Network Management

last person joined: 6 hours ago 

Keep an informative eye on your network with IMC and Airwave network management solutions.
Expand all | Collapse all

Evil Twin Detection and Validation

Jump to Best Answer
  • 1.  Evil Twin Detection and Validation

    Posted Apr 24, 2018 07:53 PM

    I am trying to see where I can alert from the controller (through Airwave) if there is an SSID that is active with Key words.  For instance, I would like to be able to have to alerts, one with an exact match (evil twin AP attack) and one alert with a keywork match (name on my company, etc.).

     

    I do have RF protect licenses and I have been reading a few older threads on the topic and they talk about IDS settings, but I am not finding them on the controller or within Airwave.  We are running 6.5.4.6 code.  Any help would be appreciated.    



  • 2.  RE: Evil Twin Detection and Validation
    Best Answer

    Posted Apr 25, 2018 11:03 AM

    AirWave doesn't have such an alert.  It'd be a good request to make into the innovation portal.  innovate.arubanetworks.com



  • 3.  RE: Evil Twin Detection and Validation

    Posted May 02, 2018 11:39 AM

    Is there a special access needed to get to that link to add an innovation?  I can't seem to register as I am not a partner...

     

    Thanks! 



  • 4.  RE: Evil Twin Detection and Validation

    Posted May 02, 2018 11:41 AM

    Apparently so.  Needs to be an employee or partner.  You can file the request through your sales rep.



  • 5.  RE: Evil Twin Detection and Validation

    Posted May 02, 2018 11:43 AM
    Seems like we should have an airheads section to submit for feature requests...

    Just my thoughts though...


  • 6.  RE: Evil Twin Detection and Validation

    Posted May 02, 2018 11:46 AM

    Agreed, I've fwded that feedback to the community manager.



  • 7.  RE: Evil Twin Detection and Validation

    Posted Nov 02, 2018 12:09 PM

    We reciently purchased Aruba.  Because we have Cisco we have a situreation where both system have to see each other until Cisco has been removed.  Which is going very slow.   The Aruba see the Cisco as rogues... .that is good.  We are trying to do rogue detection for Evit Twin and mark the Cisco SSID as friendly.  We do not want to tie the Cisco system into the Aruba system.   So far Aruba has not been able to solve this problem.  Little disappointed.  Any idea.  We have read all the documentation and reading blogs.  Thank You !



  • 8.  RE: Evil Twin Detection and Validation

    Posted Nov 02, 2018 12:16 PM

    For the next time, please start a new thread since the previous issue in this thread was marked resolved.

     

    For Aruba/Cisco environment, do you also have AirWave?  If so, AirWave's RAPIDS feature allows you to rule out the Cisco SSID range.  Under RAPIDS -> Rules -> create rules to mark the Cisco SSID items, make sure the rule happens before the catch all rules.  Rule processing for RAPIDS is top -> down.



  • 9.  RE: Evil Twin Detection and Validation

    Posted Nov 02, 2018 12:34 PM

    Hi Rob,  Thanks for the quick reply.  I am on the cyber team.  I just had an Wi-Fi Cyber by a outside security contractor complete. The Aruba recieved some findings.  Pretty certain they can be resolved.  The Aurba installion contractor has control of the system but our network team can make changes if approved. THe vender is unwilling to assist because they say that Rogue/Evit Twin detection is out of scope for the project.  Sigh.   Our network team did get on the phone with aruba and they created a custom rule that would look for  evil twin and ignor the cisco APs. They mentioned that the Arub would always try to disable all the Cisco APs.  After about a week, they could never get Aruba to handle Evil twin without disruption the Cisco system.  It is very important we sort or a sould to have evil twin alerting and defense working.   I know that there must be a solution.  So really need help or find someone that has had this situation that we can talk to.  Thank much !



  • 10.  RE: Evil Twin Detection and Validation

    Posted Nov 05, 2018 11:03 AM

    @johnt22

    I've pinged TAC, they'll try to reach out.