Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Rogue AP Containment

  • 1.  Rogue AP Containment

    Posted Oct 06, 2017 03:43 PM

    Any configuration examples out there on how to configure rogue AP containment? We have a pen tester in with an AP that's configured to use the same SSIDs as the production network. Users are attaching to his device so he can steal their creds.

    We have RF Protect licenses installed on the controllers and I was under the assumption that the canned values with RF Protect should deny or contain this traffic. Doesn't look like this is happening.

    We're using 7210 controllers and new AP-335s for APs, as well as 3 AP-335s for Air Monitors across the floor. Any configuration help would be most appreciated.



  • 2.  RE: Rogue AP Containment

    EMPLOYEE
    Posted Oct 06, 2017 03:50 PM

    You would have to enable "protection" for any IDS/IPS activity.  "Detection" is only reporting.



  • 3.  RE: Rogue AP Containment

    Posted Oct 06, 2017 05:33 PM

    There are regulatory issues with defaulting containment to on. In fact there may be problems turning it on at all in some locations or jurisdictions.

    Containing your hired pentester is probably fine, but if the same settings "contain" a neighboring business' SSID for some reason, you could be in hot water.



  • 4.  RE: Rogue AP Containment

    EMPLOYEE
    Posted Oct 07, 2017 04:06 AM

    Please realize that if your pen tester can make your clients connect to his/her malicious AP in your environment, the same can happen outside your environment in a place where you don't have the APs that can do WIPS/WIDS.

     

    So I would ask the pen tester for advice on how to fix this on the client side. One of the possibilities is that your clients do not properly validate the server certificate (link to explaining video), and that can only be fixed on the client side.

    So configuring RFProtect to detect or protect your SSID from being spoofed is something you should do anyway, but it does not fix the real problem.
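
The client-side fix the reply above points at, shown as an added example that is not from the thread: a wpa_supplicant.conf network block for a WPA2-Enterprise (PEAP/MSCHAPv2) SSID, first without server certificate validation and then with it. The SSID "CorpWiFi", the user name, the CA file path and the server name "radius.example.com" are hypothetical placeholders; Windows and macOS supplicants expose the same three controls (validate the server certificate, the trusted CA, the expected server name) under different names.

```text
# Added example (not from the thread). Placeholders: CorpWiFi, alice, the CA
# path and radius.example.com are all hypothetical.

# Weak: no ca_cert and no server-name match. wpa_supplicant completes the TLS
# handshake with whatever RADIUS server answers, so a rogue AP broadcasting the
# same SSID in front of its own RADIUS server receives the MSCHAPv2 exchange
# inside the tunnel it just terminated.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="secret"
    phase2="auth=MSCHAPV2"
}

# Hardened: pin the issuing CA and require the server certificate's name to
# match. A rogue whose RADIUS server cannot present a certificate from this CA
# for this name fails in the TLS phase, before any credential is sent.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    anonymous_identity="anonymous"
    password="secret"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
}
```

The point of the second block is that the decision to trust the authenticator is moved from the SSID name, which anyone can broadcast, to a certificate chain the attacker cannot forge. This protects the client wherever it roams, which is exactly the gap the reply describes: a WIDS only covers the air your own sensors can hear.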



  • 5.  RE: Rogue AP Containment

    Posted Oct 09, 2017 01:28 PM

    Thanks everyone. Based on your feedback I now have some direction to test and explore. 



  • 6.  RE: Rogue AP Containment

    Posted Oct 26, 2017 02:52 PM

    Bumping this topic.

    Spent an hour and a half on the phone with TAC this morning on this, which went absolutely nowhere. Long story short... I have a test lab 7005 controller with 1 x AP-115 and 1 x AP-115 Air Monitor. The AP is broadcasting an SSID called "Fake". To test AP Impersonation or Hotspotting I found an old Linksys a/b/g router that I configured to also broadcast the same "Fake" SSID. I created an AP Group for the Air Monitor so I can apply an IDS Impersonation profile to it (I want the AMs to do this work and not our APs). I turned on every detect and protect option available:

    [screenshot: Capture.JPG]

    Shouldn't the AM DoS the Linksys or quarantine it somehow in order to make it unavailable to a potential client? This is not happening, and TAC is saying that it's not a security risk if someone brings in an AP and broadcasts your production SSID to sniff the air and get user creds as clients attempt to connect. Am I missing something here? How should IDS behave in these situations, and how can I verify that it's doing what it should be doing (other than being unable to connect to the Linksys)? Are there other parts of IDS that I need to turn on, or just the IDS Impersonation portion?



  • 7.  RE: Rogue AP Containment
    Best Answer

    EMPLOYEE
    Posted Oct 26, 2017 03:17 PM

    Please see the article here:  http://community.arubanetworks.com/t5/Controller-Based-WLANs/Can-we-protect-valid-ssid-from-being-broadcast-by-Mobile/ta-p/235395

     

    You need to specify what SSID(s) you want protected in the unauthorized device profile.
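
The setup from post 6 (an AP group for the Air Monitor, the "Fake" SSID served by both the lab AP and the Linksys) together with the fix from post 7 (name the SSIDs to protect in the unauthorized device profile), written out as an added example. This is not configuration from the thread or from the linked article; it is ArubaOS 6.x controller CLI as I recall it, so treat the command names, the `no` forms and the `!` separators as assumptions and confirm them against the CLI reference for your release. The profile names lab-unauth, lab-imp, lab-general and lab-ids and the AP group am-group are hypothetical; "Fake" is the SSID from post 6.

```text
! Added example, not from the thread. ArubaOS 6.x CLI, syntax assumed.
! Hypothetical names: lab-unauth, lab-imp, lab-general, lab-ids, am-group.

! 1. Where post 6 ended up: every detect option on, no SSID listed and
!    protect-ssid off. Valid-SSID-misuse and impersonation events are logged,
!    the dashboard shows the Linksys, but nothing is ever contained.
ids unauthorized-device-profile lab-unauth
   detect-valid-ssid-misuse
   no protect-ssid
!

! 2. The fix from post 7: list the SSIDs that only your own APs may serve and
!    turn on protection for them. Only names in this list are acted on, so a
!    neighbour's SSID (post 3's concern) is never touched.
ids unauthorized-device-profile lab-unauth
   valid-and-protected-ssid Fake
   detect-valid-ssid-misuse
   protect-ssid
   protect-valid-station
!

! Impersonation (beacon/BSSID spoofing of a valid AP) is a separate profile.
ids impersonation-profile lab-imp
   detect-ap-impersonation
   protect-ap-impersonation
   detect-hotspotter
!

! How a contained device is contained is set once, in the general profile.
! deauth-only is the least disruptive method and the one to start with.
ids general-profile lab-general
   wireless-containment deauth-only
   no wired-containment
!

! Bundle the sub-profiles and apply the bundle to the AM group only.
ids profile lab-ids
   ids-unauthorized-device-profile lab-unauth
   ids-impersonation-profile lab-imp
   ids-general-profile lab-general
!
ap-group am-group
   ids-profile lab-ids
!
```

Two things worth noting. Protection of your own SSID is driven by the `valid-and-protected-ssid` list, not by rogue classification: the `rogue-containment` option in the same profile (assumed name) acts on whatever the controller has classified as rogue, is what post 3 warns about, and is intentionally left off here. To verify the second version, associate a test client to the Linksys, watch for it being deauthenticated, and confirm the matching event in the controller's IDS log; `show ap monitor ap-list ap-name <am-name>` (assumed command) shows how the AM classified the Linksys BSSID.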



  • 8.  RE: Rogue AP Containment

    Posted Oct 26, 2017 03:32 PM

    This worked PERFECTLY.  Thank you Colin!