Query on Match type regarding the Rogue APs

Hi Everyone,

I have a query on the rogue AP match type and I am doing testing on it. From the user guide I do not see any clear explanation about when an AP will be classified as a rogue AP based on the match type.

Can anyone tell me when and which match type method will be considered in different scenarios for an AP to be classified as a rogue AP?

Thanks in advance

Re: Query on Match type regarding the Rogue APs

Hi,

I hope I understood your issue.

I gathered some info for you:

Make sure you have L3 connectivity on all VLANs (that your AP unit can see all VLANs, or the controller itself).

The controller will also collect MACs on any VLAN that is trunked to it (System-Wired-MAC).

Make sure your ARM profile is enabled with monitoring (you may also consider using air monitors for the test):

http://community.arubanetworks.com/aruba/attachments/aruba/wireless-intrusion-prevention/147/1/tb_air_monitors.pdf

Use the WIP Wizard.


(From NightShade1's post)

Do you have an IPS/IDS license? Let's start there; if you don't, then you cannot do anything about rogue APs.

If you do, then you have the power to mitigate APs.

You should not mitigate an AP just because you see it; you should be sure this is an AP inside your building. You should not mitigate neighbors' APs, or your neighbors that are using their own APs won't be happy that they can't connect to their own network, just because you decided to tarpit their AP that does not belong to you.

L3 rogue detection will help you to detect rogue APs inside your building, which are the ones that you want to mitigate, as it's a foreign AP inside your building.

(From cjoseph's post):

You would only be able to disable a rogue consistently with a dedicated air monitor.

Only an air monitor spends enough time on the channel of a rogue to contain it sufficiently. An AP can do it if you have enough density, but an AP's priority is to serve clients.

(From Plane's post):

There will always be multiple IDS profiles. The WIP wizard will update one of them and apply that to the specified AP group based on what you have selected. Please verify that you are looking at the same profile that was updated by the wizard. If you still see differences, please contact Aruba Support. That shouldn't be happening.

Protect SSID will keep any client from associating to an AP that is using your protected SSID and is not part of the Valid AP lists.

Protect valid stations will contain any station that is considered Valid from connecting with anything but your network. A client is classified as valid if it authenticates with encryption to the Aruba network or has been manually defined. My guess is that you had some residual classifications in the WMS database when you attempted your test.

It also looks like you were running your tests on an Open network. I would recommend running the test on an encrypted network. It doesn't make a lot of sense to run these advanced protection mechanisms on an open network since that will have much larger security holes.

I would recommend running 'wms clean-db' followed by the 'reload' command on lab controllers when running this test. Please use this command with caution as it will completely erase the WMS database. This command is not recommended on a production network.

Update me if it gave you some idea on how to continue answering your question.

Regards.

Me.

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************

Re: Query on Match type regarding the Rogue APs

And here is the simple way (from an old post of mine that got answered by cjoseph the king!):

The easiest way to configure that is to run the WIP Wizard.

The Wizard will give you the options to influence how rogues are classified. How the controller automatically classifies rogues is here: https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/Rogue-Classification-on-AOS-6-0

You can configure something called a "Valid SSID", which means that the controller will allow devices to connect to that SSID. You can then block traffic from connecting to anything but Valid SSIDs.

The controller normally looks at client associations to contain devices, so even if you can see powerful access points from far away, if the controller cannot see the client associating to it, it will not do anything. If it can see your users attempting to associate to it, and you have protection on, it can stop those users, however.

You can define a specific SSID as a Valid SSID to keep it from being blocked.

Again, IDS/IPS is a very involved topic and you need to (1) read the entire chapter on IDS/IPS to fully understand it and (2) test any scenario before putting it into production so that you do not create any performance issues.

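The two protection options quoted from Plane's post above (Protect SSID, Protect valid stations, and a station becoming valid only after an encrypted authentication) and the association-visibility rule in this reply are easy to get wrong in a lab, which is why open-network tests look like "nothing happens". The following Python model is an added example written for this thread, not ArubaOS code: the option names are the ones used here, while the `WmsState` structure, the `decide()` and `learn_valid_client()` functions and every MAC address and SSID in the sample data are this example's own constructed assumptions.

```python
"""Illustrative model of the two WIP protection options discussed in this thread.

Added teaching example, not ArubaOS code. It models, as the thread describes
them: Protect SSID (contain any client joining an AP that advertises a
protected SSID but is not on the valid AP list), Protect valid stations
(contain a valid client that joins anything but our network), learning a
client as valid only when it authenticates with encryption to a valid AP,
and the rule that nothing happens unless the controller actually saw the
association. All structures and sample values are this model's assumptions.
"""
from dataclasses import dataclass

CONTAIN, ALLOW, NO_ACTION = "contain", "allow", "no-action"


@dataclass(frozen=True)
class AuthEvent:
    client: str
    bssid: str
    encrypted: bool  # encrypted handshake seen (True) or open network (False)


@dataclass(frozen=True)
class Association:
    client: str
    bssid: str
    ssid: str
    observed: bool  # did one of our APs/air monitors actually see the association?


@dataclass
class WmsState:
    valid_aps: set[str]        # BSSIDs the controller manages or that were marked valid
    valid_ssids: set[str]      # SSIDs our clients are allowed to connect to
    protected_ssids: set[str]  # our SSIDs that nobody else may advertise
    valid_clients: set[str]    # learned or manually defined valid stations
    protect_ssid: bool = True
    protect_valid_stations: bool = True


def learn_valid_client(state: WmsState, ev: AuthEvent) -> bool:
    """A station becomes valid only after an encrypted auth to one of our APs."""
    if ev.encrypted and ev.bssid in state.valid_aps:
        state.valid_clients.add(ev.client)
        return True
    return False


def decide(state: WmsState, a: Association):
    """Return (action, reason) for one association event."""
    if not a.observed:
        return NO_ACTION, "association not visible to the controller"
    if a.bssid in state.valid_aps:
        return ALLOW, "valid AP"
    if state.protect_ssid and a.ssid in state.protected_ssids:
        return CONTAIN, "protect-ssid: non-valid AP advertising a protected SSID"
    if (state.protect_valid_stations and a.client in state.valid_clients
            and a.ssid not in state.valid_ssids):
        return CONTAIN, "protect-valid-stations: valid client leaving our network"
    return NO_ACTION, "no protection rule matched"


# --- constructed sample data (not from any real network) ---
def build_state() -> WmsState:
    return WmsState(valid_aps={"00:1a:1e:00:00:10"}, valid_ssids={"Corp", "Guest"},
                    protected_ssids={"Corp"}, valid_clients=set())


AUTHS = [
    AuthEvent("aa:aa:aa:00:00:01", "00:1a:1e:00:00:10", encrypted=True),   # becomes valid
    AuthEvent("bb:bb:bb:00:00:02", "00:1a:1e:00:00:10", encrypted=False),  # open network: never valid
]
ASSOCS = [
    Association("cc:cc:cc:00:00:03", "c0:ff:ee:00:10:03", "Corp", observed=True),     # honeypot of our SSID
    Association("aa:aa:aa:00:00:01", "de:ad:be:ef:00:22", "HomeNet", observed=True),  # valid client wandering off
    Association("bb:bb:bb:00:00:02", "de:ad:be:ef:00:22", "HomeNet", observed=True),  # never became valid
    Association("aa:aa:aa:00:00:01", "12:34:56:78:9a:bc", "FarAway", observed=False), # controller never saw it
    Association("aa:aa:aa:00:00:01", "00:1a:1e:00:00:10", "Corp", observed=True),     # normal use
]


def run(auths=AUTHS, assocs=ASSOCS):
    """Replay the auth events, then return the (action, reason) for each association."""
    state = build_state()
    for ev in auths:
        learn_valid_client(state, ev)
    return [decide(state, a) for a in assocs]


if __name__ == "__main__":
    for a, (action, why) in zip(ASSOCS, run()):
        print(f"{a.client} -> {a.ssid:<8} {action:<9} {why}")
```

Running it shows the third association producing no action: the client only ever joined an open network, so it never became a valid station, which is the situation the quoted advice about testing on an encrypted network is warning about.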

Re: Query on Match type regarding the Rogue APs

I guess the user guide covers pretty much all the match methods to detect rogue APs.

Please specify any rogue AP match type for which you need help or more clarity, so that I could see if I can answer.

 

Thanks.


Re: Query on Match type regarding the Rogue APs

Hi Everyone..

Thank you all for your answers. But I still have a query regarding the match type. Let me put my question very simply.

We see that during rogue AP detection the match type is showing as Ap-Wired-Mac. In which scenario will we get this match type? If I am correct, this match type is used if any AP is used to identify the rogue AP. If that is the case, then should it be an Aruba AP or any third-party AP?

The question may look silly, but I need to get clarity on this basic part.

Thanks in advance...
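The two match-type names that come up in this thread, System-Wired-MAC in the first reply (the controller collecting MACs on every VLAN trunked to it) and Ap-Wired-Mac in the question above, both describe the same idea: a BSSID heard over the air is matched against MAC addresses seen on the wired side, with the label recording which device supplied the wired evidence. The Python below is an added illustrative model written for this thread, not ArubaOS code, and does not claim to reproduce the controller's actual algorithm. The labels are the ones from the thread; the matching rule (a BSSID numerically within a few addresses of a wired MAC, since many APs derive BSSIDs from their Ethernet MAC by a small offset), the `window` parameter, the `classify()` function and all sample addresses are this model's own assumptions.

```python
"""Illustrative model of wired-MAC rogue matching.

Added teaching example, not ArubaOS code. The match-type labels Ap-Wired-Mac
and System-Wired-MAC are the names seen in this thread; the rule below
(BSSID numerically close to a MAC learned on the wire) is this model's
assumption, chosen because many APs derive their BSSIDs from their
Ethernet MAC by a small offset.
"""
from dataclasses import dataclass

VALID, ROGUE, INTERFERING = "valid", "rogue", "interfering"


def mac_to_int(mac: str) -> int:
    """'c0:ff:ee:00:10:03' -> integer; accepts ':' or '-' separators, any case."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_match(bssid: str, wired_macs: set[str], window: int):
    """Return the first wired MAC within `window` addresses of the BSSID, else None."""
    target = mac_to_int(bssid)
    for mac in sorted(wired_macs):
        if abs(mac_to_int(mac) - target) <= window:
            return mac
    return None


@dataclass(frozen=True)
class DetectedAP:
    bssid: str
    ssid: str
    heard_by: str  # controller-managed AP or air monitor that received the beacon


def classify(ap, authorized_bssids, ap_wired_macs, system_wired_macs, window=8):
    """Return (classification, match_type, matched_wired_mac).

    ap_wired_macs: per-AP tables of MACs each AP learned on its own uplink
                   (the evidence behind an Ap-Wired-Mac match in this model).
    system_wired_macs: MACs the controller learned on every VLAN trunked to it
                   (the evidence behind a System-Wired-MAC match in this model).
    """
    if ap.bssid.lower() in {b.lower() for b in authorized_bssids}:
        return VALID, "Authorized-BSSID", None
    hit = wired_match(ap.bssid, ap_wired_macs.get(ap.heard_by, set()), window)
    if hit:
        return ROGUE, "Ap-Wired-Mac", hit
    hit = wired_match(ap.bssid, system_wired_macs, window)
    if hit:
        return ROGUE, "System-Wired-MAC", hit
    # Heard over the air but never seen on our wire: a neighbour, not ours to contain.
    return INTERFERING, None, None


# --- constructed sample data (not from any real network) ---
AUTHORIZED = {"00:1a:1e:00:00:10"}
AP_WIRED = {"AP-1": {"c0:ff:ee:00:10:00", "00:0c:29:aa:bb:10"}}  # AP-2 has learned nothing yet
SYSTEM_WIRED = {"c0:ff:ee:00:10:00", "00:0c:29:aa:bb:10", "de:ad:be:ef:00:20"}
DETECTED = [
    DetectedAP("00:1a:1e:00:00:10", "Corp", "AP-1"),      # our own AP
    DetectedAP("c0:ff:ee:00:10:03", "Corp", "AP-1"),      # on AP-1's own VLAN, advertising our SSID
    DetectedAP("de:ad:be:ef:00:22", "HomeNet", "AP-2"),   # on a trunked VLAN only the controller saw
    DetectedAP("12:34:56:78:9a:bc", "Neighbor", "AP-2"),  # across the street, never on our wire
]


def report(detected=DETECTED):
    """Classify every detected AP against the sample wired tables."""
    return [(ap.bssid, *classify(ap, AUTHORIZED, AP_WIRED, SYSTEM_WIRED)) for ap in detected]


if __name__ == "__main__":
    for bssid, cls, match, wired in report():
        print(f"{bssid}  {cls:<11} match={match} wired={wired}")
```

In this model the Ap-Wired-Mac label only appears when the AP that heard the beacon also learned a nearby MAC on its own wired uplink; if the wired evidence came from the controller's VLAN tables instead, the same rogue is reported as System-Wired-MAC. That is why the first reply in this thread insists on L3 connectivity to every VLAN: a rogue on a VLAN nobody in the system can see on the wire stays "interfering" in this model.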