Wired Networks

How does Tarpit shielding work? How is this parameter configured on the controller ?

Aruba Employee

Introduction :

The Tarpit Shielding feature is a type of wireless containment. Detected devices that are classified as rogues are contained by forcing client association to a fake channel or BSSID. This method of tarpitting is more efficient than rogue containment via repeated de-authorization requests. 

The tarpitting process:

1.The AM detects that the client has connected to a rogue device.

2.The AM sends de-authenticate (de-auth) messages to the client and the rogue, in each case impersonating to be the other device.

3.The client attempts to reconnect to the rogue device.

4.The AM answers the client request and completes the association handshake.

5.The client attempts to communicate to send data, and the AM ignores the client.

 

 

rtaImage.png
 

 

Feature Notes:

 

Understanding Tarpit Shielding Licensing

In the ids general-profile default wireless-containment command, the ‘tarpit-non-valid-sta’ and ‘tarpit-all-sta’ options are available only with a RFprotect license. The ‘deauth-only’ and ‘none’ options are available with the Base OS license.

 

 

Environment : This article applies to Aruba Mobility Controllers running ArubaOS version 6.3.0.0.

 

Configuration Steps :

Configuring Tarpit Shielding

 

Tarpit shielding is configured on an AP using one of two methods:

 

Disable all clients— In this method, any client that attempts to associate with an AP marked for containment is sent spoofed frames.

 

Disable non-valid clients— In this method, only non-authorized clients that attempt to associate with an AP is sent to the tarpit.


The choices for disabling Tarpit Shielding on an AP are:

 

Deauth-wireless-containment

Deauth-wireless-containment with tarpit-shielding (excluding-valid-clients)

Deauth-wireless-containment with tarpit-shielding

 

Enabling Tarpit Shielding

 

Use the ids-general-profile command to configure Tarpit Shielding (for detailed information on commands refer to the Command Line Reference Guide).

 

ids general-profile default

 

wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta]

 

 

Verification :

 

Use the following show commands to view updated Tarpit Shielding status and the spoofed frames generated for an AP:

show ap monitor stats …
show ap monitor containment-info

 

Troubleshooting :

 

A station is determined to be in the Tarpit when we see it sending data frames in the fake channel. With some clients, the station remains in tarpit state until the user manually disables and re-enables the wireless interface.

 

Version history
Revision #:
1 of 1
Last update:
‎07-18-2014 05:45 AM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.