ArubaOS and Controllers

Occasional Contributor II
Posts: 17
Registered: ‎04-30-2010

STA DOS Protection

I have a wireless guest network, (3200 controller) and several visitors keep getting blacklisted.

I don't know how or why these specific users are being affected, and want to determine what caused it and how to correct it. I see user-defined, but I can't relate any setting that is doing it.

I don't want to disable blacklisting completely, but better handle this specific issue.

Can this be set only on the one guest Virtual AP?

Sample Log:
Aug 11 09:59:21 :501103: |stm| Blacklist add: 00:21:6a:96:92:2c: Reason: session-blacklist
Aug 11 09:59:21 :501097: |stm| Assoc request: 00:21:6a:96:92:2c: Dropped AP 172.25.30.7-00:24:6c:aa:02:d1-wap7.mydomain.com for STA DoS protection
Aug 11 09:59:21 :501103: |AP wap7.mydomain.com@172.25.30.7 stm| Blacklist add: 00:21:6a:96:92:2c: Reason: user-defined
Aug 11 09:59:21 :501097: |AP wap7.mydomain.com@172.25.30.7 stm| Assoc request: 00:21:6a:96:92:2c: Dropped AP 172.25.30.7-00:24:6c:aa:02:d1-wap7.mydomain.com for STA DoS protection
Aug 11 09:59:46 :501115: |stm| Blacklist del: 00:21:6a:96:92:2c: by administrator
Aug 11 09:59:50 :501097: |AP wap7.mydomain.com@172.25.30.7 stm| Assoc request: 00:21:6a:96:92:2c: Dropped AP 172.25.30.7-00:24:6c:aa:02:d1-wap7.mydomain.com for STA DoS protection
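An added example (not from the original post, and not Aruba code): a small Python triage script that parses the stm log lines quoted above, groups the blacklist and dropped-association events by client MAC, and flags drops that happened after an administrator removed the entry, i.e. the client was re-blacklisted rather than merely still listed. The line layout it assumes (`<timestamp> :<msgid>: |<source>| <body>`) is taken from the quoted lines, not from ArubaOS documentation.

```python
import re
from collections import defaultdict

# Constructed input: the stm log lines quoted in the post above, verbatim.
SAMPLE_LOG = """\
Aug 11 09:59:21 :501103: |stm| Blacklist add: 00:21:6a:96:92:2c: Reason: session-blacklist
Aug 11 09:59:21 :501097: |stm| Assoc request: 00:21:6a:96:92:2c: Dropped AP 172.25.30.7-00:24:6c:aa:02:d1-wap7.mydomain.com for STA DoS protection
Aug 11 09:59:21 :501103: |AP wap7.mydomain.com@172.25.30.7 stm| Blacklist add: 00:21:6a:96:92:2c: Reason: user-defined
Aug 11 09:59:21 :501097: |AP wap7.mydomain.com@172.25.30.7 stm| Assoc request: 00:21:6a:96:92:2c: Dropped AP 172.25.30.7-00:24:6c:aa:02:d1-wap7.mydomain.com for STA DoS protection
Aug 11 09:59:46 :501115: |stm| Blacklist del: 00:21:6a:96:92:2c: by administrator
Aug 11 09:59:50 :501097: |AP wap7.mydomain.com@172.25.30.7 stm| Assoc request: 00:21:6a:96:92:2c: Dropped AP 172.25.30.7-00:24:6c:aa:02:d1-wap7.mydomain.com for STA DoS protection
"""

# Assumed line layout, inferred from the quoted lines: "<timestamp> :<msgid>: |<source>| <body>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) :(?P<msgid>\d+): \|(?P<src>[^|]*)\| (?P<body>.*)$")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)

def parse_line(line):
    """Classify one line: returns (mac, event, reason) or None if the layout does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body, mac = m["body"], MAC_RE.search(m["body"])
    mac = mac.group(0).lower() if mac else None  # first MAC in the body is the client STA
    if body.startswith("Blacklist add:"):
        return mac, "blacklist_add", body.split("Reason:", 1)[1].strip()
    if body.startswith("Blacklist del:"):
        return mac, "blacklist_del", body.rsplit(":", 1)[1].strip()  # e.g. "by administrator"
    if body.startswith("Assoc request:") and "STA DoS protection" in body:
        return mac, "assoc_dropped_dos", None
    return mac, "other", None

def summarize(log_text):
    """Per client MAC: blacklist reasons in order, dropped association requests, and how many
    of those drops came after an administrator removed the entry (client was re-blacklisted)."""
    out = defaultdict(lambda: {"reasons": [], "drops": 0, "deleted": False, "drops_after_del": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or not parsed[0]:
            continue
        mac, event, reason = parsed
        s = out[mac]
        if event == "blacklist_add":
            s["reasons"].append(reason)
        elif event == "blacklist_del":
            s["deleted"] = True
        elif event == "assoc_dropped_dos":
            s["drops"] += 1
            s["drops_after_del"] += int(s["deleted"])
    return dict(out)
```

Run `summarize(SAMPLE_LOG)` on the quoted lines and the single client shows two blacklist reasons (session-blacklist, then user-defined) and one drop after the administrator's removal, which is the re-trigger worth chasing in the user-debug log.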
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Virtual AP level

DoS protection is enabled/disabled at the Virtual AP level. Uncheck it on the guest Virtual AP profile to see if you have the same behavior.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 17
Registered: ‎04-30-2010

Re: STA DOS Protection

I did disable it at the virtual AP and the clients got on.

How can you determine exactly what was detected and caused the BL? I had 2 clients from a visiting company with something causing it to trigger; apparently they had some common software running.

Is this something that can be tuned, or certain scenarios whitelisted?
OR
Can you Whitelist a mac address if you needed to?


As they are visitors, I can really tie up their machines running packet scans and don't have a way to reproduce it.

Suggestions?
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

User debugging

Without sending you to support, you can start debugging for that individual user, or all users and it will detail what triggered the DOS or blacklist:

config t
logging level debug user-debug mac

show log user-debug -- to see the debug log for that user.

config t
logging level debug user

show log user --- to see the debug log for all users.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 17
Registered: ‎04-30-2010

Re: STA DOS Protection

Hi Colin,

I did list some of the debug user info in the beginning thread.
I see Reason: user-defined, and session-blacklist in several of the lines.

This does not focus on anything to determine what caused the reason to blacklist. There must be more info to narrow the problem down.

I did disable dos protection at the VAP level, and the clients are connecting.
A question regarding disabling this: does this override other policy-driven blacklisting as well, or just the DoS attacks? I have a policy which detects domain users and kicks them off the guest network.


Thanks
Guru Elite
Posts: 20,578
Registered: ‎03-29-2007

Session Blacklist

Klose,

Session Blacklist means that the user is blacklisted based on a firewall policy (ACL). If you are logging on that firewall policy, it will show up in detail in "show log security".

DOS protection at the VAP level is the master switch for automatic blacklisting as well as other automatic IDS/IPS events. You can still manually blacklist users.

Another strategy that another organization had was to push out group policy that adds the guest SSID with a WEP key on each laptop, so that they would never be able to connect to it.


Colin Joseph
Aruba Customer Engineering

