How to manually override an IDS classification.

Aruba Employee

Summary : Procedure to override IDS classification on Aruba Instant AP

 

Introduction : There may be instances where an administrator would like to manually override the IDS classification made by Aruba Instant. This article explains the procedure for doing so.

 

Feature Notes :

 

"show ids aps" does not show valid APs, while "show ap monitor ap-list" also includes valid APs.
As of the 4.1 release, an Instant AP keeps the highest classification it has assigned and does not automatically drop to a lower one when the environment changes.

 

Environment : Aruba Instant deployment with IDS classification enabled

 

Network Topology : Aruba Instant Cluster with APs in neighborhood

 

Configuration Steps :

 

 

IDS reclassification is done using the ids-reclassify command. The command takes the numeric values of the phy-type and the classification-type as arguments.

These values can be obtained using the commands below.

 

vijay# show ids phy-types
 
Physical Types
--------------
Keyword  Value
-------  -----
b        0
a        1
g        2
ag       3
 
vijay# show ids rap-types
 
RAP Types
---------
Keyword            Value
-------            -----
valid              0
interfering        1
rogue              2
dos-attack         3
unknown            4
known-interfering  5
suspect-rogue      6

vijay# show ids aps | include HQ  Chandan
d8:c7:c8:13:2b:60  Chandan-SSID1                     Interfering     1      GN 20MZ  03:04:17
d8:c7:c8:13:2b:68  Chandan-SSID1                     Interfering     36     AN 40MZ  03:05:17
d8:c7:c8:89:cd:51  Chandan-SSID2                     Interfering     48     AN 40MZ  03:05:17
d8:c7:c8:89:cd:41  Chandan-SSID2                     Interfering     11     GN 20MZ  03:05:17

vijay# show ap monitor ap-list | include Chandan
d8:c7:c8:89:cd:41  Chandan-SSID2              11    interfering  80211b/g-HT-20  disable  1139619/590365   0/0    wpa2-psk-aes     0      40        41         0      no    
d8:c7:c8:89:cd:51  Chandan-SSID2              48    interfering  80211a-HT-40    disable  1062682/8246     23/0   wpa2-psk-aes     0      47        47         0      no    
d8:c7:c8:13:2b:68  Chandan-SSID1                36    interfering  80211a-HT-40    disable  461911/7293    85/0   wpa2-psk-aes    0      0         43         0      no    
d8:c7:c8:13:2b:60  Chandan-SSID1                1     interfering  80211b/g-HT-20  disable  6692/2575    145/2    wpa2-psk-aes    0      0         46         0      no    


vijay# ids-reclassify ap d8:c7:c8:13:2b:60 2 2
vijay# ids-reclassify ap d8:c7:c8:13:2b:68 1 2
vijay# ids-reclassify ap d8:c7:c8:89:cd:51 1 2
vijay# ids-reclassify ap d8:c7:c8:89:cd:41 2 2

 

 

Verification :

 

 

Reissuing the two show commands confirms that the APs have been reclassified.


vijay#show ap monitor ap-list | include Chandan
d8:c7:c8:89:cd:41  Chandan-SSID2              11    rogue        80211b/g-HT-20  disable  1139723/590469   0/0    wpa2-psk-aes     0      40        41         0      no    
d8:c7:c8:89:cd:51  Chandan-SSID2              48    rogue        80211a-HT-40    disable  1062786/8246     9/0    wpa2-psk-aes     0      0         47         0      no    
d8:c7:c8:13:2b:68  Chandan-SSID1                36    rogue        80211a-HT-40    disable  462015/7295    3/0    wpa2-psk-aes    0      44        45         0      no    
d8:c7:c8:13:2b:60  Chandan-SSID1                1     rogue        80211b/g-HT-20  disable  6796/2575    249/2   wpa2-psk-aes    0      0         46         0      no 

   
vijay#show ids aps | include Chandan
d8:c7:c8:13:2b:60  Chandan-SSID1                     Rogue           1      GN 20MZ  03:04:17
d8:c7:c8:13:2b:68  Chandan-SSID1                     Rogue           36     AN 40MZ  03:08:18
d8:c7:c8:89:cd:51  Chandan-SSID2                     Rogue           48     AN 40MZ  03:08:18
d8:c7:c8:89:cd:41  Chandan-SSID2                     Rogue           11     GN 20MZ  03:08:18
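The configuration and verification steps above can be automated against the same CLI output. The following script is an added example and is not Aruba's code: it parses the "show ids phy-types" and "show ids rap-types" tables and the "show ids aps" listing in the formats shown in this article, builds one "ids-reclassify ap <bssid> <phy-type> <classification-type>" line per matching BSSID, and then checks a later "show ids aps" listing to report any BSSID that still does not carry the expected classification. The mapping from the band column of "show ids aps" ("GN 20MZ", "AN 40MZ") to the phy-type keyword by its first letter (G to g, A to a) is an assumption of this example; it is consistent with the article's own commands, which use 2 (g) for the GN rows and 1 (a) for the AN rows. The sample output embedded below is copied from the article's CLI session.

```python
"""Build and verify Aruba Instant ids-reclassify commands from show output.

Added example, not Aruba's own code. Input formats follow the CLI output
reproduced in this article; SSIDs containing spaces are not handled, since
the sample output uses whitespace-separated columns.
"""
import re

# Constructed sample output (copied from the article's CLI session).
PHY_TYPES = """\
Physical Types
--------------
Keyword  Value
-------  -----
b        0
a        1
g        2
ag       3
"""

RAP_TYPES = """\
RAP Types
---------
Keyword            Value
-------            -----
valid              0
interfering        1
rogue              2
dos-attack         3
unknown            4
known-interfering  5
suspect-rogue      6
"""

IDS_APS_BEFORE = """\
d8:c7:c8:13:2b:60  Chandan-SSID1                     Interfering     1      GN 20MZ  03:04:17
d8:c7:c8:13:2b:68  Chandan-SSID1                     Interfering     36     AN 40MZ  03:05:17
d8:c7:c8:89:cd:51  Chandan-SSID2                     Interfering     48     AN 40MZ  03:05:17
d8:c7:c8:89:cd:41  Chandan-SSID2                     Interfering     11     GN 20MZ  03:05:17
"""

IDS_APS_AFTER = """\
d8:c7:c8:13:2b:60  Chandan-SSID1                     Rogue           1      GN 20MZ  03:04:17
d8:c7:c8:13:2b:68  Chandan-SSID1                     Rogue           36     AN 40MZ  03:08:18
d8:c7:c8:89:cd:51  Chandan-SSID2                     Rogue           48     AN 40MZ  03:08:18
d8:c7:c8:89:cd:41  Chandan-SSID2                     Rogue           11     GN 20MZ  03:08:18
"""

# One row of "show ids aps": bssid, ssid, classification, channel, band, width, time.
IDS_APS_ROW = re.compile(
    r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)\s+(\d+)\s+([A-Z]+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_keyword_table(text):
    """Parse a 'Keyword  Value' table (phy-types or rap-types) into {keyword: int}."""
    table = {}
    for line in text.splitlines():
        m = re.match(r"^([a-z][a-z-]*)\s+(\d+)\s*$", line)
        if m:
            table[m.group(1)] = int(m.group(2))
    return table


def parse_ids_aps(text):
    """Parse 'show ids aps' rows into dicts; lines that are not AP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = IDS_APS_ROW.match(line)
        if m:
            rows.append({"bssid": m.group(1), "ssid": m.group(2),
                         "classification": m.group(3).lower(),
                         "channel": int(m.group(4)), "band": m.group(5)})
    return rows


def build_reclassify_commands(ids_aps_text, ssid_substring, new_class, phy_table, rap_table):
    """Emit one ids-reclassify command per BSSID whose SSID contains ssid_substring."""
    cmds = []
    for row in parse_ids_aps(ids_aps_text):
        if ssid_substring not in row["ssid"]:
            continue
        # Assumption: band "GN" -> phy keyword "g", "AN" -> "a" (first letter, lower-cased).
        phy_value = phy_table[row["band"][0].lower()]
        cmds.append(f"ids-reclassify ap {row['bssid']} {phy_value} {rap_table[new_class]}")
    return cmds


def not_yet_reclassified(ids_aps_text, ssid_substring, expected_class):
    """Return BSSIDs matching ssid_substring whose classification is not expected_class."""
    return [row["bssid"] for row in parse_ids_aps(ids_aps_text)
            if ssid_substring in row["ssid"] and row["classification"] != expected_class]


if __name__ == "__main__":
    phy, rap = parse_keyword_table(PHY_TYPES), parse_keyword_table(RAP_TYPES)
    for cmd in build_reclassify_commands(IDS_APS_BEFORE, "Chandan", "rogue", phy, rap):
        print(cmd)
    print("still not rogue:", not_yet_reclassified(IDS_APS_AFTER, "Chandan", "rogue"))
```

Run against the article's "before" output, the script reproduces the four ids-reclassify commands exactly as issued above, and against the "after" output it reports an empty list, which is the verification condition. Because an Instant AP keeps the highest classification it has assigned, the check is deliberately one-directional: it flags only entries that have not reached the requested classification.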

 

 

Troubleshooting :

 

 

Set the syslog level for the security category to "Notice" and the AP will generate logs for IDS classification events:

Example:

 

Jul 30 13:16:30 2014 10.64.99.209 sapd[1558]: <106000> <NOTI> <10.64.99.209 0.0.0.0> |ids-ap| AM 00:24:6c:24:0a:d8: Potentially rogue AP detected BSSID 6c:f3:7f:a8:9b:d0 SSID gotonet MATCH MAC 00:27:10:cf:f5:8c



If the IDS classification is suspected to be inconsistent, the output of the following commands from the AP reporting the IDS event helps identify the root cause.


· show ap monitor pot-ap-list
· show ap monitor ap-list | include rogue
· show log security
· show log security | include rogue
· show ap monitor ap-wired-mac <BSSID as per security logs> (for all APs in the cluster)
· show ids aps
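When several "Potentially rogue AP detected" notices arrive, it helps to extract the reporting air monitor, the suspect BSSID, the SSID and the matched wired MAC from each line before running the checks listed above. The script below is an added example, not Aruba's code: it parses the sapd message format shown in the example log line (message id 106000), groups suspect BSSIDs by the wired MAC they matched, and produces the "show ap monitor ap-wired-mac <BSSID>" command for each distinct BSSID alongside the other troubleshooting commands. The sample log is constructed: the first line is the article's own, the second is a hypothetical detection of a neighbouring BSSID added for this example, and the third is a filler notice that does not follow the detection format and is reported as unparsed. Only the message wording shown in the article is matched; other 106000 message variants are not known from this page.

```python
"""Parse Aruba Instant IDS syslog notices and derive follow-up checks.

Added example, not Aruba's own code. Matches the 'Potentially rogue AP
detected' notice (sapd message id 106000) in the format reproduced in this
article; any other line is returned as unparsed rather than guessed at.
"""
import re

# Constructed sample log: line 1 is from the article; lines 2 and 3 are
# made up for this example (a second BSSID with the same matched wired MAC,
# and a notice that does not follow the detection format).
SAMPLE_LOG = """\
Jul 30 13:16:30 2014 10.64.99.209 sapd[1558]: <106000> <NOTI> <10.64.99.209 0.0.0.0> |ids-ap| AM 00:24:6c:24:0a:d8: Potentially rogue AP detected BSSID 6c:f3:7f:a8:9b:d0 SSID gotonet MATCH MAC 00:27:10:cf:f5:8c
Jul 30 13:16:31 2014 10.64.99.209 sapd[1558]: <106000> <NOTI> <10.64.99.209 0.0.0.0> |ids-ap| AM 00:24:6c:24:0a:d8: Potentially rogue AP detected BSSID 6c:f3:7f:a8:9b:d1 SSID gotonet MATCH MAC 00:27:10:cf:f5:8c
Jul 30 13:17:02 2014 10.64.99.209 sapd[1558]: <106000> <NOTI> <10.64.99.209 0.0.0.0> |ids-ap| AM 00:24:6c:24:0a:d8: example notice in another format
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
ROGUE_NOTICE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<host>\S+) sapd\[\d+\]: "
    r"<(?P<msgid>\d+)> <(?P<severity>\w+)> <[^>]*> \|ids-ap\| "
    rf"AM (?P<am>{MAC}): Potentially rogue AP detected "
    rf"BSSID (?P<bssid>{MAC}) SSID (?P<ssid>\S+) MATCH MAC (?P<match_mac>{MAC})\s*$"
)


def parse_ids_log(text):
    """Split log text into parsed detection events and lines that did not match."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROGUE_NOTICE.match(line)
        if m:
            events.append(m.groupdict())
        else:
            unparsed.append(line)
    return events, unparsed


def group_by_match_mac(events):
    """Map each matched wired MAC to the sorted list of suspect BSSIDs that matched it."""
    groups = {}
    for e in events:
        groups.setdefault(e["match_mac"], set()).add(e["bssid"])
    return {mac: sorted(bssids) for mac, bssids in groups.items()}


def followup_commands(events):
    """Commands to run on the reporting AP (and, for ap-wired-mac, on every AP in the cluster)."""
    cmds = [
        "show ap monitor pot-ap-list",
        "show ap monitor ap-list | include rogue",
        "show log security | include rogue",
    ]
    for bssid in sorted({e["bssid"] for e in events}):
        cmds.append(f"show ap monitor ap-wired-mac {bssid}")
    cmds.append("show ids aps")
    return cmds


if __name__ == "__main__":
    evts, skipped = parse_ids_log(SAMPLE_LOG)
    for mac, bssids in group_by_match_mac(evts).items():
        print(f"wired MAC {mac} matched by {len(bssids)} BSSID(s): {', '.join(bssids)}")
    print("\n".join(followup_commands(evts)))
    print(f"{len(skipped)} line(s) not parsed")
```

Grouping by matched wired MAC shows at a glance whether one wired device accounts for several detections, which is the case the "ap-wired-mac" command is meant to confirm on each AP in the cluster. Unparsed lines are surfaced rather than dropped so that a change in message wording does not silently hide events.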

 

Version history
Revision #:
1 of 1
Last update:
11-10-2014 05:04 AM