Wireless Access

hi and happy new year.

I use the WIP Wizard to configure the wip (ids and ips) , but when done found that the users can’t associate with an open WLAN ( guest wlan) , and didn’t know way .

Any suggestion, any idea, any usefull document.

Thank you.

rchahboune,

 

Change the configuration back to the default.  We do not have enough information to understand why it is not working.

 

yes,

i do that ( i disable the IPS and the IDS ), and when done the  the association to the OPEN SSID become possible.

 

Well,

 

That is your answer.  The problem is your settings.  IDS settings can block traffic from legitimate SSIDs, as well.

 

i configure a new WIP profile

do the following

 

IDS Configuration

high level

IPS configuration

High level

 when done , the asscotiation with the open (captive portal WLAN) become impossible , custumer can't connect to it, and when i disable the WIP (ids and ips off), the association with the open WLAN become possible and normal.

my question is what is the WIPS parameter that prevent the assocation with the open WLAN.

regards

---

@rchahboune wrote:

i configure a new WIP profile

do the following

 

IDS Configuration

high level

IPS configuration

High level

 when done , the asscotiation with the open (captive portal WLAN) become impossible , custumer can't connect to it, and when i disable the WIP (ids and ips off), the association with the open WLAN become possible and normal.

my question is what is the WIPS parameter that prevent the assocation with the open WLAN.

regards

---

We need the exact WIP configration to understand what could be blocking the clients--there are MANY checkboxes that could be stopping clients from connecting.

 

Honestly, IDS/IPS  is typically not applied to an open SSID, because there are many attacks that could be done to users that do not have encryption enabled.  If the customer is serious about  protecting against attacks, they should first enable strong encryption.

hi cjoseph,

for the configuration i followed the WIPS wizard , and i configure the the ids and ips rule at the high level.

I use the IDS/IPS for some APGROUP that contain a VAP with strong encryption (WPA2 Entrerise) and  open SSID (Guest SSID with captive portal authentication).

when done the open ssid has become inaccessible.

 

 

Please uncheck the following under IDS Unauthorized Device profile under the advance tab.

- Privacy
- Require WPA

---

wajih.anees@bell.ca wrote:
Please uncheck the following under IDS Unauthorized Device profile under the advance tab.

- Privacy
- Require WPA

---

thank you for the replay  i have uncheck Require WPA but not Privacy , i will do iit soon.

have you checked your logs, they might provide information on why clients are kicked off when WIPs is on, then you can disable those.

---

@boneyard wrote:

have you checked your logs, they might provide information on why clients are kicked off when WIPs is on, then you can disable those.

---

good idea i will try to.

What is the customer policy with respect to WIPS that you are trying to achieve?

 

Is there something specific in the 'high' profile that the customer wants enabled?

 

An over vealous configuration of WIPS policy can have a detrimental effect, even to your own legitimate ssids, as cjoseph mentioned.

 

I would suggest starting with the 'low' profile and tuning up the features that you require.

 

Nevertheless, I believe that the 'privacy' setting in the unauthorised-device-profile is what is causing your issues, though the logs will confirm that.

 

---

@Michael_Clarke wrote:

What is the customer policy with respect to WIPS that you are trying to achieve?

 

Is there something specific in the 'high' profile that the customer wants enabled?

 

An over vealous configuration of WIPS policy can have a detrimental effect, even to your own legitimate ssids, as cjoseph mentioned.

 

I would suggest starting with the 'low' profile and tuning up the features that you require.

 

Nevertheless, I believe that the 'privacy' setting in the unauthorised-device-profile is what is causing your issues, though the logs will confirm that.

 

---

i agree with you , the IDS/IPS have to be configured step by step according to the needs, but i deploy that for a custumer who is not familiar with Aruba ,that's why I chose the highest level.