Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Evil Twin, controller, Airwave, and SIEM logging

  • 1.  Evil Twin, controller, Airwave, and SIEM logging

    Posted Mar 25, 2016 11:30 AM

    Hello, I am a recovering Cisco wireless user abuser. I am new to my organization and new to Aruba/Airwave. I seem to have an issue and I have found some suggested documents to read, but I thought I'd throw this out now. I set up an evil twin to test the controller and Airwave rules. The controller sees my evil twin SSID - this is the SSID I use to connect to it. However, I set it up to broadcast out any/all other SSIDs it sees being broadcast; I'll call them "fake SSIDs" - there are around 15 different ones. Neither the controller nor Airwave can detect those fake SSIDs. Also, none of the rogues I set up are getting logged into our SIEM - QRadar.

    Would anyone have some suggestions, thoughts, ideas, or be able to point me in the direction to help us detect the Evil Twin and get this logged into our SIEM?



  • 2.  RE: Evil Twin, controller, Airwave, and SIEM logging

    EMPLOYEE
    Posted Mar 25, 2016 11:33 AM

    If you have the RF Protect license in your controller, you would be configuring impersonation parameters:  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/New_WIP/Intrusion_Detection.htm?Highlight=impersonation



  • 3.  RE: Evil Twin, controller, Airwave, and SIEM logging

    Posted Mar 25, 2016 11:37 AM

    We do have the Protect license, so I will check out your link and see how things are configured. I should say, our network team handles all the controller settings - I am IT Security.

    Thanks for your input.



  • 4.  RE: Evil Twin, controller, Airwave, and SIEM logging

    Posted Apr 04, 2016 11:54 AM

    As a follow-up: We called Airwave help and we were told that Airwave rogue alerts cannot be sent to our SIEM. They said they would send the request to their product development team.

    I find it hard to believe that I would be the first one to try and do this. Does anyone have thoughts about this? Are you getting alerts from the rogue rules you created in RAPIDS sent to a SIEM?



  • 5.  RE: Evil Twin, controller, Airwave, and SIEM logging

    EMPLOYEE
    Posted Apr 04, 2016 12:02 PM

    Rogue alerts can be sent from the controller though, correct? Or are you just looking for AirWave to send up alerts it generates within RAPIDS? Can AirWave generate a syslog and then QRadar parse and capture that specific syslog event?



  • 6.  RE: Evil Twin, controller, Airwave, and SIEM logging

    Posted Apr 04, 2016 12:26 PM

    Hi Jerrod,

    Yes, we are getting some alerts from the controller. Right now they are only authentication errors. As for RAPIDS, we get emails when a rogue is detected.

    The ideal situation is for us to:

    1. Create rules within RAPIDS (no issues here - all works well)
    2. Receive emails from those rules (no issues)
    3. Have the alerts sent to our SIEM (QRadar is our tool).

    If that cannot be achieved, then the next best thing is to get rogue alerts from the controller to go to QRadar.

    What makes it difficult is our separation of duties - it is a slow process since I don't have full access to Airwave or the master controller.



  • 7.  RE: Evil Twin, controller, Airwave, and SIEM logging

    EMPLOYEE
    Posted Apr 04, 2016 12:36 PM

    If you are receiving emails as the result of a Trigger in Airwave, there is an option within the trigger to also send a trap to an NMS. Is that what you are looking for?
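As an added example that is not code from the thread, from Aruba or from AirWave, here is the defender-side logic behind the impersonation case discussed above: an SSID we own that is beaconed from a BSSID not in our inventory is flagged as an evil twin, and each finding is formatted as an RFC 5424 syslog line that a SIEM such as QRadar could ingest. The SSID names, BSSIDs, AP names and the structured-data field names are constructed; the real controller and AirWave log formats are not assumed.

```python
"""Added example: flag SSID impersonation among observed beacons and emit
each finding as an RFC 5424 syslog line. All data here is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed inventory: authorized SSID -> set of BSSIDs allowed to beacon it.
AUTHORIZED = {
    "Corp-WiFi": {"00:1a:1e:aa:bb:01", "00:1a:1e:aa:bb:02"},
    "Guest": {"00:1a:1e:aa:bb:01"},
}

@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str
    seen_by_ap: str  # constructed name of the AP/sensor that heard the beacon

def find_impersonations(beacons, authorized=AUTHORIZED):
    """Return beacons advertising an authorized SSID from a BSSID that is not
    in that SSID's authorized set (the evil twin case). SSIDs we do not own
    are not flagged: they are neighbours, not impersonations of us."""
    findings = []
    for b in beacons:
        valid = authorized.get(b.ssid)
        if valid is not None and b.bssid.lower() not in valid:
            findings.append(b)
    return findings

def to_syslog(beacon, hostname="wlan-sensor", when=None):
    """RFC 5424 line; PRI 132 = facility local0 (16*8) + severity warning (4).
    32473 is the IANA enterprise number reserved for documentation."""
    ts = (when or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    sd = (f'[rogue@32473 ssid="{beacon.ssid}" bssid="{beacon.bssid}" '
          f'ap="{beacon.seen_by_ap}" kind="impersonation"]')
    return f"<132>1 {ts} {hostname} wids - ROGUE {sd} authorized SSID seen on unknown BSSID"

# Constructed observations: two legitimate, one evil twin, one neighbour network.
SAMPLE = [
    Beacon("Corp-WiFi", "00:1a:1e:aa:bb:01", "ap-floor1"),
    Beacon("Guest", "00:1a:1e:aa:bb:01", "ap-floor1"),
    Beacon("Corp-WiFi", "de:ad:be:ef:00:01", "ap-floor2"),   # evil twin of Corp-WiFi
    Beacon("CoffeeShop", "de:ad:be:ef:00:02", "ap-floor2"),  # not our SSID, ignored
]

if __name__ == "__main__":
    for finding in find_impersonations(SAMPLE):
        print(to_syslog(finding))
```

Feeding the emitted lines to a syslog collector is the piece a SIEM team would own; the detection rule itself stays simple because it compares only against the authorized BSSID inventory.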