Monitoring, Management & Location Tracking

This article describes Aruba SNMP Traps that are supported in 7.0 and earlier (there's a separate article for AirWave versions 7.1 and later).

IDS Traps are discussed in the 'AirWave and Aruba Best Practice Guide':
http://www.airwave.com/download/docs/70/AirWaveandArubaBestPracticesGuide.pdf

These are the current IDS Traps that are supported by AMP:

1. Auth Traps Utilized by AWMS
– wlsxNUserAuthenticationFailed
– wlsxNAuthServerReqTimedOut

2. IDS Traps Utilized by AWMS
– wlsxSignatureMatchAP
– wlsxSignatureMatchSta
– wlsxSignAPNetstumbler
– wlsxSignStaNetstumbler
– wlsxSignAPAsleap
– wlsxSignStaAsleap
– wlsxSignAPAirjack
– wlsxSignStaAirjack
– wlsxSignAPNullProbeResp
– wlsxSignStaNullProbeResp
– wlsxSignAPDeauthBcast
– wlsxSignStaDeauthBcast

3. IDS Traps Integrated into AMP
AP Flood Attack
AP Impersonation
Channel Frame Error Rate Exceeded
Channel Frame Fragmentation Rate Exceeded
Channel Frame Retry Rate Exceeded
Channel Rate Anomaly
Disconnect Station Attack (AP)
Disconnect Station Attack (Station)
EAP Rate Anomaly
Frame Band Width Rate Exceeded
Frame Fragmentation Rate Exceeded
Frame Low Speed Rate Exceeded
Frame Non-Unicast Rate Exceeded
Frame Receive Error Rate Exceeded
Frame Retry Rate Exceeded
Invalid MAC OUI (AP)
Invalid MAC OUI (Station)
Node Rate Anomaly (AP)
Node Rate Anomaly (Station)
Repeat WEP-IV Violation (AP)
Repeat WEP-IV Violation (Station)
Reserved Channel Violation
Sequence Number Anomaly (AP)
Sequence Number Anomaly (Station)
Signal Anomaly
Station Associated to Rogue AP
Station Impersonation
Station Unassociated from Rogue AP
Valid SSID Violation
Valid Station Policy Violation
Weak WEP-IV Violation
Weak WEP-IV Violation (Station)
Signature - AP AirJack
Signature - Station AirJack
Signature - AP Asleap
Signature - Station Asleap
Signature - Deauth Broadcast
Signature - AP Netstumbler
Signature - Null Probe Response
Signature - Impersonate AP
Signature - Impersonate Station

To view the status of all traps (on the controller):
# show snmp trap-list

To view with focus on the supported traps (again, on the controller):
# show snmp trap-list | include wlsx
-----

To enable the supported traps:
snmp-server trap enable wlsxNUserAuthenticationFailed
snmp-server trap enable wlsxNAuthServerReqTimedOut
snmp-server trap enable wlsxSignatureMatchAP
snmp-server trap enable wlsxSignatureMatchSta
snmp-server trap enable wlsxSignAPNetstumbler
snmp-server trap enable wlsxSignStaNetstumbler
snmp-server trap enable wlsxSignAPAsleap
snmp-server trap enable wlsxSignStaAsleap
snmp-server trap enable wlsxSignAPAirjack
snmp-server trap enable wlsxSignStaAirjack
snmp-server trap enable wlsxSignAPNullProbeResp
snmp-server trap enable wlsxSignStaNullProbeResp
snmp-server trap enable wlsxSignAPDeauthBcast
snmp-server trap enable wlsxSignStaDeauthBcast

Note: You will need to issue the “write mem” command.

To Test IDS traps:

Create a signature profile that triggers when a specific MAC connects to an AP. Below are the commands to create such a profile (this assumes that your AP Groups are using the signature matching profile called "default") for "My Laptop":

(Aruba-Controller) (config) #ids signature-profile "My Laptop"
(Aruba-Controller) (IDS Signature Profile "My Laptop") #frame-type assoc
(Aruba-Controller) (IDS Signature Profile "My Laptop") #src-mac 00:1F:3B:32:63:7E
(Aruba-Controller) (IDS Signature Profile "My Laptop") #!

(Aruba-Controller) (config) #ids signature-matching-profile "default"
(Aruba-Controller) (IDS Signature Matching Profile "default") #signature "My Laptop"
(Aruba-Controller) (IDS Signature Matching Profile "default") #!

After that, just associate to an AP and a trap should show up very quickly.