Wireless Access

Reply
MVP
Posts: 724
Registered: ‎12-01-2010

Rogue AP interpretation change with upgrade?

Back in 7.4 or 7.5, we tested connecting a rougue AP in to our lab switch and Airwave correctly identified the rogue and sent our NMS and syslog an alert -- all good.

 

Today I've plugged in the rogue for a show-and-tell with our PCI assessor and Airwave had elected to declare the AP a "suspected neighbor"

 

Did something change in the underlying logic, or were a week of tests missing some crucial bit of testing?

 

Lab switch had point-of-sale and client and wireless VLANs trunked to iAP, connect a "rogue" (linksys) to point-of-sale port and connect power. the iAP almost immediately shows the rogue in the IDS page:

iAP draws the right conclusion

 

After a few minutes, I notice that I haven't received the e-mail from Airwave, nor from the NMS or Syslog.

I check Airwave and it thinks we have a neighbor:

187-Airwave-disagrees-part-1

187-Airwave-disagrees-part-2

 

What's missing? Or how do I trace Airwave's logic to see where I need to tune it?

 

My rules:

Airwave-rogue-rules

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Moderator
Posts: 1,270
Registered: ‎10-16-2008

Re: Rogue AP interpretation change with upgrade?

Did you make any changes to the RAPIDS rules? Which AirWave rule is the classifying rule? Remember that AirWave classification has more options than the controller classification.

Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
MVP
Posts: 724
Registered: ‎12-01-2010

Re: Rogue AP interpretation change with upgrade?

Made no changes.

 

In the screenshot, it shows "detected wirelessly" as the classification rule.

 

I forgot to add that Airwave is also pliing the switch to which both AP and rogue are connected and should have seen the MAC/ARP entry as well as the iAP -- so I'm expecting "Detected Wirelessly and on LAN" to hit.

 

Note that it hit a few months ago when we last tested. The only change has been upgrades to Airwave.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Moderator
Posts: 1,270
Registered: ‎10-16-2008

Re: Rogue AP interpretation change with upgrade?

The configuration looks good to me.  The next step would be to open a support case.  Support will need to do a capture from AirWave of the data gathered from polling the switches (what's the current switch polling period?).


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
MVP
Posts: 724
Registered: ‎12-01-2010

Re: Rogue AP interpretation change with upgrade?

4 hours (whatever the default was)

 

The rogue has been plugged in for 20 hours so far.

I'm assuming that new information about a device will cause RAPIDS to re-classify an object.

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Moderator
Posts: 1,270
Registered: ‎10-16-2008

Re: Rogue AP interpretation change with upgrade?

The quick test of that is to move a rule up, save, and then move a rule back to where it was, save.  It's a wonky way to force AirWave to review classification, but it works.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
MVP
Posts: 724
Registered: ‎12-01-2010

Re: Rogue AP interpretation change with upgrade?

No change, unless the reclassification is still running (anyplace to check progress?) so I assume its time to call TAC?

--Matthew

if I've helped, please give kudos
if I've provided a solution, please mark the solution so others can find it
Moderator
Posts: 1,270
Registered: ‎10-16-2008

Re: Rogue AP interpretation change with upgrade?

Yeah, looks like it's time to bring in TAC.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
Search Airheads
Showing results for 
Search instead for 
Did you mean: