Wireless Access

All, can anyone point me in the direction of finding out how to configure wip so that if a rogue AP appears on the network with the same SSID as a valid one that it send out a trap?

You need:

1.  The RFProtect License

2.  Configure Detection of AP Impersonation (below)

3.  Configure a Trap Destination in Configuration> SNMP.

The trap for this is automatically sent to the Trap Destination

Thanks I will give that a go.

Well as soon as i put in my trap received my mangament system became completely flooded from the wifi controller. Cant see  what the alerts are for , they look non descritpt.  How can i stop the controller from sending anythig BUT the roge ap with duplicat SSID alerts?

Colin,

I see that you can do the command to look at all the traps that are sent which are a lot. and then you can use:-

 (config) #snmp-server trap disable wlsxWirelessBridge
(config) #snmp-server trap disable coldStart

But if I only want the trap for a rogue ap with same SSID as a legitimate one sent which is this one? Also, do I have to do a disable for the hundred or so traps one by one?

Cheers!

Attached is a list that someone on our organization put together.  Those are the raw commands to enable/disable traps.  If you search and replace enable with disable, you will disable all the traps.  Paste that in.

You can then enable only the traps that you want.

Attachment(s)

SNMP trap commands.txt   11 KB 1 version

Thanks Colin but do you know which is the right trap for the fake AP with the same SSID one?

I think the one you want is "wlsxAPImpersonation".

Thanks!

Just to clarify - doing a 'no' on all those traps will not affectig normal reporting of wip to the dashboard will it? This will only affect what is sent to a third party network?

Thats right.  Doing a "no" on the enabled traps will only affect what the configured trap receivers see, not the dashboard on the controller.

Thanks:)

Do you think that on the trap receiver, that you have to create a mib to see these traps or do you just have to tell it the read string and it will receive the traps legibly?

Also do the traps have to removed from all controllers or just master?

All controllers, AFAIK.  I dont think the master sync's the SNMP config to the locals.

Thanks! Looks like  need the MIB and I have to add to all my controllers..

Struggling to find the MIB on the support site - can someone paste me the link please?

On the support site under:

Downloads > ArubaOS > General Availability > Current Releases > Release 6.1.x > Release 6.1.3.5

File is named standard-mibs....

It is always in the same folder as the code.

And possibly "wlsxValidSSIDViolation"

I tried doing the same.

I am configuring Solarwinds to monitor the controller for WIPS.

However when I add the OID for wlsxAPImpersonation, it says the OID is not supported. 

Any thoughts?

I downloaded the tar and expanded and it gives about 15 .my files. Is this correct? Do i have to import these one by into my management station?

Ok i added the aruba mib file and my managment systems seems to have taken it, Immediately after configuring my management station as a snmp trap agent it srarted receiving countless traps.  I disabled all traps and enabled just the two mentioned in which to alert for duplicate SSID and my management station doesnt receive the trap.. I had created a wireless hotspot on a android phone and entered a SSID with the same name as a bona fide one. I can even see this phone advertising on the aruba dashboard with the bogus SSID but the trap isnt sent.... any ideas ?

By default that configuration to detect a duplicate SSID is not on.  Do you have detection enabled in the IDS profile?

I just did what was suggested in this thread. Are toae two trap profiles incorrect? If so how do you switch on what you suggest?

The traps will only be sent if:

A third-party access point has the same wireless mac address as one of your own 

A third-party access point has the same wireless mac address AND SSID as one of your own.

Just having the same SSID will not activate the impersonation trap.

So what do you switch on to enable a trap if someone puts a ap on the network with the same ssid please?

There are two things that you need to do:

1.  Use the WIP Wizard and configure a policy that detects Valid SSID misuse in your "Default" ap group.

2.  Look for the wlsxValidSSIDViolation trap.

Alternatively, you can just enable the "Detect Valid SSID Misuse" in the IDS Unauthorized Profile in that AP Group.

Thanks,

I have added in WIP wizard and ensured that wlsxValidSSIDViolation is enabled in the trap list for the same ap group that I set upin  the default wip wizard. I switched on the android device with the same SSID and I didnt get anythimg. Would i see this in the 'show snmp trap-queue' command if it had been generated?

To add to my last post, I went back into the default wip wizard and when you select the default wizard in the letft window it doesnt say that the Ap groups I added the last time are there. I tried a few times and saw that in the summary just before you push the policy it definitaly has the ap groups I slected there but again if I go back in it shows as nothing is in there. Is this normal behaviour?

If you are using an access point, it will take time to scan the channel of the duplicate AP.  If you are using an Air Monitor, however, it will take much less time to scan, identify and report on the duplicate device.

If Airwave is the trap receiver, it has the MIB loaded already.  If Airwave is not, you will have to get the MIB from Aruba's support site.  Without the MIB, the trap will be received legibly, but the codes and OIDs may not make sense.  BTW - there is a MIB guide on the Aruba support site that describes each of these traps (even though the AP impersonation still says "Detects Station impersonation").