Network Management

I have my controller pointed to my airwave server for SNMP traps, however, I am having the following issue.  If I go to the Security Dashboard on the controller I can see that I have several detected events, but if I go to the RAPIDS tab in airwave then the ids events subtab I have no events listed.  Should this screen be populated by the detected events on the controller's security dashboard?

Thanks

Hi -

If you go to APs/Devices and select the controller, click "Poll Now".  Does this generate any errors?  (Just to confirm the AirWave config is correct for the controller in question.)

Also, how old are these IDS events on the controller?  Remember that the dashboard on the controller is realtime, whereas the AirWave console is subject to a polling interval.  If the events are brand-new, they may not have been caught by AirWave yet.

Additionally, if you go into AMP Setup, confirm the settings on the General tab.  (Display RAPIDS: Yes, etc.)

Finally, you can go to System -> Alerts to see the SNMP traps come in.  Do you see any traps from that particular controller?

I hope this helps!

- Jay

The "IDS Events" page on Airwave is populated by SNMP traps as you indicated, not SNMP polling. The first thing to do is verify your AMP is actually receiving traps from the controller. If you are running a recent version of AMP, you can go to the controller's monitoring page (on Airwave) and look at the "Device Events" table. This will contain all SNMP traps and syslog messages Airwave receives from the controller. You should see a bunch of SNMP traps there. If you are not running a recent version of AMP then there are other slightly more complicated ways of determining if you are receiving traps at all.

I believe I now have it solved.  I upgraded to the latest release of airwave and now have IDS events showing under the RAPIDS tab in airwave.

Thakns

I am running AMP 7.5.5 (latest version)

I also see snmp-traps and syslogs in AMP (under System - Syslog/Traps)

I do not see IDS events.

the mgmt-server of my controllers is AMP's IP

Trap-host on the controllers is set to AMP

Trap-source is the controllers-ip

Any thoughts?

Please see the Aruba and AMP best practices guide here:  http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=8053

It will go over, in detail what needs to be done.  Somethings, you might have already done; I understand.

Do you have the IDS/IPS license installed on your controller?  Do you have the attacks configured as "detect" in the IDS profile in the Aruba controller?

I have followed every step of that guide and everything should be configured correctly.

I have set this up before and it has worked in the past, this new customer for some reason I do not see anything.

Unfortunately, I am not the one who configured the controllers but none of the attacks are selected as "detect", except for like "Detect bad WEP", "Detect Station Association To Rogue AP".

I have asked for clarification as to why none of those attacks are configured.

Could this be the case why no IDS events are showing up?

There is an RF Protect license on all of the controllers.

Yes.

Thank you.

That answers that.