Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IDS on IAPs

  • 1.  IDS on IAPs

    Posted Dec 27, 2016 01:41 PM

    Hello,

     

    I would like to implement some containment regarding some rogue access points (3G and 4G devices).

     

    It's not very clear to me how this works on IAP.

     

    Does it only work with Monitor mode IAPs?

     

    What would be your recommended settings?

     

    Thank you!



  • 2.  RE: IDS on IAPs

    EMPLOYEE
    Posted Dec 29, 2016 12:16 PM

    Please review the user guide for IDS. There is no requirement to have a dedicated Air Monitor to perform containment and there are also wired containment options available as well. 

     

    Note that if you have Aruba or HPE Aruba switches, you can automatically have the IAP inform the upstream switch that there is a rogue and the switch itself will admin down the port.



  • 3.  RE: IDS on IAPs

    Posted Dec 29, 2016 03:21 PM

    Thank you!

     

    I was testing some settings...

     

    Right now I have it set to High in terms of detection and also protection, but I can't see any actual difference.

     

    I set up a rogue 4G Wifi Hotspot right next to an IAP 205, but the clients seem to be able to connect to it and have proper network access...

     

    I set the wireless containment to "Tarpit all stations"



  • 4.  RE: IDS on IAPs

    EMPLOYEE
    Posted Dec 29, 2016 08:10 PM

    I would leave it to the defaults. High has unintended consequences and can deny legitimate traffic.



  • 5.  RE: IDS on IAPs

    Posted Apr 28, 2017 10:22 AM

    I'm back to this topic because I would like to really see this working.

     

    Basically, let's imagine that I have a rogue AP (not connected to the wired network) with SSID My_Example. My_Example SSID is a corporate SSID.

     

    I can't see any containment in terms of clients being disconnected from that rogue AP.

     

    Any hint?

     

    Thank you!



  • 6.  RE: IDS on IAPs

    MVP EXPERT
    Posted Apr 28, 2017 01:27 PM

    Is your IAP able to see the wired MAC of the rogue IAP? It will only be able to classify it as rogue and start the containment if it can see the rogue AP in both the air and on the wired side. If you run the below you will be able to determine what is being observed by the IAP and its classification.

     

    #show ids aps 


  • 7.  RE: IDS on IAPs

    Posted Apr 28, 2017 01:42 PM

    The Rogue AP is not on the same wired network but I reclassified it manually to "Rogue AP"