              Yes                                            

 "s5"                              No                                            

--------------------------------------------------------------------------

Table 5 Command output

Field: Description

SSID: Service set identifier for the ESS.

Detected: Whether the device has been detected or not.

 

# Display information about the permitted OUI list.

<Sysname> display wlan ids permitted vendor

Total Number of Entries: 3

                              Permitted Vendor(s)

--------------------------------------------------------------------------------

 OUI      Vendor Name

--------------------------------------------------------------------------------

Hangzhou H3C Tech. Co., Ltd.Netgear Inc.Cisco Systems, Inc.

--------------------------------------------------------------------------------

Table 6 Command output

Field: Description

OUI: OUI (organizational unique identifier) of the AP

Vendor: Vendor of the device

 

display wlan ids rogue-history

Syntax

display wlan ids rogue-history [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display wlan ids rogue-history to display all expired rogue devices which have been deleted from the list of detected rogue devices because they could not be detected within the device aging duration.

Examples

# Display information about all expired rogue devices.

<Sysname> display wlan ids rogue-history

 Total Number of Entries: 6

 Flags: a = adhoc, w = ap, b = wireless-bridge, c = client

 Ch = channel number

                              Rogue History List

--------------------------------------------------------------------------

MAC Address    Vendor   Type   Ch  Last Detected       SSID

--------------------------------------------------------------------------

 00E0-9855-1D9A AboCo... -w-   11  2007-03-16/11:38:22 "ATNet"

 000F-E2CC-0005 Hangz... -b-   4   2007-03-16/11:37:06  -

 000F-E2CC-0004 Hangz... --c   4   2007-03-16/11:36:20  -

 000F-E2CC-DD00 Hangz... -w-   2   2007-03-16/11:36:17  "AKHIL"

 000F-E2CC-0003 Hangz... --c   4   2007-03-16/11:35:34  -

 0013-4651-23E7 D-Lin... -w-   6   2007-03-16/11:35:10  "home"

--------------------------------------------------------------------------

Table 7 Command output

Field: Description

MAC Address: MAC address of the device.

Vendor: Vendor for the device.

Flags: Type of the device, which can be ad hoc, wireless bridge, AP, or client.

Ch: Channel in which the device was last detected.

Last Time Heard: Time at which the entry was last detected.

SSID: Service set identifier for the ESS of the entry.

 

wlan ids

Syntax

wlan ids

View

System view

Default level

2: System level

Parameters

None

Description

Use wlan ids to enter WLAN IDS view.

Examples

# Enter WLAN IDS view.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids]

work-mode monitor

Syntax

work-mode monitor

undo work-mode

View

AP template view

Default level

2: System level

Parameters

monitor: Configures the AP to operate in monitor mode.

Description

Use work-mode monitor to configure the AP to operate in monitor mode to scan rogue devices.

Use undo work-mode to restore the default.

By default, the AP operates in normal mode to provide WLAN services.

An AP in monitor mode operates only as a monitor AP: it cannot operate as an access AP and cannot provide WLAN services.

Examples

# Set the monitor operation mode for the AP.

<Sysname> system-view

[Sysname] wlan ap ap2 model WA2100

[Sysname-wlan-ap-ap2] work-mode monitor

reset wlan ids detected

Syntax

reset wlan ids detected { all | rogue { ap | client } | adhoc | ssid | mac-address mac-address }

View

User view

Default level

1: Monitor level

Parameters

all: Clears information about all devices detected in the WLAN.

rogue: Clears information about detected rogue devices (AP or clients) in the WLAN.

ap: Clears information about rogue APs detected in the WLAN.

client: Clears information about rogue clients detected in the WLAN.

adhoc: Clears information about ad hoc devices detected in the WLAN.

ssid: Clears information about SSIDs detected in the WLAN.

mac-address mac-address: Clears information about the device (AP or client) detected in the WLAN.

Description

Use reset wlan ids detected to clear information about specified or all devices detected in the WLAN.

Examples

# Clear information about all devices (permitted and non-permitted) detected in the WLAN.

<Sysname> reset wlan ids detected all

reset wlan ids rogue-history

Syntax

reset wlan ids rogue-history

View

User view

Default level

1: Monitor level

Parameters

None

Description

Use reset wlan ids rogue-history to clear all entries from the rogue history table.

Examples

# Delete all entries from the rogue history table.

<Sysname> reset wlan ids rogue-history

WLAN IDS attack detection configuration commands

attack-detection enable

Syntax

attack-detection enable { all | flood | weak-iv | spoof }

undo attack-detection enable

View

WLAN IDS view

Default level

2: System level

Parameters

all: Enables detection of all kinds of attacks.

flood: Enables detection of flood attacks.

spoof: Enables detection of spoof attacks.

weak-iv: Enables weak-IV detection.

Description

Use attack-detection enable to enable the WIDS detection of various DoS attacks.

Use undo attack-detection enable to restore the default.

By default, no WIDS detection is enabled.

Examples

# Enable spoof attack detection.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] attack-detection enable spoof

display wlan ids history

Syntax

display wlan ids history [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display wlan ids history to display the history of attacks detected in the WLAN system. It supports a maximum of 512 entries.

Examples

# Display the history of attacks.

<Sysname> display wlan ids history

 Total Number of Entries: 5

  Flags:

   act = Action Frame             asr = Association Request

   aur = Authentication Request   daf = Deauthentication Frame

   dar = Disassociation Request   ndf = Null Data Frame

   pbr = Probe Request            rar = Reassociation Request

   saf = Spoofed Disassociation Frame

   sdf = Spoofed Deauthentication Frame    

   wiv = Weak IV Detected

   AT - Attack Type, Ch - Channel Number, AR - Average RSSI

                              WIDS History Table

--------------------------------------------------------------------------

 MAC Address      AT    Ch    AR    Detected Time          AP

--------------------------------------------------------------------------

 0027-E699-CA71   asr   8     44    2007-06-12/19:47:54    ap12

 0015-E9A4-D7F4   wiv   8     45    2007-06-12/19:45:28    ap48

 0027-E699-CA71   asr   8     20    2007-06-12/19:18:17    ap12

 003d-B5A6-539F   pbr   8     43    2007-06-12/19:10:48    ap56

 0015-E9A4-D7F4   wiv   8     50    2007-06-12/19:01:28    ap48

--------------------------------------------------------------------------

Table 8 Command output

Field: Description

MAC Address: In case of spoof attacks, this field provides the BSSID which was spoofed. In case of other attacks, this field provides the MAC address of the device which initiated the attack.

AT: Type of attack.

Ch: Channel in which the attack was detected.

AR: Average RSSI of the attack frames.

Detected time: Time at which this attack was detected.

AP: Name of the AP that detected this attack.
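The following triage script for `display wlan ids history` output is an added example, not H3C code. It maps each AT code to the flood, spoof, or weak-iv detection category and records whether the MAC Address column holds the attack source or, for spoof entries, the spoofed BSSID, so that a spoofed BSSID is not reported as an attacker. The sample rows are constructed in the layout shown above.

```python
import re
from collections import defaultdict
from datetime import datetime

# AT codes from the "Flags:" legend, grouped by the attack-detection
# category (flood | spoof | weak-iv) that reports them.
ATTACK_TYPES = {
    "act": ("Action Frame", "flood"),
    "asr": ("Association Request", "flood"),
    "aur": ("Authentication Request", "flood"),
    "daf": ("Deauthentication Frame", "flood"),
    "dar": ("Disassociation Request", "flood"),
    "ndf": ("Null Data Frame", "flood"),
    "pbr": ("Probe Request", "flood"),
    "rar": ("Reassociation Request", "flood"),
    "saf": ("Spoofed Disassociation Frame", "spoof"),
    "sdf": ("Spoofed Deauthentication Frame", "spoof"),
    "wiv": ("Weak IV Detected", "weak-iv"),
}

ROW = re.compile(
    r"^\s*(?P<mac>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+"
    r"(?P<at>[a-z]{3})\s+(?P<ch>\d+)\s+(?P<rssi>\d+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2}/\d{2}:\d{2}:\d{2})\s+(?P<ap>\S+)\s*$"
)

# Constructed sample in the column layout shown on this page (not a real capture).
SAMPLE = """\
 Total Number of Entries: 5
                              WIDS History Table
--------------------------------------------------------------------------
 MAC Address      AT    Ch    AR    Detected Time          AP
--------------------------------------------------------------------------
 0000-5E00-5310   asr   8     44    2007-06-12/19:47:54    ap12
 0000-5E00-5320   wiv   8     45    2007-06-12/19:45:28    ap48
 0000-5e00-5310   asr   8     20    2007-06-12/19:18:17    ap12
 0000-5E00-5330   sdf   11    43    2007-06-12/19:10:48    ap56
 0000-5E00-5320   wiv   8     50    2007-06-12/19:01:28    ap48
--------------------------------------------------------------------------
"""


def parse_history(text):
    """Return one dict per history row; unknown AT codes are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m["at"] not in ATTACK_TYPES:
            continue
        name, category = ATTACK_TYPES[m["at"]]
        events.append({
            "mac": m["mac"].lower(),           # output mixes upper and lower case
            # Table 8: for spoof attacks the MAC column is the spoofed BSSID.
            "mac_role": "spoofed-bssid" if category == "spoof" else "source",
            "code": m["at"], "attack": name, "category": category,
            "channel": int(m["ch"]), "avg_rssi": int(m["rssi"]),
            "time": datetime.strptime(m["time"], "%Y-%m-%d/%H:%M:%S"),
            "ap": m["ap"],
        })
    return events


def summarize(events):
    """Group events by (MAC, AT code): count, first/last time, reporting APs."""
    groups = defaultdict(
        lambda: {"count": 0, "first": None, "last": None, "aps": set()})
    for e in events:
        g = groups[(e["mac"], e["code"])]
        g["count"] += 1
        g["first"] = e["time"] if g["first"] is None else min(g["first"], e["time"])
        g["last"] = e["time"] if g["last"] is None else max(g["last"], e["time"])
        g["aps"].add(e["ap"])
        g["mac_role"] = e["mac_role"]
        g["category"] = e["category"]
    return dict(groups)


if __name__ == "__main__":
    for (mac, code), g in sorted(summarize(parse_history(SAMPLE)).items()):
        print(mac, code, g["category"], g["mac_role"], g["count"],
              g["first"].isoformat(), g["last"].isoformat(), sorted(g["aps"]))
```
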

 

display wlan ids statistics

Syntax

display wlan ids statistics [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display wlan ids statistics to display the count of attacks detected.

Examples

# Display WLAN IDS statistics.

<Sysname> display wlan ids statistics

 Current attack tracking since: 2007-06-21/12:46:33                      

----------------------------------------------------------------------

 Type                                            Current       Total      

----------------------------------------------------------------------

 Probe Request Frame Flood Attack                2             7         

 Authentication Request Frame Flood Attack       0             0         

 Deauthentication Frame Flood Attack             0             0         

 Association Request Frame Flood Attack          1             1         

 Disassociation Request Frame Flood Attack       4             8          

 Reassociation Request Frame Flood Attack        0             0          

 Action Frame Flood Attack                       0             0          

 Null Data Frame Flood Attack                    0             0          

 Weak IVs Detected                               12            21        

 Spoofed Deauthentication Frame Attack           0             0         

 Spoofed Disassociation Frame Attack             0             2         

----------------------------------------------------------------------

Table 9 Command output

Field: Description

Current: Count of attacks detected since the current attack tracking time (shown in the "Current attack tracking since:" field). The current attack tracking time starts at system startup and is refreshed each hour thereafter.

Total: Total count of attacks detected since system startup.

Probe Request Frame Flood Attack: Number of probe request frame flood attacks detected.

Authentication Request Frame Flood Attack: Number of authentication request frame flood attacks detected.

Deauthentication Frame Flood Attack: Number of deauthentication frame flood attacks detected.

Association Request Frame Flood Attack: Number of association request frame flood attacks detected.

Disassociation Request Frame Flood Attack: Number of disassociation request frame flood attacks detected.

Reassociation Request Frame Flood Attack: Number of reassociation request frame flood attacks detected.

Action Frame Flood Attack: Number of action frame flood attacks detected.

Null Data Frame Flood Attack: Number of null data frame flood attacks detected.

Weak IVs Detected: Number of weak IVs detected.

Spoofed Deauthentication Frame Attack: Number of spoofed deauthentication frame attacks detected.

Spoofed Disassociation Frame Attack: Number of spoofed disassociation frame attacks detected.

 

reset wlan ids history

Syntax

reset wlan ids history

View

User view

Default level

1: Monitor level

Parameters

None

Description

Use reset wlan ids history to clear the history information of attacks detected in the WLAN.

After this command is executed, all the history information regarding attacks is cleared, and the history table becomes empty.

Examples

# Clear all history information of attacks.

<Sysname> reset wlan ids history

reset wlan ids statistics

Syntax

reset wlan ids statistics

View

User view

Default level

1: Monitor level

Parameters

None

Description

Use reset wlan ids statistics to clear the statistics of attacks detected in the WLAN system.

This command clears both the "current" and "total" of all attack types in the WLAN IDS statistics table.

Examples

# Clear WLAN IDS statistics.

<Sysname> reset wlan ids statistics
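The following poller logic is an added example, not H3C code. It parses two captures of display wlan ids statistics and reports per-type increases from the Total column, because Current is refreshed each hour and reset wlan ids statistics clears both columns. POLL_2 and the function names are constructed for this example.

```python
import re

# Data rows look like "<attack type>   <Current>   <Total>".
ROW = re.compile(r"^\s*(\S.*?\S)\s{2,}(\d+)\s+(\d+)\s*$")
SINCE = re.compile(r"Current attack tracking since:\s*(\S+)")

POLL_1 = """\
 Current attack tracking since: 2007-06-21/12:46:33
 Type                                            Current       Total
 Probe Request Frame Flood Attack                2             7
 Disassociation Request Frame Flood Attack       4             8
 Weak IVs Detected                               12            21
"""  # rows copied from the example output above
POLL_2 = """\
 Current attack tracking since: 2007-06-21/13:46:33
 Probe Request Frame Flood Attack                1             8
 Disassociation Request Frame Flood Attack       0             8
 Weak IVs Detected                               3             24
"""  # constructed: a later poll, after the hourly refresh of Current

def parse_statistics(text):
    """Return (tracking_since, {attack type: (current, total)})."""
    since, counters = None, {}
    for line in text.splitlines():
        m = SINCE.search(line)
        if m:
            since = m.group(1)
            continue
        m = ROW.match(line)
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return since, counters

def new_attacks(prev, curr):
    """Per-type growth of Total between two polls.

    Total can only shrink if the counters were cleared (reset wlan ids
    statistics, or a restart); then everything counted since is new.
    """
    out = {}
    for name, (_, total) in curr.items():
        before = prev.get(name, (0, 0))[1]
        delta = total - before if total >= before else total
        if delta:
            out[name] = delta
    return out
```

A clear followed by more detections than the previous Total cannot be recognized from the counters alone, so record when reset wlan ids statistics is run.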

 


WLAN frame filtering configuration commands

display wlan blacklist

Syntax

display wlan blacklist { static | dynamic } [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

2: System level

Parameters

static: Displays static blacklist entries.

dynamic: Displays dynamic blacklist entries.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display wlan blacklist to display the static or dynamic blacklist entries.

Examples

# Display information about the static blacklist.

<Sysname> display wlan blacklist static

Total Number of Entries: 3

                               Static Blacklist

--------------------------------------------------------------------------

 MAC-Address

--------------------------------------------------------------------------

 0014-6c8a-43ff

 0016-6F9D-61F3

 0019-5B79-F04A

--------------------------------------------------------------------------

Table 10 Command output

Field: Description

MAC-Address: MAC addresses of clients

 

# Display information about the dynamic blacklist.

<Sysname> display wlan blacklist dynamic

 Total Number of Entries : 3

                               Dynamic Blacklist

--------------------------------------------------------------------------

 MAC-Address    Lifetime(s) Last Updated Since(hh:mm:ss)     Reason

----------------------------------------------------------------------

 000f-e2cc-0001 60          00:02:11                         Assoc-Flood

 000f-e2cc-0002 60          00:01:17                         Deauth-Flood

 000f-e2cc-0003 60          00:02:08                         Auth-Flood

Table 11 Command output

Field: Description

MAC-Address: MAC address of the device inserted into the dynamic blacklist

Lifetime(s): Lifetime of the corresponding entry in seconds

Last Updated Since(hh:mm:ss): Time elapsed since the entry was last updated

Reason: Reason why the entry was added into the dynamic blacklist

 

display wlan whitelist

Syntax

display wlan whitelist [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display wlan whitelist to display the configured white list.

Examples

# Display the white list.

<Sysname> display wlan whitelist

Total Number of Entries: 3

                               Whitelist

--------------------------------------------------------------------------

 MAC-Address

--------------------------------------------------------------------------

 000e-35b2-000e

 0019-5b8e-b709

 001c-f0bf-9c92

--------------------------------------------------------------------------

Table 12 Command output

Field: Description

MAC-Address: MAC addresses of clients in the white list

 

dynamic-blacklist enable

Syntax

dynamic-blacklist enable

undo dynamic-blacklist enable

View

WLAN IDS view

Default level

2: System level

Parameters

enable: Enables the dynamic blacklist feature.

Description

Use dynamic-blacklist enable to enable the dynamic blacklist feature.

Use undo dynamic-blacklist enable to disable the dynamic blacklist feature.

By default, the dynamic blacklist feature is disabled.

With this feature enabled, a WLAN device that detects flood attacks from a device adds that device to the dynamic blacklist and denies all packets from it until the dynamic blacklist entry ages out.

Examples

# Enable the dynamic blacklist feature.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] dynamic-blacklist enable

dynamic-blacklist lifetime

Syntax

dynamic-blacklist lifetime lifetime

undo dynamic-blacklist lifetime

View

WLAN IDS view

Default level

2: System level

Parameters

lifetime: Interval, in the range of 60 to 3600 seconds.

Description

Use dynamic-blacklist lifetime to set the lifetime for dynamic blacklist entries.

Use undo dynamic-blacklist lifetime to restore the default.

By default, the lifetime is 300 seconds.

If the device in a dynamic blacklist entry is not detected again within the lifetime, the entry is removed from the dynamic blacklist.

Examples

# Specify a lifetime of 1200 seconds for dynamic blacklist entries.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] dynamic-blacklist lifetime 1200

reset wlan dynamic-blacklist

Syntax

reset wlan dynamic-blacklist { mac-address mac-address | all }

View

User view

Default level

1: Monitor level

Parameters

mac-address mac-address: Removes an entry with the specified MAC address from the dynamic blacklist.

all: Removes all entries from the dynamic blacklist.

Description

Use reset wlan dynamic-blacklist to remove a specified entry or all entries from the dynamic blacklist.

The maximum number of entries depends on the device model. For more information, see "About the WX Series Access Controllers Command References."

Examples

# Remove a client with MAC address 001d-0f31-87d from the dynamic blacklist.

<Sysname> reset wlan dynamic-blacklist mac-address 001d-0f31-87d

static-blacklist mac-address

Syntax

static-blacklist mac-address mac-address

undo static-blacklist { mac-address mac-address | all }

View

WLAN IDS view

Default level

2: System level

Parameters

mac-address: MAC address of the client to add to or delete from the static blacklist.

all: Deletes all entries from the static blacklist.

Description

Use static-blacklist mac-address to add a client with a specified MAC address to the static blacklist.

Use undo static-blacklist to remove the client with the specified MAC address or all clients from the static blacklist.

Clients in the static blacklist cannot associate with the AP.

The maximum number of entries depends on the device model. For more information, see "About the WX Series Access Controllers Command References."

Examples

# Add the client with MAC address 0014-6c8a-43ff to the static blacklist.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] static-blacklist mac-address 0014-6c8a-43ff

whitelist mac-address

Syntax

whitelist mac-address mac-address

undo whitelist { mac-address mac-address | all }

View

WLAN IDS view

Default level

2: System level

Parameters

mac-address: MAC address of the client to add to or delete from the white list.

all: Deletes all entries from the white list.

Description

Use whitelist mac-address to add a client with a specified MAC address to the white list.

Use undo whitelist to remove the client with the specified MAC address or all clients from the white list.

Clients in the white list can associate with the AP.

The maximum number of entries in the white list is 255.

Examples

# Add the client with MAC address 001c-f0bf-9c92 to the white list.

<Sysname> system-view

[Sysname] wlan ids

[Sysname-wlan-ids] whitelist mac-address 001c-f0bf-9c92
