Aruba Central Online Help

Rogues

Rogues is supported in this release as a selectively available feature. Contact your Aruba Account Manager to enable it in your Aruba Central account.

Aruba Central supports the rogue detection and classification feature that enables administrators to detect intrusion events and classify rogue devices. Rogue devices refer to the unauthorized devices in your WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. network. With RAPIDS, you can create a detailed definition of what constitutes a rogue device, and then act on a rogue AP for investigation, restrictive action, or both. Once rogue devices are discovered, Aruba Central sends alerts to the network administrators about the possible threat and provides essential information needed to locate and manage the threat.

The Rogues feature is a limited availability feature in Aruba Central. If you wish to enable the feature, contact your Aruba Representative. If the feature is not enabled for the Aruba Central account, the Rogues tab is disabled.

Aruba Central supports the following features:

Viewing the Rogues Page

To view the Rogues detail page in order to find information on monitored APs, complete the following steps:

  1. In the Network Operations app, set the filter to one of the options under Groups, Labels, or Sites.
    For all devices, set the filter to Global.
  2. Under Manage, click Security. The RAPIDS > IDS tab is selected by default.
  3. Click the Rogues tab to view the page.

APs in Aruba Central are classified as one of the following:

 

Table 1: APs Classification in Aruba Central

Classification

Description

Rogue AP

An unauthorized AP plugged into the wired side of the network.

Suspect Rogue AP

An unauthorized AP with a signal strength greater or equal to -75 dBmDecibel-Milliwatts. dBm is a logarithmic measurement (integer) that is typically used in place of mW to represent receive-power level. AMP normalizes all signals to dBm, so that it is easy to evaluate performance between various vendors. that might have connected to the wired network.

Interfering AP

An AP detected in the RFRadio Frequency. RF refers to the electromagnetic wave frequencies within a range of 3 kHz to 300 GHz, including the frequencies used for communications or Radar signals. environment with a signal strength lesser than -75 dBm but not connected to the wired network. These access points may potentially cause RF interference, but cannot be considered as a direct security threat as these devices are not connected to the wired network. For example, an interfering AP can be an access point that belongs to a neighboring office’s WLAN but is not part of your WLAN network.

Neighbor AP

A neighboring AP, the BSSIDsBasic Service Set Identifier. The BSSID identifies a particular BSS within an area. In infrastructure BSS networks, the BSSID is the MAC address of the AP. In independent BSS or ad hoc networks, the BSSID is generated randomly. of which are known. Once classified, a neighboring AP does not change this state.

Intrusion Detection System Events Configuration

Aruba Central supports rogue detection and classification based on the default classifications pre-defined on the device. However, the type and severity of intrusion detections raised by the AP is configurable and affects the data that is seen in Security page. For more information on configuring IDSIntrusion Detection System. IDS monitors a network or systems for malicious activity or policy violations and reports its findings to the management system deployed in the network. for APs, see the Configuring IDS Parameters on APs.

Monitoring Rogues

The Rogues tab provides a summary of the rogue APs, suspected rogue APs, interfering APs, neighboring APs, and the total number of wireless attacks detected for a given duration.

Rogues

The Security> RAPIDS > Rogues page displays the following tabs:

  • Total—Shows the total number of rogues classified as Rogue , Suspected Rogue, or Interfering, that are detected in the network.
  • Rogues—Shows the total number of devices classified as rogue APs.
  • Suspected Rogues—Shows the total number of devices classified as suspected rogues APs.
  • Interfering—Shows the total number of devices classified as interfering APs.
  • Neighbors—Shows the total number of devices classified as neighbor APs.

Click the respective tabs to display specific rogue information pertaining to each classification. By default, the Total information tab is selected and the Detected Access Points table displays all the detected rogue APs.

Table 2: Rogues Pane

Fields

Description

BSSID

The BSSIDs broadcast by the rogue device.

Name

Name of the rogue device detected in the network.

Classification

Classification of the rogue device (monitored device) as Suspect Rogue, or Interferer. Click the drop-down arrow at the column heading to filter the rogue classification that you want to display.

Last Seen

The time relative to the current moment, for example, 6 minutes or an hour, at which the rogue device was last detected in the network.

Last Seen By

The AP name of the last device that reported the monitored AP.

First Seen

The time relative to the current moment (for example, 6 minutes or an hour) at which the rogue device was first detected in the network.

Encryption

The type of encryption used by the device that detected the rogue device; for example, WPAWi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption., Open, WEPWired Equivalent Privacy. WEP is a security protocol that is specified in 802.11b and is designed to provide a WLAN with a level of security and privacy comparable to what is usually expected of a wired LAN. , Unknown. Generally, this field alone does not provide enough information to determine if a device is a rogue, but it is a useful attribute. If a rogue device is not running any encryption method, that implies you have a wider security hole than with an AP that is using encryption.

Mac Vendor

The vendor name associated to the MAC OUIOrganizationally Unique Identifier. Synonymous with company ID or vendor ID, an OUI is a 24-bit, globally unique assigned number, referenced by various standards. The first half of a MAC address is OUI. of the rogue device.

SSID

Signal

The signal strength of the AP that detected the rogue device.

Containment Status

Details of the containment status. Click the drop-down arrow at the column heading to filter the status that you want to display.

Note the following important points:

  • Users with the admin role can see all rogue APs and interfering devices.
  • VisualRF uses the heard signal information to calculate the physical location of the device.
  • Clicking icon enables you to customize the Detected Access Points table columns or set it to the default view.
  • To view the details of each event that is generated, click the arrow against each row in the table.

    Figure 1  Detected APs

  • Rogues devices are displayed for a selected time period based on the time selected in Time Range Filter. Rapids displays data for a maximum time period of 1 week only.

Generating Alerts for Security Events

Aruba Central supports configuring alerts for rogue AP detections. To generate alerts, complete the following steps:

  1. In the Network Operations app, use the filter to select Global.
  2. Under Analyze, click Alerts & Events. The Alerts & Events page is displayed.
  3. In the Alerts & Events page, click the Config icon.

    The Alert Severities & Notifications is displayed.

  4. Select Access Point to display the AP dashboard. Aruba Central supports three alert types for identifying interfering devices:
    • Rogue AP Detected
    • Infrastructure Attacks Detected
    • Client Attack Detected
  5. Select an alert and click + to enable the alert with default settings. To configure alert parameters, click on the alert tile (anywhere within the rectangular box) and do the following:
    1. Severity—Set the severity. The available options are Critical, Major, Minor, and Warning.

      For a few alerts, you can configure threshold value for one or more alert severities. To set the threshold value, select the alert and in the exceeds text box, enter the value. The alert is triggered when one of the threshold values exceed the duration.

    2. Device Filter Options—(Optional) You can restrict the scope of an alert by setting one or more of the following parameters:
      • Group—Select a group to limit the alert to a specific group.
      • Label—Select a label to limit the alert to a specific label.
      • Sites—Select a site to limit the alert to a specific site.
    3. Notification Options
      • Email—Select the Email check box and enter an email address to receive notifications when an alert is generated. You can enter multiple email addresses, separate each value with a comma.
      • Streaming—Select the Streaming check box to receive the streaming notifications when an alert is generated.
      • Webhook—Select the Webhook check box and select the Webhook from the drop-down list. For more information, see Webhooks.
      • Syslog—Select the Syslog check box to receive the syslog notifications when an alert is generated.
    4. Click Save.

    For more information on how to configure alerts, see Configuring Alerts.

Generating Reports for Security Events

Aruba Central supports generating reports for rogue AP detections. To generate reports, complete the following steps:

  1. In the Network Operations app, use the filter to select Global.
  2. Under Analyze, click Reports.
  3. In the Reports page, click Create. Aruba Central supports Security Compliance to display the report of all wireless intrusions. For more information on how to create Reports, see Creating a Report.

For creating a RAPIDS report, you need not select the Groups or Labels option. Also, you need not select the Device Groups name or Labels name from the Device Groups or Labels drop-down lists, respectively.