How does Overlay Rogue AP Classification work?
The Overlay Rogue AP Classification option can be used to reduce false positives when detecting Rogue APs.
An Aruba AP/AM can mark an AP as Rogue when it does not see all of the frames for a station but does see some frames that are relayed on behalf of that station. The internal mechanism behind this behaviour is out of scope for this article.
If "Overlay Rogue AP Classification" is enabled, the AP/AM treats the wired MAC addresses it collects over the air for Valid and Rogue APs as addresses of devices on the trusted network. These addresses are then compared against the wired MAC addresses collected over the air for an interfering AP in order to detect a rogue. If there is a match, the AP is marked as Rogue with a Match-Type of "AP Wired MAC".
If "Overlay Rogue AP Classification" is disabled, these MAC addresses are not used to detect an AP as Rogue. Only the wired MAC addresses collected on the Aruba AP's Ethernet interface are used to detect a rogue, so the Match-Type of "AP Wired MAC" is never triggered.
From 3.x onwards this option is part of the 'ids unauthorized device profile'. From 2.5.4.x onwards it can be configured using the command 'wms ap-policy overlay-classification <enable / disable>'.
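The following Python model, added here as an illustration and not taken from ArubaOS or this article, shows how the overlay setting changes which wired MAC addresses count as "trusted" and therefore whether an interfering AP gets the "AP Wired MAC" match. The BSSIDs, MAC addresses and the "Ethernet wired MAC" label for the non-overlay match are constructed for the example; the article does not name that match type.

```python
from dataclasses import dataclass

# Constructed observations: what one AP/AM has learned so far.
# Each AP seen on the air carries the wired MACs observed in relayed frames.
@dataclass
class ObservedAP:
    bssid: str
    classification: str          # "valid", "rogue" or "interfering"
    wired_macs_on_air: set       # wired MACs seen over the air for this AP

@dataclass
class Observations:
    aps: list
    wired_macs_on_ethernet: set  # MACs learned on the AP's own Ethernet port

def trusted_wired_macs(obs: Observations, overlay_enabled: bool) -> set:
    """Wired MACs treated as belonging to the trusted network."""
    trusted = set(obs.wired_macs_on_ethernet)
    if overlay_enabled:
        # Overlay: wired MACs seen on air for Valid/Rogue APs also count as trusted.
        for ap in obs.aps:
            if ap.classification in ("valid", "rogue"):
                trusted |= ap.wired_macs_on_air
    return trusted

def classify_interfering(obs: Observations, overlay_enabled: bool) -> dict:
    """Return {bssid: (classification, match_type)} for each interfering AP."""
    results = {}
    for ap in obs.aps:
        if ap.classification != "interfering":
            continue
        # A hit against Ethernet-learned MACs is a rogue regardless of the setting
        # ("Ethernet wired MAC" is a constructed label, not the product's name).
        if ap.wired_macs_on_air & obs.wired_macs_on_ethernet:
            results[ap.bssid] = ("rogue", "Ethernet wired MAC")
        elif ap.wired_macs_on_air & trusted_wired_macs(obs, overlay_enabled):
            results[ap.bssid] = ("rogue", "AP Wired MAC")   # overlay-only match
        else:
            results[ap.bssid] = ("interfering", None)
    return results

# Constructed sample: a valid AP relays frames for wired MAC 00:11:22:33:44:55,
# and the same MAC shows up behind interfering AP "if-1" (a possible false positive).
SAMPLE = Observations(
    aps=[
        ObservedAP("valid-1", "valid", {"00:11:22:33:44:55"}),
        ObservedAP("if-1", "interfering", {"00:11:22:33:44:55"}),
        ObservedAP("if-2", "interfering", {"aa:bb:cc:dd:ee:01"}),
        ObservedAP("if-3", "interfering", {"de:ad:be:ef:00:01"}),
    ],
    wired_macs_on_ethernet={"aa:bb:cc:dd:ee:01"},
)
```

Running `classify_interfering(SAMPLE, True)` marks both `if-1` and `if-2` as rogue, while `classify_interfering(SAMPLE, False)` marks only `if-2`, which is the false-positive reduction the option provides.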