Co-authored by: Shreyas Trivedi and Balaji Mani

The total number of global DDoS attacks is expected to double from 7.9 million in 2018 to 15.4 million by 2023. In parallel, 70% of the global population is estimated to have mobile connectivity by 2023. That makes keeping wireless networks secure a gargantuan task. The risk of intrusion is greater than ever, with several freeware tools and knowledge bases readily available on the internet. From rogue access points to denial-of-service attacks and unauthorized devices, you’ve got your hands full.

Cisco’s Adaptive Wireless Intrusion Prevention System (aWIPS) is a fully infrastructure-integrated solution that constantly monitors the radio spectrum to detect, analyze and thwart attacks. aWIPS combines signature-based techniques, traffic analysis and anomaly detection to provide an intuitive Wi-Fi threat prevention system.

An aWIPS architecture consists of a Cisco Catalyst 9800 Series wireless controller, either a Cisco Catalyst 9100 Wi-Fi 6 Access Point or a Cisco Aironet 802.11ac Wave 2 (Wi-Fi 5) Access Point and Cisco DNA Center. Now let’s have a look at the rundown of the flow.

Figure 1: aWIPS flow and architecture

As shown in Figure 1, when a user enables the aWIPS feature for an access point (AP), the aWIPS configuration is pushed from Cisco DNA Center to a Catalyst wireless controller through NETCONF/YANG, and the controller then pushes the aWIPS configuration to the access point via a CAPWAP tunnel. Signatures of the different attack types are bundled with the aWIPS application inside the access point. When an access point detects a threat, it generates a corresponding alarm and sends it to the controller through a CAPWAP channel. The controller then extracts and decodes the alarm details received from the access point and stores them in its database for local display.

The alarm details will be forwarded to Cisco DNA Center. Cisco DNA Assurance on Cisco DNA Center will aggregate, de-duplicate and correlate the alarms with location intelligence to provide comprehensive threat information. aWIPS can be fully managed via Cisco DNA Center including configuration, policy management, and threat reports.

Here are some examples of common DoS attacks:



Snapshot from Cisco DNA Center exhibiting aWIPS Alarm Summary

Access Point Deployment Modes with aWIPS

The aWIPS solution is supported on Cisco access points in Local, FlexConnect and Monitor modes.

A Monitor mode access point has off-channel detection capabilities. This means that the access point dwells on each channel for a period of time to detect attacks. The 2.4 GHz and 5 GHz radios scan the channels on their respective bands. Clients are not served in this mode.

An access point in Local or FlexConnect mode has “on-channel” detection capability. In this case, the access point’s radios periodically go “off-channel” for a short period of time to scan non-serving channels in a round-robin fashion. In short, the client-serving channels on both bands are continuously monitored for attacks, whereas all other channels are covered on a best-effort basis. For instance, if an access point is operating on channel 36, then all attacks on that channel will be caught. If the attack is on any other channel, say 149, then it will be detected only during an off-channel scan of channel 149.


Figure 2: aWIPS functionality in Local & Flex AP modes

Cisco’s RF ASIC Module with the Catalyst 9130 and 9120 Access Points

To overcome the best-effort approach on non-serving channels, the Cisco Catalyst 9130 and 9120 Wi-Fi 6 capable Access Points come with a powerful auxiliary radio based on a custom RF ASIC. It is versatile, supporting radar detection, CleanAir, off-channel RRM, WIPS/WIDS, rogue and location services.

Figure 3: aWIPS functionality with custom RF ASIC

In regard to aWIPS, the access point uses a hybrid “on-channel” and “off-channel” methodology.

This means that the access point’s 2.4 GHz and 5 GHz radios continue to serve clients without interruption and monitor only the operating channel, while the additional built-in radio operates continuously in monitor mode and scans all channels for possible threats.
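The three scanning behaviours described above (Monitor, Local/FlexConnect, and the auxiliary RF ASIC radio), modelled as an added example that is not Cisco code. The channel list, dwell time and off-channel interval are assumed values chosen for illustration, not aWIPS parameters.

```python
# Constructed 5 GHz channel plan and timings: assumptions for illustration,
# not Cisco's actual scan parameters.
CHANNELS = [36, 40, 44, 48, 149, 153, 157, 161]
SERVING = 36         # client-serving channel, as in the article's example
DWELL_MS = 50        # time spent on a channel per scan visit (assumed)
INTERVAL_MS = 1000   # Local/Flex radio goes off-channel this often (assumed)


def observed(mode, t_ms):
    """Return the set of channels being listened to at time t_ms."""
    if mode == "monitor":
        # Dedicated scanner: dwells on each channel in turn, serves no clients.
        return {CHANNELS[(t_ms // DWELL_MS) % len(CHANNELS)]}
    if mode == "local":
        # Serving radio: on-channel except for one short dwell per interval,
        # visiting the non-serving channels round robin (best effort).
        others = [c for c in CHANNELS if c != SERVING]
        cycle, offset = divmod(t_ms, INTERVAL_MS)
        if offset < DWELL_MS:
            return {others[cycle % len(others)]}
        return {SERVING}
    if mode == "aux_radio":
        # Serving radio never leaves its channel; the auxiliary radio scans all.
        return {SERVING} | observed("monitor", t_ms)
    raise ValueError(f"unknown mode: {mode}")


def detection_delay(mode, channel, start_ms, duration_ms):
    """Milliseconds until an attack on `channel` is first heard, or None if missed."""
    for t in range(start_ms, start_ms + duration_ms):
        if channel in observed(mode, t):
            return t - start_ms
    return None


if __name__ == "__main__":
    # Constructed scenario: a 2-second attack burst starting at t = 100 ms.
    for mode in ("local", "monitor", "aux_radio"):
        for ch in (SERVING, 149):
            print(f"{mode:9} ch {ch:3}: {detection_delay(mode, ch, 100, 2000)}")
```

With these assumed timings, a 2-second burst on channel 149 is missed by a Local mode radio serving channel 36, while a dedicated scanning radio hears it within 100 ms.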

This comprehensive aWIPS solution on the Cisco Catalyst 9130 and 9120 Access Points gives us another reason to consider them for network deployments. Other key new features are Tri-Radio mode, Flexible Radio Assignment, OFDMA and TWT, to name a few. Learn more about Cisco Catalyst 9100 Access Points.

Learn more about Cisco Catalyst 9800 Wireless Controllers, Cisco DNA Center, and Cisco Aironet Access Points.





Shreyas Trivedi

Technical Leader - Wireless Engineering

Enterprise Networking Group