Intelligent Capture Hardening

This document provides information on Cisco's Intelligent Capture Hardening (iCAP) feature, focusing on anomaly detection and RF statistics.

Feature History for Cisco Intelligent Capture Hardening

This table provides release and related information about the feature explained in this section. This feature is also available in all releases subsequent to the one in which it is introduced, unless noted otherwise.

Table 1: Feature History for Cisco Intelligent Capture Hardening

Release: Cisco IOS XE Dublin 17.12.1
Feature: Cisco Intelligent Capture (iCAP) Hardening
Feature Information: The following enhancements are made to the iCAP feature:
  • Anomaly Detection
  • RF Statistics

Information About Cisco Intelligent Capture Hardening

The Cisco Intelligent Capture (iCAP) feature aims at making troubleshooting for wireless clients and APs easier. When there are onboarding issues for wireless clients or AP transmission issues, network operators can find out the cause by using the Cisco DNA Center GUI. The Cisco DNA Center gathers data from the wireless controller and APs, and displays an aggregated view.

The following enhancements are made to the iCAP feature:

Anomaly Detection

Anomaly Detection is the capability of Cisco APs to detect possible anomalies in the lifecycle of wireless clients and APs. This functionality is crucial as it allows you to determine if there is an issue in the network, to identify what happened, and to avoid the same problem in the future.

APs send individual anomalies to Cisco DNA Center every time an anomaly is detected. To prevent Cisco DNA Center from getting bombarded with anomaly events of the same type and from the same client, enhancements are made to collapse repeated events, and multiple events are aggregated for the same client if the events occur within a certain time frame.

Anomaly-detection configurations are enhanced on the controller to provision and display the iCAP status.

RF Statistics

The Cisco DNA Center receives RF statistics of connected APs. Until Cisco IOS XE Dublin 17.11.1, the data received was basic statistical information. However, from Cisco IOS XE Dublin 17.12.1 onwards, per-AP statistical information is directly sent from the wireless controller through iCAP subscription to specific APs.

Configuring Anomaly Detection in AP Profile (CLI)

This section outlines the procedure for configuring anomaly detection within an AP profile using the Command Line Interface (CLI).

Procedure
Step 1
Command: configure terminal
Example: Device# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: ap profile ap-profile
Example: Device(config)# ap profile ap-profile
Purpose: Configures an AP profile and enters AP profile configuration mode.

Step 3
Command: icap subscription client anomaly-detection report-individual enable
Example: Device(config-ap-profile)# icap subscription client anomaly-detection report-individual enable
Purpose: Enables individual reports for client anomaly-detection subscription.

Step 4
Command: icap subscription client anomaly-detection report-individual enable aggregate
Example: Device(config-ap-profile)# icap subscription client anomaly-detection report-individual enable aggregate
Purpose: Enables individual reports aggregation for client anomaly-detection subscription. This command is disabled by default.

Step 5
Command: icap subscription client anomaly-detection report-individual per-client throttle number-of-event-reports
Example: Device(config-ap-profile)# icap subscription client anomaly-detection report-individual per-client throttle 20
Purpose: Configures event reports per client, every five minutes. The value of an event report ranges from 0 to 50 reports. The default value is five reports.

Step 6
Command: icap subscription client anomaly-detection report-individual per-type throttle number-of-event-reports
Example: Device(config-ap-profile)# icap subscription client anomaly-detection report-individual per-type throttle 50
Purpose: Configures event reports per type, every five minutes. The value of an event report ranges from 0 to 100 reports. The default value is five reports.
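
The following Python script is an added example, not Cisco code: it audits AP profile blocks in saved configuration text against the throttle ranges and defaults given in the steps above. It assumes the commands appear in the saved configuration exactly as typed, indented under the ap profile line; the sample profile names and values are constructed.

```python
import re

# Ranges and defaults from the procedure above: (min, max, default) reports per five minutes.
LIMITS = {"per-client": (0, 50, 5), "per-type": (0, 100, 5)}
PREFIX = "icap subscription client anomaly-detection report-individual"
THROTTLE = re.compile(PREFIX + r" (per-client|per-type) throttle (\d+)")

# Constructed sample; assumes the saved config shows commands as typed. Profile names are made up.
SAMPLE_CONFIG = """\
ap profile branch-aps
 icap subscription client anomaly-detection report-individual enable
 icap subscription client anomaly-detection report-individual enable aggregate
 icap subscription client anomaly-detection report-individual per-client throttle 20
 icap subscription client anomaly-detection report-individual per-type throttle 150
ap profile lab-aps
 icap subscription client anomaly-detection report-individual enable
"""

def audit_profiles(config_text):
    """Return {profile: settings}, with page defaults applied and findings listed."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        header = re.fullmatch(r"ap profile (\S+)", raw.rstrip())
        if header:
            current = profiles.setdefault(header.group(1), {
                "enabled": False, "aggregate": False, "findings": [],
                "per-client": LIMITS["per-client"][2], "per-type": LIMITS["per-type"][2]})
            continue
        if current is None or not raw.startswith(" "):
            current = None  # outside an AP profile block
            continue
        line, throttle = raw.strip(), THROTTLE.fullmatch(raw.strip())
        if line == PREFIX + " enable":
            current["enabled"] = True
        elif line == PREFIX + " enable aggregate":
            # Assumption: the aggregate form also implies individual reports are enabled.
            current["enabled"] = current["aggregate"] = True
        elif throttle:
            low, high, _ = LIMITS[throttle.group(1)]
            value = int(throttle.group(2))
            if low <= value <= high:
                current[throttle.group(1)] = value
            else:
                current["findings"].append(f"{throttle.group(1)} throttle {value} outside {low}-{high}")
    for settings in profiles.values():
        if not settings["enabled"]:
            settings["findings"].append("individual anomaly reports not enabled")
        elif not settings["aggregate"]:
            settings["findings"].append("aggregation not enabled (off by default)")
    return profiles
```

An out-of-range throttle is reported as a finding and the profile keeps the documented default for that setting.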

Configuring Anomaly Detection in an Access Point (CLI)

This section details how to configure anomaly detection for a specific access point (AP) using the CLI.

Procedure
Step 1
Command: enable
Example: Device> enable
Purpose: Enters privileged EXEC mode.

Step 2
Command: ap name ap-name icap subscription client anomaly-detection report-individual enable
Example: Device# ap name apl icap subscription client anomaly-detection report-individual enable
Purpose: Enables individual reports for client anomaly-detection subscription for a single AP.

Step 3
Command: ap name ap-name icap subscription client anomaly-detection report-individual enable aggregate
Example: Device# ap name apl icap subscription client anomaly-detection report-individual enable aggregate
Purpose: Enables individual reports aggregation for client anomaly-detection subscription, for a single AP.

Step 4
Command: ap name ap-name icap subscription client anomaly-detection report-individual per-client throttle number-of-event-reports
Example: Device# ap name apl icap subscription client anomaly-detection report-individual per-client throttle 20
Purpose: Configures event reports per client, every five minutes, for a single AP. The value of an event report ranges from 0 to 50 reports.

Step 5
Command: ap name ap-name icap subscription client anomaly-detection report-individual per-type throttle number-of-event-reports
Example: Device# ap name apl icap subscription client anomaly-detection report-individual per-type throttle 50
Purpose: Configures event reports per type, every five minutes, for a single AP. The value of an event report ranges from 0 to 100 reports.

Verifying Anomaly Detection and RF Statistics

To verify the current status of the anomaly-detection subscription of an AP, use the following command:

Device# show ap name cisco-AP icap subscription client anomaly-detection chassis active R0

Per-AP ICap configuration:

To verify RF statistics, use the following command:

Note: The controller show command is enhanced to display data from the txTotalDrops counter.

Device# show wireless client mac-address 00XX.ecXX.7aXX detail

Client Statistics:

Radio Signal Strength Indicator: -21 dBm

Signal to Noise Ratio: 73 dB
