Detect AP impersonation just sends a message. Protect will send out an IDS/IPS deauth to protect the network. I would not enable all of it until you test in the lab. In some circumstances, it is also illegal to deny service, so I would consult an attorney before turning on anything with "protect".
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides:
https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card------------------------------
Original Message:
Sent: Oct 12, 2023 09:26 AM
From: pabene
Subject: Signature Match: Disassoc Broadcast
Ok, looks like I can disable it via the CLI?
One other question - I see I have "Detect AP Impersonation" enabled, should I also have "Protect from AP Impersonation" enabled? Or just disable "Detect AP Impersonation"?
------------------------------
Peter
Original Message:
Sent: Oct 12, 2023 09:22 AM
From: cjoseph
Subject: Signature Match: Disassoc Broadcast
It should be in the IDS portion: https://www.arubanetworks.com/techdocs/ArubaOS_8.10.0_Web_Help/Content/arubaos-solutions/wireless-intrus-prev/unde-infr-intr-dete.htm?Highlight=disassociation%20broadcast#new_wip_1365762209_1029498
It is default and is optional. Please let me know where you see that Aruba recommends it, so that we can correct it.
Back in the day, the only "encryption" was WEP and IDS/IPS relied on signatures to understand if they were being attacked. This signature is a holdover from that period of time and should not be used, in my opinion, because it fills up logs and most of the detection is false positives.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
Original Message:
Sent: Oct 12, 2023 09:17 AM
From: pabene
Subject: Signature Match: Disassoc Broadcast
How do I disable that detection? I thought Aruba recommended enabling it.
------------------------------
Peter
Original Message:
Sent: Oct 12, 2023 09:09 AM
From: cjoseph
Subject: Signature Match: Disassoc Broadcast
I would disable the detection. At one point in the past it would be the precursor to an attack, but many clients when they simply disassociate have the same signature. In the majority of circumstances it is a false positive.
------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
Original Message:
Sent: Oct 12, 2023 09:07 AM
From: pabene
Subject: Signature Match: Disassoc Broadcast
What course of action can/should be taken when seeing these types of events: Signature Match: Disassoc Broadcast
------------------------------
Peter
------------------------------