Wireless Access

last person joined: yesterday 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Blacklist reporting??

This thread has been viewed 0 times

  • 1.  Blacklist reporting??

    Posted Jan 24, 2013 01:59 PM

    This morning is our first day running 6.2.0.2 on our controllers (6 3600 controllers, one as master) which all report to Airwave.

     

    We've had a few users call to say that they can't connect to the wireless network.

    After finding nothing to explain the problem in Airwave, I turned to the local controllers.

     

    In each cse, the user was blacklisted for IP spoofing.

     

    That's the sort of thing I'd expect to have been reported to Airwave.  Where should I look to find it in Airwave?

    and/or Can someone suggest what settings I should adjust to get the controllers to report it?

     


    #3600


  • 2.  RE: Blacklist reporting??

    EMPLOYEE
    Posted Jan 24, 2013 06:19 PM

    First thing to try would be the IDS Events report.  Check and see if you have the pre-made IDS Events report.  If not, then create a new report and set type to IDS Events.

     

    If you want to go deeper than that, you can create a trigger.  Go to System -> Triggers, create a new trigger of Type = Device Event.  Add conditions:

              SNMP Trap Category = IDS

              Event Type = SNMP Trap

    This is a baseline for the trigger, once you've received a few alerts, you can add the 'Event Contents' portion to narrow down the alerts



  • 3.  RE: Blacklist reporting??

    Posted Jan 25, 2013 02:14 PM

    Allow me to clarify.  I'm not looking for Airwave to notify me (yet), I'm looking for the controller to tell Airwave.

     

    When I look in IDS events -> all IDS events, I'd expect to see something mentioning that the controller blacklisted 2 devices this morning for IP spoofing.  I don't see any evidence that the controller told Airwave.

     

    We do see where the controller told syslog:

    Jan 25 08:07:37 10.21.0.65 stm[1696]: <501097> <WARN> <000boiid-wc2 10.21.0.65>  Assoc request: 00:1d:d9:5e:fb:1f: Dropped AP 10.10.6.27-00:1a:1e:f1:6a:01-go-ap3 for STA DoS protection

     

    Shouldn't Airwave (as the offloaded WMS) get this info as well?

     

    --Matthew



  • 4.  RE: Blacklist reporting??

    EMPLOYEE
    Posted Jan 25, 2013 05:22 PM

    Got it.  The feature you describe is currently not in AMP yet.  It's something that should be filed into the Ideas Portal on the support site.  I completely agree that it's difficult to track, perhaps a report on new blacklisted clients may help.  If you've can expand on usage and how you'd like to see the feature, please add it when you file the feature request, as it will help when the feature gets added.



  • 5.  RE: Blacklist reporting??

    Posted Jan 29, 2013 10:42 AM

    If you don't have the means to file the idea on the ideas portal, post the details here of what you want and I will add it for you.

     

    As a service provider, this is very useful