Problem:Environment:
Airwave Managing/Monitoring IAP's.
Issue:
Airwave classifying a device as Rogue, where as the very same device is classified as Interfering device on IAP as shown below:
Monitored AP Table
------------------
bssid essid chan ap-type phy-type dos dt/mt ut/it encr nstas avg-snr curr-snr avg-rssi curr-rssi wmacs ibss
----- ----- ---- ------- -------- --- ----- ----- ---- ----- ------- -------- -------- --------- ----- ----
E0:10:7F:AC:A5:D8 Popeye's Louisiana 11 interfering 80211b/g-HT-20 disable 4714/71 59/2 wpa2-psk-aes 1 15 13 80 82 0 no
where as the same device in Airwave shows as rogue, please see below:
Diagnostics:
In this scenario, Airwave has a rule configured, if IAP marks that device as Rogue, Airwave should also classify it as Rogue.
Rogue polling data, received by Airwave from an IAP are saved in the Airwave DB, in the table: "rogue_ap_discovery_event", If we look into that table, we can see the discovery events for this particular rogue. (basically the classification of this rogue received form IAP)
we need to look at the column "wms_polled_classification" from the table "rogue_discovery_event" to see the classification received from IAP for this device.
from Airwave CLI, we could do this:
# dbc "select * from rogue_ap_discovery_event where radio_mac = 'E0:10:7F:AC:A5:D8';"
id | channel | last_discovering_ap_id | discovering_client_mac | rssi | ssid | type | wep | port | network_type | discovering_ap_radio_index | apparent_ip | radio_mac | signal | snr | rogue_ap_id | discovery_time | ap_folder_id | wms_polled_classification | wpa | confidence | search_radio_mac | discovering_controller_role
----------+---------+------------------------+------------------------+------+---------------------+------+-----+------+--------------+----------------------------+-------------+-------------------+--------+-----+-------------+----------------+--------------+---------------------------+-----+------------+------------------+-----------------------------
42466331 | 6 | 62 | | 42 | Popeye's Louisiana | 1 | | | 3 | 2 | | E0:10:7F:AC:A5:D8 | -53 | 42 | 95380 | 1429555296 | 23 | 70 | | | |
42475680 | 6 | 104 | | 9 | Popeye's Louisiana | 1 | | | 3 | 2 | | E0:10:7F:AC:A5:D8 | -88 | 9 | 95380 | 1429563174 | 19 | 40 | | | |
42538442 | 6 | 54 | | 5 | Popeye's Louisiana | 1 | | | 3 | 2 | | E0:10:7F:AC:A5:D8 | -92 | 5 | 95380 | 1429613637 | 19 | 40 | | | |
42545148 | 6 | 62 | | 31 | Popeye's Louisiana | 1 | | | 3 | 1 | | E0:10:7F:AC:A5:D8 | -58 | 31 | 95380 | 1429618788 | 23 | 40 | | | |
42545149 | 6 | 119 | | 5 | Popeye's Louisiana | 1 | | | 3 | 1 | | E0:10:7F:AC:A5:D8 | -87 | 5 | 95380 | 1429618788 | 23 | 40 | | | |
42546037 | 6 | 54 | | 6 | Popeye's Louisiana | 1 | | | 3 | 2 | | E0:10:7F:AC:A5:D8 | -91 | 6 | 95380 | 1429619092 | 19 | 40 | | | |
42464187 | 6 | 117 | | 10 | Popeye's Louisiana | 1 | | | 3 | 1 | | E0:10:7F:AC:A5:D8 | -78 | 10 | 95380 | 1429553426 | 21 | 40 | | | |
(7 rows)
(END)
Airwave has a predefined script, which will convert the values of the column from wms_polled_classification to rogue, suspected_rogue, Neighbor etc, to populate on the GUI, below is that script:
my $PRETTY_RAPT_VALID = "'10'";
my $PRETTY_RAPT_SUSPECT_VALID = "'20'";
my $PRETTY_RAPT_NEIGHBOR = "'30'";
my $PRETTY_RAPT_SUSPECT_NEIGHBOR = "'40'";
my $PRETTY_RAPT_UNKNOWN = "'50'";
my $PRETTY_RAPT_SUSPECT_ROGUE = "'60'";
my $PRETTY_RAPT_ROGUE = "'70'";
my $PRETTY_RAPT_CONTAINED = "'80'";
If we see the sql query output, we could see that IAP sent the device's "wms_polled_classification" as 70, which is a rogue, as per the Airwave script. Although IAP sent that value only once, and rest all the discovery event it sent was "40" which is a Suspected_Neighbor, equal to interference.
Airwave will use the highest threat value and will stick to it, as per design. Airwave will not demote the classification, it will only promote it.
Since this rogue device was sent as Rogue once to Airwave, Airwave matched the Rogue rule to "classify all the IAP classified rogue's to rogue on Airwave". Therefore classified this device as Rogue on Airwave.
SolutionIt is the behavior of Airwave, where it will not demote a rogue, it will only promote it if needed.