Product and Software: This article applies to all Aruba controllers and ArubaOS 6.x and later.
Protecting a valid client involves disconnecting that client if it is associated to a non-valid AP.
To enable valid station protection, issue the "ids unauthorized-device-profile protect-valid-sta" command.
In general, it is difficult to achieve 100% containment with a single AM (air monitor). Containment for "protect valid station" differs from rogue containment. For rogue containment, the rogue is stationary on a channel, and the AM can keep returning to the rogue's channel to contain it. For the Protect Valid Station feature, however, client behavior cannot be predicted: after the client is deauthenticated, it can decide to associate with a BSSID on a completely different channel. The AM must continue to scan other channels to find the client quickly and contain it, while also continuing to detect attacks on all the other channels. As a result, you may see some pings from the client go through while the AM is scanning other channels. Having additional APs or AMs will help.
ArubaOS 6.x provides the flexibility to tune the amount of time that an AM spends on channels that it scans. You can adjust these settings and see if you get better results using this configuration:
rf am-scan-profile default
   dwell-time-active-channel 400
   dwell-time-reg-domain-channel 100
   dwell-time-other-reg-domain-channel 100

dwell-time-active-channel: The default is 500. You can change this value between 250 and 500.
dwell-time-reg-domain-channel: The default is 250. Reduce this value to 100.
dwell-time-other-reg-domain-channel: The default is 200. Reduce this value to 100.
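A simplified model of why a single AM leaves gaps and what the dwell-time tuning changes, as an added example that is not part of the original article or Aruba's code. It assumes a fixed round-robin sweep and containment as soon as the AM lands on the client's channel; the channel plan and hop sequence are constructed, and only the dwell values come from the article.

```python
# Simplified model of one AM sweeping channels (assumption, not ArubaOS internals):
# the AM visits a fixed channel list round-robin, stays on each channel for the
# dwell time of its class, and contains the client the moment it lands on the
# client's channel. Dwell values are treated as milliseconds.

DEFAULT = {"active": 500, "reg-domain": 250, "other-reg-domain": 200}  # defaults quoted in the article
TUNED = {"active": 400, "reg-domain": 100, "other-reg-domain": 100}    # values suggested in the article

# Constructed channel plan: (channel, class) in sweep order.
SWEEP = [(1, "active"), (6, "active"), (11, "active"),
         (36, "reg-domain"), (40, "reg-domain"), (44, "reg-domain"),
         (48, "reg-domain"), (14, "other-reg-domain")]

# Constructed client behaviour: after each deauthentication the client
# re-associates on the next channel in this list.
HOPS = [11, 6, 1, 11]


def cycle_ms(dwell, sweep=SWEEP):
    """Time for one full sweep of every channel."""
    return sum(dwell[cls] for _, cls in sweep)


def uncontained_gaps(dwell, hops=HOPS, sweep=SWEEP):
    """Per hop, how long the client passes traffic before the AM reaches its channel."""
    channels = {ch for ch, _ in sweep}
    pos, gaps = 0, []
    for target in hops:
        if target not in channels:
            raise ValueError(f"channel {target} is never scanned")
        gap = 0
        while sweep[pos][0] != target:
            gap += dwell[sweep[pos][1]]  # AM finishes its dwell on another channel
            pos = (pos + 1) % len(sweep)
        gaps.append(gap)
    return gaps


if __name__ == "__main__":
    for name, dwell in (("default", DEFAULT), ("tuned", TUNED)):
        gaps = uncontained_gaps(dwell)
        print(f"{name:8} cycle={cycle_ms(dwell)} ms gaps={gaps} worst={max(gaps)} ms")
```

In this model the worst gap is one full sweep minus one active dwell, so cutting the two non-active dwell times shortens it more than trimming the active dwell does.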