Getting Deauth'ed when connecting to protected ESSID

  • 1.  Getting Deauth'ed when connecting to protected ESSID

    Posted Nov 16, 2016 09:57 PM

    I have a 3400 and 7205 running parallel in my environment, as I test to transition all APs from the 3400 to the 7205. I have created a 'TestGUEST' SSID on the 7205, and assigned it to the one AP homed to that controller. That SSID is opmode opensystem, as I am trying to send it to a captive portal for guests. When I try to connect to that SSID, I am getting Deauth'ed. I have made TestGUEST a valid-and-protected-ssid in both the 7205 AND the 3400. I also created a rule in AirWave to see the MAC of the AP and the SSID as valid. I have a different SSID dropping users into the same vlan correctly, so I know the network is good. I have tried adding a preshared key and using wpa2-psk-aes, but the real goal is to make this an open SSID so people don't have to log in to the SSID, and only interact with the captive portal page. I have to believe that there is a security setting that is killing the open SSID, but I can't find it. Why am I still getting deauth'ed?

     

    Thanks,

    Russell

    Here are logs of it killing my connection:

    Nov 16 16:51:37 sapd[1131]: <127102> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): AP Deauth Containment: An AP attempted to contain an access point (BSSID ac:a3:1e:b3:f7:03) by disconnecting its client (MAC fc:db:b3:46:24:7d) on channel 11.
    Nov 16 16:51:38 sapd[1131]: <127102> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:10): AP Deauth Containment: An AP attempted to contain an access point (BSSID ac:a3:1e:b3:f7:13) by disconnecting its client (MAC fc:db:b3:46:24:7d) on channel 36.
    Nov 16 16:51:39 sapd[1131]: <127065> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): Valid Client Not Using Encryption: An AP detected an unencrypted frame between a valid client (fc:db:b3:46:24:7d) and access point (BSSID 00:1c:12:a3:22:f5), with source fc:db:b3:46:24:7d and receiver 33:33:ff:46:24:7d. SNR value is 36.
    Nov 16 16:51:39 sapd[1131]: <127075> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): Valid Client Misassociation: An AP detected a misassociation between valid client fc:db:b3:46:24:7d and access point (BSSID 00:1c:12:a3:22:f5 and SSID TestGUEST on CHANNEL 11). Association type is (Association To External AP), SNR of client is 0.
    Nov 16 16:51:39 sapd[1131]: <127075> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): Valid Client Misassociation: An AP detected a misassociation between valid client fc:db:b3:46:24:7d and access point (BSSID 00:1c:12:a3:22:f5 and SSID TestGUEST on CHANNEL 11). Association type is (Association To Honeypot AP), SNR of client is 0.
    Nov 16 16:51:40 sapd[1131]: <127035> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): Disconnect Station Attack: An AP detected a disconnect attack of client fc:db:b3:46:24:7d and access point (BSSID 00:1c:12:a3:22:f5 and SSID TestGUEST on CHANNEL 11). SNR of client is 33. Additional Info: Avg-AssocResp-PktRate(pps):0.5; Interval(sec):10.
    Nov 16 16:51:43 sapd[1131]: <127102> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:10): AP Deauth Containment: An AP attempted to contain an access point (BSSID ac:a3:1e:b3:f7:13) by disconnecting its client (MAC fc:db:b3:46:24:7d) on channel 36.
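
A triage sketch for the log excerpt above, added here as an example and not part of any poster's message: it groups the IDS events by client MAC and flags 127102 containment events whose target BSSID differs from the reporting radio's MAC only in the last hex digit. That same-radio rule and the names `parse_line`, `same_radio` and `triage` are assumptions of this example.

```python
import re
from collections import defaultdict

# Four lines copied from the log excerpt in the first post.
SAMPLE_LOG = """\
Nov 16 16:51:37 sapd[1131]: <127102> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): AP Deauth Containment: An AP attempted to contain an access point (BSSID ac:a3:1e:b3:f7:03) by disconnecting its client (MAC fc:db:b3:46:24:7d) on channel 11.
Nov 16 16:51:39 sapd[1131]: <127075> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): Valid Client Misassociation: An AP detected a misassociation between valid client fc:db:b3:46:24:7d and access point (BSSID 00:1c:12:a3:22:f5 and SSID TestGUEST on CHANNEL 11). Association type is (Association To Honeypot AP), SNR of client is 0.
Nov 16 16:51:40 sapd[1131]: <127035> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:00): Disconnect Station Attack: An AP detected a disconnect attack of client fc:db:b3:46:24:7d and access point (BSSID 00:1c:12:a3:22:f5 and SSID TestGUEST on CHANNEL 11). SNR of client is 33. Additional Info: Avg-AssocResp-PktRate(pps):0.5; Interval(sec):10.
Nov 16 16:51:43 sapd[1131]: <127102> <WARN> |AP QA-AP00-7205-3f:70@10.25.0.215 sapd| |ids-ap| AP(ac:a3:1e:b3:f7:10): AP Deauth Containment: An AP attempted to contain an access point (BSSID ac:a3:1e:b3:f7:13) by disconnecting its client (MAC fc:db:b3:46:24:7d) on channel 36.
"""

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
HEADER = re.compile(
    rf"<(?P<id>\d+)> <\w+> \|AP (?P<ap>\S+)@\S+ sapd\| \|ids-ap\| "
    rf"AP\((?P<radio>{MAC})\): (?P<event>[^:]+): (?P<text>.*)")
BSSID = re.compile(rf"BSSID ({MAC})")
CLIENT = re.compile(rf"client \(?(?:MAC )?({MAC})")

def parse_line(line):
    """Return message id, reporting radio, event name, BSSID and client MAC."""
    m = HEADER.search(line)
    if not m:
        return None
    rec = m.groupdict()
    text = rec.pop("text")
    b, c = BSSID.search(text), CLIENT.search(text)
    rec["bssid"] = b.group(1) if b else None
    rec["client"] = c.group(1) if c else None
    return rec

def same_radio(radio, bssid):
    # Assumption: BSSIDs served by one radio share all but the last hex digit.
    return bssid is not None and radio[:16] == bssid[:16]

def triage(log_text):
    """Group events per client; record containment aimed at the reporter's own BSSID."""
    report = defaultdict(lambda: {"events": [], "own_bssid_contained": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] is None:
            continue
        entry = report[rec["client"]]
        entry["events"].append((rec["id"], rec["event"]))
        if rec["id"] == "127102" and same_radio(rec["radio"], rec["bssid"]):
            entry["own_bssid_contained"].add((rec["radio"], rec["bssid"]))
    return dict(report)
```

On these four lines, both containment events name a BSSID on the reporting radio itself, while the misassociation and disconnect events name BSSID 00:1c:12:a3:22:f5.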

     



  • 2.  RE: Getting Deauth'ed when connecting to protected ESSID

    Posted Nov 17, 2016 03:55 AM
    Do you have IDS configured on your controller? You might need to set the test ssid as valid on the controller it's not configured on.




  • 3.  RE: Getting Deauth'ed when connecting to protected ESSID

    Posted Nov 17, 2016 07:45 AM

    I have the SSID set as a valid-and-protected-ssid in both controllers.

    I was thinking there might be a setting - or more than one that work in conjunction - that doesn't like it because it is open. If I add a psk to it, I can connect.

    Russell

     



  • 4.  RE: Getting Deauth'ed when connecting to protected ESSID

    Posted Nov 17, 2016 11:26 AM

    If your controllers are not associated with each other in a master-local type of configuration then setting SSIDs as valid-and-protected-ssid can cause deauths. I'm assuming you have the same SSIDs on both controllers protected.

     

    -----------

    What Does Protect SSID Setting Accomplish?

     

    Behavior When Protect SSID Setting is Enabled

    If enabled, this tells the APs/Controller not to let any 3rd party AP (or interfering AP) broadcast the SSID that is configured in the "valid-and-protected-ssid" of the IDS unauthorized device profile. This means that an Aruba AP with SSID test (as configured above) will attempt to contain any non-valid AP that is advertising SSID test.

    The AP does the containment by sending deauths to anything trying to associate to it (by spoofing the AP's BSSID) and it should be sending deauths to the AP (by spoofing the wireless client MAC address that was trying to associate to it).

    Note:  This setting should be used very carefully as it prevents station associations