Wireless Access

Occasional Contributor I
Posts: 5
Registered: 03-15-2016

Evil Twin, controller, Airwave, and SIEM logging

Hello, I am a recovering Cisco wireless user abuser. I am new to my organization and new to Aruba/Airwave. I seem to have an issue and I have found some suggested documents to read, but I thought I'd throw this out now. I set up an evil twin to test the controller and Airwave rules. The controller sees my evil twin SSID - this is the SSID I use to connect to it. However, I set it up to broadcast out any/all other SSIDs it sees being broadcast; I'll call them "fake SSIDs" - there are around 15 different ones. Neither the controller nor Airwave can detect those fake SSIDs. Also, none of the rogues I set up are getting logged into our SIEM - QRadar.


Would anyone have some suggestions, thoughts, ideas, or be able to point me in the direction to help us detect the Evil Twin and get this logged into our SIEM?

Guru Elite
Posts: 21,031
Registered: 03-29-2007

Re: Evil Twin, controller, Airwave, and SIEM logging

If you have the RF Protect license in your controller, you would be configuring impersonation parameters:  http://www.arubanetworks.com/techdocs/ArubaOS_64x_WebHelp/Web_Help_Index.htm#ArubaFrameStyles/New_WIP/Intrusion_Detection.htm?Highlight=impersonation



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 5
Registered: 03-15-2016

Re: Evil Twin, controller, Airwave, and SIEM logging

We do have the protect license so I will check out your link and see how things are configured. I should say, our network team handles all the controller settings - I am IT Security.


Thanks for your input.

Occasional Contributor I
Posts: 5
Registered: 03-15-2016

Re: Evil Twin, controller, Airwave, and SIEM logging

As a follow-up: We called Airwave help and we were told that Airwave rogue alerts cannot be sent to our SIEM. They said they would send the request to their product development team.


I find it hard to believe that I would be the first one to try to do this. Does anyone have thoughts about this? Are you getting the rogue rules created in RAPIDS sent to a SIEM?

MVP
Posts: 1,310
Registered: 11-07-2008

Re: Evil Twin, controller, Airwave, and SIEM logging

Rogue alerts can be sent from the controller though, correct? Or are you just looking for AirWave to send up alerts it generates within RAPIDS? Can AirWave generate a syslog and then QRadar parse and capture that specific syslog event?

Jerrod Howard
Sr. Technical Marketing Engineer

Occasional Contributor I
Posts: 5
Registered: 03-15-2016

Re: Evil Twin, controller, Airwave, and SIEM logging

Hi Jerrod,


Yes, we are getting some alerts from the controller. Right now they are only authentication errors. As for RAPIDS, we get emails when a rogue is detected.


The ideal situation is for us to

1. Create rules within RAPIDS (No issues here - all works well)

2. Receive emails from those rules (No issues)

3. Have the alerts sent to our SIEM (QRadar is our tool).


If that cannot be achieved, then the next best thing is to get rogue alerts from the controller to go to QRadar.


What makes it difficult is our separation of duties - it is a slow process since I don't have full access to Airwave or the master controller.



Guru Elite
Posts: 21,031
Registered: 03-29-2007

Re: Evil Twin, controller, Airwave, and SIEM logging

If you are receiving emails as the result of a Trigger in Airwave, there is an option within the trigger to also send a trap to an NMS. Is that what you are looking for?



Colin Joseph
Aruba Customer Engineering

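The thread discusses two things that a SIEM bridge has to do: decide whether an observed beacon is an impersonation of one of your own SSIDs (the evil twin the original poster set up), and turn that finding into an event QRadar can parse (Jerrod's syslog suggestion, or the trap Colin mentions). The script below is an added illustration written for this thread; it is not Aruba, AirWave or QRadar code. The `ROGUE_BEACON key=value` syslog layout, the authorized-AP inventory and the sample lines are all constructed for the example (the real ArubaOS/AirWave message format differs), and the LEEF 1.0 output is a minimal form of the QRadar log format: a pipe-delimited header followed by tab-separated attributes.

```python
"""Evil-twin (SSID impersonation) classification and LEEF output for a SIEM.

Added example for this thread; not Aruba/AirWave/QRadar code. Message format,
inventory and sample lines are constructed assumptions.
"""
import re
import socket
from dataclasses import dataclass

# Constructed inventory of the organization's own radios: BSSID -> SSID.
# Hypothetical values; in practice this comes from the controller/AirWave AP export.
AUTHORIZED_APS = {
    "00:1a:1e:00:00:01": "CorpWiFi",
    "00:1a:1e:00:00:02": "CorpWiFi",
    "00:1a:1e:00:00:03": "GuestWiFi",
}

# Constructed sample syslog lines. The key=value layout is an assumption for this
# example, NOT the real ArubaOS / AirWave rogue message format.
SAMPLE_SYSLOG = [
    '<134>Mar 15 10:00:01 wids-sensor ROGUE_BEACON bssid=00:1a:1e:00:00:01 ssid="CorpWiFi" channel=6 seen_by=ap-lobby-1',
    '<134>Mar 15 10:00:02 wids-sensor ROGUE_BEACON bssid=de:ad:be:ef:00:01 ssid="CorpWiFi" channel=6 seen_by=ap-lobby-1',
    '<134>Mar 15 10:00:03 wids-sensor ROGUE_BEACON bssid=de:ad:be:ef:00:01 ssid="GuestWiFi" channel=6 seen_by=ap-lobby-2',
    '<134>Mar 15 10:00:04 wids-sensor ROGUE_BEACON bssid=de:ad:be:ef:00:02 ssid="CoffeeShop" channel=11 seen_by=ap-lobby-2',
    '<134>Mar 15 10:00:05 wids-sensor AUTH_FAIL user=jdoe reason=bad_password',
]

BEACON_RE = re.compile(
    r'ROGUE_BEACON bssid=(?P<bssid>[0-9a-f:]{17}) ssid="(?P<ssid>[^"]*)" '
    r'channel=(?P<channel>\d+) seen_by=(?P<seen_by>\S+)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Beacon:
    bssid: str
    ssid: str
    channel: int
    seen_by: str  # monitoring AP that reported the beacon


def parse_beacon(line):
    """Return a Beacon for a ROGUE_BEACON line, or None for any other event type."""
    m = BEACON_RE.search(line)
    if not m:
        return None
    return Beacon(m["bssid"].lower(), m["ssid"], int(m["channel"]), m["seen_by"])


def classify(beacon, authorized=AUTHORIZED_APS):
    """Verdict for one observed beacon.

    valid:         the BSSID is one of our managed radios.
    impersonation: one of our SSIDs advertised by a BSSID we do not own (evil twin).
    unknown:       neither SSID nor BSSID is ours (neighbor / interfering AP).
    """
    if beacon.bssid in authorized:
        return "valid"
    if beacon.ssid in authorized.values():
        return "impersonation"
    return "unknown"


def to_leef(beacon, verdict):
    """Format a finding as a LEEF 1.0 event: '|'-separated header, tab-separated attributes."""
    attrs = {"srcMAC": beacon.bssid, "ssid": beacon.ssid, "channel": beacon.channel,
             "monitorAP": beacon.seen_by, "cat": verdict}
    body = "\t".join(f"{k}={v}" for k, v in attrs.items())
    return f"LEEF:1.0|ExampleOrg|WIDS-bridge|1.0|{verdict}|{body}"


def process(lines, authorized=AUTHORIZED_APS):
    """Return LEEF events for every non-valid beacon; other event types are ignored."""
    events = []
    for line in lines:
        beacon = parse_beacon(line)
        if beacon is None:
            continue
        verdict = classify(beacon, authorized)
        if verdict != "valid":
            events.append(to_leef(beacon, verdict))
    return events


def send_syslog(message, host, port=514, facility=16, severity=4):
    """Send one message to a syslog/SIEM collector over UDP with an RFC 3164 PRI prefix."""
    pri = facility * 8 + severity
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(f"<{pri}>{message}".encode(), (host, port))


if __name__ == "__main__":
    # Offline demo: print the events instead of sending them to a collector.
    for event in process(SAMPLE_SYSLOG):
        print(event)
```

On the constructed input the bridge ignores the authentication failure, passes the beacon from a managed radio, and emits three events: two `impersonation` findings for the unknown BSSID advertising `CorpWiFi` and `GuestWiFi`, and one `unknown` finding for the neighbor SSID. The important design choice is that impersonation is keyed on BSSID membership in your own inventory, not on the SSID string alone, since the SSID is exactly what an evil twin copies.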
