Security, WIDS/WIPS and Aruba ECS

Occasional Contributor II
Posts: 45
Registered: ‎04-06-2010

Failed authentication results in denied access

In our remote AP testing we have noticed that if someone associates with very poor signal they sometimes get only machine authentication (we use machine and user authentication). At that point, even if they are right next to the AP, they cannot get user auth to work unless I disconnect them from the console OR they shut off their laptop for about 5 minutes and start over in range.

I suspect that this is the IDS kicking off, we use the default ids-low-setting profile and ids-dos-low-setting for the IDS DOS profile. Essentially everything is set to the default.

I have a few questions about this:
1) I was looking at a report showing all events and I cannot determine if any of these resulted in a station being blocked for a specific period. Is there a place to see when a station may have been blocked due to IDS or should it show up on the normal blacklist?

2) Does anyone have any experience with IDS and Remote APs? Any tips on tuning the signatures? Should we disable all the rogue AP alerts, since people often plug a remote AP in 5 feet from their home AP?
Guru Elite
Posts: 20,348
Registered: ‎03-29-2007

Client Behavior

- At a remote location, what is of the greatest concern is the latency between the access point and the controller, because a number of 802.1x supplicants will not complete a key exchange if the latency is over 100 milliseconds. This is further exacerbated when the client has marginal signal coverage. If you get closer to the access point and this fixes itself, that is your problem.

If you have a problem with a client, you can turn on logging for that specific client by going to the controller's commandline:

config t
logging level debug user-debug

You can then see the debug messages by doing a "show log user " or submitting your logs to support for analysis.

If you have not changed any of the IDS settings, your client should not get blacklisted. To get blacklisted for authentication failures, you would have to configure an authentication failure limit in the 802.1x profile, as well as turn on blacklisting in the virtual AP, for that client to be blacklisted.

I will let others mention what they do about remote AP users and rogue APs...


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
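As an added example (not code from this thread or from Aruba), the helper below models the two explanations given in the reply above: clients whose AP-to-controller round trip exceeds the 100 ms point at which some 802.1x supplicants abandon the key exchange, and clients that would only be blacklisted if an authentication failure limit is configured in the 802.1x profile and blacklisting is enabled on the virtual AP. The client records, MAC addresses, RTT values and failure counts are constructed sample data, not real controller output.

```python
# Added example (not from the thread): triage helper for the two failure
# modes described in the reply. All records below are constructed data.
from dataclasses import dataclass

RTT_THRESHOLD_MS = 100  # handshake-risk threshold cited in the reply


@dataclass
class ClientRecord:
    mac: str
    site: str
    rtt_ms: float            # AP-to-controller round trip (constructed)
    user_auth_failures: int  # consecutive 802.1x user-auth failures
    machine_auth_ok: bool    # machine auth completed, user auth did not


# Constructed sample data modelled on the thread (not real logs).
SAMPLE = [
    ClientRecord("00:11:22:33:44:01", "us-office", 35.0, 0, True),
    ClientRecord("00:11:22:33:44:02", "eu-office", 90.0, 1, True),
    ClientRecord("00:11:22:33:44:03", "sat-site", 820.0, 4, True),
    ClientRecord("00:11:22:33:44:04", "sat-site", 810.0, 0, False),
]


def handshake_risk(records, threshold_ms=RTT_THRESHOLD_MS):
    """MACs whose controller RTT is above the supplicant timeout threshold."""
    return sorted(r.mac for r in records if r.rtt_ms > threshold_ms)


def would_blacklist(record, auth_failure_limit, blacklist_enabled):
    """True only when BOTH a failure limit exists in the 802.1x profile
    AND blacklisting is enabled on the virtual AP, as the reply states."""
    if auth_failure_limit is None or not blacklist_enabled:
        return False
    return record.user_auth_failures >= auth_failure_limit


def triage(records, auth_failure_limit=None, blacklist_enabled=False):
    """Per-client list of reasons user auth may be stuck (defaults = stock config)."""
    out = {}
    for r in records:
        reasons = []
        if r.rtt_ms > RTT_THRESHOLD_MS:
            reasons.append("latency")
        if would_blacklist(r, auth_failure_limit, blacklist_enabled):
            reasons.append("blacklist")
        if r.machine_auth_ok and r.user_auth_failures and not reasons:
            reasons.append("check user-debug log")  # neither cause fits
        out[r.mac] = reasons
    return out
```

With the default arguments (no failure limit, blacklisting off) no client is ever reported as blacklisted, which is the reply's point that stock IDS settings alone do not blacklist a client.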

Occasional Contributor II
Posts: 45
Registered: ‎04-06-2010

Re: Failed authentication results in denied access


As always, Colin, thank you for your reply! I had not realized the 100ms issue; we have been doing our testing in the US and Europe with no issues, but we have a number of sites on satellite that will have 800ms+ latency. I guess we will just need to test that and see how it works.

I haven't seen any errors in the debug output when I enabled it, but I will enable debug for myself and reproduce the issue on my RAP.