Contributor II
Posts: 54
Registered: ‎08-29-2010

rogue & interfering AP's

Hi,

I can see a suspected rogue AP and an interfering AP in the dashboard security visual. How can I mitigate both of them? How can I locate them and defend my network from them?

Thanks

MVP
Posts: 2,951
Registered: ‎10-25-2011

Re: rogue & interfering AP's

Someone from Aruba, I guess, will answer you, but I'll give my 2 cents...

Okay, I don't think you should mitigate those APs.

An interfering AP could be a neighbor's AP, and a suspected rogue AP is something that could also be a neighbor's AP... the thing is that it classifies it as a suspected rogue AP through heuristics...

Anyway, what you can be sure you can mitigate are ROGUE APs, those APs that the WC is sure are inside your network...

Have you configured L3 rogue detection?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor II
Posts: 54
Registered: ‎08-29-2010

Re: rogue & interfering AP's

I haven't configured L3 rogue detection. They are not Aruba APs, and they do not broadcast our SSID.

Thanks

MVP
Posts: 2,951
Registered: ‎10-25-2011

Re: rogue & interfering AP's

Yeah, I know it does not broadcast your SSID.

Do you have the IPS/IDS license? Let's start there; if you don't, then you cannot do anything about rogue APs.

If you do, then you have the power to mitigate APs.

You should not mitigate an AP just because you see it. You should be sure it is an AP inside your building. You should not mitigate neighbors' APs, or your neighbors who are using their own APs won't be happy that they can't connect to their own network just because you decided to tarpit an AP that does not belong to you.

L3 rogue detection will help you detect rogue APs inside your building, which are the ones you want to mitigate, as they are foreign APs inside your building.

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor II
Posts: 54
Registered: ‎08-29-2010

Re: rogue & interfering AP's

Great, thank you. How do we do this L3 rogue detection?

MVP
Posts: 2,951
Registered: ‎10-25-2011

Re: rogue & interfering AP's

Okay, before continuing with the explanation:

Do you have air monitors in your network? Because if you don't, you can detect rogue APs but you won't be able to do anything to them...

You won't be able to mitigate anyone if you don't have air monitors.

And I don't mean just one, I mean air monitors covering your wireless LAN.

For the IPS/IDS to work at its full capability you need:

IPS/IDS license

Air monitors

Do you have both?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Contributor II
Posts: 54
Registered: ‎08-29-2010

Re: rogue & interfering AP's

Thanks. I have the license. Air monitors are activated by the ARM mode-aware setting in case of interference. Is this enough?

MVP
Posts: 2,951
Registered: ‎10-25-2011

Re: rogue & interfering AP's

You mean ARM mode aware...

Let me explain what it does...

ARM mode aware converts a normal AP where there is too much coverage... not where it sees too much interference...

You need full coverage with air monitors over your deployment... otherwise you will want to tarpit an AP and you won't be able to...

That said,

First, you can do L3 rogue detection through the controller or through the APs.

I'll explain how you do it through the controller with an example.

Let's say in your company you have VLANs 5, 6, 7, 8:

VLAN 5 = Servers

VLAN 6 = Sales

VLAN 7 = IT

VLAN 8 = Accounting

You will need to trunk the VLANs you want to monitor.

Now, which VLANs would you like to monitor? How do you decide that? Well, normally the VLANs to which normal people have access. For example, in my example you would monitor VLAN 6, VLAN 7 and VLAN 8, in which normal people can plug in a Linksys, for example.

You won't monitor VLAN 5 because, well, those ports would be hard for normal people to access.

Now that you know which VLANs you want to trunk, you trunk them to the controller.

After that you will have to create those VLANs on the controller and trunk them back to the switch.

After that you need to turn on L3 rogue detection on the controller with this command:

Aruba#(Config) wms general learn-system-wired-macs enable

Then, to verify it's on:

Aruba#show wms general

Then you will have to wait a couple of minutes, and if you have APs connected which are not valid, it will detect them as rogue APs because it will be able to see the MAC through the wire (as you are monitoring the VLANs) and through the air via the BSSID.

Now let's say you plugged in a Linksys to test...

You should see that Linksys on the dashboard.

You can also check it on the CLI with:

Aruba# show wms wired-mac system-wired-mac

Now, in the IPS/IDS configuration you have to set it to automatically contain rogue APs.

Then it will automatically contain that Linksys; you will notice you won't be able to connect to it.

When you are configuring the IPS/IDS profile...

Did you already configure it?

Well, if you did, as a personal opinion (Aruba guys can advise you better there than me), I turn off automatic containment of suspected rogue APs since, like I said, it could be a neighbor...

You should be sure what you are configuring in your IDS/IPS profile or weird things will happen... like you won't be able to connect to your guest network or, like I said, your neighbors won't be able to connect to their OWN APs... which is no good...

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
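
The wired/air correlation described in the post above, sketched as an added example that is not part of the original thread and not Aruba's implementation. All MAC addresses, SSIDs and the valid-AP list are constructed, and the one-address adjacency tolerance between a wired MAC and a BSSID is an assumption made for illustration.

```python
# Constructed sample data; VLAN numbers follow the post's example.
MONITORED_VLANS = {6, 7, 8}            # user-facing VLANs trunked to the controller
VALID_BSSIDS = {"00:1a:1e:aa:bb:10"}   # constructed: the site's own AP

# Constructed wired MAC table: (vlan, mac) learned on the wire.
WIRED_MACS = [
    (5, "00:50:56:00:00:01"),   # server VLAN, not monitored
    (6, "00:14:bf:12:34:56"),   # consumer router plugged into a Sales port
    (7, "3c:97:0e:11:22:33"),   # ordinary workstation
]

# Constructed over-the-air observations from air monitors: (bssid, ssid).
AIR_BSSIDS = [
    ("00:1a:1e:aa:bb:10", "corp"),
    ("00:14:bf:12:34:57", "linksys"),        # adjacent to the wired MAC on VLAN 6
    ("c0:c1:c0:99:88:77", "neighbor-wifi"),  # never seen on the wire
]

def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def wired_match(bssid, wired_macs, monitored, tolerance=1):
    """Return the monitored VLAN where a MAC equal or adjacent to bssid was seen."""
    target = mac_to_int(bssid)
    for vlan, mac in wired_macs:
        if vlan in monitored and abs(mac_to_int(mac) - target) <= tolerance:
            return vlan
    return None

def classify(air, wired_macs, valid, monitored):
    """Map each BSSID to (state, vlan): valid, rogue (on our wire) or interfering."""
    result = {}
    for bssid, _ssid in air:
        if bssid in valid:
            result[bssid] = ("valid", None)
            continue
        vlan = wired_match(bssid, wired_macs, monitored)
        result[bssid] = ("rogue", vlan) if vlan is not None else ("interfering", None)
    return result

def containment_candidates(classified):
    """Only APs confirmed on the wired network qualify; neighbors are left alone."""
    return sorted(b for b, (state, _) in classified.items() if state == "rogue")

if __name__ == "__main__":
    states = classify(AIR_BSSIDS, WIRED_MACS, VALID_BSSIDS, MONITORED_VLANS)
    for bssid, (state, vlan) in states.items():
        print(bssid, state, vlan)
    print("contain:", containment_candidates(states))
```
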
Contributor II
Posts: 72
Registered: ‎05-22-2011

Re: rogue & interfering AP's

Hello,

I just want to clarify what you meant:

"You will need to trunk the vlans you want to monitor" Our controller is connected to the core switch. I think the access and distribution switches are all trunked to the core switch, so does that satisfy this requirement?

"Now you know which vlans you want to trunk well then you trunk them to the controller

After that you will have to create those vlans on the controller and trunk them back to the switch" = does this only mean setting the switchport the controller is connected to as a trunk port, and setting the controller port to be a trunk port as well and allowing the different VLANs?

If somebody could clarify this it would be greatly appreciated. Thanks.

MVP
Posts: 2,951
Registered: ‎10-25-2011

Re: rogue & interfering AP's

Okay, let me clarify.

You want to monitor VLANs to which end users have access. You might not monitor the server VLAN, for example... because that's inside the datacenter...

Let's say you have these VLANs:

VLAN 10 Servers

VLAN 20 Equipment (switch administration)

VLAN 30 Sales

VLAN 40 Accounting

VLAN 50 Managers

You will want to monitor the VLANs for sales, accounting and managers.

Why?

Because end users have access to these VLANs through the ports at their workstations, or, for example, ports you have in a conference room, or stuff like that.

You will not monitor the server VLAN because you have that VLAN only in the datacenter, so there is almost no chance you get a rogue AP in the datacenter, to which only IT personnel have access.

Do you know what I mean now?

Or what part don't you understand?

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp