@baboyero wrote:
Hello Aruba Gurus,
I am trying to manually contain an 802.11g device. I tried using a deauth containment but I don't see any deauth packets sent. I even checked with the controller by doing a show ids general-profile..... and there are no containments. When a device is manually contained, is it contained based on the wireless containment set under the general IDS profile? Also, if we are using a dedicated air monitor, how long will it deauth the client and how often? I also tried a tarpit approach but it did not work. We are using an aruba 6000 with OS 6.1 and with an AP 61. Not sure if the AP 61 can't do containment. We also have 105 types of AP but I have not tried that yet. Any thoughts? Thanks.
Are you using automatic or manual containment? Please check to see if the bssid of the ROGUE ap is classified as a rogue:
show wms ap list | include <rogue ap bssid>
Next, see if any APs can see that rogue:
show wms ap <rogue ap bssid>
show wms rogue-ap <rogue ap bssid>
1. show ap monitor ap-list ap-name <ap name that sees the rogue ap after running master controller command>
- look to see the current classification of the rogue ap and see if dos is enabled.
2. show ap monitor client-list ap-name <ap name that sees the rogue ap>
- look for the clients MAC that is connecting to the rogue.
3. show ap monitor containment-info ap-name <aruba ap name>
- TONS of info. This one shows if the Aruba AP is tarpitting, DOS’n
4. show ap arm scan-times ap-name <ap name that sees the rogue ap>
- look for WIF Scan Times to see how long the AP stays on the channel where rogue ap is at
5. show ap monitor active-laser-beams ap-name <ap name that sees the rogue ap>
- look for any ap names dosing
- look at inactive time