Contributor II
Posts: 72
Registered: ‎05-22-2011

Rogue Containment

Hello Aruba Gurus,

 

I am trying to manually contain an 802.11g device. I tried using a deauth containment but I don't see any deauth packets sent. I even checked with the controller by doing a show ids general-profile..... and there are no containments. When a device is manually contained, is it contained based on the wireless containment set under the general IDS profile? Also, if we are using a dedicated air monitor, how long will it deauth the client and how often? I also tried a tarpit approach but it did not work. We are using an aruba 6000 with OS 6.1 and with an AP 61. Not sure if the AP 61 can't do containment. We also have 105 types of AP but I have not tried that yet. Any thoughts? Thanks.

 

Guru Elite
Posts: 21,027
Registered: ‎03-29-2007

Re: Rogue Containment


Are you using automatic or manual containment? Please check to see if the BSSID of the rogue AP is classified as a rogue:

show wms ap list | include <rogue ap bssid>

Next, see if any APs can see that rogue:

show wms ap <rogue ap bssid>

show wms rogue-ap <rogue ap bssid>

1. show ap monitor ap-list ap-name <ap name that sees the rogue ap after running master controller command>

- Look to see the current classification of the rogue AP and see if DoS is enabled.

2. show ap monitor client-list ap-name <ap name that sees the rogue ap>

- Look for the client's MAC that is connecting to the rogue.

3. show ap monitor containment-info ap-name <aruba ap name>

- TONS of info. This one shows if the Aruba AP is tarpitting, DOS'n

4. show ap arm scan-times ap-name <ap name that sees the rogue ap>

- Look for WIF Scan Times to see how long the AP stays on the channel where the rogue AP is.

5. show ap monitor active-laser-beams ap-name <ap name that sees the rogue ap>

- Look for any AP names dosing.

- Look at inactive time.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor
Posts: 1
Registered: ‎03-16-2013

Re: Rogue Containment

Right now we are just trying to manually contain devices. If I understand it correctly, any device can be contained. It does not have to match any rule; as long as you select this specific device and select manually contain it, the device should be contained. However, even if there is a wireless containment (I tried both tarpit and deauth), none of these worked.

Contributor II
Posts: 72
Registered: ‎05-22-2011

Re: Rogue Containment


Hello,

 

Right now we are just trying to manually contain devices. If I understand it correctly, any device can be contained. It does not have to match any rule; as long as you select this specific device and select manually contain it, the device should be contained. However, even if there is a wireless containment (I tried both tarpit and deauth), none of these worked.

Guru Elite
Posts: 21,027
Registered: ‎03-29-2007

Re: Rogue Containment

Try to contain the access point that the device is connecting to.


Colin Joseph
Aruba Customer Engineering
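
The thread starts from the observation that no deauth packets were seen after enabling containment. As an added example (not from the thread and not Aruba code), this counts deauthentication and disassociation frames for one BSSID in frames captured on a monitor-mode interface. It assumes radiotap-encapsulated frames; the sample frames and MAC addresses are constructed.

```python
import struct
from collections import Counter

SUBTYPES = {10: "disassoc", 12: "deauth"}  # 802.11 management subtypes

# Constructed sample frames (hex): 8-byte radiotap header + 802.11 header + reason code.
# All MAC addresses are made-up, locally administered values.
RT = "0000080000000000"
AP, STA, OTHER = "0200000000aa", "020000000001", "0200000000bb"
SAMPLE = (
    [RT + "c0000000" + STA + AP + AP + "0000" + "0100"] * 3    # deauth, AP -> client
    + [RT + "c0000000" + AP + STA + AP + "0000" + "0100"]      # deauth, client -> AP
    + [RT + "80000000" + "ffffffffffff" + AP + AP + "0000" + "0000"]  # beacon
    + [RT + "c0000000" + STA + OTHER + OTHER + "0000" + "0300"]  # other BSSID
)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw):
    """Return a dict for a deauth/disassoc frame, or None for anything else."""
    if len(raw) < 4:
        return None
    rt_len = struct.unpack_from("<H", raw, 2)[0]   # radiotap length, little-endian
    dot11 = raw[rt_len:]
    if len(dot11) < 24:                            # shorter than a management header
        return None
    version, ftype, subtype = dot11[0] & 3, (dot11[0] >> 2) & 3, dot11[0] >> 4
    if version != 0 or ftype != 0 or subtype not in SUBTYPES:
        return None
    protected = bool(dot11[1] & 0x40)              # protected frame: body is encrypted
    reason = None
    if not protected and len(dot11) >= 26:
        reason = struct.unpack_from("<H", dot11, 24)[0]
    return {"kind": SUBTYPES[subtype], "dst": mac(dot11[4:10]),
            "src": mac(dot11[10:16]), "bssid": mac(dot11[16:22]), "reason": reason}

def tally(frames, bssid):
    """Count deauth/disassoc frames for one BSSID, keyed by (kind, src, dst)."""
    counts = Counter()
    for raw in frames:
        f = parse_frame(raw)
        if f and f["bssid"] == bssid.lower():
            counts[(f["kind"], f["src"], f["dst"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in tally([bytes.fromhex(h) for h in SAMPLE], "02:00:00:00:00:aa").items():
        print(n, *key)
```

An empty tally for the rogue's BSSID while containment is enabled means no such frames were captured on the channel being monitored, which is the condition the `show ap monitor` commands above help narrow down.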
