fm
Contributor II

IDS on IAPs

Hello,

I would like to implement some containment regarding some rogue access points (3G and 4G devices).

It's not very clear to me how this works on IAP.

Does it only work with Monitor mode IAPs?

What would be your recommended settings?

Thank you!

Re: IDS on IAPs

Please review the user guide for IDS. There is no requirement to have a dedicated Air Monitor to perform containment and there are also wired containment options available as well.

Note that if you have Aruba or HPE Aruba switches, you can automatically have the IAP inform the upstream switch that there is a rogue and the switch itself will admin down the port.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
fm
Contributor II

Re: IDS on IAPs

Thank you!

I was testing some settings...

Right now I have it set to High in terms of detection and also protection, but I can't see any actual difference.

I set up a rogue 4G Wi-Fi hotspot right next to an IAP 205 but the clients seem to be able to connect to it and have proper network access...

I set the wireless containment to "Tarpit all stations".

Guru Elite

Re: IDS on IAPs

I would leave it to the defaults. High has unintended consequences and can deny legitimate traffic.



Colin Joseph
Aruba Customer Engineering


fm
Contributor II

Re: IDS on IAPs

I'm back to this topic because I would like to really see this working.

Basically let's imagine that I have a rogue AP (not connected to the wired network) with SSID My_Example. My_Example SSID is a corporate SSID.

I can't see any containment in terms of clients being disconnected from that rogue AP.

Any hint?

Thank you!

Re: IDS on IAPs

Is your IAP able to see the wired MAC of the rogue IAP? It will only be able to classify it as rogue and start the containment if it can see the rogue AP in both the air and on the wired side. If you run the below you will be able to determine what is being observed by the IAP and its classification.

#show ids aps
ACMA, ACMP
If my post addresses your query, give kudos:)
fm
Contributor II

Re: IDS on IAPs

The Rogue AP is not on the same wired network but I reclassified it manually to "Rogue AP".
