ArubaOS and Controllers

Occasional Contributor II
Posts: 21
Registered: ‎04-07-2011

Rogue detection and notification/logging

Not sure if this is the correct location for this question, but here it is.

I need to be able to detect and log (syslog) when a rogue AP is active on my network. I have purposely installed a couple of non-Aruba APs to get logging set up correctly. The problem I am having is that I can see the AP as interfering, but it never gets detected as a rogue. Once the detection is corrected, what logging settings do I need to set to get this information sent to my syslog machine?

Thanks in advance.
Guru Elite
Posts: 20,981
Registered: ‎03-29-2007

Re: Rogue detection and notification/logging

When you say "corrected" what do you mean?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 21
Registered: ‎04-07-2011

Re: Rogue detection and notification/logging

Currently the Rogue(s) are not being classified as rogues, just interfering. So corrected means getting the Aruba to correctly classify the rogue AP as a Rogue.

For what it's worth... Way back when I was running a 2.x release of the OS, the Rogues were classified correctly. Ever since going to 3.x releases, I have not seen any Rogues classified as rogues, just interfering.
Guru Elite
Posts: 20,981
Registered: ‎03-29-2007

Re: Rogue detection and notification/logging

There are a few more ways to classify rogues, as the behavior and types of rogue access points have also changed over time. The wireless intrusion protection chapter of the user guide details the additional options that you can turn on for classifying rogue access points. It will also detail what those options are.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor I
Posts: 6
Registered: ‎01-07-2011

Re: Rogue detection and notification/logging

Do you use dedicated air monitors (AMs) with thin access points for your clients? If so, then as long as the rogue AP is 'seen' by a specific AM on the same wired subnet and in the air, it should be detected in seconds.
If you do not have dedicated AMs then a scanning AP may take minutes to find a rogue operating on a different channel, or it may never discover the rogue at all. This is because a lightly used rogue AP may not generate traffic during the brief period an AP is monitoring that channel.

Also, I had an issue where test rogues were not being detected, and this was because on a converged network that is fully routed to the desk, an AM is needed on every separate data subnet/VLAN. We had some switches (and therefore some data VLANs) that didn't have a dedicated AM.

I don't auto contain rogues because I now have email alerts when a rogue is detected and can then locate it before the offender removes it because they have no connectivity.

I hope that helps.
Moderator
Posts: 123
Registered: ‎04-17-2009

Re: Rogue detection and notification/logging

Terminology can get a little tricky in this instance. AirWave will allow you to define a rogue however you want. That could be a device using your SSID or on your LAN or anything heard wirelessly, etc.

In this case I think you are using the controller's definition of 'rogue', which is a device that is connected to the wire and discovered wirelessly. There are a few different ways we detect them.

One of the ways is alluded to by Tufty. The APs, AMs and Controller listen to information on the wire and compare that with what is heard coming out of a rogue AP over the air.

In early versions of AOS you needed to trunk all of your VLANs to the AMs/APs so that they could get visibility into the wired traffic. In AOS 6.1, you need to trunk the VLANs to a single AM or a single AP or to the controller. One AP or AM or controller will share the discovered wire information with all of the other devices on the controller for device classification.

Another thing to be aware of is having clients associated to a rogue AP will help it get discovered significantly faster since we are looking at the traffic coming out of the rogue.

That isn't including any of the ways that AirWave can detect wired rogues. If rogues aren't getting detected I would recommend following up with TAC to make sure everything is configured properly in your system.
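
A simplified model of the wired/wireless comparison described in the post above, added here as an illustration; it is not part of the thread and is not ArubaOS code. It shows why a test rogue stays "interfering" when its VLAN is not visible to any sensor or when it carries no traffic. The function names, labels and sample addresses are assumptions.

```python
"""Simplified model of wired/wireless rogue correlation (not ArubaOS code)."""

def norm(mac):
    # Normalise "AA-BB-..." / "aa:bb:..." so wire and air sightings compare equal.
    return mac.lower().replace("-", ":")

def wired_view(monitored_vlans, wire_macs_by_vlan):
    """MACs the sensors can learn: only VLANs trunked to an AP, AM or controller."""
    seen = set()
    for vlan in monitored_vlans:
        seen |= {norm(m) for m in wire_macs_by_vlan.get(vlan, ())}
    return seen

def classify(bssid, relayed_src_macs, known_bssids, wired_macs):
    """relayed_src_macs: source MACs of frames the AP bridged from its wired side."""
    if norm(bssid) in {norm(b) for b in known_bssids}:
        return "valid"
    relayed = {norm(m) for m in relayed_src_macs}
    # No relayed traffic (idle AP, no clients) means nothing to correlate yet.
    return "rogue" if relayed & wired_macs else "interfering"

# Constructed sample data (all addresses are made up).
WIRE = {10: ["00:00:5e:00:53:01"],            # VLAN 10 gateway
        20: ["00:00:5E:00:53:02"]}            # VLAN 20 gateway
KNOWN = ["02:00:00:00:00:01"]                 # our own AP
TEST_ROGUE = ("02:00:00:00:00:aa", ["00-00-5e-00-53-02"])   # plugged into VLAN 20
NEIGHBOUR = ("02:00:00:00:00:bb", ["02:00:00:00:99:99"])    # not on our wire
IDLE_ROGUE = ("02:00:00:00:00:cc", [])                       # on VLAN 20, no traffic

def run(monitored_vlans):
    wired = wired_view(monitored_vlans, WIRE)
    aps = {"own": (KNOWN[0], []), "test_rogue": TEST_ROGUE,
           "neighbour": NEIGHBOUR, "idle_rogue": IDLE_ROGUE}
    return {name: classify(b, macs, KNOWN, wired) for name, (b, macs) in aps.items()}

if __name__ == "__main__":
    print("VLAN 10 only :", run({10}))
    print("VLAN 10 + 20 :", run({10, 20}))
```
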
Occasional Contributor II
Posts: 21
Registered: ‎04-07-2011

Re: Rogue detection and notification/logging

I did get the ROGUES to be detected, so now I would like to have a notification sent (email, text, etc.). Currently, I need to be logged into the controller in order to see the rogue detection. Is there any way to have the controller send this info automatically (either directly to an email or to a syslogger)? We are looking at Airwave...will that do this notification?

Thanks!