Wireless Access

We have containment enabled and managed through Airwave. Rogue detection on AWMS works, the containment settings are successfully pushed back to the controller. The issue is that containment only works when the rogue AP is on the same channel as a nearby AP.

 

Since we hace 'client-aware' enabled, it's expected that the AP won't go off channel to contain a rogue. This is why we also have dedicated air monitors, configured to be rogue aware. These air monitors, however, do not appear to be doing anything to contain the rogur.

 

I have a case open with Aruba, but I wanted to see if anybody in the community had any suggestions.

Do you have have Rogue AP Enforcement Enabled in the IDS profile?

I have 'Rogue Containment' enabled in the IDS unauthorized device profile. I don't seen any option for 'Rogue Enforcement".

You also need Wireless Containment under IDS General Profile

Wireless containment is set to 'tarpit all stations', wired containment is also enabled.

Please look at the knowledgebase article here:  https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-605 to determine if the classifications are really being pushed.

 

I believe that the classifications are actually being pushed as shown by the output of:

 

(MC6000-WH-LISCR-S0) #show wms ap A0:F3:C1:78:63:1E

AP Info
-------
BSSID SSID Channel Type RAP_Type Status Ageout HT-Type HT-Sec-Chan
----- ---- ------- ---- -------- ------ ------ ------- -----------
a0:f3:c1:78:63:1e TP-LINK_78631E 6 generic-ap manually-contain up 0 HT-40mhz 10

 

The classification 'manually contain' is set when the Airwave sends the classification. When we disable management of rogues through Airwavem this classification changes to automatic, but our results are the same (i.e. the rogue isn't contained).

 

The other thing is that containment works fine when the rogue is on the same channel as a nearby AP. This is consistent with client-aware configuration, in that the AP is containing rogues on it's same channel, but won't go of channel when clients are connected.

 

So it's clear that rogue detection, classification, containment, and client-aware work fine. The issue is that the air monitors, which are configured to be rogue aware, and to scan multiple bands and all regulatory domains aren't doing anything to contain the rogue. The rogue is only contained when I put an Aruba AP on the same channel as the rogue.

What type of access points are these and what version of ArubaOS?

They are AP135 access points and the version is 6.1.2.7.

Please try upgrading yo 6.1.3.7 and try again. It seems like you have your bases covered but your code is old...

OK. I'll give that a shot. It's overdue for an upgrade anyway. Probably won't be for a couple of weeks.

I managed to upgrade this weekend. It looks like the containment is working now. I can see the air monitors participating in the tarpitting and my clients can't connect.

 

Thanks

Hi,

 

does the wireless containment go faster with air monitors? Because one of our customers is testing the APs with wireless containment, but they think it it is slow.

So would it go faster if there are APs in monitor mode?

 

Thanks in advance!

 

Air monitors will detect and respond to incidents faster, correct.  Please see the document here:  http://www.arubanetworks.com/pdf/technology/tb_air_monitors.pdf

 

The upgrade fixed the issue