We operate 2 x Aruba7220 (master & local) controllers running AOS 18.104.22.168 and deployed AP105/135/205 APs in various spaces. Lately, an increasing number of clients are being constantly kicked off our reliable and secure Production-SSID to a slow and open Guest-SSID. A closer inspection of the logs show a <WARN> of Disconnect Station Attack: An AP detected a disconnect attack of client. Additional Info: Avg-Deauth-Disassoc-PktRate(pps):1.4; Interval(sec):10. We use IDS default profile with IDS DoS default setting including enabled Detect Disconnect Station Attack. How best can we correct this situation?
You probably need to get at the root of your issue. The Disconnect station attack can be subject to false positives. We need to look at the RF to see what environments your clients are in and how your network is configured.
Where do I go to look for this log?
If you don't have the RF protect license, you won't see the message. http://www.arubanetworks.com/products/security/wireless-intrusion-protection/
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.