Wireless Access

Reply
MVP
Posts: 2,992
Registered: ‎10-25-2011

[Tutorial] How to detect Rogue APS with L3 Rogue Detection configuration with Controller April-MHC

[ Edited ]

Hello Everyone

To configure a L3 Rogue ap detection you need to know a few things before.

 

1-You can detect this with APS but the aps need to be in the same vlans,  controller approach is just much better.

2-This just apply for a particular site, i mean if you want to rogue detect a remote site which you dont have a controller you can do it with an AP(but this is not covered in this tutorial

3-You will need to add the IPS/IDS license for Enforcement.

Enforcement can take different shapes, including containing rogue APs by performing denial-of-service (DoS) attacks wirelessly, ARP cache poisoning on the wire, shielding valid clients from connecting to rogue APs, and blacklisting cients so that they are
unable to attach to the WLAN

 

 

Lets begin!

 

To this to work what you need to do is:

1-Trunk all the vlans you want to monitor to the Controller and on the controller trunk them back to the switch

 

Now how do you know which VLANS you should trunk?


Well thats an easy question to answer...  All the vlans that the end users has access to connect rogue APS.   I mean you wont trunk vlans like Server vlans,  or things like that which a end user on your company you know has no access.

 

So

 

Trunk all those vlans in which they got access. 


Note: Remember, you need to create all these vlans on the controller even if you are not using it in them.   LEt say you need to inspect vlan 10,11,12,13,14,15.  Then this means you need to:

1-create those vlans on the controller

2-trunk them to the switch

3-Trunk them from the switch to the controller back.

Note:Normally i plug the controller to the clients Switch Core so i got access to all the vlans without doing too much in their network.

 


Good.  Now after you did this you need to go to the CLI

POST 6.1.3.2

(Office_Controller) (config) #ids wms-general-profile
(Office_Controller) (IDS WMS General Profile) #learn-system-wired-macs

 

The command for PRE 6.1.3.2 you do it on the config i mean:

(Office_Controller) (config) #wms general learn-system-wired-macs enable

 

To check its on you issue the command

#show wms general

 

You will see something like this

General Attributes
------------------
Key                           Value
---                           -----
poll-interval                 60000
poll-retries                  3
ap-ageout-interval            30
adhoc-ap-ageout-interval      5
sta-ageout-interval           30
learn-ap                      disable
persistent-neighbor           enable
persistent-valid-sta          disable
propagate-wired-macs          enable
learn-system-wired-macs       enable
stat-update                   enable

 You will see learn-system-wired-mac  enable

 

Now you need to wait for a while and you should start looking those rogues APS appering on your dashboard on security tab

roguedetection.PNG

 

 

Now remenber in the IPS /IDS  configuration  you have to put to contain automatically rogue APS 

 

As a personal configuration i always put rogue ap containment on but i uncheck the suspected rogue ap containment...  The Rogue APS is something that the controller is 100% sure its on your network! but a suspected rogue AP it could be a neighbor AP?

This is done on the AP group-->IDS-->IDS Unathorized Device

rogue containment.PNG

 

If you dont want to contain anything and you just want to know if you got Rogue APS, just uncheck rogue containment and also suspected rogue ap containment...

 

Note: As general rule here please DONT USE DEFAULT PROFILE to configure IDS/IPS Profiles in general, create new ones please.  Sometimes you can do a misconfig and you can return to default withot any config easily and then look where you were mistaken.  When i was starting to configure this, it was a great help for me, and i still doing it, i never toch default config for this.  I always create a new one.

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
MVP
Posts: 2,992
Registered: ‎10-25-2011

Re: [Tutorial] How to detect Rogue APS with L3 Rogue Detection configuration with Controller April-M

I forgot to mention that  Starting in 6.1.3.2  to activate the learn-system-wired-macs you do it on the ids profile

But PRE 6.1.3.2 you do it on the config i mean:

(Office_Controller) (config) #wms general learn-system-wired-macs enable

 

I added it to the tutorial

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Search Airheads
Showing results for 
Search instead for 
Did you mean: