Wireless Access

last person joined: 15 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Rogue AP interpretation change with upgrade?

This thread has been viewed 0 times

  • 1.  Rogue AP interpretation change with upgrade?

    Posted Aug 05, 2013 05:21 PM

    Back in 7.4 or 7.5, we tested connecting a rougue AP in to our lab switch and Airwave correctly identified the rogue and sent our NMS and syslog an alert -- all good.

     

    Today I've plugged in the rogue for a show-and-tell with our PCI assessor and Airwave had elected to declare the AP a "suspected neighbor"

     

    Did something change in the underlying logic, or were a week of tests missing some crucial bit of testing?

     

    Lab switch had point-of-sale and client and wireless VLANs trunked to iAP, connect a "rogue" (linksys) to point-of-sale port and connect power. the iAP almost immediately shows the rogue in the IDS page:

    iAP draws the right conclusion

     

    After a few minutes, I notice that I haven't received the e-mail from Airwave, nor from the NMS or Syslog.

    I check Airwave and it thinks we have a neighbor:

    187-Airwave-disagrees-part-1

    187-Airwave-disagrees-part-2

     

    What's missing? Or how do I trace Airwave's logic to see where I need to tune it?

     

    My rules:

    Airwave-rogue-rules



  • 2.  RE: Rogue AP interpretation change with upgrade?

    EMPLOYEE
    Posted Aug 05, 2013 09:14 PM
    Did you make any changes to the RAPIDS rules? Which AirWave rule is the classifying rule? Remember that AirWave classification has more options than the controller classification.


  • 3.  RE: Rogue AP interpretation change with upgrade?

    Posted Aug 06, 2013 12:10 PM

    Made no changes.

     

    In the screenshot, it shows "detected wirelessly" as the classification rule.

     

    I forgot to add that Airwave is also pliing the switch to which both AP and rogue are connected and should have seen the MAC/ARP entry as well as the iAP -- so I'm expecting "Detected Wirelessly and on LAN" to hit.

     

    Note that it hit a few months ago when we last tested. The only change has been upgrades to Airwave.



  • 4.  RE: Rogue AP interpretation change with upgrade?

    EMPLOYEE
    Posted Aug 06, 2013 12:21 PM

    The configuration looks good to me.  The next step would be to open a support case.  Support will need to do a capture from AirWave of the data gathered from polling the switches (what's the current switch polling period?).



  • 5.  RE: Rogue AP interpretation change with upgrade?

    Posted Aug 06, 2013 01:26 PM

    4 hours (whatever the default was)

     

    The rogue has been plugged in for 20 hours so far.

    I'm assuming that new information about a device will cause RAPIDS to re-classify an object.



  • 6.  RE: Rogue AP interpretation change with upgrade?

    EMPLOYEE
    Posted Aug 06, 2013 01:33 PM

    The quick test of that is to move a rule up, save, and then move a rule back to where it was, save.  It's a wonky way to force AirWave to review classification, but it works.



  • 7.  RE: Rogue AP interpretation change with upgrade?

    Posted Aug 06, 2013 02:32 PM

    No change, unless the reclassification is still running (anyplace to check progress?) so I assume its time to call TAC?



  • 8.  RE: Rogue AP interpretation change with upgrade?

    EMPLOYEE
    Posted Aug 06, 2013 03:39 PM

    Yeah, looks like it's time to bring in TAC.