Occasional Contributor I

Protect for rogue AP

Hi, my first topic, sorry about possible mistakes.

I read many topics about it, but I'm not sure about the solution.

I'm seeing many rogue APs in my controller dashboard and AirWave; I'm certain that they are not my neighbors or authorized APs.

AirWave is detecting and classifying correctly.

How can I protect my users from these rogues? Can I just check the "Protect" boxes in IDS unauthorized devices?

If I check these boxes, may I cause an incident on my WLAN? Will my APs stop working, and are my users at risk of losing their connections? Is there some possibility of "denying" our own service?

Thanks for answers.

Aruba Employee

Re: Protect for rogue AP

Hi,

Enabling rogue containment won't cause any impact to the current WLAN users.

To enable rogue containment,

1. On the IDS General Profile, set the Wireless containment to deauth-only (when no RFP license).

2. On the IDS Unauthorized Device Profile, enable Rogue Containment.

This would contain rogue APs on all channels if you have AirMonitors. Else rogue containment would work only if the rogue AP and the containing Aruba AP are on the same channel.
Thanks,
Rajaguru Vincent
CWNA | CWSP | CWAP | CWDP | ACMP
Occasional Contributor I

Re: Protect for rogue AP

Hi Vincent,

This option is checked, but these rogues can still transmit my SSID.

I did a test and I could connect to this rogue.

I'm trying to make it impossible for these rogues to transmit the same SSID or part of my SSID, and impossible for any client to connect to them. I'm trying to isolate my WLAN from these rogues...

Can the "protect" checkboxes (SSID, suspected rogue, ad hoc, Windows bridge, valid sessions...) protect me?

Re: Protect for rogue AP

You really need to be careful when enabling these 'protection' mechanisms. If you are improperly classifying neighboring APs and then enable containment and improperly contain/deauth them, you could be subject to fairly substantial fines from the FCC.

If you are enabling containment, you need to be 100% sure your config is valid and is not improper. You should NOT be seeing neighboring APs classified as Rogues unless they are wired in to your wired network. If they are not, and they are being classified as Rogue, you have something misconfigured.

Jerrod Howard
Sr. Technical Marketing Engineer
Occasional Contributor I

Re: Protect for rogue AP

Hi Howard,

My only filter is the word of my SSID.

If another AP outside my solution transmits the same word as my SSID, I will classify it as a rogue.

Now I'm seeing in AirWave 2 APs classified as rogue because of the SSID.

How can the controller detect the wired connection in my infra? Is there any option in the controller that I have to configure to be sure that an AP is a rogue?

I think, for me, it's not necessary that the rogue has a wired connection.

If the station transmits my SSID and simulates a certificate, and has FreeRADIUS or another program that asks for 802.1X, this station can check my AD user/password and access my corporate mail or many systems published in the DMZ. Am I wrong?

To classify an AP as a rogue, do I have to be sure about the wired connection even with the comments above?

Aruba Employee

Re: Protect for rogue AP

Hi Diogo,

Only if the non-valid AP is connected to your wired network can you call it a Rogue. I mean, a wired connection is necessary to call it a Rogue.

An interfering AP, even when it broadcasts the same SSID as the Aruba WLAN, cannot be a Rogue. If an interfering SSID is getting detected as Rogue, that could be because of some configuration either on the controller or AirWave.

If you want to contain non-valid APs broadcasting the valid Aruba WLAN SSIDs, you need to use features like protect-ssid, valid and protected ssid or rule based classification.

See the links below for reference:

1. https://community.arubanetworks.com/t5/Controller-Based-WLANs/Can-we-protect-valid-ssid-from-being-broadcast-by-Mobile/ta-p/235395

2. https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-Does-Protect-SSID-Setting-Accomplish/ta-p/181480

3. http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-configure-Aruba-controller-to-detect-a-hotspot/ta-p/267201

Thanks,
Rajaguru Vincent
CWNA | CWSP | CWAP | CWDP | ACMP
Occasional Contributor I

Re: Protect for rogue AP

Thanks very much, Vincent.

I think I'm understanding now.

First, I have a computer for a test, broadcasting a similar SSID and connected to my infra. Should I call this station a rogue and interfering?

I need the boxes contain rogue and protect / valid SSID to solve this situation, don't I?

Second, if I have another station, broadcasting any different SSID but connected to my infra, can I classify it as a rogue?

Third, any station broadcasting the similar SSID but not connected to my infra is just called interfering and should be solved with protect SSID, OK?

I have one more question.

How can the Aruba controller and AirWave detect interfering, rogue, and suspects?

I'm seeing in AirWave many cases that the controller classified as a rogue and RAPIDS as a suspected rogue.

The SSID is different and I don't know how I can check the wired connection to be sure about rogue and suspect and contain it.

OBS: I don't find anything about interfering, neither in the controller nor in RAPIDS.

I'm lost.

Re: Protect for rogue AP

AirWave has its own 'rules' (aka RAPIDS rules) in how it's classifying rogues and interferers, so it depends on who and what is doing the classification. If you have the default 'RAPIDS Rules' in place, then AirWave will define a 'rogue' as any non-monitored neighbor with signal at -75 or stronger. This in and of itself is not technically a 'rogue' but the description within AirWave notes that. That, by default, should likely be disabled in any deployment where you have multiple neighboring wifi that is not yours.

A laptop broadcasting an SSID may not get picked up as a rogue if it's not bridging the wired and wireless. This depends on how you configured the laptop and what tools you used.

Any AP broadcasting ANY SSID (not just your ESSID but any ESSID) that is wired in to your network will be flagged as a rogue if your APs are connected and monitoring the wired.


Jerrod Howard
Sr. Technical Marketing Engineer

Re: Protect for rogue AP

Note as well that in the Airwave table, it will tell you if it's airwave or controller classified. 

Jerrod Howard
Sr. Technical Marketing Engineer
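
The classification rules stated in the replies above (wired-in means rogue, an off-wire copy of your SSID is interfering and a protect-ssid case, the default RAPIDS rule is signal-only), as an added triage sketch that is not any poster's code and not Aruba's algorithm. The `Detection` fields, the SSID `CORP-WLAN` and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass

VALID_SSIDS = {"CORP-WLAN"}   # assumption: the SSID(s) your own WLAN broadcasts
RAPIDS_SIGNAL_DBM = -75       # default RAPIDS signal rule quoted in the thread

@dataclass
class Detection:
    bssid: str
    ssid: str
    signal_dbm: int
    on_wire: bool    # hypothetical field: AP was seen on your wired network
    managed: bool    # hypothetical field: one of your authorized APs
    source: str      # "controller" or "airwave"
    label: str       # class the tool assigned

def expected(d):
    """(class, protection feature) following the rules stated in the thread."""
    if d.managed:
        return "valid", None
    if d.on_wire:                  # wired in => rogue, whatever SSID it sends
        return "rogue", "rogue containment"
    if d.ssid in VALID_SSIDS:      # off-wire copy of your SSID => not a rogue
        return "interfering", "protect-ssid"
    return "interfering", None     # neighbor: never contain

def review(d):
    """Compare the tool's label with the expected class and explain mismatches."""
    cls, feature = expected(d)
    note = "ok"
    if d.label == "rogue" and cls != "rogue":
        if d.source == "airwave" and d.signal_dbm >= RAPIDS_SIGNAL_DBM:
            note = "signal-only RAPIDS rule; not wired, do not contain as rogue"
        else:
            note = "not wired; check the classification config before containing"
    elif d.label != "rogue" and cls == "rogue":
        note = "wired AP not flagged; check that APs can monitor the wired side"
    return {"bssid": d.bssid, "expected": cls, "feature": feature, "note": note}

# Constructed sample detections (not real devices).
SAMPLES = [
    Detection("02:00:00:00:00:01", "CoffeeShop", -60, False, False, "airwave", "rogue"),
    Detection("02:00:00:00:00:02", "CORP-WLAN", -55, False, False, "controller", "rogue"),
    Detection("02:00:00:00:00:03", "test-lab", -48, True, False, "controller", "interfering"),
    Detection("02:00:00:00:00:04", "CORP-WLAN", -40, False, True, "controller", "valid"),
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(review(d))
```
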
Occasional Contributor I

Re: Protect for rogue AP

It seems that I finished the AirWave config correctly... only my station is appearing as a rogue.

But I'm not sure about the controller yet...

How can APs monitor the wired connection?

The controller is classifying my station as interfering, even with a wired connection. How can the controller detect and classify it as a rogue correctly?

I have many other suspected rogues in the controller that do not appear anymore in AirWave. I don't think that this classification is correct. Why suspected rogue?

Where can I configure these options to correctly match the interfering, suspects and rogues?