Hi,
I hope I understood your issue.
I gathered some info for you:
Make sure you have L3 connectivity on all VLANs (that your AP unit can see all VLANs, or the controller itself).
The controller will also collect MACs on any VLAN that is trunked to it (System-Wired-MAC).
Make sure your ARM profile is enabled with monitor (you may also consider using Air Monitors for the test).
http://community.arubanetworks.com/aruba/attachments/aruba/wireless-intrusion-prevention/147/1/tb_air_monitors.pdf
Use the WIP wizard.
(From NightShade1's post)
Do you have the IPS/IDS license? Let's start there; if you don't, then you cannot do anything about rogue APs.
If you do, then you have the power to mitigate APs.
You should not mitigate an AP just because you see it; you should be sure this is an AP inside your building. You should not mitigate neighbors' APs, or your neighbors that are using their own APs won't be happy that they can't connect to their own network, just because you decided to tarpit their AP that does not belong to you.
L3 rogue detection will help you to detect rogue APs inside your building, which are the ones that you want to mitigate, as it is a foreign AP inside your building.
(From cjoseph's post):
You would only be able to disable a rogue consistently with a dedicated Air monitor.
Only an Air monitor spends enough time on the channel of a rogue to contain it sufficiently. An AP can do it if you have enough density, but an AP's priority is to serve clients.
(From Plane's post):
There will always be multiple IDS profiles. The WIP wizard will update one of them and apply that to the specified AP group based on what you have selected. Please verify that you are looking at the same profile that was updated by the wizard. If you still see differences, please contact Aruba Support. That shouldn't be happening.
Protect SSID will keep any client from associating to an AP that is using your protected SSID and is not part of the Valid AP lists.
Protect valid stations will contain any station that is considered Valid, keeping it from connecting with anything but your network. A client is classified as valid if it authenticates with encryption to the Aruba network or has been manually defined. My guess is that you had some residual classifications in the WMS database when you attempted your test.
It also looks like you were running your tests on an Open network. I would recommend running the test on an encrypted network. It doesn't make a lot of sense to run these advanced protection mechanisms on an open network since that will have much larger security holes.
I would recommend running 'wms clean-db' followed by the 'reload' command on lab controllers when running this test. Please use this command with caution as it will completely erase the WMS database. This command is not recommended on a production network.
Let me know if this gave you some idea on how to continue, or answered your question.
Regards.
Me.
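As an added example that is not from this thread or from Aruba, here is a simplified, defender-side model of the wired-MAC correlation behind the System-Wired-MAC classification discussed above: only BSSIDs that correlate with a MAC the controller learned on a trunked VLAN become rogue candidates, while neighbors stay "interfering" and are never contained. All MAC addresses, the SSIDs and the `max_offset` heuristic are constructed assumptions, not Aruba's documented algorithm.

```python
# Added example (constructed data): wired-MAC correlation for rogue classification.
# The BSSID-offset heuristic is an assumption, not Aruba's documented algorithm.
from dataclasses import dataclass

# Constructed wired MAC table, as a controller might learn on its trunked VLANs.
WIRED_MACS = {
    "00:1a:2b:3c:4d:10",   # a printer on VLAN 10
    "f4:56:78:9a:bc:00",   # base MAC of a consumer AP plugged into VLAN 20
}
# Constructed list of BSSIDs belonging to our own managed APs.
VALID_BSSIDS = {"24:de:c6:aa:bb:01"}


@dataclass(frozen=True)
class HeardAP:
    bssid: str
    ssid: str
    rssi: int


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff into an integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_match(bssid: str, wired_macs, max_offset: int = 8) -> bool:
    """Consumer APs usually derive their BSSIDs from the wired MAC by a small
    offset; treat a BSSID within max_offset of a learned wired MAC as on-wire."""
    b = mac_to_int(bssid)
    return any(abs(b - mac_to_int(w)) <= max_offset for w in wired_macs)


def classify(ap: HeardAP, wired_macs=WIRED_MACS, valid=VALID_BSSIDS) -> str:
    if ap.bssid.lower() in valid:
        return "valid"
    if wired_match(ap.bssid, wired_macs):
        return "rogue"          # on our wire: the only containment candidate
    return "interfering"        # neighbor AP: never contain


def containment_candidates(aps):
    """Return only the BSSIDs that correlate with our own wired network."""
    return [ap.bssid for ap in aps if classify(ap) == "rogue"]


# Constructed scan results heard by an Air Monitor.
SCAN = [
    HeardAP("24:de:c6:aa:bb:01", "Corp", -45),
    HeardAP("f4:56:78:9a:bc:03", "linksys", -50),      # wired MAC + 3
    HeardAP("a0:b1:c2:d3:e4:f5", "NeighborCafe", -70),  # no wired correlation
]
```

Running `containment_candidates(SCAN)` yields only the linksys BSSID; the neighbor stays interfering even though it is heard loudly enough to contain.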