Aruba
Posts: 1,290
Registered: ‎08-29-2007

Why is my rogue not classified as rogue?

Hi,

I have a controller with IDS enabled to fairly high. I have enabled rogue containment, rogue classification and protect SSID, and added the SSIDs to the valid list.

So I have an IAP configured with some of the valid SSIDs and another random SSID, which I plugged directly into the controller.

When I do a 'show wms ap list' it is showing the IAP as only being suspected-rogue, and only 20%.

'protect ssid' does work and I can see the client being tar-pitted though.

Any suggestions?

Thanks

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACMP, ACMX #294
mclarke@arubanetworks.com
MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: Why is my rogue not classified as rogue?

Are you using a controller or an IAP? Or an IAP connected as a normal AP to the controller?

Just clarify this issue so that I can advise you with good tips.

*****************2Plus Wireless Solutions****************************
Aruba Airheads - Powered By community for empower the community
************ Don't Forget to Kudos + me,If i helped you******************
Aruba
Posts: 1,290
Registered: ‎08-29-2007

Re: Why is my rogue not classified as rogue?

Using a controller with campus APs.

The Instant is plugged into the controller and is my 'rogue' for testing.


MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: Why is my rogue not classified as rogue?

You can configure the controllers to actively disable rogue APs, though I prefer to be alerted about it and then decide if I want to do anything to the rogue AP. If set up properly you could send a deauth/auth flood to the rogue AP as well as an ARP attack on the wired side.

Interfering APs are APs that are not configured on your controller; your APs see them in the wireless spectrum but don't see them on the wired network. Suspected rogues may be plugged into the network and are worth investigating. Rogues are plugged into your wired network and also providing wireless access. They should definitely be looked into.

Assuming you have the WIPS licenses installed, you can use the WIP Wizard to configure what attacks to look for and how to deal with them.

Reference the Wireless Intrusion Detection section of the User Guide for detailed instructions and lots of good content on this.

Aruba
Posts: 1,290
Registered: ‎08-29-2007

Re: Why is my rogue not classified as rogue?

Yeah, I know and have done all that, but the problem is that it is only classified as suspected rogue, even though it is plugged directly into the controller.

I can, and have, manually reclassified it, and the tar-pitting works fine.

This should happen automatically though.


MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: Why is my rogue not classified as rogue?

Be sure your ARM profile is configured to monitor.

(Be sure that your controller can see the segment of your rogue.)

Can you print out or screenshot your configuration of the rogue detection / IDS profile, please?

Aruba
Posts: 1,290
Registered: ‎08-29-2007

Re: Why is my rogue not classified as rogue?


kdisc98 wrote:

Be sure your ARM profile is configured to monitor.

(Be sure that your controller can see the segment of your rogue.)

Can you print out or screenshot your configuration of the rogue detection / IDS profile, please?


Yeah, the rogue is plugged into the controller, so can see ;)

I think this is the profile you mean.

[Attached image: IDS-Unauthorised-device-profile.jpg]


MVP
Posts: 1,409
Registered: ‎05-28-2008

Re: Why is my rogue not classified as rogue?

Try this:

The easiest way to configure that is to run the WIP Wizard.

The Wizard will give you the options to influence how rogues are classified. How the controller automatically classifies rogues is here: https://arubanetworkskb.secure.force.com/pkb/articles/FAQ/Rogue-Classification-on-AOS-6-0

You can configure something called a "Valid SSID" which means that the controller will allow devices to connect to that SSID. You can then block traffic from connecting to anything but Valid SSIDs.

The controller normally looks at client associations to contain devices, so even if you can see powerful access points from far away, if the controller cannot see the client associating to it, it will not do anything. If it can see your users attempting to associate to it, and you have protection on, it can stop those users, however.

You can define a specific SSID as a Valid SSID to keep it from being blocked.

Again, IDS/IPS is a very involved topic and you need to (1) Read the entire chapter on IDS/IPS to fully understand it and (2) Test any scenario before putting it into production so that you do not create any performance issues.

More info:

http://www.arubanetworks.com/techdocs/ArubaOS_61/ArubaOS_61_UG/New_WIP.php

Aruba
Posts: 1,290
Registered: ‎08-29-2007

Re: Why is my rogue not classified as rogue?

Just to clarify, this is a lab setup and all APs/clients are in close proximity. We are putting together a design for use in high security government environments. At some stage they will be sending some penetration testers around to try to crack it and see the rogue containment in action. I need to make sure it is working as it should, and the rogue containment must happen automatically without manual classification.

The protect-ssid thing is working and clients cannot attach to that valid SSID coming from the rogue. I'm happy with that.

The rogue SSID in the Instant is set to controller-assigned DHCP and traffic will be NATted. According to that KB link, which says:

"A device will only be automatically marked as a rogue if a gateway MAC has been seen in the wireless traffic coming from the device."

Is this the reason why it is not automatically classified as rogue? So what about an ordinary home wireless router where the traffic is NAT'd behind the WAN IP, does that mean it is not classified as rogue?

Thanks

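An added illustration of the KB rule quoted in the post above (not part of the thread and not ArubaOS code): a simplified model that marks an AP as rogue only when a known wired gateway MAC appears in frames relayed through its BSSID, run on constructed frames for a bridging AP and a NAT router. All MAC addresses, names and the two result labels are assumptions made up for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    bssid: str  # radio that relayed the frame
    src: str    # original source address (SA)
    dst: str    # final destination address (DA)

def norm(mac):
    return mac.lower().replace("-", ":")

def gateway_macs_seen(frames, bssid, wired_gateways):
    """Wired gateway MACs that appear as SA or DA in frames relayed by bssid."""
    gws = {norm(m) for m in wired_gateways}
    seen = set()
    for f in frames:
        if norm(f.bssid) == norm(bssid):
            seen |= {norm(f.src), norm(f.dst)} & gws
    return seen

def classify(frames, wired_gateways):
    """Apply the quoted rule per BSSID: rogue only if a gateway MAC was seen."""
    result = {}
    for bssid in {norm(f.bssid) for f in frames}:
        hit = gateway_macs_seen(frames, bssid, wired_gateways)
        result[bssid] = "rogue" if hit else "unconfirmed"
    return result

# Constructed sample data (documentation / locally administered MACs).
WIRED_GATEWAYS = {"00:00:5E:00:53:01"}   # default gateway on the wired VLAN
BRIDGED_AP = "02:00:00:aa:00:01"         # AP bridging wireless onto the wire
NAT_AP = "02:00:00:bb:00:01"             # home-style router doing NAT
NAT_LAN_MAC = "02:00:00:bb:00:02"        # router's own LAN-side gateway MAC

FRAMES = [
    # Bridged: clients talk to the real wired gateway at layer 2.
    Frame(BRIDGED_AP, "02:00:00:cc:00:10", "00:00:5e:00:53:01"),
    Frame(BRIDGED_AP, "00:00:5e:00:53:01", "02:00:00:cc:00:10"),
    # NAT: clients only ever see the router's LAN-side MAC as their gateway;
    # the wired gateway MAC never crosses onto the air.
    Frame(NAT_AP, "02:00:00:cc:00:20", NAT_LAN_MAC),
    Frame(NAT_AP, NAT_LAN_MAC, "02:00:00:cc:00:20"),
]

if __name__ == "__main__":
    for bssid, label in sorted(classify(FRAMES, WIRED_GATEWAYS).items()):
        print(bssid, label)
```
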
MVP
Posts: 4,301
Registered: ‎07-20-2011

Re: Why is my rogue not classified as rogue?

 

Is it possible that it is seeing that Aruba BSSID as valid?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA