07-19-13 Expert Day

Contributor II

Containing ADHoc networks

Hello,

We have various clients who create Windows Adhoc networks and turn on Internet Connection Sharing to share their wired connection via an Adhoc WiFi network (sometimes OPEN) to their neighbors.

I have turned on Adhoc detection and Adhoc protection, but this doesn't seem to contain them.  I also changed our wireless containment from "deauth" to "tarpit-all-sta" which didn't help.  

Is there a way to contain ADHoc networks?  We are on 6.1.3.3 code and have AirMonitors.



Thanks,
Bryan

Re: Containing ADHoc networks

Can you see this ad-hoc network in your Dashboard > Security? How is the controller tagging it, as rogue or suspect rogue? And what percentage (%) rules did you configure for rogue and suspect rogue?

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Aruba Employee

Re: Containing ADHoc networks

Bryan,

 

If you have the RFP (RF Protect) license, you can use the options "Detecting adhoc networks using valid SSID" and "Detecting ad-hoc network with different SSID".

Detecting adhoc networks using valid SSID

[Screen Shots 1-3: WIPS 2.png, WIPS 1.png, WIPS 2.png]

Detecting ad-hoc network with different SSID

[Screen Shots 1-3: WIPS 1.png, WIPS 1.png, WIPS 2.png]


Thanks,

MKS

Re: Containing ADHoc networks

But he would like to contain (= block) those adhoc networks and not just detect them... as far as I understood.

Aruba Employee

Re: Containing ADHoc networks

When you say the setup was not able to perform adhoc containment, do you mean that the deauth frame counts were incrementing during the test (please confirm this with the command below), but the adhocs were still not contained?

 

#show ap monitor containment-info ap-name <ap-name>

 

Thanks,

MKS
Contributor II

Re: Containing ADHoc networks

We are detecting the ADHoc networks -- but the containment doesn't seem to work as it does for Infrastructure APs and MiFi devices.

 

If I look at Security, Events, Containment, I see:

 

Adhoc Containment Enforced

 

Low,"17:13:23 Jul 18, 2013",Adhoc Containment Enforced,00:00:0c:07:ac:10,Infrastructure,51,BSSID:82:ae:45:7f:50:b9; SSID:C; Channel:11; SNR:34

 

 

So it is marked for Containment, but out on the floor I can still connect to the ADHoc network. At my desk I see the same results on my test ADHoc SSID (with an AM close by).

 

Thanks,

Bryan

 

Aruba Employee

Re: Containing ADHoc networks

Could you get the output of the commands below?

 

#show wms counters events
#show ap monitor containment-info ap-name <ap-name>

 

Thanks,

MKS
Contributor II

Re: Containing ADHoc networks

Hello,

 

I just fired up my test SSID "beaconeater50" (Windows 7 Laptop ADHoc/ICS and iPad Client). I see this as marked to contain under Discovered AP & Clients as "interfering":

ea:91:7a:c5:70:2e,2.4 GHz,g-HT,beaconeater50,11,3,Interfering,WEP,Yes

I see this under Events, detection:

Low,"09:18:07 Jul 19, 2013",Adhoc Network,00:00:0c:07:ac:10,Infrastructure,4,SSID:beaconeater50; BSSID:ea:91:7a:c5:70:2e; Channel:11; SNR:18
Low,"09:20:43 Jul 19, 2013",Adhoc Network,a4:d1:d2:10:4c:f3,Infrastructure,9,SSID:beaconeater50; BSSID:ea:91:7a:c5:70:2e; Channel:11; SNR:14
Low,"09:20:30 Jul 19, 2013",Adhoc Network,ac:81:12:9d:7e:1f,Infrastructure,9,SSID:beaconeater50; BSSID:ea:91:7a:c5:70:2e;

And this under Events Containment:

Level,Last Seen,Type,Target,Target Type,Occurrences,Details
Low,"09:21:47 Jul 19, 2013",Adhoc Containment Enforced,a4:d1:d2:10:4c:f3,Infrastructure,12,BSSID:ea:91:7a:c5:70:2e; SSID:beaconeater50; Channel:11; SNR:29
High,"09:18:40 Jul 19, 2013",AP Deauth Containment,ea:91:7a:c5:70:2e,Infrastructure,18,SSID:beaconeater50; Channel:11; MAC:a4:d1:d2:10:4c:f3
Low,"09:21:07 Jul 19, 2013",Adhoc Containment Enforced,ac:81:12:9d:7e:1f,Infrastructure,12,BSSID:ea:91:7a:c5:70:2e; SSID:beaconeater50; Channel:11; SNR:19


But I am still surfing away with my iPad through the ADHoc Network.

I ran the CLI command against the AM at my desk and it appears as though the deauth frames are incrementing but the tarpit ones are not.  We have 300+ APs and 50+ AMs so I am not sure which particular AP/AM is doing containment.



(Aruba6000-primary) #show ap monitor containment-info ap-name DL155-TEST-2


wifi0: Wireless Containment Counters
-------------------------------------
Parameter                            Value
---------                            -----
Last Deauth Timer Tick               0
Deauth frames to AP                  0
Deauth frames to Client              0
Last Tarpit Timer Tick               0
Tarpit Frames: Probe Response        0
Tarpit Frames: Association Response  0
Tarpit Frames: Authentication        0
Tarpit Frames: Data from AP          0
Tarpit Frames: Data from Client      0

wifi1: Wireless Containment Counters
-------------------------------------
Parameter                            Value
---------                            -----
Last Deauth Timer Tick               1192590
Deauth frames to AP                  3535
Deauth frames to Client              3535
Last Tarpit Timer Tick               0
Tarpit Frames: Probe Response        3786
Tarpit Frames: Association Response  101
Tarpit Frames: Authentication        175
Tarpit Frames: Data from AP          0
Tarpit Frames: Data from Client      256

br0: Wired Containment Counters
--------------------------------
Parameter                                 Value
---------                                 -----
Last Wired Containment Timer Tick         0
Last Tagged Wired Containment Timer Tick  0
Spoof frames sent                         0
Spoof frames sent on tagged vlan          0

Wired Containment Activity
---------------------------
Device-Type  Device-MAC  Target-MAC  Target-IP
-----------  ----------  ----------  ---------





(Aruba6000-primary) #show wms counters events

Related Event Configuration
---------------------------
Name                          Value
----                          -----
wms-on-master                 enable
event-correlation             logs-and-traps
event-correlation-quiet-time  900

Event Counters
--------------
ID   Name                                            Rx-AP   Rx-WMS  DB Updated  DB Inserted  DB Deleted  Corr EvGen  Corr EvSupp
--   ----                                            -----   ------  ----------  -----------  ----------  ----------  -----------
2    Rogue AP                                        2405    298     29          160          109         0           0
3    Interfering AP                                  126127  5484    0           0            0           0           0
16   Adhoc Containment Enforced                      1460    0       1412        48           0           48          1412
39   Adhoc Network                                   1808    0       1680        128          0           128         1680
41   Disconnect Station Attack                       23223   0       20088       3135         0           5507        17716
42   Wireless Bridge                                 14059   0       13962       97           0           10231       3828
43   Station Associated to Rogue AP                  312     0       190         56           32          88          190
45   Windows Bridge                                  29      0       25          4            0           4           25
50   Signature Match: Deauth Broadcast               705     0       565         140          0           269         436
51   Suspect Rogue AP                                0       2528    0           0            0           0           0
73   Valid Client Not Using Encryption               450605  0       446360      4245         0           86233       364372
74   Signature Match: Disassoc Broadcast             1141    0       825         316          0           544         597
76   Adhoc Network Using Valid SSID                  1574    0       1567        7            0           177         1397
77   AP Spoofing                                     97620   0       54614       43006        0           97620       0
78   Omerta Attack                                   873     0       415         458          0           695         178
82   Valid Client Misassociation to Rogue AP         16      0       13          3            0           3           13
83   Valid Client Misassociation to External AP      5457    0       4818        639          0           642         4815
85   Valid Client Misassociation to Adhoc Network    1606    0       1533        73           0           73          1533
86   Neighbor AP                                     0       65      0           0            0           0           0
97   Block ACK DoS Attack                            189229  0       178566      10663        0           47944       141285
99   Station Unassociated to Rogue AP (Deprecated)   66      0       0           0            0           0           0
105  Signature Match: Deauth Broadcast (Deprecated)  705     0       0           0            0           0           0
106  AP Deauth Containment                           21946   0       21292       654          0           3106        18840
112  Tarpit Containment                              662903  0       662852      51           0           308         662595
113  Power Save DoS Attack                           6048    0       3798        2250         0           4467        1581

 

Thanks,

Bryan
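
Whether the deauth or tarpit counters on a given AM are actually moving during a test is easiest to confirm by capturing the command twice and diffing the result. The following is an added example, not part of the original thread and not Aruba tooling: it parses `show ap monitor containment-info` output in the layout posted above; the second snapshot is constructed, and the function names are hypothetical.

```python
import re

# Constructed samples in the layout of the CLI output above. T0 reuses some
# wifi1 values from the post; T1 is a made-up later reading for illustration.
SNAPSHOT_T0 = """\
wifi0: Wireless Containment Counters
-------------------------------------
Parameter                            Value
---------                            -----
Deauth frames to AP                  0

wifi1: Wireless Containment Counters
-------------------------------------
Parameter                            Value
---------                            -----
Last Deauth Timer Tick               1192590
Deauth frames to AP                  3535
Deauth frames to Client              3535
Tarpit Frames: Probe Response        3786
"""
SNAPSHOT_T1 = SNAPSHOT_T0.replace("3535", "3610").replace("1192590", "1192650")

SECTION = re.compile(r"^(\S+): .*Containment Counters$")  # e.g. "wifi1: ..."
ROW = re.compile(r"^(.+?)\s{2,}(\d+)$")                   # "name   <int>"

def parse_counters(text):
    """Return {interface: {parameter: int}} from containment-info output."""
    result, iface = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION.match(line)
        if m:
            iface = m.group(1)
            result[iface] = {}
            continue
        m = ROW.match(line)  # header and dashed rows have no trailing integer
        if m and iface:
            result[iface][m.group(1)] = int(m.group(2))
    return result

def incremented(before, after):
    """Counters (timer ticks excluded) that grew between two snapshots."""
    a, b = parse_counters(before), parse_counters(after)
    return {(i, p): b[i][p] - v
            for i, params in a.items() for p, v in params.items()
            if "Timer Tick" not in p and b.get(i, {}).get(p, v) > v}
```

Running `incremented()` over captures taken from each AP/AM near the ad-hoc network shows which radio is transmitting containment frames and of which type.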

 

Aruba Employee

Re: Containing ADHoc networks

What is the chipset you are using? Is it Broadcom?

 

Thanks,

MKS
Contributor II

Re: Containing ADHoc networks

My test laptop is an HP laptop with a Broadcom 43224AG.  Other client machines could be of any variety.  Yesterday the client had a Dell laptop, don't know the chipset.

 

 

 

 
