12-28
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-30644-01
Chapter12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wi reless Intrusion Detection
Configuring Access Points to Participate in WIDS
Configuring Monitor Mode Limits
You can configure threshold values that the access point uses in monitor mode. When a threshold value
is exceeded, the access point logs the information or sends an alert.

Configuring an Authentication Failure Limit

Setting an authentication failure limit protects your network against a denial-of-service attack called
EAPOL flooding. The 802.1X authentication that takes place between a client and the access point
triggers a series of messages between the access point, the authenticator, and an authentication server
using EAPOL messaging. The authentication server, typically a RADIUS server, can quickly become
overwhelmed if there are too many authentication attempts. If not regulated, a single client can trigger
enough authentication requests to impact your network.
In monitor mode the access point tracks the rate at which 802.1X clients attempt to authenticate through
the access point. If your network is attacked through excessive authentication attempts, the access point
generates an alert when the authentication threshold has been exceeded.
You can configure these limits on the access point:
Number of 802.1X attempts through the access point
EAPOL flood duration in seconds on the access point
When the access point detects excessive authentication attempts it sets MIB variables to indicate this
information:
An EAPOL flood was detected
Number of authentication attempts
��MAC address of the client with the most authentication attempts
Beginning in privileged EXEC mode, follow these steps to set authentication limits that trigger a fault
on the access point:
Command Purpose
Step1 configure terminal Enter global configuration mode.
Step2 dot11 ids eap attempts number
period seconds
Configure the number of authentication attempts and the
number of seconds of EAPOL flooding that trigger a fault on
the access point.
Step3 end Return to privileged EXEC mode.