03-12-2015 03:15 PM - edited 03-12-2015 03:44 PM
I'm hoping someone can shed some light on this as I've had a long standing ticket with TAC and I'm still a bit confused. So here it goes:
I've just recently turned on the WIP detection with dedicated Air Monitors. I know that some would argue that having an AP do both AP/AM functions is more ideal, but it is what it is. In either case, in my controlled testing, rogue detection and containment works great as designed (I've also learned through testing and working with TAC that manually classifying a neighbor AP as rogue can also be affected by my IPS :)...This is frowned upon and I don't intend to manually classify unless I'm certain that it's a rogue within my airspace).
What I need help with is understanding why my guest SSID/AP is being tarpitted and clients deauthed when they connect to it. Whenever I connect to my guest SSID, it doesn't matter which client, I get a Tarpit message followed by a Deauth message. The client gets disassociated from the current AP but is still able to utilize network services like HTTP/HTTPS.
TAC thinks that there's another AP out there that is spoofing my clients' connections, but I've scanned through our airspace using a spectrum analyzer and could not find one. My suspicion is that because I'm using a separate AP as an Air Monitor and not the dual role of AP/AM, it somehow is misclassifying my client connecting to a valid open SSID for my guest network and thus generating those log messages. I may be far off, but I need to understand this before implementing the WIP feature enterprise-wide.
I'm more than happy to provide more information (non-sensitive of course) to anyone who cares :).
Thanks and I look forward to your input
03-13-2015 02:28 PM
I did my search for the suggestion that you've made and this is what I came up with:
“Behavior When Protect SSID Setting is Enabled
If enabled, this tells the APs/Controller not to let any 3rd-party AP (or interfering AP) broadcast the SSID that is configured in the "valid-and-protected-ssid" of the IDS unauthorized device profile. This means that an Aruba AP with SSID test (as configured above) will attempt to contain any non-valid AP that is advertising SSID test.
The AP does the containment by sending deauths to anything trying to associate to it (by spoofing the AP's BSSID), and it should be sending deauths to the AP (by spoofing the wireless client MAC address that was trying to associate to it)."
Since this is my Aruba AP and it is not classified as interfering, I shouldn't be seeing this message, correct? I guess if I disabled it, what other considerations should I be mindful of?
Thanks for the response!
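The quoted KB text above describes the two containment patterns: deauths sent to the client with the AP's BSSID spoofed as transmitter, and deauths sent to the AP with the client's MAC spoofed as transmitter. One way to check a monitor-mode capture for exactly those two patterns is to decode the 802.11 management header of each deauth/disassoc frame and compare the claimed transmitter against your own BSSID and client list. The following is an added example, not code from the original post, Aruba or TAC; the frames and addresses in it are constructed for the demo, and a real capture would first need its radiotap header stripped.

```python
import struct
from dataclasses import dataclass
from typing import Optional, List, Tuple

# 802.11 management subtypes (frame type 0). Reason code 7 is
# "class 3 frame received from nonassociated STA", the code most
# containment/deauth tools send.
SUBTYPE_DISASSOC = 0xA
SUBTYPE_DEAUTH = 0xC


@dataclass
class MgmtFrame:
    subtype: int
    receiver: str      # addr1: who the frame is aimed at
    transmitter: str   # addr2: who the frame *claims* to come from
    bssid: str         # addr3
    seq: int           # 12-bit sequence number from the sequence control field
    reason: Optional[int]


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_mgmt_frame(frame: bytes) -> Optional[MgmtFrame]:
    """Decode a raw 802.11 frame (radiotap already removed). Returns None
    unless it is a deauthentication or disassociation frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3          # bits 2-3: 0 = management
    subtype = (fc0 >> 4) & 0xF        # bits 4-7
    if ftype != 0 or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    seq = seq_ctrl >> 4               # low 4 bits are the fragment number
    reason = struct.unpack_from("<H", frame, 24)[0] if len(frame) >= 26 else None
    return MgmtFrame(subtype, mac_str(addr1), mac_str(addr2), mac_str(addr3), seq, reason)


def build_frame(subtype: int, addr1: str, addr2: str, addr3: str, seq: int, reason: int) -> bytes:
    """Construct a deauth/disassoc frame for testing (not from a real capture)."""
    fc = bytes([subtype << 4, 0x00])  # version 0, type 0 (mgmt), no flags
    duration = b"\x00\x00"
    hdr = fc + duration + mac_bytes(addr1) + mac_bytes(addr2) + mac_bytes(addr3)
    hdr += struct.pack("<H", seq << 4)
    return hdr + struct.pack("<H", reason)


def classify(frames: List[bytes], valid_bssids: set, valid_clients: set) -> List[Tuple[str, MgmtFrame]]:
    """Label each deauth/disassoc frame by which containment pattern it matches."""
    findings = []
    for raw in frames:
        f = parse_mgmt_frame(raw)
        if f is None:
            continue
        if f.transmitter in valid_bssids:
            # Aimed at a client, claims to come from one of our APs.
            findings.append(("spoofed-AP-deauth", f))
        elif f.transmitter in valid_clients and f.receiver in valid_bssids:
            # Aimed at our AP, claims to come from one of our clients.
            findings.append(("spoofed-client-deauth", f))
        else:
            findings.append(("other", f))
    return findings


# Constructed sample data: one guest AP BSSID and one guest client (assumed values).
GUEST_BSSID = "00:0b:86:aa:bb:cc"
GUEST_CLIENT = "a4:5e:60:11:22:33"
SAMPLE_FRAMES = [
    build_frame(SUBTYPE_DEAUTH, GUEST_CLIENT, GUEST_BSSID, GUEST_BSSID, 1234, 7),
    build_frame(SUBTYPE_DEAUTH, GUEST_BSSID, GUEST_CLIENT, GUEST_BSSID, 9, 7),
    bytes([0x80, 0x00]) + b"\x00" * 22,  # a beacon (subtype 8): ignored by the parser
]


def run_demo() -> List[str]:
    return [label for label, _ in classify(SAMPLE_FRAMES, {GUEST_BSSID}, {GUEST_CLIENT})]


if __name__ == "__main__":
    for label, f in classify(SAMPLE_FRAMES, {GUEST_BSSID}, {GUEST_CLIENT}):
        print(f"{label:22} rx={f.receiver} tx={f.transmitter} seq={f.seq} reason={f.reason}")
```

Because the containing device spoofs the AP's own BSSID, the addresses alone cannot tell a WIPS-sent deauth from one the AP really sent; what distinguishes them in a capture is that the spoofed frames arrive with a sequence number out of step with the AP's real counter and, in the radiotap header, a different RSSI or channel than the AP's beacons. Those fields are what to compare when deciding whether the frames come from your own Air Monitor or from a third device as TAC suggested.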
03-13-2015 04:38 PM
TAC should be able to figure it out by looking at your logs after they turn on debugging. I would only be guessing based on what you mentioned. You should uncheck everything that says "protect", except for rogue AP protection; otherwise you could cause disruptions.
Aruba Customer Engineering
03-14-2015 06:46 PM
I had a similar problem. Look in your WIPS configuration; you probably have something along the lines of Protect WPA, Require WPA, Privacy, etc.