Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Query on Match type regarding the Rogue APs

  • 1.  Query on Match type regarding the Rogue APs

    Posted Aug 06, 2013 02:19 PM

    Hi Everyone,

    I have a query on rogue AP Match type and I am doing testing on it. From the user guide I do not see any clear explanation about when the AP will be classified as a Rogue AP based on the match type.

    Can anyone tell me when and which Match type method will be considered, with different scenarios, for the AP to be classified as a rogue AP?

    Thanks in advance



  • 2.  RE: Query on Match type regarding the Rogue APs

    Posted Aug 06, 2013 03:30 PM

    Hi,

    I hope I understood your issue.

    I gathered some info for you:

    Make sure you have L3 connectivity on all VLANs (so that your AP unit can see all VLANs, or the controller itself can).

    The controller will also collect MACs on any VLAN that is trunked to it (System-Wired-MAC).

    Make sure your ARM profile is enabled with monitor (you may also consider using Air Monitors for the test):

    http://community.arubanetworks.com/aruba/attachments/aruba/wireless-intrusion-prevention/147/1/tb_air_monitors.pdf

    Use the WIP Wizard.

    [image: Capture.PNG]

    (From NightShade1's post):

    Do you have the IDS/IPS license? Let's start there; if you don't, then you cannot do anything about rogue APs.

    If you do, then you have the power to mitigate APs.

    You should not mitigate an AP just because you see it; you should be sure this is an AP inside your building. You should not mitigate neighbors' APs, or your neighbors who are using their own APs won't be happy that they can't connect to their own network, just because you decided to tarpit their AP that does not belong to you.

    L3 rogue detection will help you to detect rogue APs inside your building, which are the ones that you want to mitigate, as it is a foreign AP inside your building.

    (From cjoseph's post):

    You would only be able to disable a rogue consistently with a dedicated Air Monitor.

    Only an Air Monitor spends enough time on the channel of a rogue to contain it sufficiently. An AP can do it if you have enough density, but an AP's priority is to serve clients.

    (From Plane's post):

    There will always be multiple IDS profiles. The WIP wizard will update one of them and apply that to the specified AP group based on what you have selected. Please verify that you are looking at the same profile that was updated by the wizard. If you still see differences, please contact Aruba Support. That shouldn't be happening.

    Protect SSID will keep any client from associating to an AP that is using your protected SSID and is not part of the Valid AP list.

    Protect Valid Stations will contain any station that is considered Valid, keeping it from connecting with anything but your network. A client is classified as valid if it authenticates with encryption to the Aruba network or has been manually defined. My guess is that you had some residual classifications in the WMS database when you attempted your test.

    It also looks like you were running your tests on an Open network. I would recommend running the test on an encrypted network. It doesn't make a lot of sense to run these advanced protection mechanisms on an open network, since that will have much larger security holes.

    I would recommend running 'wms clean-db' followed by the 'reload' command on lab controllers when running this test. Please use this command with caution, as it will completely erase the WMS database. This command is not recommended on a production network.

    Let me know if this gave you some idea on how to continue, or answered your question.

    Regards,

    Me.



  • 3.  RE: Query on Match type regarding the Rogue APs

    Posted Aug 06, 2013 03:37 PM

    And here is the simple way (from an old post of mine that got answered by cjoseph the king!):

    The easiest way to configure that is to run the WIP Wizard.

    The Wizard will give you the options to influence how rogues are classified. How the controller automatically classifies rogues is here: https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/Rogue-Classification-on-AOS-6-0

    You can configure something called a "Valid SSID", which means that the controller will allow devices to connect to that SSID. You can then block traffic from connecting to anything but Valid SSIDs.

    The controller normally looks at client associations to contain devices, so even if you can see powerful access points from far away, if the controller cannot see the client associating to it, it will not do anything. If it can see your users attempting to associate to it, and you have protection on, it can stop those users, however.

    You can define a specific SSID as a Valid SSID to keep it from being blocked.

    Again, IDS/IPS is a very involved topic and you need to (1) read the entire chapter on IDS/IPS to fully understand it and (2) test any scenario before putting it into production so that you do not create any performance issues.


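The two replies above describe three things in prose: an unknown AP becoming a rogue when one of its wireless clients is also seen on the wire (the AP-Wired-MAC and System-Wired-MAC match types), the warning not to contain a neighbour's AP that is merely heard, and containment being gated on an observed client association (Protect SSID, Protect Valid Stations). The Python model below is an added illustration of that logic and is not ArubaOS code; the match-type names are borrowed from the thread, but the matching rules, the "interfering" default for unmatched APs, and all MAC tables and addresses are this example's own constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# ---- constructed sample state (assumed, not from any real controller) -------
VALID_BSSIDS: Set[str] = {"00:1a:1e:11:22:30"}      # our own radios
VALID_SSIDS: Set[str] = {"corp-wlan"}                # "Valid SSID" list
PROTECTED_SSIDS: Set[str] = {"corp-wlan"}            # "Protect SSID" list
VALID_STATIONS: Set[str] = {"3c:97:0e:aa:bb:01"}     # stations that authenticated with encryption
# MACs learned on the reporting AP's own wired uplink
# (assumed source of an AP-Wired-MAC match)
AP_WIRED_MACS: Set[str] = {"b8:27:eb:10:20:30"}
# MACs the controller learned on VLANs trunked to it
# (assumed source of a System-Wired-MAC match)
SYSTEM_WIRED_MACS: Set[str] = {"b8:27:eb:10:20:30", "f0:9f:c2:44:55:66"}


@dataclass
class HeardAP:
    """An AP seen over the air, with the station MACs observed associated to it."""
    bssid: str
    ssid: str
    clients: Set[str] = field(default_factory=set)


def classify(ap: HeardAP) -> Tuple[str, Optional[str]]:
    """Return (classification, match_type).

    Assumed rule: an unknown AP becomes "rogue" only when one of its wireless
    clients is also seen on our wire, i.e. the AP bridges into our network.
    Anything else that is not ours stays "interfering" (a neighbour).
    """
    if ap.bssid in VALID_BSSIDS:
        return ("valid", None)
    if ap.clients & AP_WIRED_MACS:            # seen on this AP's own wired segment
        return ("rogue", "AP-Wired-MAC")
    if ap.clients & SYSTEM_WIRED_MACS:        # seen on a VLAN trunked to the controller
        return ("rogue", "System-Wired-MAC")
    return ("interfering", None)


def containment_actions(ap: HeardAP, station: str,
                        protect_ssid: bool = True,
                        protect_valid_stations: bool = True) -> List[str]:
    """Actions when `station` is observed associating to `ap`.

    Nothing is decided for an AP that is merely heard; every action here is
    triggered by the observed association, which is the point made above.
    """
    cls, _ = classify(ap)
    if cls == "valid":
        return []
    actions: List[str] = []
    if cls == "rogue":
        actions.append("contain-rogue")            # wired-confirmed foreign AP
    if protect_ssid and ap.ssid in PROTECTED_SSIDS:
        actions.append("protect-ssid")             # our SSID on a non-valid AP
    if protect_valid_stations and station in VALID_STATIONS:
        actions.append("protect-valid-station")    # our client going elsewhere
    return actions


def triage(heard: List[HeardAP]) -> dict:
    """Classify every heard AP and list the actions per observed association."""
    report = {}
    for ap in heard:
        cls, match = classify(ap)
        report[ap.bssid] = {
            "class": cls,
            "match": match,
            "actions": {sta: containment_actions(ap, sta) for sta in sorted(ap.clients)},
        }
    return report


if __name__ == "__main__":
    # constructed sample: one AP bridged onto our wire through the reporting AP's
    # segment, one on a trunked VLAN, one harmless neighbour, one evil twin
    sample = [
        HeardAP("02:11:22:33:44:55", "FreeWifi", {"b8:27:eb:10:20:30"}),
        HeardAP("02:aa:bb:cc:dd:ee", "guest", {"f0:9f:c2:44:55:66"}),
        HeardAP("02:99:88:77:66:55", "Cafe-Next-Door", {"de:ad:be:ef:00:01"}),
        HeardAP("02:cc:cc:cc:cc:cc", "corp-wlan", {"3c:97:0e:aa:bb:01"}),
    ]
    for bssid, info in triage(sample).items():
        print(bssid, info)
```

The neighbour case is the one to watch in a real deployment: an AP that is only heard, with no client of its own on our wire and no use of our SSID, yields no action at all, which is the behaviour the replies ask for before anyone enables containment. The evil twin is not wired-confirmed, so it is never "rogue" under this model, yet Protect SSID and Protect Valid Stations still fire on the observed association.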

  • 4.  RE: Query on Match type regarding the Rogue APs

    Posted Aug 06, 2013 04:31 PM

    I guess the user guide covers pretty much all the match methods to detect rogue APs.

    Please specify any rogue AP match type which you need help with or need more clarity on, so that I can see if I can answer.

    Thanks.



  • 5.  RE: Query on Match type regarding the Rogue APs

    Posted Aug 08, 2013 02:08 AM
    Hi Everyone,

    Thank you all for your answers. But I still have a query regarding the match type. Let me put my question very simply.

    We see that during rogue AP detection the match type is showing as AP-Wired-MAC. In which scenario will we get this match type? If I am correct, this match type is used if any AP is used to identify the rogue AP. If that is the case, then should it be an Aruba AP or any third-party AP?

    The question may look silly, but I need to get clarity on this basic part.

    Thanks in advance.