Wireless Access

Aruba 3200 controllers running 6.4.1.0.  I want to block an SSID that an employee is broadcasting and using while in the office.  All I have is the SSID.  I also have Airwave.

Do you have the RFP/WIDS licensed on your controller?

Yes

http://www.arubanetworks.com/techdocs/ArubaOS%206_3_1_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/New_WIP/Tarpit_Shielding_Adminis.htm

 

So I will configure an ids general-profile default

what command to block just SSID "test"

 

wireless-containment tarpit-non-valid-sta ?

 

There may be other SSID's that I want to allow that are not configured on the controller.

You use the WIP wizard

 

Confidence?

From guide:

 

Suspected Rogue Confidence Level

A suspected rogue AP is an AP that is potentially a threat to the WLAN infrastructure. A suspected rogue AP has a confidence level associated with it. An AP can be marked as a suspected rogue if it is determined to be a potentially threat on the wired network, or if it matches a user defined classification rule.

The suspected-rogue classification mechanism are:

• Each mechanism that causes a suspected-rogue classification is assigned a confidence level increment of 20%.

• AP classification rules have a configured confidence level.

• When a mechanism matches a previously unmatched mechanism, the confidence level increment associated with that mechanism is added to the current confidence level (the confident level starts at zero).

• The confidence level is capped at 100%.

• If your controller reboots, your suspected-rogue APs are not checked against any new rules that were configured after the reboot. Without this restriction, all the mechanisms that classified your APs as suspected-rogue may trigger again causing the confidence level to surpass their cap of 100%. You can explicitly mark an AP as “interfering” to trigger all new rules to match against it.

I set to 100

 

now will this actually disable the SSID from broadcasting or just disable anyone to connect to it?

From connect to it

You can't prevent something from broadcasting an SSID unless you go physically find it and power it down. But you can use deauths and tarpitting to keep clients from being able to connect to it, and use wired ARP poisoning (if it's wired to the network) to kill any of it's wired traffic.

I just want to disable clients from connecting to it.  I enabled a Rogue Classification Rule and it doesnt seem to be working.. I can still connect to that SSID.

 

 

 

 

 

 

 

Did you applied the new IDS rule under the IDS config in the AP Group ?

I followed the WIP wizard and applied to the AP group, yes

Do I have to add it elsewhere after the WIP wizard?

You shouldn't have to, do you rogue ap aware under the arm settings ?

not sure I understand..

 

Do I have to customize the Policy or leave standard settings?

This is under the RF management > ARM profiles rogue ap aware

Do you have air monitors on your network? APs serving clients cannot tarpit rogues and rogue clients.

no air monitors

Do you have RFProtect licenses?

You will either need to convert some existing access points into air monitors or add additional APs for air monitors. Keep in mind that the AM needs to be in range of the rogue device in order to attack. A 4 AP to 1 AM ratio is recommended.

Can an active AP serving client now be provisioned into an Air Monitor? If so, can it do both functions?  Serve clients as well as monitor mode?

It should be able to do both, but of course it will take more time for an AP to actually scan another channel while serving clients compare to an Air Monitor that is just scanning the air

It will not be able to continuously attack the rogue devices if it is also serving clients.

Can I turn a single AP into AM-Mode or does it apply to an entire AP Group.

Best practice would be to provision it into an air monitor AP group but you can set it using the AP specific profile.

I went through the WIP wizard and created a new policy for this.  I provisioned a single AP into an Air Monitor. In the WIP wizard I apply the default policy to all my AP groups.  However, it seems to down wireless for all my SSIDs in all my AP groups. 

Happens when I change the containment method to deauth only