Wireless Access

Reply
MVP
Posts: 707
Registered: ‎12-01-2010

Blacklist reporting??

This morning is our first day running 6.2.0.2 on our controllers (6 3600 controllers, one as master) which all report to Airwave.

 

We've had a few users call to say that they can't connect to the wireless network.

After finding nothing to explain the problem in Airwave, I turned to the local controllers.

 

In each cse, the user was blacklisted for IP spoofing.

 

That's the sort of thing I'd expect to have been reported to Airwave.  Where should I look to find it in Airwave?

and/or Can someone suggest what settings I should adjust to get the controllers to report it?

 

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Moderator
Posts: 1,252
Registered: ‎10-16-2008

Re: Blacklist reporting??

First thing to try would be the IDS Events report.  Check and see if you have the pre-made IDS Events report.  If not, then create a new report and set type to IDS Events.

 

If you want to go deeper than that, you can create a trigger.  Go to System -> Triggers, create a new trigger of Type = Device Event.  Add conditions:

          SNMP Trap Category = IDS

          Event Type = SNMP Trap

This is a baseline for the trigger, once you've received a few alerts, you can add the 'Event Contents' portion to narrow down the alerts


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
MVP
Posts: 707
Registered: ‎12-01-2010

Re: Blacklist reporting??

Allow me to clarify.  I'm not looking for Airwave to notify me (yet), I'm looking for the controller to tell Airwave.

 

When I look in IDS events -> all IDS events, I'd expect to see something mentioning that the controller blacklisted 2 devices this morning for IP spoofing.  I don't see any evidence that the controller told Airwave.

 

We do see where the controller told syslog:

Jan 25 08:07:37 10.21.0.65 stm[1696]: <501097> <WARN> <000boiid-wc2 10.21.0.65>  Assoc request: 00:1d:d9:5e:fb:1f: Dropped AP 10.10.6.27-00:1a:1e:f1:6a:01-go-ap3 for STA DoS protection

 

Shouldn't Airwave (as the offloaded WMS) get this info as well?

 

--Matthew

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Moderator
Posts: 1,252
Registered: ‎10-16-2008

Re: Blacklist reporting??

Got it.  The feature you describe is currently not in AMP yet.  It's something that should be filed into the Ideas Portal on the support site.  I completely agree that it's difficult to track, perhaps a report on new blacklisted clients may help.  If you've can expand on usage and how you'd like to see the feature, please add it when you file the feature request, as it will help when the feature gets added.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
MVP
Posts: 1,418
Registered: ‎10-25-2011

Re: Blacklist reporting??

If you don't have the means to file the idea on the ideas portal, post the details here of what you want and I will add it for you.

 

As a service provider, this is very useful

Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Search Airheads
Showing results for 
Search instead for 
Did you mean: