Wireless Access

Reply
MVP
Posts: 1,110
Registered: ‎10-11-2011

Client Associating On Wrong Channel

I was looking through IDS events and noticed a lot of "Client Associating On Wrong Channel" attacks.  RAPIDS classifies this event as the highest of severities so I thought I'd see if this is really something to be concerned about.  In the last 2 hours 97 events have been logged, and 460 in the last 24 hours.  My MAC has come up as an attacker for this specific event.  Any thoughts?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Moderator
Posts: 1,252
Registered: ‎10-16-2008

Re: Client Associating On Wrong Channel

[ Edited ]

For IDS events, there's currently no way to change the severity of events (that'd be a good idea for a feature request though).  The severity is hardcoded.  Typically, 'Client Associating on Wrong Channel' only appears in AMP when we see a trap come with the OID: wlsxClientAssociatingOnWrongChannel.

 

This particular OID is defined as:

"This trap indicates that an AP detected a client trying to associate to one of its BSSIDs on the wrong channel. This can be a sign that the BSSID is being spoofed in order to fool the client into thinking the AP is operating on another channel."

 

(Some more info on Aruba WIPs can be found here: http://www.arubanetworks.com/techdocs/ArubaOS_61/ROBOHELP%20UG%206.1/ArubaOS_User_Guide_-_volumes/New_WIP.htm - the portion that pertains to 'Client Associating on Wrong Channel' is under 'Detect AP Spoofing')

 

If you're seeing this trap fire pretty often, you may want to pay attention to how often your APs are switching channels.  It could be a false positive.  Do you currently have ARM enabled?


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
MVP
Posts: 1,110
Registered: ‎10-11-2011

Re: Client Associating On Wrong Channel

Thanks for the info.

 

Yes, ARM is enabled.  I wouldn't say that channels change frequently on APs.  We have client aware enabled, so most of the channel changing occurs early morning and late at night when fewer users are on.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Search Airheads
Showing results for 
Search instead for 
Did you mean: