Occasional Contributor II

AP's spoofing each other?

In reviewing my IDS logs today I noticed that I have several entries where it's being reported that the APs at one location are spoofing other APs at the same location. This is happening at a remote office (6 APs) that we manage from a centralized 7220 that also manages several other remote offices, all in the same AP Group. The issue seems to be happening primarily at 1 physical location. Although they're all AP-225s, they have different MAC OUIs and I notice that it's always one OUI attacking the other. Are these false positives due to the different OUIs, and if so how can I avoid this alert?

 

 

Guru Elite

Re: AP's spoofing each other?

What version of ArubaOS is this?

 

It is quite possible that you have new AP-225s that have a new Aruba OUI, but the version of code is not aware of it:

 

Type:

show wms system

See if, under Learned OUIs, all of the OUIs of your deployed Aruba APs are in there.

 

If they are not, add them by doing this:

 

config t
valid-network-oui-profile
oui <oui not listed>

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor II

Re: AP's spoofing each other?

We're on 6.4.4.16.

 

The OUIs of the attacking and attacked OUIs are learned:

Detail                Count  Attacker           Target
AP Spoofing Detected  -      40:E3:D6:CE:AE:73  18:64:72:40:10:B3

 

 

 

Learned OUIs for Deployed APs
------------------------------
OUI
---
40:e3:d6:00:00:00
b4:5d:50:00:00:00
a8:bd:27:00:00:00
f0:5c:19:00:00:00
04:bd:88:00:00:00
44:48:c1:00:00:00
9c:1c:12:00:00:00
18:64:72:00:00:00
84:d4:7e:00:00:00
70:3a:0e:00:00:00
94:b4:0f:00:00:00

 

I'm stumped!

 

Guru Elite

Re: AP's spoofing each other?

Please open a TAC case.  It is not immediately apparent what your issue is.


Occasional Contributor II

Re: AP's spoofing each other?

I'll get a case open because as I look even closer at the report, I see that I also have APs spoofing themselves...

 

Detail                Count  Attacker           Target             Time                    AP/Device
AP Spoofing Detected  -      94:B4:0F:21:E8:66  94:B4:0F:21:E8:66  11/13/2017 3:10 PM EST  001-CAN3-AP-C3-05
AP Spoofing Detected  -      04:BD:88:17:36:C6  04:BD:88:17:36:C6  11/13/2017 3:12 PM EST  001-MR41-AP-P2-4-08
AP Spoofing Detected  -      04:BD:88:17:39:26  04:BD:88:17:39:26  11/17/2017 9:31 AM EST  001-MRG1-AP-P2-G-01

New Contributor

Re: AP's spoofing each other?

 Hi 

 

Did you find a fix for this? 

 

Thanks.

Occasional Contributor II

Re: AP's spoofing each other?

No, but thanks for the reminder to re-visit the issue. It doesn't seem to cause a tangible problem but it's a symptom of something amiss for sure.
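
The check discussed in this thread (are the attacker and target OUIs in the learned list, and is the attacker the same MAC as the target) can be scripted for a whole report. This is an added example, not part of the original posts and not Aruba code; the input layouts are assumed from the output pasted above, the function names and verdict labels are hypothetical, and one event row is constructed.

```python
import re
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")

# Subset of the "Learned OUIs" table pasted in the thread.
SAMPLE_WMS = """Learned OUIs for Deployed APs
------------------------------
OUI
---
40:e3:d6:00:00:00
18:64:72:00:00:00
94:b4:0f:00:00:00
"""
SAMPLE_EVENTS = [
    "AP Spoofing Detected - 40:E3:D6:CE:AE:73 18:64:72:40:10:B3",  # from the thread
    "AP Spoofing Detected - 94:B4:0F:21:E8:66 94:B4:0F:21:E8:66",  # from the thread
    "AP Spoofing Detected - 02:00:00:AA:BB:CC 18:64:72:40:10:B3",  # constructed
]

def oui(mac):
    return mac.lower()[:8]  # first three octets, lower-cased

def parse_learned_ouis(text):
    """Collect the OUIs listed under 'Learned OUIs' in the pasted output."""
    ouis, in_table = set(), False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Learned OUIs"):
            in_table = True
        elif in_table and MAC_RE.fullmatch(line):
            ouis.add(oui(line))
        elif in_table and line and line != "OUI" and set(line) != {"-"}:
            break  # a different section of the output has started
    return ouis

def triage(event, learned):
    """Classify one spoofing row by its attacker and target MACs."""
    macs = MAC_RE.findall(event)
    if len(macs) < 2:
        return None  # not an attacker/target row
    attacker, target = macs[0].lower(), macs[1].lower()
    unknown = sorted({oui(attacker), oui(target)} - learned)
    if unknown:
        verdict = "oui-not-learned"         # candidate for valid-network-oui-profile
    elif attacker == target:
        verdict = "attacker-equals-target"  # the "spoofing themselves" rows
    else:
        verdict = "both-ouis-learned"       # the OUI list does not explain the alert
    return dict(attacker=attacker, target=target, unknown_ouis=unknown, verdict=verdict)

LEARNED = parse_learned_ouis(SAMPLE_WMS)
RESULTS = [triage(e, LEARNED) for e in SAMPLE_EVENTS]
```

Rows that come back as `both-ouis-learned` or `attacker-equals-target` are the ones a missing OUI entry cannot account for.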






