Security, WIDS/WIPS and Aruba ECS

Occasional Contributor I

AM recognises controller as attacker?

Our WLAN was freezing several times per day, so I had a look at the logs:

R029@141.68.21.11 sapd| AM: Wired Containment: Station MAC:00:0b:86:61:7e:20 IP:141.68.21.2 Nov 6 10:04:33 aruba sapd: <106009> |AP

MAC:00:0b:86:61:7e:20 IP:141.68.21.2 < The Aruba controller's MAC and IP!!

I disabled wired containment in the IDS-general-high-setting profile and the WLAN is working fine now. But why does the AM recognise the controller as an attacker?

Any recommendations on how to troubleshoot this?

Cheers,

Stefan
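
A log check for the condition described in the post above, as an added example that is not part of the original thread and not Aruba tooling: it scans sapd log lines for wired-containment events whose target is a device known to be your own infrastructure. The message layout is assumed from the single excerpt in the post; the function names and sample lines 2-4 are constructed.

```python
import re
from collections import Counter

# Controller MAC/IP as given in the post; list every controller and gateway here.
INFRASTRUCTURE = {"00:0b:86:61:7e:20": "141.68.21.2"}

# Assumption: field layout inferred from the one excerpt; other releases may differ.
EVENT_RE = re.compile(r"Wired Containment: Station MAC:(?P<mac>[0-9A-Fa-f:.-]{12,17})\s+IP:(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
AP_RE = re.compile(r"(?P<ap>\S+)@(?P<ap_ip>\d{1,3}(?:\.\d{1,3}){3})\s+sapd\|")

# Line 1 is the excerpt from the post; lines 2-4 are constructed sample data.
SAMPLE_LOG = """\
R029@141.68.21.11 sapd| AM: Wired Containment: Station MAC:00:0b:86:61:7e:20 IP:141.68.21.2 Nov 6 10:04:33 aruba sapd: <106009> |AP
R031@141.68.21.13 sapd| AM: Wired Containment: Station MAC:00-0B-86-61-7E-20 IP:141.68.21.2 Nov 6 10:04:41 aruba sapd: <106009> |AP
R029@141.68.21.11 sapd| AM: Wired Containment: Station MAC:00:1a:2b:3c:4d:5e IP:141.68.21.77 Nov 6 10:05:02 aruba sapd: <106009> |AP
R029@141.68.21.11 sapd| AM: Wired Containment: Station MAC:00:1a:2b:3c:4d:5f IP:141.68.21.2 Nov 6 10:05:09 aruba sapd: <106009> |AP
"""


def norm_mac(mac):
    """Lower-case and re-delimit a MAC so 00-0B-86... and 00:0b:86... compare equal."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def find_infrastructure_containment(log_text, infrastructure=INFRASTRUCTURE):
    """Return (hits, per_ap): containment events aimed at allow-listed devices."""
    hits, per_ap = [], Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        event = EVENT_RE.search(line)
        if not event:
            continue
        mac, ip = norm_mac(event["mac"]), event["ip"]
        # Match on either field: a known IP paired with an unknown MAC (or the
        # reverse) is reported with exact=False so it can be investigated.
        if mac in infrastructure or ip in infrastructure.values():
            ap = AP_RE.search(line)
            ap_name = ap["ap"] if ap else "unknown"
            hits.append({"line": lineno, "ap": ap_name, "mac": mac, "ip": ip,
                         "exact": infrastructure.get(mac) == ip})
            per_ap[ap_name] += 1
    return hits, per_ap


if __name__ == "__main__":
    found, by_ap = find_infrastructure_containment(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(dict(by_ap))
```

The per-AP count shows whether one air monitor or several are issuing the containment, and an `exact` value of False separates a MAC/IP mismatch from the monitor targeting the real controller.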
Aruba Employee

Re: AM recognises controller as attacker?

Any chance someone is spoofing the controller on the network with a home router? Seems a bit unlikely, but that's the first thing that came to mind.

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Aruba Employee

Re: AM recognises controller as attacker?

One of our developers would like to see the following:
show ap monitor debug status ap-name
show ap monitor wired-mac ap-name enet-mac
show ap monitor ap-list ap-name
show ap monitor client-list ap-name
show ap monitor debug profile-config ap-name ids-general
show ap monitor debug profile-config ap-name ids-unauthorized-device
show ap monitor debug profile-config ap-name ids-dos
show ap monitor stats ap-name mac 00:0b:86:61:7e:20 verbose

-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Occasional Contributor I

Re: AM recognises controller as attacker?

Spoofing is quite unlikely; the events also occurred during the night when the whole campus was closed.

Meanwhile I updated the controller to 3.4.0.6 and enabled wired containment. As soon as the WLAN is freezing again I'll post the output of the commands above.

Stefan
Aruba Employee

Re: AM recognises controller as attacker?

That is odd, please keep us informed on your progress. Can you tell us what the code version was that you had running previously, and anything else about how the AM is connected to the network and its ability to reach the controller?

thanks,
-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Occasional Contributor I

Re: AM recognises controller as attacker?

Hi,

the previous version was 3.4.0.5. I had a close look at the controller for the last two weeks; the messages didn't reappear. I didn't make any changes to the configuration.

Seems like it either was a spoofing attack (very unlikely but not impossible) or the update to version 3.4.0.6 fixed it somehow.

The access points are connected to the controller across the same subnet, no routing, plain layer 2. The switches are the Extreme Summit with latest firmware, all gigabit, new cabling.

Strange, anyway.

Cheers,

Stefan
Aruba Employee

Re: AM recognises controller as attacker?

Thanks for the update Stefan, please feel free to contact us again if that issue reappears.

thanks,
-awl
Andy Logan, ACDX
Director, Strategic Account Solutions
Aruba Networks
Moderator

Multi Masters?

This can occur if you have more than one master controller in the same broadcast domain. Controllers use a common MAC address for all ports. If you have two masters, they are running independent domains and could perceive the other master as a rogue device.

Kevin




Occasional Contributor I

Re: AM recognises controller as attacker?

Hi Kevin,

there's only one controller.

WLAN is fine since I updated the controller to 3.4.0.6.

Stefan
Occasional Contributor I

Re: AM recognises controller as attacker?

Hi everybody,

the WLAN was fine until last week, then the same issue as described above reappeared. Firmware version is 3.4.2.1.

I wasn't even able to access the controller via telnet or web interface until I powered it off. Meanwhile I disabled wired containment.

Any suggestions?