03-09-2017 05:03 AM
I configured Airwave and RAPIDS with IAP (IAP-115 and IAP-225).
I configured RAPIDS to classify a specific AP with a specific SSID as valid (using RAPIDS rules), so that the WIPS doesn't contain this (valid) AP and contains only the rogue AP.
When I enable containment in the IAP (Groups -> Instant Config -> IDS -> Protection), the IAP attacks my valid AP/SSID.
Could somebody help me with this?
Is there something else to configure in Airwave/RAPIDS/IAP?
Thanks in advance.
03-09-2017 05:21 AM
If you want to contain a rogue AP discovered by an IAP using RAPIDS from Airwave, you need to enable the containment option on the RAPIDS > Setup page.
Once we enable this option, you will see the containment option in the drop-down list on the RAPIDS > Rules page.
Create a containment rule. For example, if you want to contain a rogue device broadcasting your valid SSID, create the rule below.
In the SSID box, provide your valid SSID. Once you add this rule, Airwave will contain a rogue AP which is broadcasting your valid SSID.
We could manually contain a rogue as well from Rogue RAPIDS > Details in Airwave.
Click on any rogue device in Airwave; it will take us to the detail page. Under this we have the RAPIDS Classification Override option; select the containment option from the drop-down list and click Apply.
03-09-2017 06:06 AM
I did exactly what you said, and even so I can connect to the 'not desired' SSID at the rogue AP.
Can IAP and Airwave contain a specific rogue AP?
I classified the AP manually as a contained rogue, but I can connect to it.
03-09-2017 06:12 AM
Was containment pushed to the rogue AP? If you are manually pushing the containment on the RAPIDS > Detail page of the rogue, you will see the status further down the page showing whether the AP is contained or not.
Did you enable the settings on the RAPIDS > Setup page before containing the rogue manually?
When you log in to the IAPs, is that AP showing as rogue or contained?
03-09-2017 06:21 AM
03-09-2017 06:48 AM
In the RAPIDS > Detail page screenshot I could see the controller already classified that particular rogue device as contained, and in the IAP the status is showing as disabled.
Have you enabled the IDS > Protection setting in Airwave? If yes, I believe those settings got pushed to the IAP, and based on this setting the IAP is containing the rogue AP.
If you want to contain through Airwave, set those settings to low and try to manually contain the rogue.
Based on the output, it looks like the rogue is already disabled and we should not be able to connect to the SSID. Can you try with a different rogue device and check the status?
03-09-2017 08:23 AM
03-09-2017 08:29 AM
What exact mismatch is it showing? Can you click on the mismatch? It will take you to the page where it shows the mismatch configuration.
We don't need to worry much regarding the mismatch. Did you click Apply after making changes?
Have you tried testing the containment with a different rogue AP?
03-09-2017 08:39 AM
It looks like you haven't clicked the Apply button after making changes in IDS. Try clicking Apply to push the configuration to the IAP.
Instead of setting it to low, set it to off and click Apply. Once the configuration gets pushed, test containment with Airwave RAPIDS.
As I mentioned in my previous post, the IAP classified the device as contained (based on the IDS setting) and you also manually contained the rogue from Airwave. It looks like the rogue is already contained; if you are still connecting to the device, try testing with a different one.