Product and Software: This article applies to all Aruba controllers and ArubaOS 3.4 and later.
To protect a valid client, that client must be disconnected if it is associated to a nonvalid AP.
To enable valid station protection, issue the "ids unauthorized-device-profile protect-valid-sta" command.
When a valid client is contained, the Aruba AP sends deauths when it hears frames going from the AP to the valid station while it is scanning the channel that your station is on. So, a few things affect the containment in your test configuration.
- Assuming that the Aruba AP doing the protection is in AM mode, then it is scanning through multiple channels. How often it hits the channel that your client is on affects containment.
- Deauths are sent only when the AP sees AP-to-STA (Station) frames. So the frequency with which frames are sent from the AP to the valid station affects containment.
To test whether this explains your results, you can lock the AM to the channel that the client is on (only for testing) using the command in enable mode:
#am scan <am_ip> channel bssid <radio bssid>
You can also try increasing the activity in the wireless connection to the external AP.