Security, WIDS/WIPS and Aruba ECS

MVP
Michael_Clarke
Posts: 921
Registered: 08-29-2007

IDS, Protect SSID and Contain Suspected Rogue

Hi,

I am trying to test the functionality of the unauthorised-device-profile within IDS.

I'd like to contain certain ssids that are configured on the controller but coming from unauthorised (non Aruba) access points. These unauthorised devices are not on the network either, but I would like to prevent any user from connecting to them.

I have tried to test this but can't seem to get it to work.

'Protect ssid' is enabled and the ssid has been added to the valid-and-protected-ssid list. Contain-suspected-rogue is also enabled.

When the device is turned on, the following log entry is added.



I was under the impression that the AP would automatically get classified as suspected-rogue, but when I look at the wms entry it stays classified as Interfering.

When I manually classify it using
 the following log entry is generated.



However, I am still able to connect to this AP. If I reclassify it as rogue and enable rogue-containment, the same thing... I'm still able to connect to it.

Is there something I'm missing here? I simply can't see any evidence of containment happening.

Many thanks

Michael

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCA, ACMP, ACMX #294
Securedata Europe Ltd
Moderator
cjoseph
Posts: 12,335
Registered: 03-29-2007

Rogue Containment

Do you have any dedicated Air monitors in this deployment? Access points that are serving clients can only provide IDS/IPS protection on the channel that they are currently on. Air monitors can provide protection on ANY channel. With that being fully said, if this is anything but a test network, all of your variables need to be understood before we change any settings, because we do not want to deny any type of service. Please open a case if this is a production network.
Colin Joseph
Aruba Customer Engineering
MVP
Michael_Clarke
Posts: 921
Registered: 08-29-2007

Re: IDS, Protect SSID and Contain Suspected Rogue

Just testing at the moment for the time being, Colin, to establish what our capabilities can be. Eventually it may be deployed in a production environment.

I'm sure the Aruba AP was on the same channel as the rogue, but I'll test again tomorrow with it as an Air Monitor.

Thanks

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCA, ACMP, ACMX #294
Securedata Europe Ltd
Moderator
cjoseph
Posts: 12,335
Registered: 03-29-2007

Rogue Containment

You can see what rogue APs are being contained by that AP by using:



To see how many deauths were sent to a client, you would use
Colin Joseph
Aruba Customer Engineering
MVP
Michael_Clarke
Posts: 921
Registered: 08-29-2007

Re: IDS, Protect SSID and Contain Suspected Rogue

Hi Colin,

I changed the AP to be an air monitor.

(Aruba) #show ap monitor active-laser-beams ap-name TEST_AP_Build_Room_00:0b:86:c6:3d:b0test phy g
Active Laser Beam Sources
-------------------------
bssid channel rssi ap name lms ip master ip inactive time
----- ------- ---- ------- ------ --------- -------------

(Aruba) #show ap monitor stats advanced ap-name TEST_AP_00:0b:86:c6:3d:b0test client-mac 00:18:41:05:b2:13

DoS Frames
----------
tx old-tx rx old-rx
-- ------ -- ------
0 0 0 0
Interference Baseline
---------------------
FRR FRER
--- ----
4 4
Handoff Assist
--------------
rssi-index cur-signal old-cur-signal
---------- ---------- --------------
0 47 0
High Throughput Parameters
--------------------------
ht-type primary-channel sec-channel gf-supported 40mhz-intolerance
------- --------------- ----------- ------------ -----------------
none 0 0 0 0



The log entries are generated as before, but I can still connect.

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCA, ACMP, ACMX #294
Securedata Europe Ltd
Aruba Employee
jbennett
Posts: 19
Registered: 04-27-2009

Wireless containment

Can you confirm that wireless containment is enabled?

(home200) #show ids general-profile default

IDS General Profile "default"
-----------------------------
Parameter Value
--------- -----
Stats Update Interval 60 sec
Monitored Device Stats Update Interval 0 sec
AP Inactivity Timeout 20 sec
STA Inactivity Timeout 60 sec
Min Potential AP Beacon Rate 25 %
Min Potential AP Monitor Time 2 sec
Signature Quiet Time 900 sec
Wireless Containment true
Debug Wireless Containment false
Wired Containment true
Mobility Manager RTLS false
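As an added example (not code from the thread or from Aruba), a small Python check that applies the troubleshooting logic of this thread to the two CLI outputs quoted above: Wireless Containment must be true in the IDS general profile, and if containment is actually happening the DoS Frames tx counter for the client should be non-zero. The sample text is constructed from the outputs posted above, and reading the DoS Frames tx counter as the count of containment frames is an assumption.

```python
import re

# Constructed samples modelled on the `show ids general-profile default` and
# `show ap monitor stats advanced ... client-mac` output quoted in this thread.
IDS_PROFILE = """\
IDS General Profile "default"
-----------------------------
Parameter Value
--------- -----
Wireless Containment true
Debug Wireless Containment false
Wired Containment true
"""

MONITOR_STATS = """\
DoS Frames
----------
tx old-tx rx old-rx
-- ------ -- ------
0 0 0 0
"""


def parse_profile(text):
    """Return the boolean settings of a flattened 'Parameter Value' table."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+(true|false)$", line.strip())
        if m:
            settings[m.group(1)] = m.group(2) == "true"
    return settings


def parse_dos_frames(text):
    """Return the DoS Frames counters (header, dashes, names, dashes, values)."""
    lines = [ln.strip() for ln in text.splitlines()]
    i = lines.index("DoS Frames")
    values = [int(v) for v in lines[i + 4].split()]
    return dict(zip(("tx", "old-tx", "rx", "old-rx"), values))


def containment_status(profile_text, stats_text):
    """(ok, reason): is containment configured AND visibly happening?"""
    settings = parse_profile(profile_text)
    if not settings.get("Wireless Containment", False):
        return False, "Wireless Containment is false in the IDS general profile"
    dos = parse_dos_frames(stats_text)  # assumed: tx = containment frames sent
    if dos["tx"] == 0 and dos["old-tx"] == 0:
        return False, "containment enabled but 0 DoS frames sent to this client"
    return True, f"{dos['tx']} DoS frames sent to this client"
```

Run against the outputs in this thread it reports containment as configured but not observed, which matches the behaviour described (clients can still associate).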