Controllerless Networks

I have a basic question. 

Can Aruba IAP be used to control non-Aruba APs.

I already have a network, with non Aruba APs, in which I deployed the Aruba IAP to detect rogue APs.

But I could not find a way to add the existing APs as authorized APs. (Even after disabling the Auto Join mode and adding the AP manually, it is shown as non-active while the AP is up and distributing the network) 

Thanks

IAPs can only manage other IAPs.  

An IAP, however, can detect and quarantine Rogue Access points.

Thanks AirHeads. 

Appreciate your quick response. 

Does that mean a non-Auba AP can not be configured as authorised AP in Aruba instant. 

Also, Does the Rogue AP containment requires RFProtect license or something like Mobility Access Switch or some special configuration as I could not contain a test Rogue AP using wired containment and Rogue containment protections.

Thanks.

From a management perspective, IAPs can only manage IAPs.

When you refer to "authorised AP" are you referring to the ability to manage it or are you referring to taking an AP that has been flagged as a Rogue and changing its flagged status to "Neighbor" or "Authorized".

IAPs do not require any SW licensing -- all features are built-in including Rogue detection and containment.  The IAP can do containment on its own; however, if you are using it with a Mobility Access Switch (MAS) the MAS can also do containment.  The IAP will tell the MAS the BSSID (MAC) of the Rogue then the MAS will disable the port and PoE where the Rogue is connected (on access port) or blacklist the MAC of the Rogue plus any clients connected to the Rogue (on Trunk ports).

When I refer to authorized APs, I am referring to taking an AP that has been flagged as a Rogue and changing its flagged status to "Neighbor" or "Authorized". How can that be done. 

Also, I could not contain a test rogue AP. The clients were still able to connect to it. am I missing something..?

Thanks.

In IAP the classification cannot be changed like it can in our controller-based solutions.

Clients cannot be prevented from connected to a Rogue AP.  Once they connect we can deauthenticate them.  We can also present a 'Tarpit' which is a fake copy of the Rogue.  Hopefully the client drivers will find the Tarpit more attactive that the Rogue and stay connected to the Tarpit.  See the attached screen capture.

Thanks for clarifying my doubts Marcus.

+If classification can not be changed, is there a way that a Non Aruba AP is not classified as Rogue in firat place..

+ If clients can not be stopped from conencting to Rogue AP, How can I make sure that the AP that has been classified as Rogue as contained, when Rogue containment and Wired Containment is on..?

Thanks,
Atul

Be sure you enable Infrastructure protection in case you have not already which is required to enable containment. Also, enable Client Protection which enables "Protect Valid Station".  If a client connects to a Rogue this Deauth's the client off the Rogue.

Lastly, take a look at the IAP CLI reference guide for several commands that can help troubleshoot containment.

What can I do to make non Aruba AP authorised i.e it is not classified as Rogue AP?

Thanks

In IAP the Rogue AP classification cannot be changed like it can in our controller-based solutions.

Does that mean IAP will always call a non-Aruba AP as rogue even though it is a genuine AP distributing the network ?

An IAP classifies all other non IAP APs as Rogue.

Just wondering wha the underlying logic that IAP is using to classify an AP as rogue. eg. cisco lwaps use an IE in beacon/probe frames to determine if the neighboring AP is actually a neighbor or Rogue.

What is the logic that Aruba IAPs use for determining Rogue. 

Thanks,

Atul