There is a setting in the IDS Unauthorized Device profile called ‘protect ssid.’ It can be configured as follows:
(MC-01) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(MC-01) (config) #ids unauthorized-device-profile default
(MC-01) (IDS Unauthorized Device Profile "default") #?
protect-ssid Enable/disable use of SSID by only valid Aps
valid-and-protected-ssid Configure valid and protected SSID
(MC-01) (IDS Unauthorized Device Profile "default") #valid-and-protected-ssid ?
(MC-01) (IDS Unauthorized Device Profile "default") #valid-and-protected-ssid test
(MC-01) (IDS Unauthorized Device Profile "default") #protect-ssid
Behavior When Protect SSID Setting is Enabled
If enabled, this tells the APs/Controller to not let any 3rd party AP (or interfering AP) to broadcast the SSID that is configured in the "valid-and-protected-ssid" of the IDS unauthorized device profile. This means that an Aruba AP with SSID test (as configured above) will attempt to contain any non-valid AP that is advertising SSID test.
The AP does the containment by sending deauths to anything trying to associate to it (by spoofing the AP's bssid) and it should be sending deauths to the AP (by spoofing the wireless client mac address that was trying to associate to it).
Note: This setting should be used very carefully as it prevents station associations.