Frequent Contributor II
Posts: 250
Registered: ‎09-14-2011
Wireless IDS Attacking Authorized AP's

The quick and dirty of my set up:

3200XM Dedicated Master
    ------>  3200XM Local   Downtown Campus
    ------>  3400US Local   North Campus
    ------>  3600US Local   Downtown Campus

ArubaOS ver. 6.2.0.2 on all controllers

So the other day the Wireless IDS freaks out and starts tarpitting / de-auth attacking its own authorized AP's, causing a widespread outage. The only way I found to stop it was to disable the WIDS and then reboot the Master. I tried re-enabling the WIDS with just the recommended settings through the WIDS Wizard and it did the same thing. Again, to stop it I had to disable WIDS altogether and then reboot the master.

Anyone seen this before and can offer some insight? Any ideas on configuration? ummm help? (haven't opened a ticket with Aruba TAC yet as I will be in and out of the office today)

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Aruba
Posts: 1,377
Registered: ‎12-12-2011
Re: Wireless IDS Attacking Authorized AP's

Can you go through WIDS and disable any tarpitting options to see what the controller is detecting?  A TAC case is your best option here...

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Frequent Contributor II
Posts: 250
Registered: ‎09-14-2011
Re: Wireless IDS Attacking Authorized AP's

I'll double check that this evening, Seth. I don't want to do it right now just in case it does it again and causes another outage during our main "business" hours. And yeah, I figured I would have to open a case with TAC but I always like to try here first. I have gotten a lot of help and useful info from these boards :-)

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Aruba
Posts: 1,377
Registered: ‎12-12-2011
Re: Wireless IDS Attacking Authorized AP's

You should be ok. However, I understand your reservations. In the IDS wizard, just set the protection to OFF. It will just detect the "attacks" and not do anything to prevent/suppress them.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Frequent Contributor II
Posts: 250
Registered: ‎09-14-2011
Re: Wireless IDS Attacking Authorized AP's

So to clarify, I should be able to set whatever I want but as long as the protection services in step 5 of the wizard are turned off, there should be no actual effect on the wireless services. Correct?

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Aruba
Posts: 1,377
Registered: ‎12-12-2011
Re: Wireless IDS Attacking Authorized AP's

Yes - keep those settings OFF and the system will be in a detect only mode.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
Frequent Contributor II
Posts: 250
Registered: ‎09-14-2011
Re: Wireless IDS Attacking Authorized AP's

So far so good. I just got the baseline detection up and running with protection turned off. However, I am not seeing all of the craziness of my own AP's as a threat like I was before. Thoughts?

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Frequent Contributor II
Posts: 250
Registered: ‎09-14-2011
Re: Wireless IDS Attacking Authorized AP's

So I was wrong, I am seeing something wrong. All of the clients are marked as invalid. That is not cool. If I were to enable protection again I bet it would start seeing its own AP's as a threat again...

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC
Guru Elite
Posts: 21,280
Registered: ‎03-29-2007
Re: Wireless IDS Attacking Authorized AP's

americanmcneill,

Clients are only marked as valid if they ever have connected to your wireless network with encryption.

Honestly, you should probably contact TAC to make sure that you are making the right moves....



Colin Joseph
Aruba Customer Engineering


Frequent Contributor II
Posts: 250
Registered: ‎09-14-2011
Re: Wireless IDS Attacking Authorized AP's

Hey CJ!

Have you read through the whole thread? It's weird, man. Currently I have protection disabled as per Seth's suggestion until I can figure this out. Take a gander at the attachment if you would, do you see any config issues?

Scott McNeil - IT Specialist, Global Process Automation
Network+ | CWNA | CWTS | ACSP | ACMP | ACMA | BREC