I was looking through IDS events and noticed a lot of "Client Associating On Wrong Channel" attacks. RAPIDS classifies this event as the highest of severities so I thought I'd see if this is really something to be concerned about. In the last 2 hours 97 events have been logged, and 460 in the last 24 hours. My MAC has come up as an attacker for this specific event. Any thoughts?
For IDS events, there's currently no way to change the severity of events (that'd be a good idea for a feature request though). The severity is hardcoded. Typically, 'Client Associating on Wrong Channel' only appears in AMP when we see a trap come with the OID: wlsxClientAssociatingOnWrongChannel.
This particular OID is defined as:
"This trap indicates that an AP detected a client trying to associate to one of its BSSIDs on the wrong channel. This can be a sign that the BSSID is being spoofed in order to fool the client into thinking the AP is operating on another channel."
(Some more info on Aruba WIPs can be found here: http://www.arubanetworks.com/techdocs/ArubaOS_61/ROBOHELP%20UG%206.1/ArubaOS_User_Guide_-_volumes/New_WIP.htm - the portion that pertains to 'Client Associating on Wrong Channel' is under 'Detect AP Spoofing')
If you're seeing this trap fire pretty often, you may want to pay attention to how often your APs are switching channels. It could be a false positive. Do you currently have ARM enabled?
Thanks for the info.
Yes, ARM is enabled. I wouldn't say that channels change frequently on APs. We have client aware enabled, so most of the channel changing occurs early morning and late at night when fewer users are on.
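One way to test the false-positive theory raised in this thread, added here as an example (it is not part of any post and is not Aruba code): match each "Client Associating On Wrong Channel" event against channel changes on the same BSSID, and set aside the events that no channel change explains. The record layout, the 5-minute window and every sample value are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumption: how long after a channel change a client may still try the old channel.
WINDOW = timedelta(minutes=5)

# Constructed sample data (not from the thread): (time, AP BSSID, client MAC)
IDS_EVENTS = [
    ("2020-01-15 05:31:10", "02:00:00:aa:00:01", "02:00:00:cc:00:10"),
    ("2020-01-15 05:33:45", "02:00:00:aa:00:01", "02:00:00:cc:00:11"),
    ("2020-01-15 13:02:00", "02:00:00:aa:00:02", "02:00:00:cc:00:10"),
    ("2020-01-15 13:20:30", "02:00:00:aa:00:02", "02:00:00:cc:00:10"),
]
# Constructed sample data: (time, AP BSSID) for each ARM channel change
CHANNEL_CHANGES = [
    ("2020-01-15 05:30:00", "02:00:00:aa:00:01"),
    ("2020-01-15 23:45:00", "02:00:00:aa:00:02"),
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def triage(events, changes, window=WINDOW):
    """Split events into those that follow a channel change on the same BSSID, and the rest."""
    by_bssid = {}
    for when, bssid in changes:
        by_bssid.setdefault(bssid.lower(), []).append(_ts(when))
    explained, unexplained = [], []
    for when, bssid, client in events:
        t = _ts(when)
        recent = any(timedelta(0) <= t - c <= window
                     for c in by_bssid.get(bssid.lower(), []))
        (explained if recent else unexplained).append((when, bssid, client))
    return explained, unexplained


def clients_to_review(unexplained):
    """Count unexplained events per client MAC, most frequent first."""
    return Counter(client.lower() for _, _, client in unexplained).most_common()


if __name__ == "__main__":
    explained, unexplained = triage(IDS_EVENTS, CHANNEL_CHANGES)
    print(f"{len(explained)} events follow a channel change, {len(unexplained)} do not")
    for mac, count in clients_to_review(unexplained):
        print(f"review {mac}: {count} unexplained events")
```

Events that land in the unexplained list, especially repeated ones against the same BSSID during busy hours when ARM is not moving channels, are the ones that fit the trap's spoofing description and merit a closer look.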