AP's spoofing each other?

  • 1.  AP's spoofing each other?

    Posted Nov 20, 2017 05:49 PM

    In reviewing my IDS logs today I noticed that I have several entries where it's being reported that the AP's at one location are spoofing other AP's at the same location.  This is happening at a remote office (6 AP's) that we manage from a centralized 7220 that also manages several other remote offices, all in the same AP Group. The issue seems to be happening primarily at 1 physical location.  Although they're all AP-225's, they have different MAC OUI's and I notice that it's always one OUI attacking the other.  Are these false positives due to the different OUI's, and if so how can I avoid this alert?

     

     



  • 2.  RE: AP's spoofing each other?

    EMPLOYEE
    Posted Nov 20, 2017 07:10 PM

    What version of ArubaOS is this?

     

    It is quite possible that you have new AP-225s that have a new Aruba OUI, but the version of code is not aware of it:

     

    Type:

    show wms system

    See if under Learned OUIs that all of the OUIs of your deployed Aruba APs are in there.

     

    If they are not, add them by doing this:

     

    config t
    valid-network-oui-profile
    oui <oui not listed>

     



  • 3.  RE: AP's spoofing each other?

    Posted Nov 21, 2017 11:03 AM

    We're on 6.4.4.16.

     

    The OUI's of the attacking and attacked OUI's are learned:

    Detail                Count  Attacker           Target
    AP Spoofing Detected  -      40:E3:D6:CE:AE:73  18:64:72:40:10:B3

     

     

     

    Learned OUIs for Deployed APs
    ------------------------------
    OUI
    ---
    40:e3:d6:00:00:00
    b4:5d:50:00:00:00
    a8:bd:27:00:00:00
    f0:5c:19:00:00:00
    04:bd:88:00:00:00
    44:48:c1:00:00:00
    9c:1c:12:00:00:00
    18:64:72:00:00:00
    84:d4:7e:00:00:00
    70:3a:0e:00:00:00
    94:b4:0f:00:00:00

     

    I'm stumped!

     



  • 4.  RE: AP's spoofing each other?

    EMPLOYEE
    Posted Nov 21, 2017 11:21 AM

    Please open a TAC case.  It is not immediately apparent what your issue is.



  • 5.  RE: AP's spoofing each other?

    Posted Nov 21, 2017 11:26 AM

    I'll get a case open because as I look even closer at the report, I see that I also have AP's spoofing themselves...

     

    Detail                Count  Attacker           Target             Time                    AP/Device
    AP Spoofing Detected  -      94:B4:0F:21:E8:66  94:B4:0F:21:E8:66  11/13/2017 3:10 PM EST  001-CAN3-AP-C3-05
    AP Spoofing Detected  -      04:BD:88:17:36:C6  04:BD:88:17:36:C6  11/13/2017 3:12 PM EST  001-MR41-AP-P2-4-08
    AP Spoofing Detected  -      04:BD:88:17:39:26  04:BD:88:17:39:26  11/17/2017 9:31 AM EST  001-MRG1-AP-P2-G-01
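
Added example, not part of any post in this thread: a Python sketch of the check suggested in post 2, run over the learned-OUI list from post 3 and the alert rows from posts 3 and 5 in the run-together form they were pasted in. The function names and verdict labels are assumptions made for this example, and the last alert row is constructed to show the unlearned-OUI case.

```python
import re

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

# "Learned OUIs for Deployed APs" from `show wms system`, as pasted in post 3.
LEARNED = """
40:e3:d6:00:00:00 b4:5d:50:00:00:00 a8:bd:27:00:00:00 f0:5c:19:00:00:00
04:bd:88:00:00:00 44:48:c1:00:00:00 9c:1c:12:00:00:00 18:64:72:00:00:00
84:d4:7e:00:00:00 70:3a:0e:00:00:00 94:b4:0f:00:00:00
"""

# Alert rows from posts 3 and 5; the final row is constructed for illustration.
ALERTS = [
    "AP Spoofing Detected-40:E3:D6:CE:AE:7318:64:72:40:10:B3",
    "AP Spoofing Detected-94:B4:0F:21:E8:6694:B4:0F:21:E8:66"
    "11/13/2017 3:10 PM EST001-CAN3-AP-C3-05",
    "AP Spoofing Detected-02:00:00:AA:BB:CC18:64:72:40:10:B3",  # constructed
]


def oui(mac):
    """First three octets of a MAC, lower-cased (e.g. '40:e3:d6')."""
    return mac.lower()[:8]


def learned_ouis(text):
    """Collect the OUI prefixes from the 'Learned OUIs' listing."""
    return {oui(m) for m in MAC_RE.findall(text)}


def triage(row, learned):
    """Return (verdict, attacker, target, unlearned_ouis) for one alert row.

    MACs are fixed-width, so the first two regex matches are the attacker
    and target even when the export has lost its column separators.
    """
    macs = [m.lower() for m in MAC_RE.findall(row)]
    if len(macs) < 2:
        return ("unparsed", None, None, [])
    attacker, target = macs[0], macs[1]
    missing = sorted({oui(attacker), oui(target)} - learned)
    if missing:
        verdict = "oui-not-learned"    # candidate for valid-network-oui-profile
    elif attacker == target:
        verdict = "self-reported"      # attacker and target are the same BSSID
    else:
        verdict = "both-ouis-learned"  # OUI list does not explain the alert
    return (verdict, attacker, target, missing)


if __name__ == "__main__":
    known = learned_ouis(LEARNED)
    for row in ALERTS:
        print(triage(row, known))
```
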


  • 6.  RE: AP's spoofing each other?

    Posted Mar 15, 2018 11:57 AM

     Hi 

     

    Did you find a fix for this? 

     

    Thanks.



  • 7.  RE: AP's spoofing each other?

    Posted Mar 15, 2018 12:06 PM
    No, but thanks for the reminder to re-visit the issue. It doesn't seem to cause a tangible problem but it's a symptom of something amiss for sure.









  • 8.  RE: AP's spoofing each other?

    Posted Jan 03, 2019 01:46 AM

    Having this same issue.  Did you ever get this resolved? Seems to be AirWave reporting much more than the controller interface is.

     

    AirWave shows this (~55 attacks/2hr):

    F0:5C:19:A0:40:F0  F0:5C:19:A0:2F:F0  1/3/2019 12:11 AM CST
    F0:5C:19:A0:40:E0  F0:5C:19:A0:51:E0  1/3/2019 12:12 AM CST
    F0:5C:19:A0:3A:20  40:E3:D6:A6:AD:20  1/3/2019 12:13 AM CST
    F0:5C:19:A0:51:F0  F0:5C:19:A0:2F:F0  1/3/2019 12:15 AM CST

    Mobility Controller doesn't even list the ones AirWave shows:

    High  12/31/2018 4:32   AP Spoofing  f0:5c:19:a0:36:21  Infrastructure  1  Rx-MAC:01:40:96:ff:ff:00; Type:Data; BSSID:b4:5d:50:b3:ca:c1; Channel:6; SNR:3; SSID:
    High  12/28/2018 11:15  AP Spoofing  b4:5d:50:b3:a2:c1  Infrastructure  1  Rx-MAC:01:40:96:ff:ff:00; Type:Data; BSSID:b4:5d:50:b3:ca:c1; Channel:6; SNR:4; SSID:
    High  12/23/2018 1:44   AP Spoofing  f0:5c:19:a0:3f:d0  Infrastructure  2  Rx-MAC:f0:5c:19:a0:3f:d0; Type:Mgmt; BSSID:f0:5c:19:a0:3f:d0; Channel:149; SNR:11; SSID:
    High  12/19/2018 22:19  AP Spoofing  f0:5c:19:a0:41:30  Infrastructure  1  Rx-MAC:f0:5c:19:a0:41:30; Type:Mgmt; BSSID:f0:5c:19:a0:41:30; Channel:149; SNR:14; SSID:


  • 9.  RE: AP's spoofing each other?

    Posted Jan 04, 2019 01:48 PM

    I have a case open on this now.  The only thing we've been able to deduce so far is that the "attacking" and "attacked" BSS MAC's are from the Guest SSID.  Which code version are you on and which WLC / AP models?



  • 10.  RE: AP's spoofing each other?

    Posted Jan 11, 2019 10:47 PM

    Running a 7030 in standalone with ArubaOS 8.3 with 32xAP-215 and 1xAP-225.  Currently we are just using employee VLANs with ACL policies.  All of the routing/DHCP/NAT/gateway is on a MikroTik CCR.

     

    The solution my TAC rep gave me was to disable it under the security tab for the AP profile.  The controller was just reporting them as warnings, still odd.  Gonna upgrade to 8.4 on Sunday, re-enable it, and see if it's still there.

     

    Let me know if they ever get you a solution, other than disabling it.



  • 11.  RE: AP's spoofing each other?

    Posted Feb 19, 2020 08:11 AM

    Good day. We are having a similar issue and were curious if you were able to make any progress in resolving your issue and if so, what was done?



  • 12.  RE: AP's spoofing each other?

    Posted Feb 19, 2020 11:22 AM

    VZRob,

     

    Aruba declared it a "cosmetic bug" and had me disable the IDS alert.  We've since moved to 6.5.4.14 code (from 6.4.4.16, I think), so I'll re-enable the alert and see if it's still there.