Rogue detection false positives on wired and wireless rule
01-10-2017 11:18 AM
We are seeing what appears to be neighbors listed as being detected both wired and wirelessly using a match rule called "Minus-One-Match" which appears to detect consecutive mac-addresses. One such example lists 38:ED:18:BA:B8:31 as the wired mac and 38:ED:18:BA:B8:30 as the wireless. However, further review shows that the mac address ending in 31 has the SSID xxxx-pwhse and the mac address ending in 30 has the SSID xxxx-user.
Thus both macs are wireless macs, likely the same device but no mac is identified showing wired connectivity. Likewise a review of the site's switches does not reflect any mac beginning with 38:ED:18 attached to the network. This was on a detection most recently made within the past few minutes.
Signal strength is high enough to identify as a suspect rogue but LAN connection identification appears to be a false positive. The SSID matches are not replicating ours so this is not an instance of SSID spoofing.
Thus I see this as a false positive and probable neighbor given the multi-tenant nature of the site.
Question: am I interpreting the function of the Minus-one-Match method correctly, and if so, how does one disable this method, as it is obviously causing false positives?
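The manual checks described in this post can be scripted as a triage step. The following is an added example, not part of the original thread and not Aruba's code. It assumes the rule pairs MACs that differ by one, as the poster describes; the input formats (a BSSID-to-SSID dict and a set of switch-learned MACs) and the switch table entries are assumptions made for illustration.

```python
def mac_to_int(mac):
    """Parse a colon- or dash-separated MAC into a 48-bit integer."""
    octets = mac.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(o.zfill(2) for o in octets), 16)


def triage(wired_mac, bssid, scan, fdb):
    """Classify one adjacency-based 'wired + wireless' rogue match.

    scan: {BSSID: SSID} heard over the air (assumed input format)
    fdb:  MACs learned by the site's switches (assumed input format)
    Returns (verdict, reasons).
    """
    wired, radio = mac_to_int(wired_mac), mac_to_int(bssid)
    if abs(wired - radio) != 1:
        return "not-adjacent", ["MACs are not consecutive"]
    heard = {mac_to_int(m): ssid for m, ssid in scan.items()}
    learned = {mac_to_int(m) for m in fdb}
    if wired in learned:
        return "confirmed-wired", ["'wired' MAC is in a switch forwarding table"]
    reasons = []
    # Same check the poster did by hand: any MAC with this OUI on the LAN?
    if not any(m >> 24 == wired >> 24 for m in learned):
        reasons.append("no switch port has learned any MAC with this OUI")
    if wired in heard:
        reasons.append(f"'wired' MAC is itself a BSSID (SSID {heard[wired]!r})")
        return "likely-false-positive", reasons
    return "unverified", reasons


# MACs and SSIDs are the ones quoted in the post; the switch table is constructed.
SCAN = {"38:ED:18:BA:B8:31": "xxxx-pwhse", "38:ED:18:BA:B8:30": "xxxx-user"}
FDB = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

if __name__ == "__main__":
    verdict, reasons = triage("38:ED:18:BA:B8:31", "38:ED:18:BA:B8:30", SCAN, FDB)
    print(verdict)
    for reason in reasons:
        print(" -", reason)
```

A "confirmed-wired" verdict is the only one that supports treating the device as attached to the LAN; "unverified" means neither the scan nor the switch tables settle it.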
Re: Rogue detection false positives on wired and wireless rule
01-10-2017 11:28 AM
Are those wireless mac addresses your access points, or no?
Colin Joseph
Aruba Customer Engineering
Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
Re: Rogue detection false positives on wired and wireless rule
01-10-2017 11:33 AM
No, they are not our APs and they are not physically attached to our network; they appear to be neighbors being automatically classified as rogues. Best I can tell, the Minus-one-match method is assuming that two consecutive macs must represent wired and wireless interfaces but does not take into account two consecutive wireless macs, e.g. 2.4 and 5 GHz radios on one AP having separate mac addresses.
Re: Rogue detection false positives on wired and wireless rule
01-10-2017 11:34 AM
One of those macs would need to be wired for it to classify using the +1 rule.
Colin Joseph
Aruba Customer Engineering
Re: Rogue detection false positives on wired and wireless rule
01-10-2017 11:37 AM
Alan Mercer
Technical Systems Architect
Catholic Charities Information Technology
1966 Greenspring Dr.
Suite 200
Timonium, Md. 21093
667-600-2270
Fax: (410) 561-7755
amercer@cc-md.org
Please note phone number change above effective on 9/23/2016
For support issues please contact the Support Desk at : (1-844-323-5477) or support@cc-md.org
To find out more about Catholic Charities please visit: www.cc-md.org
Re: Rogue detection false positives on wired and wireless rule
01-10-2017 11:42 AM
My remark is that is how it is supposed to work. Have you seen the article here? http://community.arubanetworks.com/t5/Controller-less-WLANs/How-to-troubleshoot-rogue-on-IAP/ta-p/213315
Colin Joseph
Aruba Customer Engineering
Re: Rogue detection false positives on wired and wireless rule
01-18-2017 05:15 AM
That article does not explain the plus one rule nor why two consecutive macs both associated with wireless SSIDs would be detected as wired. Everything about this still says false positive, and one that would likely occur quite frequently. It appears to be a flawed signature used for rogue detection and would not be the first bug in Airwave and the Instant OS I have reported in our short time using the product.
I'm at the point that I will have to open a support ticket on this given the answer is not here.
Re: Rogue detection false positives on wired and wireless rule
01-18-2017 06:06 AM
That is the best approach.
Colin Joseph
Aruba Customer Engineering