Wireless Access

Frequent Contributor II

Rogue AP Containment

Any configuration examples out there on how to configure rogue AP containment? We have a pen tester in with an AP that's configured to use the same SSIDs as the production network. Users are attaching to his device so he can steal their creds.

We have RF Protect licenses installed on the controllers and I was under the assumption that the canned values with RF Protect should deny or contain this traffic.  Doesn't look like this is happening. 

We're using 7210 controllers and new AP-335s for APs, as well as 3 AP-335s as Air Monitors across the floor. Any configuration help would be most appreciated.


Guru Elite

Re: Rogue AP Containment

You would have to enable "protection" for any IDS/IPS activity. "Detection" is only reporting.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

MVP

Re: Rogue AP Containment

There are regulatory issues with defaulting containment to on. In fact there may be problems turning it on at all in some locations or jurisdictions.

Containing your hired pentester is probably fine, but if the same settings "contain" a neighboring business' SSID for some reason, you could be in hot water.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it

Re: Rogue AP Containment

Please realize that if your pen tester can make your clients connect to his/her malicious AP in your environment, the same can happen outside your environment in a place where you don't have the APs that can do WIPS/WIDS.


So I would ask the pen tester for advice on how to fix this on the client side. One of the possibilities is that your clients do not properly validate the server certificate (link to explaining video), and that can only be fixed on the client side.


Configuring RFProtect to detect or protect against your SSID being spoofed is something you should do anyway, but it does not fix the real problem.

--
If you have urgent issues, please contact your Aruba partner or Aruba TAC (click for contact details).
Frequent Contributor II

Re: Rogue AP Containment

Thanks everyone. Based on your feedback I now have some direction to test and explore. 

Frequent Contributor II

Re: Rogue AP Containment

Bumping this topic.

Spent an hour and a half on the phone with TAC this morning on this, which went absolutely nowhere. Long story short: I have a test lab 7005 controller with 1 x AP-115 and 1 x AP-115 Air Monitor. The AP is broadcasting an SSID called "Fake". To test AP Impersonation or Hotspotting I found an old Linksys a/b/g router that I configured to also broadcast the same "Fake" SSID. I created an AP Group for the Air Monitor so I can apply an IDS Impersonation profile to it (I want the AMs to do this work and not our APs). I turned on every detect and protect option available:

[Screenshot: Capture.JPG, IDS Impersonation profile with all detect and protect options enabled]

Shouldn't the AM DoS the Linksys or quarantine it somehow in order to make it unavailable to a potential client? This is not happening, and TAC is saying that it's not a security risk if someone brings in an AP and broadcasts your production SSID to sniff the air and get user creds as clients attempt to connect. Am I missing something here?? How should IDS behave in these situations and how can I verify that it's doing what it should be doing (other than being unable to connect to the Linksys)? Are there other parts of IDS that I need to turn on, or just the IDS Impersonation portion?

Guru Elite

Re: Rogue AP Containment

Please see the article here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/Can-we-protect-valid-ssid-from-being-broadcast-by-Mobile/ta-p/235395


You need to specify what SSID(s) you want protected in the unauthorized device profile.



Colin Joseph
Aruba Customer Engineering

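The check Colin describes (only SSIDs explicitly listed as protected are acted on, and only when a beacon for one of them comes from a BSSID that is not one of your own APs) is what an air monitor does when it flags a valid-SSID impersonation. The following is an added example, not code from the thread, from Aruba, or from RFProtect: a minimal 802.11 beacon parser plus that classification logic, run over constructed frames. The protected SSID "Fake", the sanctioned BSSID 00:0b:86:aa:bb:c1, the rogue BSSID 00:1c:10:de:ad:01, and the build_beacon() helper are all assumptions made up for the example. Note that a beacon for an SSID that is not in the protected list (a neighbour's network) is deliberately left alone, which is Matthew's regulatory point above.

```python
"""Valid-SSID impersonation check over raw 802.11 beacon frames.

Added example; not from the thread, Aruba, or RFProtect. All MACs, SSIDs
and the frame builder below are constructed for illustration.
"""
import struct

# Assumed allowlist: for each SSID you want protected, the BSSIDs of your own
# APs. On the controller this corresponds to the protected-SSID list in the
# unauthorized device profile mentioned in the thread.
PROTECTED_SSIDS = {
    "Fake": {"00:0b:86:aa:bb:c1"},  # constructed sanctioned BSSID
}

MGMT_TYPE = 0
BEACON_SUBTYPE = 8
SSID_IE_TAG = 0
HEADER_LEN = 24          # frame control, duration, addr1-3, sequence control
FIXED_PARAMS_LEN = 12    # timestamp(8) + beacon interval(2) + capability(2)


def parse_beacon(frame: bytes):
    """Return (bssid, ssid) for a beacon frame, or None if it is not a beacon."""
    if len(frame) < HEADER_LEN + FIXED_PARAMS_LEN + 2:
        return None
    fc = frame[0]
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype != BEACON_SUBTYPE:
        return None
    # addr3 of a beacon carries the BSSID
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    # Walk the information elements after the fixed parameters
    pos = HEADER_LEN + FIXED_PARAMS_LEN
    ssid = None
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + length]
        if len(body) < length:
            break  # truncated IE: stop rather than read past the frame
        if tag == SSID_IE_TAG:
            ssid = body.decode("utf-8", errors="replace")
            break
        pos += 2 + length
    return bssid, ssid


def classify(frame: bytes) -> str:
    """Classify one frame: valid, impersonation, ignored (not ours) or not-a-beacon."""
    parsed = parse_beacon(frame)
    if parsed is None:
        return "not-a-beacon"
    bssid, ssid = parsed
    if ssid not in PROTECTED_SSIDS:
        # Someone else's SSID: never contain it, just ignore it.
        return "ignored"
    if bssid in PROTECTED_SSIDS[ssid]:
        return "valid"
    return "impersonation"


def audit(frames):
    """Return (bssid, ssid, verdict) for every beacon in a capture."""
    results = []
    for frame in frames:
        parsed = parse_beacon(frame)
        if parsed is None:
            continue
        bssid, ssid = parsed
        results.append((bssid, ssid, classify(frame)))
    return results


def build_beacon(bssid: str, ssid: str) -> bytes:
    """Construct a minimal beacon frame (test helper, not a real capture)."""
    mac = bytes(int(x, 16) for x in bssid.split(":"))
    header = (bytes([0x80, 0x00])      # frame control: mgmt / beacon
              + b"\x00\x00"            # duration
              + b"\xff" * 6            # addr1: broadcast
              + mac                    # addr2: transmitter
              + mac                    # addr3: BSSID
              + b"\x00\x00")           # sequence control
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, 100 TU, ESS+privacy
    ssid_ie = bytes([SSID_IE_TAG, len(ssid)]) + ssid.encode()
    return header + fixed + ssid_ie


if __name__ == "__main__":
    capture = [
        build_beacon("00:0b:86:aa:bb:c1", "Fake"),      # our AP
        build_beacon("00:1c:10:de:ad:01", "Fake"),      # constructed rogue
        build_beacon("00:1c:10:de:ad:01", "Neighbor"),  # not our SSID
    ]
    for bssid, ssid, verdict in audit(capture):
        print(f"{bssid}  {ssid!r:12}  {verdict}")
```

A real air monitor would feed this from a monitor-mode capture rather than from build_beacon(), and would key "valid" on the controller's own AP inventory rather than a hand-written dictionary; the decision logic is the same.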

Frequent Contributor II

Re: Rogue AP Containment

This worked PERFECTLY. Thank you Colin!
