Contributor I

Evil Twin Detection and Validation

I am trying to see where I can alert from the controller (through Airwave) if there is an SSID that is active with keywords.  For instance, I would like to be able to have two alerts, one with an exact match (evil twin AP attack) and one alert with a keyword match (name of my company, etc.).

 

I do have RF protect licenses and I have been reading a few older threads on the topic and they talk about IDS settings, but I am not finding them on the controller or within Airwave.  We are running 6.5.4.6 code.  Any help would be appreciated.    

Moderator

Re: Evil Twin Detection and Validation

AirWave doesn't have such an alert.  It'd be a good request to make into the innovation portal.  innovate.arubanetworks.com


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
Contributor I

Re: Evil Twin Detection and Validation

Is there a special access needed to get to that link to add an innovation?  I can't seem to register as I am not a partner...

 

Thanks! 

Moderator

Re: Evil Twin Detection and Validation

Apparently so.  Needs to be an employee or partner.  You can file the request through your sales rep.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
Contributor I

Re: Evil Twin Detection and Validation

Seems like we should have an airheads section to submit for feature requests...

Just my thoughts though...
Moderator

Re: Evil Twin Detection and Validation

Agreed, I've fwded that feedback to the community manager.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
New Contributor

Re: Evil Twin Detection and Validation

We recently purchased Aruba.  Because we have Cisco we have a situation where both systems have to see each other until Cisco has been removed, which is going very slow.  The Aruba sees the Cisco as rogues... that is good.  We are trying to do rogue detection for Evil Twin and mark the Cisco SSID as friendly.  We do not want to tie the Cisco system into the Aruba system.  So far Aruba has not been able to solve this problem.  Little disappointed.  Any ideas?  We have read all the documentation and are reading blogs.  Thank you!

Moderator

Re: Evil Twin Detection and Validation

For the next time, please start a new thread since the previous issue in this thread was marked resolved.

 

For Aruba/Cisco environment, do you also have AirWave?  If so, AirWave's RAPIDS feature allows you to rule out the Cisco SSID range.  Under RAPIDS -> Rules -> create rules to mark the Cisco SSID items, make sure the rule happens before the catch all rules.  Rule processing for RAPIDS is top -> down.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company
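
The top-down, first-match ordering described in the reply above, combined with the exact-match and keyword-match alerts asked for at the start of the thread, shown as an added example. It is not part of the original thread and is not AirWave or RAPIDS code or syntax; the rule names, SSIDs, keywords and BSSIDs are all constructed, and it assumes the legacy Cisco APs broadcast the same corporate SSID and are inventoried by BSSID.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Observation:
    ssid: str
    bssid: str

# All values below are constructed for illustration.
CORP_SSIDS = {"corpwifi"}                # SSIDs the company actually broadcasts
KEYWORDS = ("corp", "exampleco")         # company-name fragments to watch for
MANAGED_BSSIDS = {"00:11:22:aa:bb:01"}   # radios on the new (Aruba) system
LEGACY_BSSIDS = {"00:11:22:cc:dd:01"}    # inventoried legacy (Cisco) radios

def norm(value: str) -> str:
    return value.strip().lower()

# Ordered rule list: evaluated top-down, first match wins.
# The friendly rules key on BSSID, not SSID, so an unknown radio that
# copies the SSID still falls through to the evil-twin rule.
RULES = [
    ("managed", lambda o: norm(o.bssid) in MANAGED_BSSIDS),
    ("friendly-legacy", lambda o: norm(o.bssid) in LEGACY_BSSIDS),
    ("evil-twin", lambda o: norm(o.ssid) in CORP_SSIDS),
    ("keyword-lookalike", lambda o: any(k in norm(o.ssid) for k in KEYWORDS)),
    ("unclassified", lambda o: True),    # catch-all must stay last
]

def classify(obs: Observation, rules=RULES) -> str:
    for name, matches in rules:
        if matches(obs):
            return name
    return "unclassified"

# Constructed scan results.
SCAN = [
    Observation("CorpWiFi", "00:11:22:AA:BB:01"),    # our managed AP
    Observation("CorpWiFi", "00:11:22:CC:DD:01"),    # legacy AP, same SSID
    Observation("CorpWiFi", "02:00:00:00:00:99"),    # unknown radio, exact SSID
    Observation("Corp-Guest-Free", "02:00:00:00:00:42"),
    Observation("CoffeeShop", "02:00:00:00:00:07"),
]

def report(scan=SCAN, rules=RULES) -> dict:
    return {(o.ssid, o.bssid): classify(o, rules) for o in scan}

if __name__ == "__main__":
    for key, verdict in report().items():
        print(key, "->", verdict)
```

Moving the `evil-twin` rule above `friendly-legacy` makes the inventoried legacy AP classify as an evil twin, which is the misordering the reply warns about.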
New Contributor

Re: Evil Twin Detection and Validation

Hi Rob,  Thanks for the quick reply.  I am on the cyber team.  I just had a Wi-Fi Cyber by an outside security contractor complete. The Aruba received some findings.  Pretty certain they can be resolved.  The Aruba installation contractor has control of the system but our network team can make changes if approved. The vendor is unwilling to assist because they say that Rogue/Evil Twin detection is out of scope for the project.  Sigh.   Our network team did get on the phone with Aruba and they created a custom rule that would look for evil twin and ignore the Cisco APs. They mentioned that the Aruba would always try to disable all the Cisco APs.  After about a week, they could never get Aruba to handle Evil twin without disrupting the Cisco system.  It is very important we sort or a sould to have evil twin alerting and defense working.   I know that there must be a solution.  So really need help or find someone that has had this situation that we can talk to.  Thank much !

Moderator

Re: Evil Twin Detection and Validation

@johnt22

I've pinged TAC, they'll try to reach out.


Rob Gin
Senior QA Engineer - Network Services
Aruba Networks, a Hewlett Packard Enterprise Company