Occasional Contributor II

AP's spoofing each other?

In reviewing my IDS logs today I noticed that I have several entries where it's being reported that the AP's at one location are spoofing other AP's at the same location.  This is happening at a remote office (6 AP's) that we manage from a centralized 7220 that also manages several other remote offices, all in the same AP Group. The issue seems to be happening primarily at 1 physical location.  Although they're all AP-225's, they have different MAC OUI's and I notice that it's always one OUI attacking the other.  Are these false positives due to the different OUI's, and if so how can I avoid this alert?

 

 

Guru Elite

Re: AP's spoofing each other?

What version of ArubaOS is this?

 

It is quite possible that you have new AP-225s that have a new Aruba OUI, but the version of code is not aware of it:

 

Type:

show wms system

See if under Learned OUIs that all of the OUIs of your deployed Aruba APs are in there.

 

If they are not, add them by doing this:

 

config t
valid-network-oui-profile
oui <oui not listed>

 



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II

Re: AP's spoofing each other?

We're on 6.4.4.16.

 

The OUI's of the attacking and attacked OUI's are learned:

Detail                Count  Attacker           Target
AP Spoofing Detected  -      40:E3:D6:CE:AE:73  18:64:72:40:10:B3

 

 

 

Learned OUIs for Deployed APs
------------------------------
OUI
---
40:e3:d6:00:00:00
b4:5d:50:00:00:00
a8:bd:27:00:00:00
f0:5c:19:00:00:00
04:bd:88:00:00:00
44:48:c1:00:00:00
9c:1c:12:00:00:00
18:64:72:00:00:00
84:d4:7e:00:00:00
70:3a:0e:00:00:00
94:b4:0f:00:00:00

 

I'm stumped!

 

Guru Elite

Re: AP's spoofing each other?

Please open a TAC case.  It is not immediately apparent what your issue is.



Colin Joseph
Aruba Customer Engineering


Occasional Contributor II

Re: AP's spoofing each other?

I'll get a case open because as I look even closer at the report, I see that I also have AP's spoofing themselves...

 

Detail                Count  Attacker           Target             Time                    AP/Device
AP Spoofing Detected  -      94:B4:0F:21:E8:66  94:B4:0F:21:E8:66  11/13/2017 3:10 PM EST  001-CAN3-AP-C3-05
AP Spoofing Detected  -      04:BD:88:17:36:C6  04:BD:88:17:36:C6  11/13/2017 3:12 PM EST  001-MR41-AP-P2-4-08
AP Spoofing Detected  -      04:BD:88:17:39:26  04:BD:88:17:39:26  11/17/2017 9:31 AM EST  001-MRG1-AP-P2-G-01
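
The two checks made in this thread (are both OUIs in the Learned OUIs list, and is the attacker MAC the same as the target), as an added example that is not part of the original posts or of Aruba's tooling. The sample data is copied from the posts above; the function names and verdict labels are assumptions made for illustration.

```python
import re

# Sample data copied from the thread: the "Learned OUIs" block of `show wms system`.
WMS_OUTPUT = """Learned OUIs for Deployed APs
------------------------------
OUI
---
40:e3:d6:00:00:00
b4:5d:50:00:00:00
a8:bd:27:00:00:00
f0:5c:19:00:00:00
04:bd:88:00:00:00
44:48:c1:00:00:00
9c:1c:12:00:00:00
18:64:72:00:00:00
84:d4:7e:00:00:00
70:3a:0e:00:00:00
94:b4:0f:00:00:00
"""
# (attacker, target) pairs from the IDS report rows quoted in the thread.
EVENTS = [("40:E3:D6:CE:AE:73", "18:64:72:40:10:B3"),
          ("94:B4:0F:21:E8:66", "94:B4:0F:21:E8:66"),
          ("04:BD:88:17:36:C6", "04:BD:88:17:36:C6"),
          ("04:BD:88:17:39:26", "04:BD:88:17:39:26")]
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

def norm(mac):
    """Lower-case a MAC, accept '-' separators, reject anything else."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac

def parse_learned_ouis(text):
    """Return the 3-octet prefixes listed one per line in the CLI output."""
    lines = (ln.strip().lower() for ln in text.splitlines())
    return {ln[:8] for ln in lines if MAC_RE.fullmatch(ln)}

def triage(events, learned):
    """Yield (attacker, target, verdict, unlearned OUIs) for each event.

    unlearned-oui: an OUI is missing from the learned list;
    self-spoof: attacker equals target; both-learned: OUIs do not explain it.
    """
    for attacker, target in events:
        a, t = norm(attacker), norm(target)
        unknown = sorted({a[:8], t[:8]} - learned)
        verdict = ("unlearned-oui" if unknown else
                   "self-spoof" if a == t else "both-learned")
        yield a, t, verdict, unknown

if __name__ == "__main__":
    print(*triage(EVENTS, parse_learned_ouis(WMS_OUTPUT)), sep="\n")
```

On the data in this thread no event comes back as `unlearned-oui`, which matches the poster's finding that the learned list does not explain the alerts.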