@mcolwell wrote:
@cjoseph wrote:
mcolwell,
Do you have the IDS/IPS (RF Protect License)? If so, tarpitting is more effective than the standard deauth with the base license.
I'm licensed for WIP, PEF, Next Gen PEF
Okay. First check to see what kind of wireless containment you are doing:
(orion.arubanetworks.com) (IDS General Profile "default") #show ids general-profile default
IDS General Profile "default"
-----------------------------
Parameter Value
--------- -----
Stats Update Interval 60 sec
Monitored Device Stats Update Interval 0 sec
AP Inactivity Timeout 20 sec
Adhoc (IBSS) AP Inactivity Timeout 5 sec
AP Max Unseen Timeout 600 sec
Adhoc AP Max Unseen Timeout 180 sec
STA Inactivity Timeout 60 sec
STA Max Unseen Timeout 600 sec
Min Potential AP Beacon Rate 25 %
Min Potential AP Monitor Time 2 sec
Signature Quiet Time 900 sec
Wireless Containment deauth-only <----------------
Debug Wireless Containment false
Wired Containment false
Wired Containment of AP's Adj MACs false
Mobility Manager RTLS false
IDS Event Generation on AP none
Send Adhoc Info to Controller true
You can change that to tarpit, instead:
(3600.arubanetworks.com) (config) #ids general-profile default
(3600.arubanetworks.com) (IDS General Profile "default") #wireless-containment tarpit-all-sta
Check to make sure you changed it:
(3600.arubanetworks.com) (config) #show ids general-profile default
IDS General Profile "default"
-----------------------------
Parameter Value
--------- -----
Stats Update Interval 60 sec
Monitored Device Stats Update Interval 0 sec
AP Inactivity Timeout 20 sec
Adhoc (IBSS) AP Inactivity Timeout 5 sec
AP Max Unseen Timeout 600 sec
Adhoc AP Max Unseen Timeout 180 sec
STA Inactivity Timeout 60 sec
STA Max Unseen Timeout 600 sec
Min Potential AP Beacon Rate 25 %
Min Potential AP Monitor Time 2 sec
Signature Quiet Time 900 sec
Wireless Containment tarpit-all-sta <-----------
Debug Wireless Containment false
Wired Containment false
Wired Containment of AP's Adj MACs false
Mobility Manager RTLS false
IDS Event Generation on AP none
Send Adhoc Info to Controller true
Now the AP should use tarpitting, instead of deauths.