Occasional Contributor II
Posts: 44
Registered: ‎10-06-2009

AM not disabling N mode AP

I've got an AP 105 that I've got configured as an AM.

 

It seems to work great at keeping my B/G clients from connecting to a rogue AP but not my N clients.

 

What might I be doing wrong?

 

Thanks

Aruba Employee
Posts: 571
Registered: ‎04-17-2009

Re: AM not disabling N mode AP

I'm not sure this matters, but is High throughput enabled on both 2.4 and 5 in the radio profiles for your AM?

Thanks,

Zach Jennings
Occasional Contributor II
Posts: 44
Registered: ‎10-06-2009

Re: AM not disabling N mode AP

Perhaps my post was premature...
It does seem to be working, but it's not as quick to kill machines that have an existing connection to the rogue on N. B/G detection/protecting seemed to knock down connections to rogue APs almost instantly.

 

Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: AM not disabling N mode AP

mcolwell,

 

Do you have the IDS/IPS (RF Protect License)?  If so, tarpitting is more effective than the standard deauth with the base license.

 



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 44
Registered: ‎10-06-2009

Re: AM not disabling N mode AP


cjoseph wrote:

mcolwell,

 

Do you have the IDS/IPS (RF Protect License)?  If so, tarpitting is more effective than the standard deauth with the base license.

 


I'm licensed for WIP, PEF, Next Gen PEF

Guru Elite
Posts: 21,026
Registered: ‎03-29-2007

Re: AM not disabling N mode AP


mcolwell wrote:

cjoseph wrote:

mcolwell,

 

Do you have the IDS/IPS (RF Protect License)?  If so, tarpitting is more effective than the standard deauth with the base license.

 


I'm licensed for WIP, PEF, Next Gen PEF


Okay.  First check to see what kind of wireless containment you are doing:

 

(orion.arubanetworks.com) (IDS General Profile "default") #show ids general-profile default
IDS General Profile "default"
-----------------------------
Parameter                               Value
---------                               -----
Stats Update Interval                   60 sec
Monitored Device Stats Update Interval  0 sec
AP Inactivity Timeout                   20 sec
Adhoc (IBSS) AP Inactivity Timeout      5 sec
AP Max Unseen Timeout                   600 sec
Adhoc AP Max Unseen Timeout             180 sec
STA Inactivity Timeout                  60 sec
STA Max Unseen Timeout                  600 sec
Min Potential AP Beacon Rate            25 %
Min Potential AP Monitor Time           2 sec
Signature Quiet Time                    900 sec
Wireless Containment                    deauth-only  <----------------
Debug Wireless Containment              false
Wired Containment                       false
Wired Containment of AP's Adj MACs      false
Mobility Manager RTLS                   false
IDS Event Generation on AP              none
Send Adhoc Info to Controller           true

 

 

You can change that to tarpit, instead:

 

(3600.arubanetworks.com) (config) #ids general-profile default
(3600.arubanetworks.com) (IDS General Profile "default") #wireless-containment tarpit-all-sta

 

Check to make sure you changed it:

 

(3600.arubanetworks.com) (config) #show ids general-profile default

IDS General Profile "default"
-----------------------------
Parameter                               Value
---------                               -----
Stats Update Interval                   60 sec
Monitored Device Stats Update Interval  0 sec
AP Inactivity Timeout                   20 sec
Adhoc (IBSS) AP Inactivity Timeout      5 sec
AP Max Unseen Timeout                   600 sec
Adhoc AP Max Unseen Timeout             180 sec
STA Inactivity Timeout                  60 sec
STA Max Unseen Timeout                  600 sec
Min Potential AP Beacon Rate            25 %
Min Potential AP Monitor Time           2 sec
Signature Quiet Time                    900 sec
Wireless Containment                    tarpit-all-sta  <-----------
Debug Wireless Containment              false
Wired Containment                       false
Wired Containment of AP's Adj MACs      false
Mobility Manager RTLS                   false
IDS Event Generation on AP              none
Send Adhoc Info to Controller           true

 Now the AP should use tarpitting, instead of deauths.

 



Colin Joseph
Aruba Customer Engineering
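
The check described in the post above can be scripted when several controllers have to be reviewed. This is an added example, not part of the original post and not Aruba code: it parses saved `show ids general-profile` output and reports the containment settings. It assumes the column-aligned form of the output (two or more spaces between columns); the sample text, the `controller.example` prompt and the function names are constructed for illustration.

```python
import re

# Constructed sample in the column-aligned format shown in the thread (rows trimmed).
SAMPLE = """\
(controller.example) (config) #show ids general-profile default

IDS General Profile "default"
-----------------------------
Parameter                               Value
---------                               -----
STA Inactivity Timeout                  60 sec
Wireless Containment                    deauth-only  <----------------
Debug Wireless Containment              false
Wired Containment                       false
Wired Containment of AP's Adj MACs      false
"""

def parse_profile(text):
    """Return (profile name, {parameter: value}) from the CLI output."""
    name, params = None, {}
    for raw in text.splitlines():
        line = re.sub(r"\s*<-+\s*$", "", raw).strip()  # drop hand-drawn arrows
        header = re.fullmatch(r'IDS General Profile "(.+)"', line)
        if header:
            name = header.group(1)
            continue
        if not line or set(line) <= {"-", " "}:        # blank or ruler line
            continue
        cols = re.split(r"\s{2,}", line, maxsplit=1)   # names contain single spaces
        if len(cols) == 2 and cols != ["Parameter", "Value"]:
            params[cols[0]] = cols[1]
    return name, params

def audit(text):
    """Return (profile name, findings) for the containment settings."""
    name, p = parse_profile(text)
    findings = []
    mode = p.get("Wireless Containment")               # exact key, not a substring match
    if mode is None:
        findings.append("Wireless Containment row not found")
    elif mode == "deauth-only":
        findings.append("wireless containment is deauth-only, not tarpit")
    elif not mode.startswith("tarpit"):
        findings.append("wireless containment is %r" % mode)
    if p.get("Wired Containment") != "true":
        findings.append("wired containment is not enabled")
    return name, findings

if __name__ == "__main__":
    profile, issues = audit(SAMPLE)
    print(profile, issues or "ok")
```

Matching on the exact parameter name matters here because a plain text search for "Wireless Containment" also hits the "Debug Wireless Containment" row.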


Occasional Contributor II
Posts: 44
Registered: ‎10-06-2009

Re: AM not disabling N mode AP

I don't seem to have those options.

 

It looks like you need RFProtect for tarpit options??

 

If you can do this without RFProtect, what's the minimum OS you need?

Moderator
Posts: 123
Registered: ‎04-17-2009

Re: AM not disabling N mode AP

When you upgrade to AOS 6.x, the WIP license will automatically be upgraded to the RFProtect license.  You are currently licensed for WIP which means you will be licensed for RFProtect once you upgrade.  AOS 6.0 introduced a lot of new IDS features including tarpitting, a new configuration wizard, new IDS signatures, better channel scanning, etc.  I would recommend upgrading to AOS 6.1.2.7 if your controller supports it.  Legacy controllers (200, 800, 2400, sup1, sup2) do not support 6.x.  The current generation of controllers (6xx, 3xxx, M3) support AOS 6.x.

 

Another option to consider is enabling wired containment in addition to the wireless containment.  It will help keep the rogue device off of the network.

Occasional Contributor II
Posts: 44
Registered: ‎10-06-2009

Re: AM not disabling N mode AP

I'm stuck on 5.x because about 1/2 of my controllers are too old.
I'd considered pulling the old ones off my master controller and creating a second master/local system that contained just the non 6.x compatible equipment - but I don't know if it's worth the added admin time.