Product and Software: This article applies to all Aruba controllers and ArubaOS versions.
A rogue or unsecure AP is an unauthorized AP that is plugged into the user's wired network.
To troubleshoot a rogue AP, follow these steps:
1) Check that the rogue AP can be seen by the Aruba AP. On the AP that is on the same Layer 2 segment as the rogue, check that the rogue can be seen by the AP.
Aruba 2.5.x:
show am ap-list <am-ip> bssid <rogue-bssid>
Aruba 3.x:
show ap monitor ap-list ip-addr <am-ip> ap-bssid <rogue-bssid>
The rogue AP should be returned by these commands. The type may show up as 'interfering'.
2) Check that the controller knows about the rogue AP.
show wms ap <rogue-bssid>
This command should return information about the rogue AP. In addition it will show the APs that can see the rogue.
3) Check that the Aruba AP has learned the gateway wired MAC. Run the following command to get the wired interface MAC of the Aruba AP.
Aruba 2.5.x:
show am status <am-ip>
Aruba 3.x:
show ap monitor debug status ip-addr <am-ip>
Using the wired interface MAC, check if the gateway MAC is present in the wired MAC table.
Aruba 2.5.x:
show am wired-mac <am-ip> <am-wired-mac>
Aruba 3.x:
show ap monitor wired-mac ip-addr <am-ip> <am-wired-mac>
4) Check the rogue AP's wired MAC table.
Nonrouter rogue AP: If the rogue AP is a regular, nonrouter AP, then the Aruba AP's gateway MAC should be present in the rogue AP's wired MAC table.
Aruba 2.5.x:
show am wired-mac <am-ip> <rogue-ap-bssid>
Aruba 3.x:
show ap monitor wired-mac ip-addr <am-ip> <rogue-ap-bssid>
If the gateway MAC is not present, then a ping session from the client of the rogue AP to some device outside the L2 segment may be initiated.
Router rogue AP: If the rogue AP is a router AP, then the rogue AP's Ethernet interface MAC should be present in the Aruba AP's wired MAC table.
Aruba 2.5.x:
show am wired-mac <am-ip> <am-wired-mac>
Aruba 3.x:
show ap monitor wired-mac ip-addr <am-ip> <am-wired-mac>
If the entry is not present, try unplugging the rogue AP and plugging it back in. When the rogue AP sends an ARP request, its Ethernet MAC will be written into the Aruba AP's wired MAC table.
5) Wired MACs are fine, so what is wrong? A problem in communication could be happening between the Aruba AP and the controller. Check that the Aruba AP is in the controller probe list.
Aruba 2.5.x:
show wms probe-list
Aruba 3.x:
show wms probe
If the Aruba AP is in the list, check that the AP is getting poll requests from the controller.
Aruba 2.5.x:
show am counters <am-ip>
Aruba 3.x:
show ap monitor debug counters ip-addr <am-ip>
The count for "Poll Request" should go up.