
Wireless IDS Attacking Authorized AP's

  • 1.  Wireless IDS Attacking Authorized AP's

    Posted Apr 08, 2014 09:01 AM

    The quick and dirty of my set up:

     

                                     3200XM Local   Downtown Campus
    3200XM Dedicated Master ------>  3400US Local   North Campus
                                     3600US Local   Downtown Campus

     

    ArubaOS ver. 6.2.0.2 on all controllers

     

    So the other day the Wireless IDS freaks out and starts tarpitting / de-auth attacking its own authorized AP's, causing a widespread outage. The only way I found to stop it was to disable the WIDS and then reboot the Master. I tried re-enabling the WIDS with just the recommended settings through the WIDS Wizard and it did the same thing. Again, to stop it I had to disable WIDS altogether and then reboot the master.

     

    Anyone seen this before and can offer some insight? Any ideas on configuration? ummm help? (haven't opened a ticket with Aruba TAC yet as I will be in and out of the office today)



  • 2.  RE: Wireless IDS Attacking Authorized AP's

    EMPLOYEE
    Posted Apr 08, 2014 09:10 AM

    Can you go through WIDS and disable any tarpitting options to see what the controller is detecting?  A TAC case is your best option here...



  • 3.  RE: Wireless IDS Attacking Authorized AP's

    Posted Apr 08, 2014 09:15 AM

    I'll double check that this evening, Seth. I don't want to do it right now just in case it does it again and causes another outage during our main "business" hours. And yeah, I figured I would have to open a case with TAC but I always like to try here first. I have gotten a lot of help and useful info from these boards :-)



  • 4.  RE: Wireless IDS Attacking Authorized AP's

    EMPLOYEE
    Posted Apr 08, 2014 09:20 AM

    You should be ok.  However, I understand your reservations.  In the IDS wizard, just set the protection to OFF.  It will just detect the "attacks" and not do anything to prevent/suppress them.

     




  • 5.  RE: Wireless IDS Attacking Authorized AP's

    Posted Apr 08, 2014 09:32 AM

    So to clarify, I should be able to set whatever I want but as long as the protection services in step 5 of the wizard are turned off, there should be no actual effect on the wireless services. Correct?



  • 6.  RE: Wireless IDS Attacking Authorized AP's

    EMPLOYEE
    Posted Apr 08, 2014 09:37 AM

    Yes - keep those settings OFF and the system will be in a detect only mode.



  • 7.  RE: Wireless IDS Attacking Authorized AP's

    Posted Apr 09, 2014 08:54 AM

    So far so good. I just got the baseline detection up and running with protection turned off. However, I am not seeing all of the craziness of my own AP's as a threat like I was before. Thoughts?



  • 8.  RE: Wireless IDS Attacking Authorized AP's

    Posted Apr 10, 2014 09:46 AM

    So I was wrong, I am seeing something wrong. All of the clients are marked as invalid. That is not cool. If I were to enable protection again I bet it would start seeing its own AP's as a threat again...

     

     



  • 9.  RE: Wireless IDS Attacking Authorized AP's

    EMPLOYEE
    Posted Apr 10, 2014 09:59 AM

    americanmcneill,

     

    Clients are only marked as valid if they ever have connected to your wireless network with encryption.

     

    Honestly, you should probably contact TAC to make sure that you are making the right moves....



  • 10.  RE: Wireless IDS Attacking Authorized AP's

    Posted Apr 10, 2014 10:08 AM

    Hey CJ!

     

    Have you read through the whole thread? It's weird, man. Currently I have protection disabled as per Seth's suggestion until I can figure this out. Take a gander at the attachment if you would, do you see any config issues?

    Attachment: AP Wizard Summary.pdf (33 KB)


  • 11.  RE: Wireless IDS Attacking Authorized AP's

    EMPLOYEE
    Posted Apr 10, 2014 10:15 AM

    I just read the thread.  I know you have protection turned off, but what are you trying to do?



  • 12.  RE: Wireless IDS Attacking Authorized AP's

    Posted Apr 10, 2014 10:18 AM

    Trying to figure out why my AP's started attacking one another and causing an outage. I am trying to see if it's a config issue or a bug/glitch somewhere... I also haven't had time to open a case with TAC yet as I have been bouncing between campuses this week.



  • 13.  RE: Wireless IDS Attacking Authorized AP's

    EMPLOYEE
    Posted Apr 10, 2014 10:22 AM

    Is there any way you can put the IDS back on the default profiles?



  • 14.  RE: Wireless IDS Attacking Authorized AP's

    Posted Apr 10, 2014 10:26 AM

    Well, I thought that is what I did, yet when I re-enabled protection it happened again. Hence the WIDS config I posted. Are those settings the actual default? (not including my three custom rules at the top that are disabled) or do those not look correct?