I'm hoping someone can shed some light on this as I've had a long standing ticket with TAC and I'm still a bit confused. So here it goes:
I've just recently turned on the WIP detection with dedicated Air Monitors. I know that some would argue that having an AP do both AP/AM function is more ideal, but it is what it is. In either case, in my controlled testing, rogue detection and containment works great as designed (I've also learned through testing and working with TAC that manually classifying a neighbor AP as rogue can also be affected by my IPS :) ... This is frowned upon and I don't intend to manually classify unless I'm certain that it's a rogue within my airspace).
What I need help with is understanding why my guest ssid/AP is being tarpitted and client deauthed when clients connect to it. Whenever I connect to my guest ssid, it doesn't matter which client, I get a Tarpit message followed by a Deauth message. Client gets disassociated with the current AP but is still able to utilize network services like http/https.
TAC thinks that there's another AP out there that is spoofing my client's connections, but I've scanned through our airspace using a Spectrum Analyzer and could not find one. My suspicion is because I'm using a separate AP as an Air Monitor and not the dual role of AP/AM, that it somehow is misclassifying my client connecting to a valid open ssid for my guest and thus generating those log messages. I may be far off, but I need to understand this before implementing the WIP feature enterprise-wide.
I'm more than happy to provide more information (non-sensitive of course) to anyone who cares :).
Thanks and I look forward to your input
Make sure you don't have Protect-SSID enabled.
I did my search for the suggestion that you’ve made and this is what I came up with:
“Behavior When Protect SSID Setting is Enabled: If enabled, this tells the APs/Controller to not let any 3rd party AP (or interfering AP) to broadcast the SSID that is configured in the "valid-and-protected-ssid" of the IDS unauthorized device profile. This means that an Aruba AP with SSID test (as configured above) will attempt to contain any non-valid AP that is advertising SSID test. The AP does the containment by sending deauths to anything trying to associate to it (by spoofing the AP's bssid) and it should be sending deauths to the AP (by spoofing the wireless client mac address that was trying to associate to it).”
Since this is my Aruba AP and is not classified as interfering, I shouldn't be seeing this message, correct? I guess if I disabled it, what other considerations should I be mindful about?
Thanks for the response!
TAC should be able to figure it out by looking at your logs after they turn on debugging. I would only be guessing based on what you mentioned. You should uncheck everything that says "protect", except for rogue AP protection, otherwise you could cause disruptions.
I had a similar problem. Look in your WIPS configuration; you probably have something along the lines of Protect WPA or Require WPA or Privacy, etc.
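The quoted Protect SSID description and the two replies above point at the same check a practitioner would want before rolling WIP out enterprise-wide: go through the controller's WIP event log and see whether the tarpit/deauth events name one of your own BSSIDs, and which protection feature fired. The script below is an added example written for this thread; it is not Aruba's code and not from any poster. The log line format, the BSSIDs, the SSID names, the reason strings and the function names are all constructed and simplified for illustration and do not match Aruba's real syslog syntax.

```python
"""Correlate WIP containment events against our own (valid) APs.

Added example, not Aruba's code. The event line format below is a
constructed, simplified one and is NOT Aruba's real log syntax.
"""
import re
from collections import Counter

# Constructed: BSSIDs of our own APs, as they appear in the valid-AP list.
VALID_BSSIDS = {
    "00:1a:1e:aa:bb:c0": "guest-ap-1",
    "00:1a:1e:aa:bb:c1": "corp-ap-1",
}

# Constructed sample events (simplified format, not real Aruba output).
# Lines 1-2: our own guest AP being tarpitted/deauthed under protect-ssid.
# Line 3:    a genuine rogue BSSID being contained (expected behaviour).
# Line 4:    an unrelated log line that the parser must ignore.
SAMPLE_EVENTS = [
    "2021-05-03T10:15:01 wip tarpit client=3c:22:fb:11:22:33 "
    "bssid=00:1a:1e:aa:bb:c0 ssid=Guest reason=protect-ssid",
    "2021-05-03T10:15:02 wip deauth client=3c:22:fb:11:22:33 "
    "bssid=00:1a:1e:aa:bb:c0 ssid=Guest reason=protect-ssid",
    "2021-05-03T10:16:40 wip deauth client=a4:5e:60:44:55:66 "
    "bssid=de:ad:be:ef:00:01 ssid=Corp reason=rogue-ap",
    "2021-05-03T10:17:00 auth user=alice result=ok",
]

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) wip (?P<action>tarpit|deauth) "
    rf"client=(?P<client>{MAC}) bssid=(?P<bssid>{MAC}) "
    r"ssid=(?P<ssid>\S+) reason=(?P<reason>\S+)$"
)


def parse_event(line):
    """Return a dict for a WIP tarpit/deauth line, or None if it is not one."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def find_self_containment(lines, valid_bssids=VALID_BSSIDS):
    """Return the containment events whose target BSSID is one of our own APs.

    Containment of a BSSID that is NOT ours (a real rogue) is normal and is
    left out; containment of our own BSSID means a protection feature is
    misfiring against a valid AP and is what this thread is about.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev and ev["bssid"] in valid_bssids:
            ev["ap_name"] = valid_bssids[ev["bssid"]]
            hits.append(ev)
    return hits


def summarize(events):
    """Count self-containment events per (ssid, reason) so the offending
    protection feature (e.g. protect-ssid) stands out."""
    return Counter((ev["ssid"], ev["reason"]) for ev in events)


if __name__ == "__main__":
    hits = find_self_containment(SAMPLE_EVENTS)
    for ev in hits:
        print(f"{ev['ts']} {ev['action']:6} own AP {ev['ap_name']} "
              f"({ev['bssid']}) ssid={ev['ssid']} reason={ev['reason']}")
    for (ssid, reason), n in summarize(hits).items():
        print(f"{n} event(s) against own SSID {ssid!r} triggered by {reason}")
```

Feed it the controller's real WIP events (after adjusting `EVENT_RE` to the actual log format) and the summary tells you directly whether the deauths are aimed at your own guest BSSID and which feature is named as the reason; if the reason is a "protect" feature rather than rogue containment, that is the setting to turn off, as the replies above suggest.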