Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Protect for rogue AP

  • 1.  Protect for rogue AP

    Posted Jun 09, 2017 11:15 AM

    Hi, my first topic, sorry about possible mistakes.

    I read many topics about it, but I'm not sure about the solution.

    I'm seeing many rogue APs in my controller dashboard and AirWave,

    I'm certain that it's not my neighbors and authorized APs.

    AirWave is detecting and classifying correctly.

    How can I protect my users from these rogues? Can I just check the "Protect" boxes in IDS unauthorized devices?

    If I check these boxes, may I cause an incident on my WLAN? Will my APs stop working, and can my users be at risk of losing their connections? Is there some possibility of "denying" my own service?

    Thanks for answers.



  • 2.  RE: Protect for rogue AP

    EMPLOYEE
    Posted Jun 09, 2017 11:34 AM

    Hi,

    Enabling rogue containment won't cause any impact to the current WLAN users.

    To enable rogue containment,

    1. On the IDS General Profile, set the Wireless containment to deauth-only (when no RFP license).

    2. On the IDS Unauthorized Device Profile, enable Rogue Containment.

    This would contain rogue APs on all channels if you have AirMonitors. Otherwise, rogue containment would work only if the rogue AP and the containing Aruba AP are on the same channel.



  • 3.  RE: Protect for rogue AP

    Posted Jun 09, 2017 12:18 PM

    Hi Vincent,

    These options are checked, but these rogues can still transmit my SSID.

    I did a test and I could connect to this rogue.

    I'm trying to make it impossible for these rogues to transmit the same SSID or part of my SSID, and impossible for any client to connect to them. I'm trying to isolate my WLAN from these rogues...

    Can the "protect" checkboxes (SSID, suspected rogue, adhoc, Windows bridge, valid sessions...) protect me?



  • 4.  RE: Protect for rogue AP

    EMPLOYEE
    Posted Jun 09, 2017 01:40 PM

    You really need to be careful when enabling these 'protection' mechanisms. If you are improperly classifying neighboring APs and then enable containment and improperly contain/deauth them, you could be subject to fairly substantial fines from the FCC.

    If you are enabling containment, you need to be 100% sure your config is valid and is not improper. You should NOT be seeing neighboring APs classified as Rogues unless they are wired into your wired network. If they are not, and they are being classified as Rogue, you have something misconfigured.



  • 5.  RE: Protect for rogue AP

    Posted Jun 09, 2017 02:20 PM

    Hi Howard.

    My only filter is the word of my SSID.

    If another AP outside my solution transmits the same word as my SSID, I will classify it as a rogue.

    Now, I'm seeing in AirWave 2 APs classified as rogue because of the SSID.

    How can the controller detect the wired connection in my infra? Is there any option in the controller that I have to configure to be sure that an AP is a rogue?

    I think, for me, it's not necessary that the rogue has a wired connection.

    If the station transmits my SSID and simulates a certificate, and has FreeRADIUS or another program that asks for 802.1X, this station can check my AD user/password and access my corporate mail or many systems published on the DMZ. Am I wrong?

    To classify an AP as a rogue, do I have to be sure about the wired connection even with the comments above?



  • 6.  RE: Protect for rogue AP

    EMPLOYEE
    Posted Jun 11, 2017 03:47 AM

    Hi Diogo,

    Only if the non-valid AP is connected to your wired network can you call it a Rogue. I mean, a wired connection is necessary to call it a Rogue.

    An interfering AP, even when it broadcasts the same SSID as the Aruba WLAN, cannot be a Rogue. If an interfering SSID is getting detected as Rogue, that could be because of some configuration either on the controller or AirWave.

    If you want to contain non-valid APs broadcasting the valid Aruba WLAN SSIDs, you need to use features like protect-ssid, valid and protected ssid or rule based classification.

    See the links below for reference:

    1. https://community.arubanetworks.com/t5/Controller-Based-WLANs/Can-we-protect-valid-ssid-from-being-broadcast-by-Mobile/ta-p/235395

    2. https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-Does-Protect-SSID-Setting-Accomplish/ta-p/181480

    3. http://community.arubanetworks.com/t5/Controller-Based-WLANs/How-to-configure-Aruba-controller-to-detect-a-hotspot/ta-p/267201



  • 7.  RE: Protect for rogue AP

    Posted Jun 12, 2017 10:51 AM

    Many thanks, Vincent.

    I think I'm understanding now.

    First, I have a computer for a test, broadcasting a similar SSID and connected to my infra. Should I call this station a rogue and interfering?

    I need the boxes contain rogue and protect / valid SSID to solve this situation, don't I?

    Second, if I have another station, broadcasting any different SSID but connected to my infra, can I classify it as a rogue?

    Third, any station broadcasting a similar SSID but not connected to my infra is just called interfering and should be solved with protect SSID, OK?

    I have one more question.

    How can the Aruba controller and AirWave detect interfering, rogue, and suspects?

    I'm seeing in AirWave many cases that the controller classified as a rogue and RAPIDS as a suspected rogue.

    The SSID is different and I don't know how I can check the wired connection to be sure about rogue and suspect and contain it.

    Note: I don't find anything about interfering, in either the controller or RAPIDS.

    I'm lost.



  • 8.  RE: Protect for rogue AP

    EMPLOYEE
    Posted Jun 12, 2017 01:19 PM

    AirWave has its own 'rules' (aka RAPIDS rules) for how it classifies rogues and interferers, so it depends on who and what is doing the classification. If you have the default 'RAPIDS Rules' in place, then AirWave will define a 'rogue' as any non-monitored neighbor with signal at -75 or stronger. This in and of itself is not technically a 'rogue' but the description within AirWave notes that. That, by default, should likely be disabled in any deployment where you have multiple neighboring Wi-Fi networks that are not yours.

    A laptop broadcasting an SSID may not get picked up as a rogue if it's not bridging the wired and wireless. This depends on how you configured the laptop and what tools you used.

    Any AP broadcasting ANY SSID (not just your ESSID but any ESSID) that is wired into your network will be flagged as a rogue if your APs are connected and monitoring the wired.



  • 9.  RE: Protect for rogue AP

    EMPLOYEE
    Posted Jun 12, 2017 01:23 PM

    Note as well that in the AirWave table, it will tell you if it's AirWave or controller classified.
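
A simplified model of the classification rules stated in replies 6 and 8, added here as an illustration; it is not Aruba or AirWave code and not part of any post. The field names, function names, the "unclassified" label and the sample observations are constructed; only the rules (wired correlation makes a rogue, a valid SSID on a non-valid AP is the protect-ssid case, the default RAPIDS rule flags non-monitored neighbors at -75 or stronger) come from the thread.

```python
from dataclasses import dataclass

VALID_SSIDS = {"corp-wlan"}      # constructed: SSIDs the managed WLAN serves
RAPIDS_SIGNAL_FLOOR_DBM = -75    # default RAPIDS rule quoted in reply 8

@dataclass(frozen=True)
class SeenAP:
    bssid: str
    ssid: str
    signal_dbm: int
    managed: bool        # one of our own (valid) APs
    seen_on_wire: bool   # its traffic was correlated with our wired network

def controller_class(ap: SeenAP) -> str:
    """Controller-side view per replies 6 and 8: wired correlation decides."""
    if ap.managed:
        return "valid"
    return "rogue" if ap.seen_on_wire else "interfering"

def protect_ssid_applies(ap: SeenAP) -> bool:
    """Non-valid AP advertising a valid SSID: the protect-ssid case (reply 6)."""
    return not ap.managed and ap.ssid in VALID_SSIDS

def rapids_default_class(ap: SeenAP) -> str:
    """Default RAPIDS rule per reply 8; 'unclassified' below it is an assumption."""
    if ap.managed:
        return "valid"
    return "rogue" if ap.signal_dbm >= RAPIDS_SIGNAL_FLOOR_DBM else "unclassified"

def containment_candidate(ap: SeenAP) -> bool:
    """Wired evidence or valid-SSID broadcast only, never signal strength alone."""
    return controller_class(ap) == "rogue" or protect_ssid_applies(ap)

def review(aps):
    """Rows of (bssid, controller class, RAPIDS class, containment candidate)."""
    return [(a.bssid, controller_class(a), rapids_default_class(a),
             containment_candidate(a)) for a in aps]

# Constructed observations, not taken from the thread.
SAMPLE = [
    SeenAP("02:00:00:00:00:01", "corp-wlan", -48, True, True),     # our own AP
    SeenAP("02:00:00:00:00:02", "cafe-guest", -60, False, False),  # loud neighbor
    SeenAP("02:00:00:00:00:03", "corp-wlan", -55, False, False),   # same SSID, not wired
    SeenAP("02:00:00:00:00:04", "printer-ap", -70, False, True),   # plugged into the LAN
    SeenAP("02:00:00:00:00:05", "far-away", -88, False, False),
]

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

The second row is the case reply 4 warns about: a neighbor that a signal-strength rule calls a rogue but that has no wired or SSID evidence behind it.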



  • 10.  RE: Protect for rogue AP

    Posted Jun 12, 2017 02:54 PM

    It seems that I finished the AirWave config correctly... only my station is appearing as a rogue.

    But I'm not sure about the controller yet...

    How can APs monitor the wired connection?

    The controller is classifying my station as interfering, even with a wired connection. How can the controller detect and classify it as a rogue correctly?

    I have many other suspected rogues in the controller that do not appear anymore in AirWave. I don't think that this classification is correct. Why suspected rogue?

    Where can I configure these options to correctly match the interfering, suspects and rogues?



  • 11.  RE: Protect for rogue AP

    EMPLOYEE
    Posted Jun 12, 2017 04:04 PM

    I would grab the user guide and go through the relevant WIDS configs. APs will monitor the wired network to correlate wired traffic seen over the air that didn't come out of one of the managed APs.

    There are multiple postings within Community as well as the user guide that cover how rogue detection works.

    If your laptop is not bridging the wired to wireless, then it won't show up as a rogue.



  • 12.  RE: Protect for rogue AP

    Posted Jun 21, 2017 10:52 AM

    Hi guys,

    I have read the user guide and followed all the steps.
    All necessary boxes are checked on the IDS profile.
    I didn't find anything about AP config in the user guide WIDS/IPS.

    Do I have to put some APs into monitoring RF, or can my APs continue in AP mode?
    Do I have to set APs to specifically detect and contain rogues, or can they continue providing service?

    I'm identifying a rogue AP correctly, but the controller is not containing these rogues and the same broadcasted SSID (interfering), even with all contain and protect boxes enabled.
    I'm seeing these rogues and associated clients on the security dashboard;
    the BSSID is marked to contain (YES) but nothing happens.

    Note: I don't have an RFProtect license or other license for IPS... Is it necessary for these containments and protections?
    All my AP groups are in AP mode on RF management, with default config for radios.
    Any idea where I'm wrong?

    Thanks again.


  • 13.  RE: Protect for rogue AP

    EMPLOYEE
    Posted Jun 21, 2017 01:30 PM
    Hi, The target AP is classified as rogue and marked for containment. So now, for containment to work, the target AP and the containing Aruba AP should be on the same channel. If the target AP is on channel 1 and the Aruba AP is on channel 6, then Aruba AP cannot contain another AP on a different channel. You need to have the Aruba AP on the same channel as the target AP or you need to have an AirMonitor. RFP license is not required if the containment method is deauth-only.


  • 14.  RE: Protect for rogue AP

    EMPLOYEE
    Posted Jun 21, 2017 08:16 PM

    An AP that is serving clients can scan and contain Rogue APs on different channels.  It can even contain APs on the wired network, so that it does not have to be on the same channel.  Please see the rogue AP definitive guide for in-depth information here: https://community.arubanetworks.com/aruba/attachments/aruba/ControllerBasedWLANs/47/2/PDFRogueAPGuide.pdf



  • 15.  RE: Protect for rogue AP

    Posted Jun 29, 2017 01:42 PM

    Hi sirs,

    Thank you all for the help and answers!!!

    But I will give up!!!!

    I'm following all options, all answers, all documents... but I don't know how to do good control on the Aruba controller.

    My dashboard is showing a rogue, marked to contain. All options to protect, monitor and contain are enabled and I'm still connecting to the rogue AP that I'm using for the tests.

    First, this rogue was classified as interfering correctly; I reclassified it as a rogue.

    I can SEE the connected client marked to contain, I can see the rogue marked to contain, but this containment doesn't work. I am still connected and using the internet through the rogue, even with the same / similar SSID, classified as a rogue, and contained manually.

    My rogue isn't connected by wire; I'm just broadcasting the same/similar SSID and classifying it manually as a rogue.

    My last breath to make this control... Any idea what I forgot? Any checkbox? Any option?

    Thanks again.



  • 16.  RE: Protect for rogue AP

    EMPLOYEE
    Posted Dec 20, 2017 08:43 PM

    What model access point was this and what version of ArubaOS code?



  • 17.  RE: Protect for rogue AP

    Posted Dec 21, 2017 05:14 AM

    Hi Joseph.

    Name: Aruba Operating System Software.
    Model: Aruba3400
    Version: 6.3.1.16

    AP Aruba 135.

    We can't update ArubaOS; our contract is out of date.

    Is this a problem?!



  • 18.  RE: Protect for rogue AP

    EMPLOYEE
    Posted Dec 21, 2017 06:33 AM

    Okay,  when you have this enabled, you should type 

    show ap monitor active-laser-beams ap-name <name of the AP-135>

    That will tell if the AP 135 is even trying to do anything.