Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

AM not disabling N mode AP

  • 1.  AM not disabling N mode AP

    Posted Jan 17, 2012 03:40 PM

    I've got an AP 105 that I've got configured as an AM.

     

    It seems to work great at keeping my B/G clients from connecting to a rogue AP but not my N clients.

     

    What might I be doing wrong?

     

    Thanks



  • 2.  RE: AM not disabling N mode AP

    EMPLOYEE
    Posted Jan 17, 2012 03:47 PM

    I'm not sure this matters, but is High throughput enabled on both 2.4 and 5 in the radio profiles for your AM?



  • 3.  RE: AM not disabling N mode AP

    Posted Jan 18, 2012 01:00 PM
    Perhaps my post was premature...
    It does seem to be working, but it's not as quick to kill machines that have an existing connection to the rogue on N. B/G detection/protecting seemed to knock down connections to rogue APs almost instantly.

     



  • 4.  RE: AM not disabling N mode AP

    EMPLOYEE
    Posted Jan 18, 2012 02:19 PM

    mcolwell,

     

    Do you have the IDS/IPS (RF Protect License)?  If so, tarpitting is more effective than the standard deauth with the base license.

     



  • 5.  RE: AM not disabling N mode AP

    Posted Jan 20, 2012 05:27 PM

    @cjoseph wrote:

    mcolwell,

     

    Do you have the IDS/IPS (RF Protect License)?  If so, tarpitting is more effective than the standard deauth with the base license.

     


    I'm licensed for WIP, PEF, Next Gen PEF



  • 6.  RE: AM not disabling N mode AP

    EMPLOYEE
    Posted Jan 20, 2012 06:12 PM

    @mcolwell wrote:

    @cjoseph wrote:

    mcolwell,

     

    Do you have the IDS/IPS (RF Protect License)?  If so, tarpitting is more effective than the standard deauth with the base license.

     


    I'm licensed for WIP, PEF, Next Gen PEF


    Okay.  First check to see what kind of wireless containment you are doing:

     

    (orion.arubanetworks.com) (IDS General Profile "default") #show ids general-profile default
    IDS General Profile "default"
    -----------------------------
    Parameter                               Value
    ---------                               -----
    Stats Update Interval                   60 sec
    Monitored Device Stats Update Interval  0 sec
    AP Inactivity Timeout                   20 sec
    Adhoc (IBSS) AP Inactivity Timeout      5 sec
    AP Max Unseen Timeout                   600 sec
    Adhoc AP Max Unseen Timeout             180 sec
    STA Inactivity Timeout                  60 sec
    STA Max Unseen Timeout                  600 sec
    Min Potential AP Beacon Rate            25 %
    Min Potential AP Monitor Time           2 sec
    Signature Quiet Time                    900 sec
    Wireless Containment                    deauth-only  <----------------
    Debug Wireless Containment              false
    Wired Containment                       false
    Wired Containment of AP's Adj MACs      false
    Mobility Manager RTLS                   false
    IDS Event Generation on AP              none
    Send Adhoc Info to Controller           true

     

     

    You can change that to tarpit, instead:

     

    (3600.arubanetworks.com) (config) #ids general-profile default
    (3600.arubanetworks.com) (IDS General Profile "default") #wireless-containment tarpit-all-sta
    

     

    Check to make sure you changed it:

     

    (3600.arubanetworks.com) (config) #show ids general-profile default
    
    IDS General Profile "default"
    -----------------------------
    Parameter                               Value
    ---------                               -----
    Stats Update Interval                   60 sec
    Monitored Device Stats Update Interval  0 sec
    AP Inactivity Timeout                   20 sec
    Adhoc (IBSS) AP Inactivity Timeout      5 sec
    AP Max Unseen Timeout                   600 sec
    Adhoc AP Max Unseen Timeout             180 sec
    STA Inactivity Timeout                  60 sec
    STA Max Unseen Timeout                  600 sec
    Min Potential AP Beacon Rate            25 %
    Min Potential AP Monitor Time           2 sec
    Signature Quiet Time                    900 sec
    Wireless Containment                    tarpit-all-sta  <-----------
    Debug Wireless Containment              false
    Wired Containment                       false
    Wired Containment of AP's Adj MACs      false
    Mobility Manager RTLS                   false
    IDS Event Generation on AP              none
    Send Adhoc Info to Controller           true
    

     Now the AP should use tarpitting, instead of deauths.

     



  • 7.  RE: AM not disabling N mode AP

    Posted Jan 23, 2012 11:54 AM

    I don't seem to have those options.

     

    It looks like you need RFProtect for tarpit options??

     

    If you can do this without RFProtect, what's the minimum OS you need?



  • 8.  RE: AM not disabling N mode AP

    EMPLOYEE
    Posted Jan 23, 2012 12:09 PM

    When you upgrade to AOS 6.x, the WIP license will automatically be upgraded to the RFProtect license.  You are currently licensed for WIP which means you will be licensed for RFProtect once you upgrade.  AOS 6.0 introduced a lot of new IDS features including tarpitting, a new configuration wizard, new IDS signatures, better channel scanning, etc.  I would recommend upgrading to AOS 6.1.2.7 if your controller supports it.  Legacy controllers (200, 800, 2400, sup1, sup2) do not support 6.x.  The current generation of controllers (6xx, 3xxx, M3) support AOS 6.x.

     

    Another option to consider is enabling wired containment in addition to the wireless containment.  It will help keep the rogue device off of the network.
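
The two settings discussed in the replies above (wireless containment mode and wired containment), checked over saved `show ids general-profile` output. This is an added example, not part of the original posts or any Aruba tooling. The controller names and captures are constructed, and the parser assumes the column-aligned layout with at least two spaces between parameter and value.

```python
import re

# Constructed captures of "show ids general-profile default", trimmed to the
# rows of interest and laid out like the column-aligned output in the thread.
CAPTURES = {
    "controller-a": """\
IDS General Profile "default"
-----------------------------
Parameter                               Value
---------                               -----
STA Max Unseen Timeout                  600 sec
Wireless Containment                    deauth-only  <----------------
Debug Wireless Containment              false
Wired Containment                       false
Wired Containment of AP's Adj MACs      false
""",
    "controller-b": """\
Parameter                               Value
---------                               -----
Wireless Containment                    tarpit-all-sta
Wired Containment                       true
""",
}

# Parameter name, then a run of 2+ spaces, then the value.
ROW = re.compile(r"^\s*(?P<key>\S(?:.*?\S)?)\s{2,}(?P<value>\S.*?)\s*$")

def parse_profile(text):
    """Return {parameter: value} from one captured profile listing."""
    params = {}
    for line in text.splitlines():
        line = re.sub(r"\s*<-+\s*$", "", line)  # drop hand-added arrow markers
        m = ROW.match(line)
        if m and m["key"] != "Parameter" and set(m["key"]) != {"-"}:
            params[m["key"]] = m["value"]
    return params

def audit(params):
    """List the containment settings the thread suggests revisiting."""
    findings = []
    mode = params.get("Wireless Containment")
    if mode is None:
        findings.append("Wireless Containment row missing from capture")
    elif mode != "tarpit-all-sta":
        findings.append(f"Wireless Containment is {mode}, not tarpit-all-sta")
    if params.get("Wired Containment") != "true":
        findings.append("Wired Containment is not enabled")
    return findings

if __name__ == "__main__":
    for name, text in CAPTURES.items():
        print(name, audit(parse_profile(text)) or "ok")
```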



  • 9.  RE: AM not disabling N mode AP

    Posted Jan 23, 2012 03:34 PM
    I'm stuck on 5.x because about 1/2 of my controllers are too old.
    I'd considered pulling the old ones off my master controller and creating a second master/local system that contained just the non 6.x compatible equipment - but I don't know if it's worth the added admin time.