04-25-2012 07:22 PM
Airwave has become an integral part of my operations and support work. I basically try to use it to discover every device, including the firewall. I use Airwave to add my NetScreen firewall under the category of Router/Switches.
However, I received some events from Airwave indicating TKIP replay attack.
The attacker is my client's MAC address and the target is my firewall's MAC.
Some instances show that my Firewall is the attacker and target is my client.
I am puzzled as I do not use WPA2 TKIP. I am using 7.3.5 for my Airwave and controller is 188.8.131.52.
Can anybody shed some light?
04-19-2013 01:30 PM - edited 04-19-2013 01:31 PM
The IDS traps are sourced from the switch or controller, AirWave merely translates for display. The IDS event messages contain data alluding to which MAC appears to be the attacker and which MAC is the target. Opening a support case with TAC may be the best way to investigate this behavior further.
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
09-26-2013 06:42 AM
FYI, I received this from Aruba engineering:
"TKIP replay attack detection is susceptible to false alarms. This is because we have to "guess" which frames are rekey messages by their size (since they are encrypted). If we see a rate of at least 1 rekey message every 2 minutes for 10 mins, we raise the alarm. We could raise a false alarm if there happen to be enough real data frames seen with this exact size at this rate."
So, I have disabled this detection since it is causing us to be inundated with false positives. Aruba has a bug opened for engineering to investigate.
Ryan Holland, ACDX #1 ACMX #1
The Ohio State University
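
The heuristic quoted in the last post, sketched as an added example that is not part of the thread and is not Aruba's code: it counts frames by size alone and shows ordinary periodic traffic between a client and a firewall raising the alarm in both directions. The frame size, the MAC addresses, the bucket interpretation of "1 every 2 minutes for 10 mins", and the mapping of attacker/target to frame source/destination are all assumptions.

```python
# Added illustration; not Aruba's implementation. REKEY_SIZE is a constructed
# placeholder: the page does not give the frame size the sensor keys on.
REKEY_SIZE = 131          # hypothetical encrypted rekey frame length, bytes
BUCKET_SECS = 120         # "1 rekey message every 2 minutes"
WINDOW_BUCKETS = 5        # "... for 10 mins" = five consecutive buckets


def replay_alarms(frames):
    """frames: iterable of (timestamp_secs, src_mac, dst_mac, length).

    Returns the sorted list of (src, dst) pairs for which every one of
    WINDOW_BUCKETS consecutive 2-minute buckets holds at least one frame
    of exactly REKEY_SIZE bytes. Payloads are encrypted, so size is the
    only signal available, as the quoted explanation says.
    """
    buckets = {}
    for ts, src, dst, length in frames:
        if length == REKEY_SIZE:
            buckets.setdefault((src, dst), set()).add(int(ts // BUCKET_SECS))
    alarms = []
    for pair, seen in buckets.items():
        if any(all(b + i in seen for i in range(WINDOW_BUCKETS)) for b in seen):
            alarms.append(pair)
    return sorted(alarms)


def constructed_traffic():
    """Constructed sample: ordinary data frames only, no rekey handshake."""
    client, firewall = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02"
    frames = []
    # A periodic application exchange (e.g. a keepalive) that happens to
    # produce REKEY_SIZE-byte frames once a minute, in both directions.
    for t in range(0, 900, 60):
        frames.append((t, client, firewall, REKEY_SIZE))
        frames.append((t + 1, firewall, client, REKEY_SIZE))
    # Bulk traffic of other sizes never counts toward the threshold.
    for t in range(0, 900, 7):
        frames.append((t, client, firewall, 1500))
    # A pair seen at the suspect size for only 6 minutes stays below it.
    other = "cc:cc:cc:00:00:03"
    for t in range(0, 360, 60):
        frames.append((t, other, firewall, REKEY_SIZE))
    return frames


if __name__ == "__main__":
    for src, dst in replay_alarms(constructed_traffic()):
        print(f"TKIP replay alarm (false positive): attacker={src} target={dst}")
```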