Occasional Contributor II
Posts: 10
Registered: ‎02-24-2017

IDS/IPS system for IAP doesn't work?

Good day,

I have had a really hard time understanding the main differences between security features in Controller vs IAP-VPN based solutions.

I wanted to test a really basic security feature on an IAP cluster, AP impersonation, by setting up an access point with the same SSID and MAC address. I set the security settings to MAX on everything, detection and protection. Yet some clients still joined my fake AP... and stayed there for more than 3 hours!?

I also tried sending Deauth broadcasts with the AP's MAC address and they worked; all the clients were disconnecting and connecting to my fake AP.

Shouldn't these IPS features be working?

Would a Controller with RFProtect license solve these flaws?

Has anyone had similar issues?

Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: IDS/IPS system for IAP doesn't work?

You cannot just simply set the IDS/IPS features to max and have them just work. You need to configure what you need and test. You need to configure detection, protection and containment specific to what you want to protect. Lastly, maximum protection occurs when the device doing the protection is an Air Monitor and not serving clients.

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 10
Registered: ‎02-24-2017

Re: IDS/IPS system for IAP doesn't work?

I actually tried it with only specific options enabled and got the same results; at the very end I put everything to max in hopes that something would happen. I will do these tests with one of the APs working as an AM, but does this mean that without Air Monitor enabled on one of the APs I am able to deauth and spoof that SSID?

Guru Elite
Posts: 20,819
Registered: ‎03-29-2007

Re: IDS/IPS system for IAP doesn't work?

The protection is greater if you have an Air Monitor because it is dedicated to protection and it is not splitting its time between IDS and serving clients. You need to configure a custom policy and choose your containment to make sure your policy is being enforced.



Colin Joseph
Aruba Customer Engineering

Occasional Contributor II
Posts: 10
Registered: ‎02-24-2017

Re: IDS/IPS system for IAP doesn't work?

I am sorry for the late reply, I was sick and out of country for a while.

I did as you suggested and set up one of the Aruba devices as an Air Monitor.

To go really basic here, I created a hotspot on my mobile phone with the same SSID, and after deauthenticating (from Kali Linux) OR just plain restarting the wifi interface, it joined my mobile phone's wifi interface.

It stayed there for more than 1 hour!

Shouldn't it be deauthenticating it from my phone's hotspot!? Why aren't these basic IPS functions working, as they are written on the specs sheet?

I have all of the IDS/IPS functionality enabled and one of the devices is functioning as an Air Monitor...
