The Tarpit Shielding feature is a type of wireless containment. Detected devices that are classified as rogues are contained by forcing client association to a fake channel or BSSID. This method of tarpitting is more efficient than rogue containment via repeated de-authorization requests.
The tarpitting process:
1.The AM detects that the client has connected to a rogue device.
2.The AM sends de-authenticate (de-auth) messages to the client and the rogue, in each case impersonating to be the other device.
3.The client attempts to reconnect to the rogue device.
4.The AM answers the client request and completes the association handshake.
5.The client attempts to communicate to send data, and the AM ignores the client.
Understanding Tarpit Shielding Licensing
In the ids general-profile default wireless-containment command, the ‘tarpit-non-valid-sta’ and ‘tarpit-all-sta’ options are available only with a RFprotect license. The ‘deauth-only’ and ‘none’ options are available with the Base OS license.
Environment : This article applies to Aruba Mobility Controllers running ArubaOS version 22.214.171.124.
Configuration Steps :
Configuring Tarpit Shielding
Tarpit shielding is configured on an AP using one of two methods:
Disable all clients— In this method, any client that attempts to associate with an AP marked for containment is sent spoofed frames.
Disable non-valid clients— In this method, only non-authorized clients that attempt to associate with an AP is sent to the tarpit.
The choices for disabling Tarpit Shielding on an AP are:
Deauth-wireless-containment with tarpit-shielding (excluding-valid-clients)
Deauth-wireless-containment with tarpit-shielding
Enabling Tarpit Shielding
Use the ids-general-profile command to configure Tarpit Shielding (for detailed information on commands refer to the Command Line Reference Guide).
ids general-profile default
wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta]
Use the following show commands to view updated Tarpit Shielding status and the spoofed frames generated for an AP:
show ap monitor stats …
show ap monitor containment-info
A station is determined to be in the Tarpit when we see it sending data frames in the fake channel. With some clients, the station remains in tarpit state until the user manually disables and re-enables the wireless interface.