Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

mac vendor OUI configuration in IDS/WMs

  • 1.  mac vendor OUI configuration in IDS/WMs

    Posted Apr 04, 2019 06:23 AM

    Hello Experts,

     

    Can you give me some information on the procedure described here:

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-are-the-valid-Aruba-MAC-OUI-and-How-do-we-add-valid-MAC-OUI/ta-p/176002

     

    After adding some new OUIs (with valid-network-oui-profile), I don't see any changes in IDS classification (security dashboard on the web UI of the master controller).

     

    By the way, when I launch the "show valid-network-oui-profile" command on a local controller, the new OUIs added on the master do not appear. Is this configuration only local: should I add the OUIs on all controllers?

     

    Should I execute a particular command to apply these new OUIs in the IDS AP classification process?

     

    Best regards

     



  • 2.  RE: mac vendor OUI configuration in IDS/WMs

    EMPLOYEE
    Posted Apr 04, 2019 07:31 AM

    That command is to only add new Aruba OUIs that were not known when the software came out so that we can easily identify Aruba Access Points and not mark them as rogue.  It should really only be needed if your software is really, really old.



  • 3.  RE: mac vendor OUI configuration in IDS/WMs

    Posted Apr 04, 2019 08:49 AM

    We have two controller generations, AOS 6.3 and AOS 6.5, and likewise 2 master controllers (on the same layer 2). We want APs on the 6.3 master to be known by the 6.5 master (to avoid deauth/tarpit).

     

    Listing the known OUIs on 6.3 gives us:

     

     

    show wms system
    
    Learned OUIs for Deployed APs
    ------------------------------
    OUI
    ---
    6c:f3:7f
    9c:1c:12
    ac:a3:1e
    00:1a:1e
    00:0b:86
    24:de:c6
    d8:c7:c8
    00:24:6c
    18:64:72

     

    Listing the known OUIs on 6.5 gives me:

     

    show wms system

    Learned OUIs for Deployed APs
    ------------------------------
    OUI
    ---
    34:fc:b9
    a8:bd:27
    c8:b5:ad
    f0:5c:19
    70:3a:0e
    b0:b8:67
    20:a6:cd
    90:4c:81

    OUIs are missing on each controller; that's why we want to add the missing ones.



  • 4.  RE: mac vendor OUI configuration in IDS/WMs
    Best Answer

    EMPLOYEE
    Posted Apr 04, 2019 09:33 AM

    To be clear, the valid-network-oui command is only used for the same controller that has APs with OUIs that were not known when the software came out.  Only old software on controller with new APs on controller need this.  This is only for a single controller that has newer access points.

     

    If you have a primary controller with Aruba APs that you don't want marked as rogue by a second controller, you would still need to manually mark each access point on the opposite controller as "Valid" so that those access points are not marked Rogue.  The valid-network-oui would not come into play in this instance.  I hope that makes sense.

     



  • 5.  RE: mac vendor OUI configuration in IDS/WMs

    Posted Apr 04, 2019 09:48 AM

    Thank you for the response, that's now clear for the IDS configuration between controllers.

     

    In the classic case: a very old controller on which we want to add new OUIs

    Can you describe the operation of the command (is it preventing tarpit on these APs for which the OUIs are not known?)

     

     



  • 6.  RE: mac vendor OUI configuration in IDS/WMs
    Best Answer

    EMPLOYEE
    Posted Apr 04, 2019 09:55 AM

    If you have an older controller with newer access points, it is possible that:

     

    (1) ARM will be set incorrectly for those access points

    (2) Virtual APs with a mac address other than the base BSSID could be marked as rogue

     

    If you add the OUI of those newer access points, the two things above will not happen.
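
An added example, not part of the thread and not Aruba code: for the classic case in replies 5 and 6 (older controller, newer APs), this Python script parses the "Learned OUIs for Deployed APs" table from `show wms system` text and lists which APs in an inventory carry an OUI the controller has not learned, i.e. the candidates for the valid-network-oui-profile. The function names are assumptions, the table values are the 6.3 OUIs posted above, and the AP MAC addresses are constructed.

```python
import re

HEADER = "Learned OUIs for Deployed APs"
OUI = re.compile(r"(?:[0-9a-f]{2}:){2}[0-9a-f]{2}", re.I)

def learned_ouis(show_output):
    """Parse the OUI table from `show wms system` text (one OUI per line or several)."""
    _, found, tail = show_output.partition(HEADER)
    if not found:
        raise ValueError("no '%s' table in output" % HEADER)
    ouis = set()
    for line in tail.splitlines():
        tokens = line.split()
        if tokens and all(OUI.fullmatch(t) for t in tokens):
            ouis.update(t.lower() for t in tokens)
        elif ouis:
            break  # first non-OUI line after the entries ends the table
    return ouis

def oui_of(mac):
    """Normalise a MAC/BSSID (colon, dash or dot separated) to its aa:bb:cc OUI."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in (0, 2, 4))

def unknown_vendor_aps(ap_macs, known):
    """Map each OUI missing from `known` to the AP MACs that carry it."""
    missing = {}
    for mac in ap_macs:
        oui = oui_of(mac)
        if oui not in known:
            missing.setdefault(oui, []).append(mac)
    return missing

# OUIs as posted for the 6.3 master (layout condensed onto one line).
AOS63 = """show wms system Learned OUIs for Deployed APs
------------------------------
OUI
---
6c:f3:7f 9c:1c:12 ac:a3:1e 00:1a:1e 00:0b:86 24:de:c6 d8:c7:c8 00:24:6c 18:64:72
"""
# Constructed AP inventory: OUIs taken from the thread, device bytes made up.
AP_MACS = ["00:0b:86:11:22:33", "34:fc:b9:c0:ff:ee",
           "34-FC-B9-C0-FF-EF", "b0b8.67aa.bb01"]

if __name__ == "__main__":
    for oui, macs in sorted(unknown_vendor_aps(AP_MACS, learned_ouis(AOS63)).items()):
        print(oui, "not learned; APs:", ", ".join(macs))
```
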

     



  • 7.  RE: mac vendor OUI configuration in IDS/WMs

    Posted Apr 04, 2019 10:02 AM

    Thank you very much