Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

rogue & interfering APs

  • 1.  rogue & interfering APs

    Posted Sep 20, 2012 11:42 AM

    Hi,

    I can see a suspected rogue AP and an interfering AP in the dashboard security visual. How can I mitigate both of them? How can I locate them and defend my network from them?

    Thanks



  • 2.  RE: rogue & interfering APs

    Posted Sep 20, 2012 01:01 PM

    Someone from Aruba, I guess, will answer you, but I'll give my 2 cents....

    Okay, I don't think you should mitigate those APs.

    Interfering APs could be a neighbor's AP, and a suspected rogue AP is something that could be a neighbor's AP... the thing is that it classifies it as a suspected rogue AP through heuristics...

    Anyway, what you can be sure you can mitigate are ROGUE APs, those APs the WC is sure are inside your network....

    Have you configured L3 rogue detection?



  • 3.  RE: rogue & interfering APs

    Posted Sep 20, 2012 03:49 PM

    I haven't configured L3 rogue detection. They are not Aruba APs; they don't broadcast our SSID.

    Thanks



  • 4.  RE: rogue & interfering APs

    Posted Sep 20, 2012 03:53 PM

    Yeah, I know it does not broadcast your SSID.

    Do you have an IPS/IDS license? Let's start there; if you don't, then you cannot do anything about rogue APs.

    If you do, then you have the power to mitigate APs.

    You should not mitigate an AP just because you see it; you should be sure this is an AP inside your building. You should not mitigate neighbors' APs, or your neighbors that are using their own APs won't be happy that they can't connect to their own network, just because you decided to tarpit their AP that does not belong to you.

    L3 rogue detection will help you detect rogue APs inside your building, which are the ones that you want to mitigate, as it's a foreign AP inside your building.



  • 5.  RE: rogue & interfering APs

    Posted Sep 20, 2012 09:48 PM

    Great, thank you. How do we do this L3 rogue detection?



  • 6.  RE: rogue & interfering APs

    Posted Sep 20, 2012 11:27 PM

    Okay, before continuing with the explanation:

    Do you have air monitors in your network? Because if you don't, you can detect rogue APs but you won't be able to do anything to them...

    You won't be able to mitigate anyone if you don't have air monitors.

    And I don't mean just one; I mean air monitors covering your wireless LAN.

    For the IPS/IDS to work at its full capability you need:

    IPS/IDS license

    Air monitors

    Do you have both?



  • 7.  RE: rogue & interfering APs

    Posted Sep 21, 2012 12:31 AM

    Thanks, I have the license. Air monitors are activated by the ARM setting "mode aware" in case of interference. Is this enough?



  • 8.  RE: rogue & interfering APs

    Posted Sep 21, 2012 09:48 AM

    You mean ARM mode aware...

    Let me explain what it does...

    ARM mode aware converts a normal AP where there is too much coverage.... not where it sees too much interference...

    You need full coverage with air monitors over your deployment.... otherwise you would want to tarpit an AP and you won't be able to...

    That said,

    First, you can do L3 rogue detection through the controller or through the APs.

    I'll explain how you do it through the controller with an example.

    Let's say in your company you have VLANs 5, 6, 7, 8:

    VLAN 5 = servers

    VLAN 6 = Sales

    VLAN 7 = IT

    VLAN 8 = accounting

    You will need to trunk the VLANs you want to monitor.

    Now, which VLANs would you like to monitor? How do you decide that? Well, normally the VLANs to which normal people have access; for example, in my example you would monitor VLAN 6, VLAN 7 and VLAN 8, in which normal people can plug in a Linksys, for example.

    You won't monitor VLAN 5 because, well, those ports would be hard for normal people to access.

    Now you know which VLANs you want to trunk; well then, you trunk them to the controller.

    After that you will have to create those VLANs on the controller and trunk them back to the switch.

    After that you need to turn on the L3 rogue detection on the controller with this command:

    (Aruba) (config) # wms general learn-system-wired-macs enable

    Then to verify it's on:

    (Aruba) # show wms general

    Then you will have to wait for a couple of minutes, and if you have APs connected which are not valid, it will detect them as rogue APs, because it will be able to see the MAC through the wire (as you are monitoring the VLANs) and through the air through the BSSID.

    Now let's say you plugged in a Linksys to test...

    You should see that Linksys on the dashboard.

    You can also check it on the CLI with:

    (Aruba) # show wms wired-mac system-wired-mac

    Now in the IPS/IDS configuration you have to set it to contain rogue APs automatically.

    Then it will automatically contain that Linksys; you will notice you won't be able to connect to it.

    When you configure the IPS/IDS profile...

    Did you already configure it?

    Well, if you did, as a personal opinion (Aruba guys can advise you better there than me), I turn off "automatically contain a suspected rogue AP", as like I said it could be a neighbor...

    You should be sure what you are configuring in your IDS/IPS profile or weird things will happen... like you won't be able to connect to your guest network, or like I said your neighbors won't be able to connect to their OWN APs.... which is no good...



  • 9.  RE: rogue & interfering APs

    Posted Oct 31, 2012 08:00 PM

    Hello,

    I just want to clarify what you meant:

    "You will need to trunk the VLANs you want to monitor." Our controller is connected to the core switch. I think the access and distribution switches are all trunked to the core switch, so does that satisfy this requirement?

    "Now you know which VLANs you want to trunk; well then, you trunk them to the controller. After that you will have to create those VLANs on the controller and trunk them back to the switch." Does this only mean setting the switchport the controller is connected to as a trunk port, and setting the controller port to be a trunk port as well and allowing the different VLANs?

    If somebody could clarify this, it would be greatly appreciated. Thanks.



  • 10.  RE: rogue & interfering APs

    Posted Oct 31, 2012 08:07 PM

    Okay, let me clarify for you.

    You want to monitor VLANs to which end users have access; you might not monitor the server VLAN, for example, because that's inside the datacenter...

    Let's say you have these VLANs:

    VLAN 10 Servers

    VLAN 20 Equipment (switch administration)

    VLAN 30 Sales

    VLAN 40 Accounting

    VLAN 50 Managers

    You will want to monitor the Sales, Accounting and Managers VLANs.

    Why?

    Because end users have access to these VLANs on the ports they have at their workstations, or for example ports you have in a conference room, or stuff like that.

    You will not monitor the server VLAN because you have that VLAN just in the datacenter, so there is almost no chance you get a rogue AP in the datacenter, which only IT personnel have access to.

    Now you know what I mean?

    Or what part don't you understand?
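    As an added example (not code from this thread or from HPE Aruba Networking), the following Python models the wired-MAC correlation described in replies #8 and #10 above: the controller learns MACs only on the VLANs trunked to it for monitoring, an AP heard in the air whose BSSID sits within a small offset of a learned wired MAC is classified as a rogue, a loud AP with no wired evidence is at most a suspected rogue, everything else is interfering, and only confirmed rogues are marked for containment. The MAC-offset window, the RSSI threshold used for "suspected rogue", and all MACs, SSIDs and VLAN numbers are constructed assumptions for illustration; the real ArubaOS classification rules are richer than this.

```python
# Added example, not ArubaOS code. Toy model of controller-side L3 (wired-MAC)
# rogue detection and of the "contain only confirmed rogues" advice in the thread.
# All sample data below is constructed for this example.

OUR_BSSIDS = {"00:0b:86:a1:22:10", "00:0b:86:a1:22:11"}   # radios of our own APs (assumed)
MONITORED_VLANS = {30, 40, 50}                              # Sales / Accounting / Managers, trunked to the controller

# What the wire shows the controller: (MAC, VLAN) pairs learned from the monitored trunks.
WIRED_FDB = [
    ("00:18:39:5a:7c:3e", 30),   # consumer AP plugged into a Sales desk port
    ("00:50:56:ab:cd:01", 40),   # an ordinary workstation NIC
    ("d8:5d:4c:11:22:33", 10),   # an AP on the server VLAN, which is deliberately NOT monitored
]

# What the air monitors hear: (BSSID, SSID, RSSI in dBm).
AIR_APS = [
    ("00:0b:86:a1:22:10", "Corp",          -40),
    ("00:18:39:5a:7c:3f", "linksys",       -48),
    ("c4:6e:1f:aa:bb:cc", "Neighbor-WiFi", -83),
    ("d8:5d:4c:11:22:34", "lab-ap",        -50),
]

MAC_MATCH_RANGE = 8      # assumption: a BSSID is the AP's wired MAC plus a small offset
SUSPECT_RSSI_DBM = -65   # assumption: louder than this probably means "inside the building"


def mac_to_int(mac: str) -> int:
    """Turn 'aa:bb:cc:dd:ee:ff' (or dashed form) into an integer so offsets can be compared."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def learn_wired_macs(fdb, monitored_vlans):
    """Models `wms general learn-system-wired-macs enable`: the controller only learns
    MACs on VLANs that are trunked to it for monitoring; the rest are invisible to it."""
    return {mac.lower() for mac, vlan in fdb if vlan in monitored_vlans}


def classify(bssid, rssi, wired_macs, our_bssids,
             match_range=MAC_MATCH_RANGE, suspect_rssi=SUSPECT_RSSI_DBM):
    """Return 'valid', 'rogue', 'suspected-rogue' or 'interfering' for one BSSID heard in the air."""
    b = bssid.lower()
    if b in our_bssids:
        return "valid"
    bi = mac_to_int(b)
    if any(abs(mac_to_int(w) - bi) <= match_range for w in wired_macs):
        return "rogue"            # heard in the air AND matched to a MAC on our own wire
    if rssi > suspect_rssi:
        return "suspected-rogue"  # loud, but no wired evidence: heuristic only, could be a neighbor
    return "interfering"          # heard only; most likely a neighbor's AP


def containment_plan(air_aps, fdb, monitored_vlans, our_bssids, contain_suspects=False):
    """Map BSSID -> (classification, contain?). Confirmed rogues are always contained;
    suspects only if the operator opts in, which the thread advises against."""
    wired = learn_wired_macs(fdb, monitored_vlans)
    plan = {}
    for bssid, _ssid, rssi in air_aps:
        cls = classify(bssid, rssi, wired, our_bssids)
        contain = cls == "rogue" or (contain_suspects and cls == "suspected-rogue")
        plan[bssid.lower()] = (cls, contain)
    return plan


if __name__ == "__main__":
    for bssid, (cls, contain) in containment_plan(
            AIR_APS, WIRED_FDB, MONITORED_VLANS, OUR_BSSIDS).items():
        print(f"{bssid}  {cls:16s}  contain={contain}")
```

    Run as written, the Linksys on monitored VLAN 30 is the only entry marked for containment; the lab AP on server VLAN 10 shows up as a loud suspect only, because its wired MAC was never learned. Adding 10 to MONITORED_VLANS turns it into a confirmed rogue, which is exactly the trade-off behind choosing which VLANs to trunk to the controller.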



  • 11.  RE: rogue & interfering APs

    Posted Oct 31, 2012 08:26 PM

    Hmmm... I guess it is because, what if there are 8 switches, each having its own VLAN; 4 of the 8 switches are trunked to distribution switch A, the other 4 switches are trunked to distribution switch B, and then switches A and B are trunked to a router. What if the controller is trunked to the router? Then any broadcast from the different VLANs cannot go through the router to the controller, even if we set the controller to be a part/member of the 8 VLANs to begin with. Is this correct? I think in this scenario you must use the trunk-to-the-AP-or-AM option.



  • 12.  RE: rogue & interfering APs

    Posted Oct 31, 2012 08:30 PM

    What you call a router, is it a Layer 3 core switch?



  • 13.  RE: rogue & interfering APs

    Posted Oct 31, 2012 08:31 PM

    For example, in the scenario I have deployed at different clients,

    I have the wireless controller most of the time plugged into the core switch, which has all the interface VLANs of the whole network...

    So it's really easy for me to just trunk the VLANs I want to the core switch, because all the VLANs have to reach the core switch to be routed...



  • 14.  RE: rogue & interfering APs

    Posted Oct 31, 2012 08:33 PM

    That is possible... if it is, then yeah, I can trunk to it. But if not, then I guess I will have to use the trunk-to-AP method. It's just that I am not a networking expert and all this stuff is a little bit more advanced than my current level. Thanks.



  • 15.  RE: rogue & interfering APs

    Posted Oct 31, 2012 08:37 PM

    Don't worry man, we all have our expertise.... :)

    I'm not like a super expert on this, but I have a good idea, I guess.

    To test if your L3 rogue detection is working, you can always plug a D-Link or a Linksys into a port with a VLAN that is being monitored...

    You should see that AP as a rogue AP in like 5 minutes or 10, I don't know.

    Issue the command:

    (Aruba) # show wms wired-mac system-wired-mac

    You will see in there how the AP was discovered as a rogue AP.

    Cheers,

    and good luck with this!