ARUBA INSTANT – ROGUE AP TROUBLESHOOTING
Technical Climb Webinar
10:00 GMT | 11:00 CET | 13:00 GST
Feb 28th, 2016
Presenter: Anshul Bharthan
anshul.bharthan@hpe.com
INTRODUCTION TO WIDS/WIPS
Classification of APs
• The Aruba system classifies APs on a number of factors. The classification for these devices is handled automatically, but it can be overridden by the administrator. Here are the types:
• Valid AP: An Aruba IAP which is part of the cluster is marked as valid.
• Rogue: An AP that is detected wirelessly and on the wired network.
• Suspected rogue: An AP that has been detected wirelessly and has some indicators that lead the Instant APs to believe it may be attached to the network, but to avoid false positives it has not yet been marked as a rogue.
• Interfering: An AP that has been detected wirelessly but has not been seen on the wired network. All APs begin with this setting.
• Neighbor: An AP that an administrator has manually marked as belonging to a neighbor.
Different Modes of Access Points:
• The three main wireless security areas to keep in mind when evaluating a WIDS system are rogue detection, rogue
containment and wireless intrusion detection needs.
• Wireless detection happens at the radio level and then gets fed upstream.
• Aruba radios can be deployed in three different modes: AP mode, Air Monitor (AM) mode and Spectrum Monitor
(SM) mode.
Different Modes of Access Points:
• AP MODE:
• AP mode radios focus on serving clients and pushing wireless traffic but they also perform IDS detection, Rogue
detection and spectrum analysis.
• AP will perform off channel scanning every 10 seconds for slightly less than 100 milliseconds.
• The AP uses a bucketing based algorithm for channel scanning.
• When the AP boots, all channels are divided into 2 different buckets, regulatory channels and non-regulatory
channels.
• The third channel bucket, active channels, is populated as the AP scans and detects channels with wireless traffic.
• APs can perform wireless containment but they will prioritize pushing client traffic over containment. This is a very
important distinction and the reason why AMs are recommended if wireless containment is enabled.
• APs can also perform spectrum analysis on the channel where they are serving clients.
Different Modes of Access Points:
• AM MODE:
• AMs don’t serve clients and are dedicated to wireless security.
• AMs typically do not need to be deployed at the same density an AP would, since they do not serve clients.
• AMs use a channel scanning algorithm that is similar to an AP’s but has an extra bucket for ‘Rare’ channels.
• “Rare channels”: channels that do not belong to any country’s regulatory domain and fall into a frequency range outside of the regulatory domain; 2484 MHz, 4900 MHz-4995 MHz (J-channels), and 5000-5100 MHz.
• We only do rare channel scanning in AM mode.
• The AM will spend ~500 milliseconds on active channels, ~250 ms on channels in the AP’s regulatory domain, ~200 ms on channels in any regulatory domain and ~100 ms on rare channels.
• SPECTRUM MODE:
• SMs are designed for spectrum classification and scan every channel within 1 second.
• They don’t follow the bucketing system used by APs and AMs.
• SMs will not perform any wireless containment since the time spent containing a rogue would impact the accuracy of the spectrum classifications.
ROGUE AP DETECTION
Rogue Detection Basics
• In order to detect a Rogue AP:
• The IAP cluster has to find all the foreign APs via the scanning algorithm.
• The list of all foreign APs seen by the cluster is shown by "show ap monitor ap-list".
NOTE: This is an AP-specific command; it only shows the data of the single AP on which the command is run. Please make sure that the radio is up and one SSID is configured for the IAP to start scanning.
• A foreign “interfering” AP will become a rogue when it is diagnosed to be on the same wired network as the IAP.
• The IAP does that by looking at its “show ap monitor arp-cache” and/or “show ap monitor enet-wired-mac <IAP wired MAC>”. This cache is built based on ARP messages seen on VLANs trunked to the IAP.
• To successfully detect/contain a rogue, it is recommended to extend the VLAN and add the required VLANs on the trunk to the IAP. Otherwise the IAP will not have visibility on the network where you want rogue detection to occur.
• If only one IAP is trunked to the VLAN, then only that IAP has the capability to detect this rogue from the other specified VLANs; however, it also requires that the rogue AP is nearby this IAP so that its BSSID can be detected.
• For the cluster design, the VLAN where rogue detection is needed should be trunked to all the IAPs in the cluster.
Rogue Detection Basics and Types
• What does the IAP do in the background to detect a Rogue?
• The IAP constantly builds and updates an internal table of MAC addresses by collecting all MAC addresses seen on its Ethernet interface. This table is called the Ethernet wired MAC table.
Here is the command to view this table:
“show ap monitor enet-wired-mac <Wired MAC of the IAP>”
• While the IAP is up, it also constantly monitors wireless frames outgoing from other APs. As soon as a new AP is detected (regardless of whether this AP is classified as Rogue / Valid / Interfering), the IAP internally creates a separate table for it.
Here is the command to view this table:
“show ap monitor ap-wired-mac <BSSID of the Rogue AP>”
• There are a few match types on the basis of which the IAP detects a rogue:
a) Eth-Wired-Mac
b) Eth-GW-Wired-Mac
c) System-Wired-Mac
d) System-Gateway-Mac
Rogue AP Detection – Sample Diagram
Rogue Detection Type
• Here is an example explaining Match-Type Eth-Wired-Mac:
• Two scenarios would trigger a rogue detection based on Eth-Wired-Mac:
a) An Instant AP/AM detects that the same device MAC is contained in both its Ethernet wired MAC table and in one of its non-valid AP wired MAC tables.
b) When a non-valid AP is acting as Layer 3 (with potentially NAT service enabled), it sends frames that have src-mac = BSSID, but more importantly that have BSSID = Ethernet MAC of the AP +/- 1. In this case, the Aruba AP checks whether a src MAC equals the BSSID +/- 1 and can also be found in its Ethernet wired MAC table. If there is a match, rogue detection is triggered.
• Aruba AP:
IP address: 10.1.1.254, DG: 10.1.1.1
Eth MAC: 18:64:72:cd:76:96
• MAS Switch:
IP address: VLAN 10 - 10.1.1.1/24, VLAN 170 - 10.17.170.1/24
VLAN MAC for VLAN 10 and 170: 00:0b:86:95:81:37
• Cisco AP:
IP address: 10.17.170.254, DG: 10.17.170.1
Eth MAC: a8:9d:21:e1:aa:e4
BSSID: 1) 84:b8:02:c9:56:60 (G radio), 2) 84:b8:02:c8:8e:a0 (A radio)
Rogue Detection Type
• In this scenario, we will check a case from the previous slide. When the IAP detected the foreign (interfering) AP, here is what it looked like:
Rogue Detection Type
• Now, as soon as a client connects (to the g radio in this case), we can see that the radio is marked as rogue; similarly, the other radio is detected as rogue once a client connected to it starts passing traffic.
Rogue Detection Type
• Earlier, we saw that the Match MAC is 84:b8:02:c9:56:60, the BSSID of the Cisco AP.
• The Cisco BSS MAC reaches the IAP as a source MAC from the wired side; the packet dump on the next slide shows this. The IAP also sees the same address as source MAC for the wireless traffic, hence a table was created for that BSSID as well.
Rogue Detection Type
• While the IAP is detecting an AP as rogue, the Cisco BSSID can be seen on the wired side of the IAP.
• Also, to check whether the client data traffic is hitting the IAP (so that it obtains the MAC information), we need to see if the Data pkts/bytes are incrementing.
Rogue Detection Type
• Here is another example, explaining Match-Type Eth-GW-Wired-Mac:
• The way the IAP detects a rogue in this case is by capturing the Gateway MAC (of the Rogue Client) on both the wired and the wireless side.
• To check the wireless-end information, I did an over-the-air packet capture using a MacBook.
• On the wired end we can either check the ARP cache or the Ethernet wired MAC table to see the gateway MAC entry.
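The match logic described for Eth-Wired-Mac (scenarios a and b above) and Eth-GW-Wired-Mac, as an added simulation in Python. This is example code written for this page, not Aruba's implementation: it models the two tables the slides name, the IAP's Ethernet wired MAC table ("show ap monitor enet-wired-mac") and the per-BSSID wired MAC table ("show ap monitor ap-wired-mac"), as plain sets and applies the match rules in the order the slides give them. The addresses come from the sample diagram; the table contents, the NAT-mode rogue and the neighbor AP are constructed, and applying "+/- 1" to the whole 48-bit address is an assumption about what the slides mean.

```python
from dataclasses import dataclass, field

MAC_MASK = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def adjacent_macs(mac: str) -> set:
    """Addresses one off from `mac` (the 'BSSID = Ethernet MAC +/- 1' rule).
    Assumption: +/- 1 is applied to the whole 48-bit value."""
    value = mac_to_int(mac)
    return {int_to_mac((value - 1) & MAC_MASK), int_to_mac((value + 1) & MAC_MASK)}


@dataclass
class ForeignAP:
    """One non-valid AP heard over the air, with the per-BSSID table the IAP keeps for it."""
    bssid: str
    wireless_src_macs: set = field(default_factory=set)    # source MACs seen in frames from this BSSID
    client_gateway_macs: set = field(default_factory=set)  # gateway MAC its clients talk to (over-the-air capture)


def classify(ap: ForeignAP, enet_wired_macs: set, gateway_macs: set):
    """Return (classification, match_type, match_mac) for one foreign AP.
    Rules in the order the slides present them:
      Eth-Wired-Mac (a): a MAC is in both the Ethernet wired MAC table and this AP's wired MAC table
      Eth-Wired-Mac (b): an address one off from the BSSID is in the Ethernet wired MAC table (NAT-mode rogue)
      Eth-GW-Wired-Mac : the gateway MAC its clients use is also seen on the wired side
    """
    common = enet_wired_macs & ap.wireless_src_macs
    if common:
        return "rogue", "Eth-Wired-Mac", min(common)
    adjacent = adjacent_macs(ap.bssid) & enet_wired_macs
    if adjacent:
        return "rogue", "Eth-Wired-Mac", min(adjacent)
    gateway = ap.client_gateway_macs & (enet_wired_macs | gateway_macs)
    if gateway:
        return "rogue", "Eth-GW-Wired-Mac", min(gateway)
    return "interfering", None, None


def classify_all(aps, enet_wired_macs, gateway_macs):
    return {ap.bssid: classify(ap, enet_wired_macs, gateway_macs) for ap in aps}


# Addresses from the sample diagram on the slides
IAP_WIRED_MAC = "18:64:72:cd:76:96"     # key for "show ap monitor enet-wired-mac <IAP wired MAC>"
MAS_GATEWAY_MAC = "00:0b:86:95:81:37"   # MAS switch VLAN MAC for VLANs 10 and 170
CISCO_BSSID_G = "84:b8:02:c9:56:60"
CISCO_BSSID_A = "84:b8:02:c8:8e:a0"
NAT_ROGUE_WIRED = "00:11:22:33:44:56"   # constructed NAT-mode rogue; its BSSID is the wired MAC + 1

# Constructed contents of the Ethernet wired MAC table and of the ARP cache gateway entries
ENET_WIRED_MACS = {MAS_GATEWAY_MAC, CISCO_BSSID_G, NAT_ROGUE_WIRED}
ARP_CACHE_GATEWAYS = {MAS_GATEWAY_MAC}

# Constructed per-BSSID tables ("show ap monitor ap-wired-mac <BSSID>")
FOREIGN_APS = [
    ForeignAP(CISCO_BSSID_G, wireless_src_macs={CISCO_BSSID_G}),              # bridge-mode Cisco g radio, as on the slides
    ForeignAP(CISCO_BSSID_A, client_gateway_macs={MAS_GATEWAY_MAC}),          # a radio: only the gateway MAC matches here
    ForeignAP("00:11:22:33:44:57"),                                           # constructed NAT rogue, BSSID = wired MAC + 1
    ForeignAP("aa:bb:cc:dd:ee:ff", wireless_src_macs={"aa:bb:cc:00:00:01"}),  # constructed neighbor, never seen on the wire
]

if __name__ == "__main__":
    for bssid, (cls, match_type, match_mac) in classify_all(FOREIGN_APS, ENET_WIRED_MACS, ARP_CACHE_GATEWAYS).items():
        print(f"{bssid}  {cls:<12} {match_type or '-':<18} {match_mac or '-'}")
```

The slides show the g radio being marked rogue only after a client starts passing traffic; in this model that is the moment its BSSID appears in ENET_WIRED_MACS, and removing it from that set drops the g radio back to interfering. The neighbor entry shows the other side: an AP heard over the air whose addresses never reach the wire stays interfering no matter how strong its signal is.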
ROGUE CONTAINMENT
Types of Rogue Containment
• There are 2 ways of Rogue Containment:
• Wired containment: When enabled, IAPs will generate ARP packets on the wired network to contain wireless attacks using ARP poisoning of rogues.
• Wireless Containment: When enabled, the system will attempt to disconnect all clients that are connected or attempting to connect to the identified Access Point.
Two containment mechanisms:
• A) Deauthentication containment: The Access Point or client is contained by disrupting the client association on the wireless interface.
• B) Tarpit containment: The Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the Access Point being contained.
• Note: For containment it is not necessary to have a dedicated AM; even an IAP in Access mode can contain rogues (results can be delayed, so an AM is recommended for containment).
For Wireless Containment using an Access Mode IAP, the preferred method is tarpitting.
De-auth works more effectively for AMs.
Wired containment is also effective for wireless clients using ARP poisoning and works for both AMs and Access Mode IAPs.
Wired Containment
• Wired Containment
• When enabled, IAPs will generate ARP packets on the wired network to contain wireless attacks using ARP poisoning of rogues.
• Here we can see that, since wired containment is enabled, the IAP keeps sending fake ARP requests and responses so that the device (a mobile in this case) cannot connect through the Rogue AP.
• The IAP generates a fake BSSID (mostly starting with 02:xx) and sends ARP requests/responses on behalf of the device (10.17.170.252). We can see lots of duplicate ARP packets in the captures shown on the next slide.
• arp -a on the Windows test client will show an incorrect MAC for the default gateway.
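A defender-side check for the symptom described above (duplicate ARP request/response pairs and a wrong gateway MAC in the client's ARP table), as an added Python example that is not part of the webinar. It runs over a constructed list of ARP packets and reports IP addresses claimed by more than one MAC, senders that contradict a trusted IP-to-MAC inventory, locally administered (02:xx) senders, and the peak number of ARP packets from one sender within a second. The gateway and client addresses are those the slides give; the packet layout, the test client's MAC and the fake 02:xx address are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class ArpPacket:
    ts: float          # capture timestamp in seconds
    opcode: int        # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def is_locally_administered(mac: str) -> bool:
    """U/L bit (0x02) of the first octet set: the address was not assigned from a vendor OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def analyze(packets, known_good):
    """Report ARP anomalies in a list of ArpPacket.
    known_good maps IP -> MAC from a trusted source (switch inventory, DHCP leases).
    Returns:
      conflicts            : IPs claimed by more than one sender MAC
      spoofers             : sender MACs contradicting known_good, with the IPs they claimed
      locally_administered : the subset of spoofers with the 02 bit set (synthetic addresses)
      burst                : highest number of ARP packets from one sender MAC within one second
    """
    claims = defaultdict(set)
    per_second = defaultdict(int)
    for p in packets:
        claims[p.sender_ip].add(p.sender_mac)
        per_second[(p.sender_mac, int(p.ts))] += 1

    conflicts = {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}
    spoofers = defaultdict(set)
    for ip, macs in claims.items():
        if ip in known_good:
            for mac in macs - {known_good[ip]}:
                spoofers[mac].add(ip)
    return {
        "conflicts": conflicts,
        "spoofers": {mac: sorted(ips) for mac, ips in spoofers.items()},
        "locally_administered": sorted(m for m in spoofers if is_locally_administered(m)),
        "burst": max(per_second.values(), default=0),
    }


# Addresses from the slides where given, constructed otherwise
GATEWAY_IP, GATEWAY_MAC = "10.17.170.1", "00:0b:86:95:81:37"   # MAS switch VLAN 170 interface (sample diagram)
CLIENT_IP, CLIENT_MAC = "10.17.170.252", "3c:15:c2:aa:bb:cc"   # test client IP from the slides; MAC constructed
FAKE_MAC = "02:0b:86:95:81:37"   # constructed locally administered address of the 02:xx kind the slides mention

# Constructed capture: one genuine resolution, then a burst of spoofed replies that map the gateway IP
# to the fake MAC (towards the client) and the client IP to the fake MAC (towards the gateway)
PACKETS = [
    ArpPacket(0.00, ARP_REQUEST, CLIENT_MAC, CLIENT_IP, "00:00:00:00:00:00", GATEWAY_IP),
    ArpPacket(0.01, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),
]
PACKETS += [ArpPacket(1.0 + i * 0.05, ARP_REPLY, FAKE_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP) for i in range(10)]
PACKETS += [ArpPacket(1.0 + i * 0.05, ARP_REPLY, FAKE_MAC, CLIENT_IP, GATEWAY_MAC, GATEWAY_IP) for i in range(10)]

KNOWN_GOOD = {GATEWAY_IP: GATEWAY_MAC, CLIENT_IP: CLIENT_MAC}

if __name__ == "__main__":
    for key, value in analyze(PACKETS, KNOWN_GOOD).items():
        print(f"{key}: {value}")
```

On the wire, the IAP's wired containment and a genuine ARP-spoofing attack look the same, so a capture alone cannot tell them apart; a flagged sender should be cross-checked against the IAP's containment configuration and the 02:xx prefix the slides mention before it is treated as hostile.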
Wired Containment – pcap
Wired Containment Types
CLI knobs:
(Aruba)# ids
(Aruba)# wired-containment
There are 2 additional knobs present only under the CLI:
• wired-containment-ap-adj-mac:
• The IAP can detect SOHO rogues, but it cannot start containing them using the knob “wired-containment”. To contain them it needs the CLI knob “wired-containment-ap-adj-mac”.
• wired-containment-susp-l3-rogue:
• Wired containment works fine for a bridge-mode rogue AP, but for a NAT router AP the IAP cannot judge the relation between the Eth MAC and the wireless BSSID.
However, if the gateway MAC of a wireless client is offset by one character from a rogue AP’s wired MAC address, such rogues can be contained using the knob “wired-containment-susp-l3-rogue”.
Wireless Containment
• Wireless Containment:
• When enabled, the system will attempt to disconnect all clients that are connected or attempting to connect to the identified Access Point.
• There are two containment mechanisms:
• a) Deauthentication:
With deauthentication containment, the Access Point or client is contained by disrupting the client association on the wireless interface.
The Aruba AP will send de-authentication packets to the AP and the client device.
If the client tries to reconnect, the deauth is sent again, and so on.
• b) Tarpitting:
With tarpit containment, the Access Point is contained by luring clients that are attempting to associate with it to a tarpit. The tarpit can be on the same channel or a different channel as the Access Point being contained.
When the client device attempts to reconnect to the network, the Aruba AP will respond with a probe response that has some fake data in it to induce the client device to connect to the Aruba AP rather than the rogue device.
Wireless Containment Types
• When the Deauthentication-only knob is enabled,
• we see that spoofed deauth frames are sent by the AP/AM to the client with the rogue AP as source. Similarly, spoofed deauth frames are sent by the AP/AM to the rogue AP with the client as source.
CLI Commands:
Wireless Containment Types
• Deauthentication-Only – GUI:
Wireless Containment Types
• TARPITTING:
• Detect the rogue and contain it using the tarpit. The client is first deauthenticated, and the AP/AM then impersonates the rogue on a fake channel so that the client tries to connect back to the AP/AM.
• There are basically 2 options available under it:
a) tarpit-non-valid-sta: In this method, only non-authorized clients that attempt to associate with an AP are sent to the tarpit.
b) tarpit-all-sta: In this method, all clients that attempt to associate with an AP are sent to the tarpit.
Manually Override IDS Classification
• Manual IDS Classification
• There may be instances where we would need to manually override the IDS classification done by Aruba Instant.
• IDS reclassification is done using the ids-reclassify command.
• To use the command, we need to input the value of phy-type and classification-type.
• 18:64:72:cd:76:96# ids-reclassify ap 84:b8:02:c9:56:60 0 2
(here 0 = Valid for the classification-type and 2 = g for the phy-type)
Other CLI outputs
• To check the status of clients connecting to interfering/rogue APs
• To check the signal of a particular client:
Other CLI outputs
• show ap monitor scan-info: checks the scanning status of the AP
DETECTION AND PROTECTION
Detection and protection options
Infrastructure Intrusion Detection
• Detect 802.11n 40MHz Intolerance Setting: When a client sets the HT capability “intolerant bit” to indicate that it is unable to participate in a 40MHz BSS, the AP must use lower data rates with all of its clients. Network administrators often want to know if there are devices that are advertising 40MHz intolerance, as this can impact the performance of the network.
• Detect Active 802.11n Greenfield Mode: When 802.11 devices use the HT operating mode, they cannot share the same channel as 802.11a/b/g stations. Not only can they not communicate with legacy devices, the way they use the transmission medium is different, which would cause collisions, errors, and retransmissions.
• Detect AdHoc Networks: An ad-hoc network is a collection of wireless clients that form a network amongst themselves without the use of an AP. As far as network administrators are concerned, ad-hoc wireless networks are uncontrolled. If they do not use encryption, they may expose sensitive data to outside eavesdroppers. If a device is connected to a wired network and has bridging enabled, an ad-hoc network may also function like a rogue AP. Additionally, ad-hoc networks can expose client devices to viruses and other security vulnerabilities. For these reasons, many administrators choose to prohibit ad-hoc networks.
• Detect AdHoc Network Using Valid SSID: If an unauthorized ad-hoc network is using the same SSID as an authorized network, a valid client may be tricked into connecting to the wrong network. If a client connects to a malicious ad-hoc network, security breaches or attacks can occur.
• Detect AP Flood Attack: Fake AP is a tool that was originally created to thwart wardrivers by flooding beacon frames containing hundreds of different addresses. This would appear to a wardriver as though there were hundreds of APs in the area, thus concealing the real AP. An attacker can use this tool to flood an enterprise or public hotspot with fake AP beacons to confuse legitimate users and to increase the amount of processing needed on client operating systems.
• Detect AP Impersonation: In AP impersonation attacks, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation attacks can be done for man-in-the-middle attacks, a rogue AP attempting to bypass detection, or a honeypot attack.
• Detect AP Spoofing: An AP Spoofing attack involves an intruder sending forged frames that are made to look like they are from a legitimate AP. It is trivial for an attacker to do this, since tools are readily available to inject wireless frames with any MAC address that the user desires. Spoofing frames from a legitimate AP is the foundation of many wireless attacks.
• Detect Bad WEP: This is the detection of WEP initialization vectors that are known to be weak. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak implementations that are still used by many legacy devices.
• Detect Beacon Wrong Channel: In this type of attack, an intruder spoofs a beacon packet on a channel that is different from that advertised in the beacon frame of the AP.
• Detect Client Flood: There are fake AP tools that can be used to attack wireless intrusion detection itself by generating a large number of fake clients that fill internal tables with fake information. If successful, it overwhelms the wireless intrusion system, resulting in a DoS.
• Detect RTS Rate Anomaly: The RF medium can be reserved via Virtual Carrier Sensing using a Clear To Send (CTS) transaction. The transmitter station sends a Ready To Send (RTS) frame to the receiver station. The receiver station responds with a CTS frame. All other stations that receive these CTS frames will refrain from transmitting over the wireless medium for an amount of time specified in the duration fields of these frames. Attackers can exploit the Virtual Carrier Sensing mechanism to launch a DoS attack on the WLAN by transmitting numerous RTS and/or CTS frames. This causes other stations in the WLAN to defer transmission to the wireless medium. The attacker can essentially block the authorized stations in the WLAN with this attack.
• Detect CTS Rate Anomaly: The RF medium can be reserved via Virtual Carrier Sensing using an RTS transaction. The transmitter station sends an RTS frame to the receiver station. The receiver station responds with a CTS frame. All other stations that receive these RTS frames will refrain from transmitting over the wireless medium for an amount of time specified in the duration fields of these frames. Attackers can exploit the Virtual Carrier Sensing mechanism to launch a DoS attack on the WLAN by transmitting numerous RTS and/or CTS frames. This causes other stations in the WLAN to defer transmission to the wireless medium. The attacker can essentially block the authorized stations in the WLAN with this attack.
• Detect Device with a Bad MAC OUI: The first three bytes of a MAC address, known as the MAC organizationally unique identifier (OUI), are assigned by the IEEE to known manufacturers. Often, clients using a spoofed MAC address do not use a valid OUI and instead use a randomly generated MAC address.
• Detect Invalid Address Combination: In this attack, an intruder can cause an AP to transmit deauthentication and disassociation frames to all of its clients. Triggers that can cause this condition include the use of a broadcast or multicast MAC address in the source address field.
• Detect Overflow EAPOL Key: Some wireless drivers used in access points do not correctly validate the EAPOL key fields. A malicious EAPOL Key packet with an invalid advertised length can trigger a DoS or possible code execution. This can only be achieved after a successful 802.11 association exchange.
• Detect Overflow IE: Some wireless drivers used in access points do not correctly parse the vendor-specific IE tags. A malicious association request sent to the AP containing an IE with an inappropriate length (too long) can cause a DoS and potentially lead to code execution. The association request must be sent after a successful 802.11 authentication exchange.
• Detect Malformed Frame Association Request: Some wireless drivers used in access points do not correctly parse the SSID information element tag contained in association request frames. A malicious association request with a null SSID (that is, a zero-length SSID) can trigger a DoS or potential code execution condition on the targeted device.
• Detect Malformed Frame Auth: Malformed 802.11 authentication frames that do not conform to the specification can expose vulnerabilities in some drivers that have not implemented proper error checking. This feature checks for unexpected values in an Authentication frame.
• Detect Malformed Frame HT IE: The IEEE 802.11n HT (High Throughput) IE is used to convey information about the 802.11n network. An 802.11 management frame containing a malformed HT IE can crash some client implementations, potentially representing an exploitable condition when transmitted by a malicious attacker.
• Detect Malformed Frame Large Duration: The virtual carrier-sense attack is implemented by modifying the 802.11 MAC layer implementation to allow random duration values to be sent periodically. This attack can be carried out on the ACK, data, RTS, and CTS frame types by using large duration values. This attack can prevent channel access to legitimate users.
• Detect Misconfigured AP: A list of parameters can be configured to define the characteristics of a valid AP. This feature is primarily used when non-Aruba APs are used in the network, since the Aruba controller cannot configure the third-party APs. These parameters include WEP, WPA, OUI of valid MAC addresses, valid channels, and valid SSIDs.
• Detect Windows Bridge: A Windows Bridge occurs when a client that is associated to an AP is also connected to the wired network, and has enabled bridging between these two interfaces.
• Detect Wireless Bridge: Wireless bridges are normally used to connect multiple buildings together. However, an attacker could place (or have an authorized person place) a wireless bridge inside the network that would extend the corporate network somewhere outside the building. Wireless bridges are somewhat different from rogue APs, in that they do not use beacons and have no concept of association. Most networks do not use bridges; in these networks, the presence of a bridge is a signal that a security problem exists.
• Detect Broadcast Deauthentication: A deauthentication broadcast attempts to disconnect all stations in range. Rather than sending a spoofed deauth to a specific MAC address, this attack sends the frame to a broadcast address.
• Detect Broadcast Disassociation: By sending disassociation frames to the broadcast address (FF:FF:FF:FF:FF:FF), an attacker can disconnect all stations on a network for a widespread DoS.
• Detect NetStumbler: NetStumbler is a popular wardriving application used to locate 802.11 networks. When used with certain NICs, NetStumbler generates a characteristic frame that can be detected. Version 3.3.0 of NetStumbler changed the characteristic frame slightly.
• Detect Valid SSID Misuse: If an unauthorized AP (neighbor or interfering) is using the same SSID as an authorized network, a valid client may be tricked into connecting to the wrong network. If a client connects to a malicious network, security breaches or attacks can occur.
• Detect Wellenreiter: Wellenreiter is a passive wireless network discovery tool used to compile a list of APs along with their MAC address, SSID, channel, and security setting in the vicinity. It passively sniffs wireless traffic, and with certain versions (versions 1.4, 1.5, and 1.6), sends active probes that target known default SSIDs.
Client Intrusion Detection
• Detect Block ACK DoS: The Block ACK mechanism that was introduced in 802.11e, and enhanced in 802.11n D3.0, has a built-in DoS vulnerability. The Block ACK mechanism allows a sender to use the ADDBA request frame to specify the sequence number window that the receiver should expect. The receiver will only accept frames in this window. An attacker can spoof the ADDBA request frame, causing the receiver to reset its sequence number window and thereby drop frames that do not fall in that range.
• Detect ChopChop Attack: ChopChop is a plaintext recovery attack against WEP encrypted networks. It works by forcing the plaintext, one byte at a time, by truncating a captured frame and then trying all 256 possible values for the last byte with a corrected CRC. The correct guess causes the AP to retransmit the frame. When that happens, the frame is truncated again.
• Detect Disconnect Station Attack: A disconnect attack can be launched in many ways; the end result is that the client is effectively and repeatedly disconnected from the AP.
• Detect EAP Rate Anomaly: To authenticate wireless clients, WLANs may use 802.1X, which is based on a framework called Extensible Authentication Protocol (EAP). After an EAP packet exchange, when the user is successfully authenticated, an EAP-Success is sent from the AP to the client. If the user fails to authenticate, an EAP-Failure is sent. In this attack, EAP-Failure or EAP-Success frames are spoofed from the access point to the client to disrupt the authentication state on the client. This confuses the client’s state, causing it to drop the AP connection. By continuously sending EAP Success or Failure messages, an attacker can effectively prevent the client from authenticating with the APs in the WLAN.
• Detect FATA-Jack Attack Structure: FATA-Jack is an 802.11 client DoS tool that tries to disconnect targeted stations using spoofed authentication frames that contain an invalid authentication algorithm number.
• Detect Hotspotter Attack: The Hotspotter attack is an evil-twin attack which attempts to lure a client to a malicious AP. Many enterprise employees use their laptops in Wi-Fi hotspots at airports, cafes, malls etc. They have the SSIDs of their hotspot service providers configured on their laptops. The SSIDs used by different hotspot service providers are well known. This enables attackers to set up APs with hotspot SSIDs in close proximity to the enterprise premises. When the enterprise laptop client probes for hotspot SSIDs, these malicious APs respond and invite the client to connect to them. When the client connects to a malicious AP, a number of security attacks can be launched on the client. Airsnarf is a popular hacking tool used to launch these attacks.
• Detect a Meiners Power Save DoS Attack: To save on power, wireless clients will "sleep" periodically, during which they cannot transmit or receive. A client indicates its intention to sleep by sending frames to the AP with the Power Management bit ON. The AP then begins buffering traffic bound for that client until it indicates that it is awake. An intruder could exploit this mechanism by sending (spoofed) frames to the AP on behalf of the client to trick the AP into believing the client is asleep. This will cause the AP to buffer most, if not all, frames destined for the client.
• Detect Omerta Attack: Omerta is an 802.11 DoS tool that sends disassociation frames to all stations on a channel in response to data frames. The Omerta attack is characterized by disassociation frames with a reason code of 0x01. This reason code is “unspecified” and is not used under normal circumstances.
• Detect Rate Anomalies: Many DoS attacks flood an AP or multiple APs with 802.11 management frames. These can include authenticate/associate frames, which are designed to fill up the association table of an AP. Other management frame floods, such as probe request floods, can consume excess processing power on the AP.
Infrastructure Intrusion Detection
• Detect TKIP Replay Attack: TKIP is vulnerable to replay (via WMM/QoS) and plaintext discovery (via ChopChop). This affects all WPA-TKIP usage. By replaying a captured TKIP data frame on other QoS queues, an attacker can manipulate the RC4 data and checksum to derive the plaintext at a rate of one byte per minute. By targeting an ARP frame and guessing the known payload, an attacker can extract the complete plaintext and MIC checksum. With the extracted MIC checksum, an attacker can reverse the MIC AP-to-Station key and sign future messages as MIC compliant, opening the door for more advanced attacks.
• Detect Unencrypted Valid Clients: An authorized (valid) client that is passing traffic in unencrypted mode is a security risk. An intruder can sniff unencrypted traffic (also known as packet capture) with software tools known as sniffers. These packets are then reassembled to produce the original message.
• Detect Valid Client Misassociation: This feature does not detect attacks, but rather it monitors authorized (valid) wireless clients and their association within the network. Valid client misassociation is potentially dangerous to network security. The four types of misassociation that we monitor are: 1) Authorized Client associated to Rogue: A valid client that is associated to a rogue AP. 2) Authorized Client associated to External AP: An external AP, in this context, is any AP that is not valid and not a rogue. 3) Authorized Client associated to Honeypot AP: A honeypot is an AP that is not valid but is using an SSID that has been designated as valid/protected. 4) Authorized Client in ad hoc connection mode: A valid client that has joined an ad hoc network.
• Detect AirJack: AirJack is a suite of device drivers for 802.11(a/b/g) raw frame injection and reception. It was intended to be used as a development tool for all 802.11 applications that need to access the raw protocol. However, one of the tools included allows users to force all users off an AP.
• Detect ASLEAP: ASLEAP is a tool created for Linux systems used to attack the Cisco LEAP authentication protocol.
• Detect Null Probe Response: A null probe response attack has the potential to crash or lock up the firmware of many 802.11 NICs. In this attack, a client probe-request frame will be answered by a probe response containing a null SSID. A number of popular NIC cards will lock up upon receiving such a probe response.
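Several of the detections in the tables above are simple frame-level signatures. The following added Python example (not Aruba's detection code) applies a handful of them to a constructed list of decoded 802.11 management frames: Broadcast Deauthentication and Disassociation, the Omerta reason code 0x01, Invalid Address Combination (a multicast source address), Null Probe Response, FATA-Jack (an unknown authentication algorithm number) and a deauthentication rate check of the kind the Disconnect Station and Rate Anomaly entries describe. The frame records, the addresses, the set of known authentication algorithm numbers and the rate threshold are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# 802.11 management frame subtypes (frame type 0)
PROBE_RESP, BEACON, DISASSOC, AUTH, DEAUTH = 0x5, 0x8, 0xA, 0xB, 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"
KNOWN_AUTH_ALGS = {0, 1}   # Open System and Shared Key only; a simplification for this example
DEAUTH_RATE_LIMIT = 5      # constructed threshold: deauth frames from one source within one second


@dataclass(frozen=True)
class MgmtFrame:
    ts: float                       # capture timestamp in seconds
    subtype: int
    da: str                         # destination / receiver address
    sa: str                         # source / transmitter address
    bssid: str
    reason: Optional[int] = None    # deauth / disassoc reason code
    ssid: Optional[str] = None      # SSID carried by a probe response
    auth_alg: Optional[int] = None  # authentication algorithm number


def is_multicast(mac: str) -> bool:
    """I/G bit of the first octet set: a group address, never valid as a source address."""
    return bool(int(mac.split(":")[0], 16) & 0x01)


def check_frame(f: MgmtFrame):
    """Per-frame signatures; returns the names of the events that fire for this frame."""
    events = []
    if f.subtype in (DEAUTH, DISASSOC) and f.da == BROADCAST:
        events.append("Broadcast Deauthentication" if f.subtype == DEAUTH else "Broadcast Disassociation")
    if f.subtype == DISASSOC and f.reason == 0x01:
        events.append("Omerta Attack")
    if is_multicast(f.sa):
        events.append("Invalid Address Combination")
    if f.subtype == PROBE_RESP and f.ssid == "":
        events.append("Null Probe Response")
    if f.subtype == AUTH and f.auth_alg not in KNOWN_AUTH_ALGS:
        events.append("FATA-Jack Attack")
    return events


def detect(frames):
    """Run the per-frame checks plus the deauth rate check; returns {event name: count}."""
    hits = Counter()
    deauth_per_second = Counter()
    for f in frames:
        for event in check_frame(f):
            hits[event] += 1
        if f.subtype == DEAUTH:
            deauth_per_second[(f.sa, int(f.ts))] += 1
    for count in deauth_per_second.values():
        if count > DEAUTH_RATE_LIMIT:
            hits["Disconnect Station / Rate Anomaly"] += 1
    return dict(hits)


# Constructed addresses and frames
AP_MAC = "d8:c7:c8:00:00:01"
CLIENT_MAC = "3c:15:c2:aa:bb:cc"
FRAMES = [
    MgmtFrame(0.0, BEACON, BROADCAST, AP_MAC, AP_MAC),                          # ordinary beacon
    MgmtFrame(0.5, PROBE_RESP, CLIENT_MAC, AP_MAC, AP_MAC, ssid="corp-wifi"),   # ordinary probe response
    MgmtFrame(0.6, AUTH, AP_MAC, CLIENT_MAC, AP_MAC, auth_alg=0),               # ordinary Open System auth
    MgmtFrame(1.0, DEAUTH, BROADCAST, AP_MAC, AP_MAC, reason=7),                # deauth to the broadcast address
    MgmtFrame(2.0, DISASSOC, BROADCAST, AP_MAC, AP_MAC, reason=0x01),           # broadcast disassoc, reason 0x01
    MgmtFrame(2.1, DISASSOC, CLIENT_MAC, AP_MAC, AP_MAC, reason=0x01),          # unicast disassoc, reason 0x01
    MgmtFrame(3.0, DEAUTH, CLIENT_MAC, "01:00:5e:00:00:01", AP_MAC, reason=2),  # multicast source address
    MgmtFrame(4.0, PROBE_RESP, CLIENT_MAC, AP_MAC, AP_MAC, ssid=""),            # null SSID in a probe response
    MgmtFrame(4.5, AUTH, CLIENT_MAC, AP_MAC, AP_MAC, auth_alg=0x9999),          # unknown authentication algorithm
]
FRAMES += [MgmtFrame(5.0 + i * 0.1, DEAUTH, CLIENT_MAC, AP_MAC, AP_MAC, reason=7) for i in range(8)]  # deauth burst

if __name__ == "__main__":
    for event, count in sorted(detect(FRAMES).items()):
        print(f"{count:3d}  {event}")
```

The broadcast disassociation with reason 0x01 fires two events on purpose: the address-based and the reason-code-based signatures are independent, which is how the tables above also treat them. The rate check is the only stateful rule here; everything else can be evaluated on a single frame, which is why those entries are cheap enough for an AP in Access mode to run alongside serving clients.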
Infrastructure Protection
• Protecting 40MHz 802.11 High Throughput Devices: Protection from AP(s) that support 40MHz HT involves containing the AP such that clients cannot connect.
• Protecting 802.11n High Throughput Devices: Protection from AP(s) that support HT involves containing the AP such that clients cannot connect.
• Protecting Against AdHoc Networks: Protection from an ad-hoc network involves containing the ad-hoc network so that clients cannot connect to it. The basic ad-hoc protection feature protects against ad-hoc networks using WPA/WPA2 security. The enhanced ad-hoc network protection feature protects against open/WEP ad-hoc networks. Both features can be used together for maximum protection, or enabled or disabled separately.
• Protection Against AP Impersonation: Protection from AP impersonation involves containing both the legitimate and impersonating AP so that clients cannot connect to either AP.
• Protection Against Misconfigured APs: Protect Misconfigured AP enforces that valid APs are configured properly. An offending AP is contained by preventing clients from associating to it.
42
Infrastructure Protection
• Protection Against Wireless Hosted Networks: Clients using the Windows wireless hosted network feature can act as an access point to which other wireless clients can connect, effectively becoming a Wi-Fi hotspot. This creates a security issue for enterprises, because unauthorized users can use a hosted network to gain access to the corporate network, and valid users that connect to a hosted network are vulnerable to attacks or security breaches. This feature detects a wireless hosted network and contains the client hosting it.
• Protecting SSIDs: Protect SSID enforces that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating to it.
• Rogue Containment: By default, rogue APs are not automatically disabled. Rogue containment automatically disables a rogue AP by preventing clients from associating to it.
• Suspected Rogue Containment: By default, suspected rogue APs are not automatically contained. In combination with the suspected rogue containment confidence level, suspected rogue containment automatically disables a suspected rogue by preventing clients from associating to it. Because a suspected rogue has, by definition, not been confirmed on the wired network, set the confidence level with false positives in mind: containing a neighbour's AP disrupts their clients, not yours.
• Protection Against Wired Rogue APs: This feature enables containment from the wired side of the network. The basic wired containment feature in the IDS general profile isolates Layer-3 APs whose wired interface MAC address is the same as (or one character off from) their BSSID. The enhanced wired containment feature can also identify and contain an AP with a preset wired MAC address that is completely different from the AP's BSSID. In many non-Aruba APs, the MAC address the AP provides to wireless clients as a 'gateway MAC' is offset by one character from its wired MAC address. The enhanced feature lets the IAP check whether a suspected Layer-3 rogue AP's MAC address follows this common pattern.
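The wired-side checks in the last row above (a BSSID that is equal to, or one off from, a MAC seen on the wire, and a gateway MAC handed to wireless clients that is one off from the rogue's own wired MAC) amount to a small correlation routine over the IAP's Ethernet wired MAC table. The Python below is an added example written for this page, not Aruba's implementation: it models the wired MAC table as a plain list, takes a detected BSSID plus the gateway MAC its clients ARP for (as one would read it from an over-the-air capture), and returns the classification that results. The match-type labels reuse the names the deck uses earlier (Eth-Wired-MAC, Eth-GW-Wired-MAC); the sample table and detections are constructed; and treating "one character off" as a difference of exactly one in the 48-bit MAC value, including a carry across a byte boundary, is my generalisation of the pattern, not a statement about how the IAP compares addresses.

```python
"""Wired-side rogue correlation, modelled on the checks in the table above.
Added illustration for this page; not Aruba code."""
from dataclasses import dataclass
from typing import Optional

MAC_MASK = (1 << 48) - 1


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated, any case) into a 48-bit int."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Render a 48-bit int as a lower-case, colon-separated MAC."""
    return ":".join(f"{(value >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def normalize(mac: str) -> str:
    return int_to_mac(mac_to_int(mac))


def is_adjacent(mac_a: str, mac_b: str) -> bool:
    """True when the two MACs differ by exactly one (+1 or -1 modulo 2^48).
    This is the 'one character off' pattern from the table, generalised
    (assumption) so that ...:44:ff and ...:45:00 also count as adjacent."""
    diff = (mac_to_int(mac_a) - mac_to_int(mac_b)) & MAC_MASK
    return diff in (1, MAC_MASK)


@dataclass(frozen=True)
class DetectedAP:
    bssid: str                         # heard over the air
    client_gateway_mac: Optional[str]  # gateway MAC its clients use (from an OTA capture), if seen


@dataclass(frozen=True)
class Verdict:
    classification: str                # 'rogue', 'suspected-rogue' or 'interfering'
    match_type: str
    matched_wired_mac: Optional[str]


def classify(ap: DetectedAP, wired_mac_table: list) -> Verdict:
    """Correlate one detected AP against the IAP's Ethernet wired MAC table."""
    wired = [normalize(m) for m in wired_mac_table]
    bssid = normalize(ap.bssid)

    # 1. The BSSID itself appears as a source MAC on the wire: bridge-mode rogue.
    if bssid in wired:
        return Verdict("rogue", "Eth-Wired-MAC", bssid)

    # 2. Basic wired check: a wired MAC one off from the BSSID, the usual
    #    Layer-3 AP whose radio and Ethernet MACs are consecutive.
    for mac in wired:
        if is_adjacent(bssid, mac):
            return Verdict("rogue", "Eth-Wired-MAC (BSSID +/-1)", mac)

    if ap.client_gateway_mac is not None:
        gw = normalize(ap.client_gateway_mac)
        # 3. The gateway the rogue's clients use is a MAC on our own wire.
        if gw in wired:
            return Verdict("rogue", "Eth-GW-Wired-MAC", gw)
        # 4. Enhanced Layer-3 check: the gateway MAC handed to wireless clients
        #    is one off from a MAC on our wire (the NAT router's Ethernet port).
        for mac in wired:
            if is_adjacent(gw, mac):
                return Verdict("suspected-rogue", "GW-MAC adjacent to wired MAC", mac)

    # Seen over the air only: it stays interfering.
    return Verdict("interfering", "none", None)


# Constructed sample wired MAC table (not captured from a real network).
SAMPLE_WIRED_MAC_TABLE = [
    "00:0b:86:95:81:37",  # our own default gateway
    "3c:52:82:10:20:30",  # a wired desktop
    "84:b8:02:c9:56:60",  # a bridge-mode rogue whose BSSID leaks onto the wire
    "a8:9d:21:e1:aa:e4",  # Ethernet port of a SOHO NAT router
]

# Constructed detections, each exercising one branch of classify().
SAMPLE_DETECTIONS = {
    "bridged rogue": DetectedAP("84:B8:02:C9:56:60", None),
    "nat rogue":     DetectedAP("a8:9d:21:e1:aa:e5", None),
    "gw leak":       DetectedAP("d8:c7:c8:11:22:33", "00:0b:86:95:81:37"),
    "suspected l3":  DetectedAP("d8:c7:c8:aa:bb:cc", "a8:9d:21:e1:aa:e3"),
    "neighbour":     DetectedAP("f0:9f:c2:44:55:66", "f0:9f:c2:44:55:64"),
}


def run_samples() -> dict:
    """Classification for each constructed detection, keyed by its label."""
    return {name: classify(ap, SAMPLE_WIRED_MAC_TABLE).classification
            for name, ap in SAMPLE_DETECTIONS.items()}


if __name__ == "__main__":
    for name, ap in SAMPLE_DETECTIONS.items():
        v = classify(ap, SAMPLE_WIRED_MAC_TABLE)
        print(f"{name:14s} {ap.bssid:18s} -> {v.classification:16s} via {v.match_type}")
```

Run it as a script to see one verdict per sample. The only detection that stays "interfering" is the neighbour whose gateway MAC never shows up in the wired table, which is the same reason the deck insists on trunking the VLANs where detection matters to the IAPs: an IAP can only correlate against MACs it actually sees on its own Ethernet side.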
43
Client Intrusion Protection
• Protecting Valid Stations: Protecting a valid client involves disconnecting that client if it is associated to a non-valid AP.
• Protecting Windows Bridge: Protecting from a Windows Bridge involves containing the client that is forming the bridge so that it cannot connect to the AP.
THANK YOU!
45
EMEA Atmosphere 2017
• Date: May 8-11, 2017
• Location: Disneyland, Paris, France
• WHAT’S NEW IN 2017
• Vertical Demos: Retail, Healthcare, Hospitality, Education,
Large Public Venue
• Hands on Labs: Airheads will get the chance to work on live
lab use cases with our technical teams.
• Intelligent Spaces Room: The latest in connected digital
workplace solutions.
• Appreciation Party: ... It's a secret!
• Technical Training: Mobility Fundamentals 8.0, Instant AP +
Central, ClearPass Level 1, Meridian Fundamentals,
AirWave Fundamentals, Aruba Switching Fundamentals for
Mobility
• Exam @ Atmosphere: ACDX /MX/CX Exam
http://www.arubanetworks.com/emeaatmosphere/

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

EMEA Airheads - AP Discovery Logic and AP Deployment
EMEA Airheads - AP Discovery Logic and AP DeploymentEMEA Airheads - AP Discovery Logic and AP Deployment
EMEA Airheads - AP Discovery Logic and AP Deployment
 
6 understanding aruba rf issues
6 understanding aruba rf issues6 understanding aruba rf issues
6 understanding aruba rf issues
 
Useful cli commands v1
Useful cli commands v1Useful cli commands v1
Useful cli commands v1
 
Advanced rf troubleshooting_peter lane
Advanced rf troubleshooting_peter laneAdvanced rf troubleshooting_peter lane
Advanced rf troubleshooting_peter lane
 
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.xEMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
EMEA Airheads- Layer-3 Redundancy for Mobility Master - ArubaOS 8.x
 
EMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issuesEMEA Airheads- Troubleshooting 802.1x issues
EMEA Airheads- Troubleshooting 802.1x issues
 
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
EMEA Airheads- Aruba Instant AP-  VPN TroubleshootingEMEA Airheads- Aruba Instant AP-  VPN Troubleshooting
EMEA Airheads- Aruba Instant AP- VPN Troubleshooting
 
EMEA Airheads – Aruba controller features used to optimize performance
EMEA Airheads – Aruba controller features used to optimize performanceEMEA Airheads – Aruba controller features used to optimize performance
EMEA Airheads – Aruba controller features used to optimize performance
 
EMEA Airheads- ArubaOS - Understanding Control-Plane-Security
EMEA Airheads-  ArubaOS - Understanding Control-Plane-SecurityEMEA Airheads-  ArubaOS - Understanding Control-Plane-Security
EMEA Airheads- ArubaOS - Understanding Control-Plane-Security
 
EMEA Airheads- ArubaOS - Cluster Manager
EMEA Airheads- ArubaOS - Cluster ManagerEMEA Airheads- ArubaOS - Cluster Manager
EMEA Airheads- ArubaOS - Cluster Manager
 
Aruba WLANs 101 and design fundamentals
Aruba WLANs 101 and design fundamentalsAruba WLANs 101 and design fundamentals
Aruba WLANs 101 and design fundamentals
 
EMEA Airheads How licensing works in Aruba OS 8.x
EMEA Airheads  How licensing works in Aruba OS 8.xEMEA Airheads  How licensing works in Aruba OS 8.x
EMEA Airheads How licensing works in Aruba OS 8.x
 
Bringing up Aruba Mobility Master, Managed Device & Access Point
Bringing up Aruba Mobility Master, Managed Device & Access PointBringing up Aruba Mobility Master, Managed Device & Access Point
Bringing up Aruba Mobility Master, Managed Device & Access Point
 
Advanced RF Design & Troubleshooting
Advanced RF Design & TroubleshootingAdvanced RF Design & Troubleshooting
Advanced RF Design & Troubleshooting
 
EMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
EMEA Airheads- Aruba 8.x Architecture overview & UI NavigationEMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
EMEA Airheads- Aruba 8.x Architecture overview & UI Navigation
 
Design Fundamentals for Remote and Branch Access Networks
Design Fundamentals for Remote and Branch Access NetworksDesign Fundamentals for Remote and Branch Access Networks
Design Fundamentals for Remote and Branch Access Networks
 
Breakout - Airheads Macau 2013 - Top 10 Tips from Aruba TAC
Breakout - Airheads Macau 2013 - Top 10 Tips from Aruba TAC Breakout - Airheads Macau 2013 - Top 10 Tips from Aruba TAC
Breakout - Airheads Macau 2013 - Top 10 Tips from Aruba TAC
 
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba CentralAirheads Tech Talks: Cloud Guest SSID on Aruba Central
Airheads Tech Talks: Cloud Guest SSID on Aruba Central
 
Best Practices on Migrating to 802.11ac Wi-Fi
Best Practices on Migrating to 802.11ac Wi-FiBest Practices on Migrating to 802.11ac Wi-Fi
Best Practices on Migrating to 802.11ac Wi-Fi
 
Base Designs Lab Setup for Validated Reference Design
Base Designs Lab Setup for Validated Reference DesignBase Designs Lab Setup for Validated Reference Design
Base Designs Lab Setup for Validated Reference Design
 

Destaque

Destaque (20)

EMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast FailoverEMEA Airheads- ArubaOS - High availability with AP Fast Failover
EMEA Airheads- ArubaOS - High availability with AP Fast Failover
 
EMEA Airheads ClearPass guest with MAC- caching using Time Source
EMEA Airheads ClearPass guest with MAC- caching using Time SourceEMEA Airheads ClearPass guest with MAC- caching using Time Source
EMEA Airheads ClearPass guest with MAC- caching using Time Source
 
EMEA Airheads- ClearPass - Dot1x_ Purpose of domain joining
EMEA Airheads- ClearPass - Dot1x_ Purpose of domain joiningEMEA Airheads- ClearPass - Dot1x_ Purpose of domain joining
EMEA Airheads- ClearPass - Dot1x_ Purpose of domain joining
 
EMEA Airheads - Aruba Central- Managing Networks from the Cloud
EMEA Airheads - Aruba Central- Managing Networks from the CloudEMEA Airheads - Aruba Central- Managing Networks from the Cloud
EMEA Airheads - Aruba Central- Managing Networks from the Cloud
 
EMEA Airheads- Aruba OS- Mobile First Platform– Aruba OS 8.0 introduction
EMEA Airheads- Aruba OS- Mobile First Platform– Aruba OS 8.0 introductionEMEA Airheads- Aruba OS- Mobile First Platform– Aruba OS 8.0 introduction
EMEA Airheads- Aruba OS- Mobile First Platform– Aruba OS 8.0 introduction
 
EMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deployments
EMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deploymentsEMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deployments
EMEA Airheads- Instant AP- APP REF and Mixed IAP Cluster deployments
 
Aruba 802.11ac networks: Validated Reference Designs
Aruba 802.11ac networks: Validated Reference DesignsAruba 802.11ac networks: Validated Reference Designs
Aruba 802.11ac networks: Validated Reference Designs
 
EMEA Airheads- Instant AP traffic optimization
EMEA Airheads- Instant AP traffic optimizationEMEA Airheads- Instant AP traffic optimization
EMEA Airheads- Instant AP traffic optimization
 
Hpe Intelligent Management Center
Hpe Intelligent Management CenterHpe Intelligent Management Center
Hpe Intelligent Management Center
 
Aruba Beacons Validated Reference Guide
Aruba Beacons Validated Reference GuideAruba Beacons Validated Reference Guide
Aruba Beacons Validated Reference Guide
 
EMEA Airheads- Aruba IAP Webinar – How AirGroup service works in Aruba Instan...
EMEA Airheads- Aruba IAP Webinar – How AirGroup service works in Aruba Instan...EMEA Airheads- Aruba IAP Webinar – How AirGroup service works in Aruba Instan...
EMEA Airheads- Aruba IAP Webinar – How AirGroup service works in Aruba Instan...
 
Anatomy of an AP
Anatomy of an APAnatomy of an AP
Anatomy of an AP
 
Enhancing mobile apps in the public facing enterprise with the aruba meridian...
Enhancing mobile apps in the public facing enterprise with the aruba meridian...Enhancing mobile apps in the public facing enterprise with the aruba meridian...
Enhancing mobile apps in the public facing enterprise with the aruba meridian...
 
A consolidated virtualization approach to deploying distributed cloud networks
A consolidated virtualization approach to deploying distributed cloud networksA consolidated virtualization approach to deploying distributed cloud networks
A consolidated virtualization approach to deploying distributed cloud networks
 
Best practices in deploying and managing aruba bluetooth low energy (ble) bea...
Best practices in deploying and managing aruba bluetooth low energy (ble) bea...Best practices in deploying and managing aruba bluetooth low energy (ble) bea...
Best practices in deploying and managing aruba bluetooth low energy (ble) bea...
 
Very High Density (vhd) 802.11ac Wireless Network Design and Deployment Basics
Very High Density (vhd) 802.11ac Wireless Network Design and Deployment BasicsVery High Density (vhd) 802.11ac Wireless Network Design and Deployment Basics
Very High Density (vhd) 802.11ac Wireless Network Design and Deployment Basics
 
A-to-Z design guide for the all-wireless workplace
A-to-Z design guide for the all-wireless workplaceA-to-Z design guide for the all-wireless workplace
A-to-Z design guide for the all-wireless workplace
 
Overview of Major Aruba Switching Features incl. Smart Rate for Multi-Gig Ports
Overview of Major Aruba Switching Features incl. Smart Rate for Multi-Gig PortsOverview of Major Aruba Switching Features incl. Smart Rate for Multi-Gig Ports
Overview of Major Aruba Switching Features incl. Smart Rate for Multi-Gig Ports
 
Working with mobile app developers to enable indoor location based services
Working with mobile app developers to enable indoor location based servicesWorking with mobile app developers to enable indoor location based services
Working with mobile app developers to enable indoor location based services
 
EMEA Airheads- ClearPass extensions and how they can help
EMEA Airheads-  ClearPass extensions and how they can helpEMEA Airheads-  ClearPass extensions and how they can help
EMEA Airheads- ClearPass extensions and how they can help
 

Semelhante a EMEA Airheads- ArubaOS - Rogue AP troubleshooting

FAQ - Rogue AP - What is Rogue Access Point?
FAQ - Rogue AP - What is Rogue Access Point?FAQ - Rogue AP - What is Rogue Access Point?
FAQ - Rogue AP - What is Rogue Access Point?
Tũi Wichets
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
Ishraq Al Fataftah
 

Semelhante a EMEA Airheads- ArubaOS - Rogue AP troubleshooting (20)

Packet sniffing
Packet sniffingPacket sniffing
Packet sniffing
 
FAQ - Rogue AP - What is Rogue Access Point?
FAQ - Rogue AP - What is Rogue Access Point?FAQ - Rogue AP - What is Rogue Access Point?
FAQ - Rogue AP - What is Rogue Access Point?
 
Arp spoofing
Arp spoofingArp spoofing
Arp spoofing
 
Packet capturing
Packet capturingPacket capturing
Packet capturing
 
Vpn 3854d825
Vpn 3854d825Vpn 3854d825
Vpn 3854d825
 
Wireless Sensor Network
Wireless Sensor Network Wireless Sensor Network
Wireless Sensor Network
 
Iuwne10 S02 L04
Iuwne10 S02 L04Iuwne10 S02 L04
Iuwne10 S02 L04
 
Wireside Only Rogue Access Point Detection
Wireside Only Rogue Access Point DetectionWireside Only Rogue Access Point Detection
Wireside Only Rogue Access Point Detection
 
AN ACTIVE HOST-BASED INTRUSION DETECTION SYSTEM FOR ARP-RELATED ATTACKS AND I...
AN ACTIVE HOST-BASED INTRUSION DETECTION SYSTEM FOR ARP-RELATED ATTACKS AND I...AN ACTIVE HOST-BASED INTRUSION DETECTION SYSTEM FOR ARP-RELATED ATTACKS AND I...
AN ACTIVE HOST-BASED INTRUSION DETECTION SYSTEM FOR ARP-RELATED ATTACKS AND I...
 
Wireless Pentest & Capturing a WPA2 Four-Way Handshake
Wireless Pentest & Capturing a WPA2 Four-Way HandshakeWireless Pentest & Capturing a WPA2 Four-Way Handshake
Wireless Pentest & Capturing a WPA2 Four-Way Handshake
 
WPAN According To ZIGBEE
WPAN According To ZIGBEEWPAN According To ZIGBEE
WPAN According To ZIGBEE
 
UNIT-2 PPT Data link layer.pptx
UNIT-2 PPT Data link layer.pptxUNIT-2 PPT Data link layer.pptx
UNIT-2 PPT Data link layer.pptx
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
 
Cisco WLAN - Chapter. 04 : wireless topologies
Cisco WLAN - Chapter. 04 : wireless topologiesCisco WLAN - Chapter. 04 : wireless topologies
Cisco WLAN - Chapter. 04 : wireless topologies
 
Network monotoring
Network monotoringNetwork monotoring
Network monotoring
 
communication interfaces-Embedded real time systems
communication interfaces-Embedded real time systemscommunication interfaces-Embedded real time systems
communication interfaces-Embedded real time systems
 
HP HPE6-A85 Practice Test Questions
HP HPE6-A85 Practice Test QuestionsHP HPE6-A85 Practice Test Questions
HP HPE6-A85 Practice Test Questions
 
Wi-Fi Denver OWASP Presentation Feb. 15, 2017
Wi-Fi Denver OWASP Presentation Feb. 15, 2017Wi-Fi Denver OWASP Presentation Feb. 15, 2017
Wi-Fi Denver OWASP Presentation Feb. 15, 2017
 
Quick Guide Ip Routing
Quick Guide   Ip RoutingQuick Guide   Ip Routing
Quick Guide Ip Routing
 
Packet sniffingin switch lans
Packet sniffingin switch lansPacket sniffingin switch lans
Packet sniffingin switch lans
 

Mais de Aruba, a Hewlett Packard Enterprise company

Mais de Aruba, a Hewlett Packard Enterprise company (20)

Airheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard AgentsAirheads Tech Talks: Understanding ClearPass OnGuard Agents
Airheads Tech Talks: Understanding ClearPass OnGuard Agents
 
EMEA Airheads_ Advance Aruba Central
EMEA Airheads_ Advance Aruba CentralEMEA Airheads_ Advance Aruba Central
EMEA Airheads_ Advance Aruba Central
 
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.xEMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
EMEA Airheads_ Aruba AppRF – AOS 6.x & 8.x
 
EMEA Airheads- Switch stacking_ ArubaOS Switch
EMEA Airheads- Switch stacking_ ArubaOS SwitchEMEA Airheads- Switch stacking_ ArubaOS Switch
EMEA Airheads- Switch stacking_ ArubaOS Switch
 
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
EMEA Airheads- LACP and distributed LACP – ArubaOS SwitchEMEA Airheads- LACP and distributed LACP – ArubaOS Switch
EMEA Airheads- LACP and distributed LACP – ArubaOS Switch
 
Introduction to AirWave 10
Introduction to AirWave 10Introduction to AirWave 10
Introduction to AirWave 10
 
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
EMEA Airheads- Virtual Switching Framework- Aruba OS SwitchEMEA Airheads- Virtual Switching Framework- Aruba OS Switch
EMEA Airheads- Virtual Switching Framework- Aruba OS Switch
 
EMEA Airheads- Aruba Central with Instant AP
EMEA Airheads- Aruba Central with Instant APEMEA Airheads- Aruba Central with Instant AP
EMEA Airheads- Aruba Central with Instant AP
 
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.xEMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
EMEA Airheads- AirGroup profiling changes across 8.1 & 8.2 – ArubaOS 8.x
 
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
EMEA Airheads-  Getting Started with the ClearPass REST API – CPPMEMEA Airheads-  Getting Started with the ClearPass REST API – CPPM
EMEA Airheads- Getting Started with the ClearPass REST API – CPPM
 
EMEA Airheads- Manage Devices at Branch Office (BOC)
EMEA Airheads- Manage Devices at Branch Office (BOC)EMEA Airheads- Manage Devices at Branch Office (BOC)
EMEA Airheads- Manage Devices at Branch Office (BOC)
 
EMEA Airheads - What does AirMatch do differently?v2
 EMEA Airheads - What does AirMatch do differently?v2 EMEA Airheads - What does AirMatch do differently?v2
EMEA Airheads - What does AirMatch do differently?v2
 
Airheads Meetups: 8400 Presentation
Airheads Meetups: 8400 PresentationAirheads Meetups: 8400 Presentation
Airheads Meetups: 8400 Presentation
 
Airheads Meetups: Ekahau Presentation
Airheads Meetups: Ekahau PresentationAirheads Meetups: Ekahau Presentation
Airheads Meetups: Ekahau Presentation
 
Airheads Meetups- High density WLAN
Airheads Meetups- High density WLANAirheads Meetups- High density WLAN
Airheads Meetups- High density WLAN
 
Airheads Meetups- Avans Hogeschool goes Aruba
Airheads Meetups- Avans Hogeschool goes ArubaAirheads Meetups- Avans Hogeschool goes Aruba
Airheads Meetups- Avans Hogeschool goes Aruba
 
EMEA Airheads - Configuring different APIs in Aruba 8.x
EMEA Airheads - Configuring different APIs  in Aruba 8.x EMEA Airheads - Configuring different APIs  in Aruba 8.x
EMEA Airheads - Configuring different APIs in Aruba 8.x
 
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) TroubleshootingEMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
EMEA Airheads - Aruba Remote Access Point (RAP) Troubleshooting
 
EMEA Airheads - Multi zone ap and centralized image upgrade
EMEA Airheads - Multi zone ap and centralized image upgradeEMEA Airheads - Multi zone ap and centralized image upgrade
EMEA Airheads - Multi zone ap and centralized image upgrade
 
EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...
EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...
EMEA Airheads– Aruba Clarity. Because a Wi-Fi Problem's Often Not a "Wi-Fi" P...
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Último (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

EMEA Airheads- ArubaOS - Rogue AP troubleshooting

  • 1. ARUBA INSTANT – ROGUE AP TROUBLESHOOTING Technical Climb Webinar 10:00 GMT | 11:00 CET | 13:00 GST Feb 28th, 2016 Presenter: Anshul Bharthan anshul.bharthan@hpe.com
  • 3. 3 Classification of APs • The Aruba system classifies APs on a number of factors. The classification for these devices is handled automatically, but it can be overridden by the administrator. Here are the types: • Valid AP: An Aruba IAP which is a part of the cluster is marked as valid. • Rogue: An AP that is detected wirelessly and on the wired network. • Suspected rogue: An AP that has been detected wirelessly, has some indicators that lead the Instants to believe it may be attached to the network, but to avoid false positives, it has not yet been marked as a rogue. • Interfering: An AP that has been detected wirelessly, but has not been seen on the wired network. All APs begin with this setting. • Neighbor: An AP that is marked as either belonging to a neighbor by an administrator manually.
  • 4. 4 Different Modes of Access Points : • The three main wireless security areas to keep in mind when evaluating a WIDS system are rogue detection, rogue containment and wireless intrusion detection needs. • Wireless detection happens at the radio level and then gets fed upstream. • Aruba radios can be deployed in three different modes: AP mode, Air Monitor (AM) mode and Spectrum Monitor (SM) mode.
  • 5. 5 Different Modes of Access Points: • AP MODE: • AP mode radios focus on serving clients and pushing wireless traffic but they also perform IDS detection, Rogue detection and spectrum analysis. • AP will perform off channel scanning every 10 seconds for slightly less than 100 milliseconds. • The AP uses a bucketing based algorithm for channel scanning. • When the AP boots, all channels are divided into 2 different buckets, regulatory channels and non-regulatory channels. • The third channel bucket, active channels, is populated as the AP scans and detects channels with wireless traffic. • APs can perform wireless containment but they will prioritize pushing client traffic over containment. This is a very important distinction and the reason why AMs are recommended if wireless containment is enabled. • APs can also perform spectrum analysis on the channel where they are serving clients.
  • 6. 6 Different Modes of Access Points: • AM MODE: • AM’s don’t serve clients and are dedicated to wireless security. • AMs typically do not need to be deployed at the same density an AP would since they do not serve clients. • AMs use a channel scanning algorithm that is similar to an AP but has an extra bucket for ‘Rare’ channels. • Rare channels” - Channels that do not belong to any country’s regulatory domain and fall into a frequency range outside of the regulatory domain; 2484 MHz and 4900MHz-4995MHz (J-channels), and 5000-5100Mhz. • We only do rare channel scanning in AM mode • The AM will spend ~500 milliseconds on active channels, ~250 ms on channels in AP’s regulatory domain, ~200 ms in any regulatory domain and ~100 ms on rare channels. • SPECTRUM MODE: • SMs are designed for spectrum classification scans every channel within 1 second. • It doesn’t follow the bucketing system used by APs and AMs. • SMs will not perform any wireless containment since the time spent containing a rogue would impact the accuracy of the spectrum classifications.
  • 8. 8 Rogue Detection Basics • In order to detect Rogue AP, • IAP cluster has to find all the foreign APs via the scanning algorithm. • The list of all foreign APs seen by the cluster is "show ap monitor ap-list". NOTE: It is AP specific command, it only shows the current single AP data on which command is run. Please make sure that radio is up and one SSID is configured for IAP to start scanning. • A foreign “interfering” AP, will become a rogue, when it is diagnosed to be on the same wired network as the IAP. • IAP does that by looking at its “show ap monitor arp-cache” and/or “show ap monitor enet-wired-Mac <IAP wired MAC>”. This cache is built based on ARP messages seen on VLANs trunked to the IAP. • To successfully detect/contain rogue, it is recommended to extend the VLAN, and add required vlans on the trunk to IAP. Else IAP will not have visibility on the network, where you want rogue detection to occur. • If only one IAP has trunked to the VLAN, then only that IAP has the capability to detect this rogue from other specified vlans, however it also requires the rogue AP is near by this IAP for detecting BSSID. • From cluster design, it is needed to trunk the VLAN, where rogue detection is needed, to all the IAPs in the cluster.
  • 9. 9 Rogue Detection Basics and Types • What does IAP do in the background to detect Rogue? • The IAP constantly builds and updates an internal table of MAC addresses by collecting all MAC addresses on its Ethernet interface. This table is called the Ethernet wired MAC table. Here is the command to view this table: “show ap monitor enet-wired-mac <Wired MAC of the IAP>” • While the IAP is up, it also constantly monitors wireless frames outgoing from other APs. As soon as a new AP is detected (regardless whether this AP is classified as Rogue / Valid / Interfering), the IAP internally creates a separate table for it. Here is the command to view this table: “show ap monitor ap-wired-mac <BssID of the Rogue AP>” • There are few match types, on the basis of which IAP detects the rogue, • a) Eth-Wired-MAC b) Eth-GW-Wired-Mac c) System-Wired-Mac, d) System-Gateway-Mac
  • 10. 10 Rogue AP Detection – Sample Diagram
  • 11. 11 Rogue Detection Type • Here is an example, explaining Match-Type - Eth-Wired-Mac: • Two scenarios would trigger a rogue detection based on Eth-Wired-Mac: - a) An Instant AP/AM detects that the same device MAC is contained in both its Ethernet wired MAC table and in one of its non valid AP wired MAC table. b) When a nonvalid AP is acting as Layer 3 (with potentially NAT service enabled), it sends frames that have src- mac=BSSID, but more importantly that have BSSID=Ethernet MAC of the AP +/- 1. In this case, the Aruba AP checks whether a src mac either equals the BSSID +/-1 that can also be found in its Ethernet wired MAC table. If there is a match, rogue detection is triggered • Aruba AP : IP address : 10.1.1.254 , DG-10.1.1.1 Eth MAC : 18:64:72:cd:76:96 • MAS Switch: IP Address: VLAN 10 - 10.1.1.1 /24, VLAN 170- 10.17.170.1/24 VLAN Mac for 10,170 - 00:0b:86:95:81:37 • Cisco AP: IP Address : 10.17.170.254 , DG-10.17.170.1 Eth MAC : a8:9d:21:e1:aa:e4 BSSID 1) 84:b8:02:c9:56:60 -G 2) 84:b8:02:c8:8e:a0 -A
  • 12. 12 Rogue Detection Type • In this scenario, we will check a case from the previous slide, When the IAP detected the foreign (interfering) AP, Here is what it looked like:
  • 13. 13 Rogue Detection Type • Now, as soon as a client connects (g-radio in this case), we could see that the radio was marked as rogue, and similarly the other radio would be detected as rogue as client connected to it starts passing traffic.
  • 14. 14 Rogue Detection Type • Earlier, we saw that the Match MAC is 84:b8:02:c9:56:60  BSSID of Cisco AP, • We see that Cisco BSS Mac information is reached to the IAP as a source mac from the wired side. There is packet dump show this in next slide. And IAP also sees the same as source MAC for the wireless traffic, hence there was a table created for the same BSSID as well.
  • 15. 15 Rogue Detection Type • While IAP is detecting an AP as rogue, the Cisco BSSID can be see on the wired side of IAP, • Also, to check if the Client data traffic is hitting the IAP, so as to get the MAC information, then we need to see if the Data pkt/bytes are incrementing or not.
  • 16. 16 Rogue Detection Type • Here is another example, explaining Match-Type - Eth-GW-Wired-Mac: • The way how IAP detects rogue in this case is by capturing the Gateway MAC (of the Rogue Client) on both wired and wireless side. • To check the wireless end information, I did a Over The Air packet capture using a MacBook. • On the wired end we can either check the ARP cache or the Ethernet wired MAC table to see the gateway MAC entry.
19
Types of Rogue Containment
• There are two ways of rogue containment:
• Wired containment: when enabled, IAPs generate ARP packets on the wired network to contain wireless attacks by ARP poisoning the rogues.
• Wireless containment: when enabled, the system attempts to disconnect all clients that are connected, or attempting to connect, to the identified access point. There are two containment mechanisms:
  a) Deauthentication containment: the access point or client is contained by disrupting the client association on the wireless interface.
  b) Tarpit containment: the access point is contained by luring clients that attempt to associate with it to a tarpit. The tarpit can be on the same channel as, or a different channel from, the access point being contained.
• Note: containment does not require a dedicated AM; even an IAP in access mode can contain rogues (results can be delayed, so an AM is recommended for containment). For wireless containment from an access-mode IAP the preferred method is tarpitting; deauth works more effectively from AMs. Wired containment (ARP poisoning) is also effective against wireless clients and works from both AMs and access-mode IAPs.
20
Wired Containment
• When enabled, IAPs generate ARP packets on the wired network to contain wireless attacks by ARP poisoning the rogues.
• Here we can see that, because wired containment is enabled, the IAP keeps sending fake ARP requests and responses so that the device (a mobile phone in this case) cannot use the rogue AP.
• The IAP generates a fake BSSID (mostly starting with 02:xx) and sends ARP requests/responses on behalf of the device (10.17.170.252). Many duplicate ARP packets are visible in the captures shown on the next slide.
• "arp -a" on the Windows test client shows an incorrect MAC for the default gateway.
22
Wired Containment Types
• CLI knobs:
  (Aruba)# ids
  (Aruba)# wired-containment
• Two additional knobs are present only in the CLI:
• wired-containment-ap-adj-mac: the IAP can detect SOHO rogues but cannot start containing them with the "wired-containment" knob alone; containing them needs the CLI knob "wired-containment-ap-adj-mac".
• wired-containment-susp-l3-rogue: wired containment works fine for a bridge-mode rogue AP, but for a NAT router AP the IAP cannot judge the relation between the Ethernet MAC and the wireless BSSID. However, if the gateway MAC seen by a wireless client is offset by one character from the rogue AP's wired MAC address, such rogues can be contained with the knob "wired-containment-susp-l3-rogue".
23
Wireless Containment
• When enabled, the system attempts to disconnect all clients that are connected, or attempting to connect, to the identified access point.
• There are two containment mechanisms:
  a) Deauthentication: the access point or client is contained by disrupting the client association on the wireless interface. The Aruba AP sends deauthentication packets to the AP and to the client device. If the client tries to reconnect, the deauth is sent again, and this repeats.
  b) Tarpitting: the access point is contained by luring clients that attempt to associate with it to a tarpit. The tarpit can be on the same channel as, or a different channel from, the access point being contained. When the client device attempts to reconnect to the network, the Aruba AP responds with a probe response containing some fake data to induce the client device to connect to the Aruba AP rather than to the rogue device.
24
Wireless Containment Types
• When the deauthentication-only knob is enabled:
• Spoofed deauth frames are sent by the AP/AM to the client with the rogue AP as the source. Similarly, spoofed deauth frames are sent by the AP/AM to the rogue AP with the client as the source.
• CLI commands:
25
Wireless Containment Types
• Deauthentication-only, GUI:
26
Wireless Containment Types
• Tarpitting:
• Detect the rogue and contain it using the tarpit. The client is first deauthenticated, and the AP/AM then impersonates the rogue on a fake channel so that the client tries to connect back to the AP/AM.
• There are two options available under it:
  a) tarpit-non-valid-sta: only non-authorized clients that attempt to associate with the AP are sent to the tarpit.
  b) tarpit-all-sta: all clients that attempt to associate with the AP are sent to the tarpit.
28
Manually Override IDS Classification
• Manual IDS classification
• There may be instances where we need to manually override the IDS classification done by Aruba Instant.
• IDS reclassification is done with the ids-reclassify command.
• The command takes the phy-type and classification-type as values:
  18:64:72:cd:76:96# ids-reclassify ap 84:b8:02:c9:56:60 0 2
  (0 = Valid, 2 = g)
29
Other CLI outputs
• To check the status of clients connecting to interfering/rogue APs:
• To check the signal of a particular client:
30
Other CLI outputs
• show ap monitor scan-info: checks the scanning status of the AP
32
Detection and protection option
Infrastructure Intrusion Detection (option: description)
• Detect 802.11n 40MHz Intolerance Setting: When a client sets the HT capability "intolerant bit" to indicate that it is unable to participate in a 40MHz BSS, the AP must use lower data rates with all of its clients. Network administrators often want to know if there are devices advertising 40MHz intolerance, as this can impact the performance of the network.
• Detect Active 802.11n Greenfield Mode: When 802.11 devices use the HT operating mode, they cannot share the same channel as 802.11a/b/g stations. Not only can they not communicate with legacy devices, the way they use the transmission medium is different, which causes collisions, errors and retransmissions.
• Detect AdHoc Networks: An ad-hoc network is a collection of wireless clients that form a network amongst themselves without the use of an AP. As far as network administrators are concerned, ad-hoc wireless networks are uncontrolled. If they do not use encryption, they may expose sensitive data to outside eavesdroppers. If a device is connected to a wired network and has bridging enabled, an ad-hoc network may also function like a rogue AP. Additionally, ad-hoc networks can expose client devices to viruses and other security vulnerabilities. For these reasons, many administrators choose to prohibit ad-hoc networks.
• Detect AdHoc Network Using Valid SSID: If an unauthorized ad-hoc network is using the same SSID as an authorized network, a valid client may be tricked into connecting to the wrong network. If a client connects to a malicious ad-hoc network, security breaches or attacks can occur.
• Detect AP Flood Attack: Fake AP is a tool that was originally created to thwart wardrivers by flooding beacon frames containing hundreds of different addresses. This would appear to a wardriver as though there were hundreds of APs in the area, thus concealing the real AP. An attacker can use this tool to flood an enterprise or public hotspot with fake AP beacons to confuse legitimate users and to increase the processing load on client operating systems.
33
Detection and protection option
Infrastructure Intrusion Detection (option: description)
• Detect AP Impersonation: In AP impersonation attacks, the attacker sets up an AP that assumes the BSSID and ESSID of a valid AP. AP impersonation can be used for man-in-the-middle attacks, by a rogue AP attempting to bypass detection, or for a honeypot attack.
• Detect AP Spoofing: An AP spoofing attack involves an intruder sending forged frames that are made to look like they come from a legitimate AP. This is trivial for an attacker, since tools are readily available to inject wireless frames with any MAC address the user desires. Spoofing frames from a legitimate AP is the foundation of many wireless attacks.
• Detect Bad WEP: This is the detection of WEP initialization vectors that are known to be weak. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak implementations, which are still used by many legacy devices.
• Detect Beacon Wrong Channel: In this type of attack, an intruder spoofs a beacon packet on a channel that is different from the one advertised in the beacon frame of the AP.
• Detect Client Flood: There are fake AP tools that can be used to attack wireless intrusion detection itself by generating a large number of fake clients that fill internal tables with fake information. If successful, this overwhelms the wireless intrusion system, resulting in a DoS.
34
Detection and protection option
Infrastructure Intrusion Detection (option: description)
• Detect RTS Rate Anomaly: The RF medium can be reserved via Virtual Carrier Sensing using a Clear To Send (CTS) transaction. The transmitter station sends a Ready To Send (RTS) frame to the receiver station. The receiver station responds with a CTS frame. All other stations that receive these CTS frames refrain from transmitting over the wireless medium for the amount of time specified in the duration fields of these frames. Attackers can exploit the Virtual Carrier Sensing mechanism to launch a DoS attack on the WLAN by transmitting numerous RTS and/or CTS frames. This causes other stations in the WLAN to defer transmission to the wireless medium. The attacker can essentially block the authorized stations in the WLAN with this attack.
• Detect CTS Rate Anomaly: The RF medium can be reserved via Virtual Carrier Sensing using an RTS transaction. The transmitter station sends an RTS frame to the receiver station. The receiver station responds with a CTS frame. All other stations that receive these RTS frames refrain from transmitting over the wireless medium for the amount of time specified in the duration fields of these frames. Attackers can exploit the Virtual Carrier Sensing mechanism to launch a DoS attack on the WLAN by transmitting numerous RTS and/or CTS frames. This causes other stations in the WLAN to defer transmission to the wireless medium. The attacker can essentially block the authorized stations in the WLAN with this attack.
• Detect Device with a Bad MAC OUI: The first three bytes of a MAC address, known as the MAC organizationally unique identifier (OUI), are assigned by the IEEE to known manufacturers. Often, clients using a spoofed MAC address do not use a valid OUI and instead use a randomly generated MAC address.
• Detect Invalid Address Combination: In this attack, an intruder can cause an AP to transmit deauthentication and disassociation frames to all of its clients. Triggers that can cause this condition include the use of a broadcast or multicast MAC address in the source address field.
35
Detection and protection option
Infrastructure Intrusion Detection (option: description)
• Detect Overflow EAPOL Key: Some wireless drivers used in access points do not correctly validate the EAPOL key fields. A malicious EAPOL-Key packet with an invalid advertised length can trigger a DoS or possible code execution. This can only be achieved after a successful 802.11 association exchange.
• Detect Overflow IE: Some wireless drivers used in access points do not correctly parse the vendor-specific IE tags. A malicious association request sent to the AP containing an IE with an inappropriate (too long) length can cause a DoS and potentially lead to code execution. The association request must be sent after a successful 802.11 authentication exchange.
• Detect Malformed Frame Association Request: Some wireless drivers used in access points do not correctly parse the SSID information element tag contained in association request frames. A malicious association request with a null SSID (that is, a zero-length SSID) can trigger a DoS or a potential code execution condition on the targeted device.
• Detect Malformed Frame Auth: Malformed 802.11 authentication frames that do not conform to the specification can expose vulnerabilities in some drivers that have not implemented proper error checking. This feature checks for unexpected values in an authentication frame.
• Detect Malformed Frame-HT IE: The IEEE 802.11n HT (High Throughput) IE is used to convey information about the 802.11n network. An 802.11 management frame containing a malformed HT IE can crash some client implementations, potentially representing an exploitable condition when transmitted by a malicious attacker.
36
Detection and protection option
Infrastructure Intrusion Detection (option: description)
• Detect Malformed Frame Large Duration: The virtual carrier-sense attack is implemented by modifying the 802.11 MAC layer implementation to allow random duration values to be sent periodically. This attack can be carried out on the ACK, data, RTS and CTS frame types by using large duration values. It can prevent channel access for legitimate users.
• Detect Misconfigured AP: A list of parameters can be configured to define the characteristics of a valid AP. This feature is primarily used when non-Aruba APs are used in the network, since the Aruba controller cannot configure the third-party APs. These parameters include WEP, WPA, OUI of valid MAC addresses, valid channels and valid SSIDs.
• Detect Windows Bridge: A Windows bridge occurs when a client that is associated to an AP is also connected to the wired network and has enabled bridging between these two interfaces.
• Detect Wireless Bridge: Wireless bridges are normally used to connect multiple buildings together. However, an attacker could place (or have an authorized person place) a wireless bridge inside the network that would extend the corporate network somewhere outside the building. Wireless bridges are somewhat different from rogue APs, in that they do not use beacons and have no concept of association. Most networks do not use bridges, and in these networks the presence of a bridge is a signal that a security problem exists.
• Detect Broadcast Deauthentication: A deauthentication broadcast attempts to disconnect all stations in range. Rather than sending a spoofed deauth to a specific MAC address, this attack sends the frame to a broadcast address.
37
Detection and protection option
Infrastructure Intrusion Detection (option: description)
• Detect Broadcast Disassociation: By sending disassociation frames to the broadcast address (FF:FF:FF:FF:FF:FF), an attacker can disconnect all stations on a network for a widespread DoS.
• Detect NetStumbler: NetStumbler is a popular wardriving application used to locate 802.11 networks. When used with certain NICs, NetStumbler generates a characteristic frame that can be detected. Version 3.3.0 of NetStumbler changed the characteristic frame slightly.
• Detect Valid SSID Misuse: If an unauthorized AP (neighbor or interfering) is using the same SSID as an authorized network, a valid client may be tricked into connecting to the wrong network. If a client connects to a malicious network, security breaches or attacks can occur.
• Detect Wellenreiter: Wellenreiter is a passive wireless network discovery tool used to compile a list of APs in the vicinity along with their MAC address, SSID, channel and security setting. It passively sniffs wireless traffic and, with certain versions (1.4, 1.5 and 1.6), sends active probes that target known default SSIDs.
38
Detection and protection option
Client Intrusion Detection (option: description)
• Detect Block ACK DoS: The Block ACK mechanism that was introduced in 802.11e, and enhanced in 802.11n D3.0, has a built-in DoS vulnerability. The Block ACK mechanism allows a sender to use the ADDBA request frame to specify the sequence number window that the receiver should expect. The receiver will only accept frames in this window. An attacker can spoof the ADDBA request frame, causing the receiver to reset its sequence number window and thereby drop frames that do not fall in that range.
• Detect ChopChop Attack: ChopChop is a plaintext recovery attack against WEP-encrypted networks. It works by forcing the plaintext, one byte at a time, by truncating a captured frame and then trying all 256 possible values for the last byte with a corrected CRC. The correct guess causes the AP to retransmit the frame. When that happens, the frame is truncated again.
• Detect Disconnect Station Attack: A disconnect attack can be launched in many ways; the end result is that the client is effectively and repeatedly disconnected from the AP.
• Detect EAP Rate Anomaly: To authenticate wireless clients, WLANs may use 802.1X, which is based on a framework called Extensible Authentication Protocol (EAP). After an EAP packet exchange in which the user is successfully authenticated, an EAP-Success is sent from the AP to the client. If the user fails to authenticate, an EAP-Failure is sent. In this attack, EAP-Failure or EAP-Success frames are spoofed from the access point to the client to disrupt the authentication state on the client. This confuses the client's state, causing it to drop the AP connection. By continuously sending EAP Success or Failure messages, an attacker can effectively prevent the client from authenticating with the APs in the WLAN.
39
Detection and protection option
Client Intrusion Detection (option: description)
• Detect FATA-Jack Attack Structure: FATA-Jack is an 802.11 client DoS tool that tries to disconnect targeted stations using spoofed authentication frames that contain an invalid authentication algorithm number.
• Detect Hotspotter Attack: The Hotspotter attack is an evil-twin attack which attempts to lure a client to a malicious AP. Many enterprise employees use their laptops in Wi-Fi hotspots at airports, cafes, malls etc. They have the SSIDs of their hotspot service providers configured on their laptops. The SSIDs used by different hotspot service providers are well known. This enables attackers to set up APs with hotspot SSIDs in close proximity to the enterprise premises. When an enterprise laptop client probes for hotspot SSIDs, these malicious APs respond and invite the client to connect to them. When the client connects to a malicious AP, a number of security attacks can be launched on the client. Airsnarf is a popular hacking tool used to launch these attacks.
• Detect a Meiners Power Save DoS Attack: To save power, wireless clients "sleep" periodically, during which they cannot transmit or receive. A client indicates its intention to sleep by sending frames to the AP with the Power Management bit ON. The AP then begins buffering traffic bound for that client until it indicates that it is awake. An intruder could exploit this mechanism by sending (spoofed) frames to the AP on behalf of the client to trick the AP into believing the client is asleep. This causes the AP to buffer most, if not all, frames destined for the client.
• Detect Omerta Attack: Omerta is an 802.11 DoS tool that sends disassociation frames to all stations on a channel in response to data frames. The Omerta attack is characterized by disassociation frames with a reason code of 0x01. This reason code is "unspecified" and is not used under normal circumstances.
• Detect Rate Anomalies: Many DoS attacks flood an AP or multiple APs with 802.11 management frames. These can include authenticate/associate frames, which are designed to fill up the association table of an AP. Other management frame floods, such as probe request floods, can consume excess processing power on the AP.
40
Detection and protection option
Infrastructure Intrusion Detection (option: description)
• Detect TKIP Replay Attack: TKIP is vulnerable to replay (via WMM/QoS) and plaintext discovery (via ChopChop). This affects all WPA-TKIP usage. By replaying a captured TKIP data frame on other QoS queues, an attacker can manipulate the RC4 data and checksum to derive the plaintext at a rate of one byte per minute. By targeting an ARP frame and guessing the known payload, an attacker can extract the complete plaintext and MIC checksum. With the extracted MIC checksum, an attacker can reverse the MIC AP-to-station key and sign future messages as MIC compliant, opening the door for more advanced attacks.
• Detect Unencrypted Valid Clients: An authorized (valid) client that is passing traffic in unencrypted mode is a security risk. An intruder can sniff unencrypted traffic (also known as packet capture) with software tools known as sniffers. These packets are then reassembled to produce the original message.
• Detect Valid Client Misassociation: This feature does not detect attacks; rather, it monitors authorized (valid) wireless clients and their associations within the network. Valid client misassociation is potentially dangerous to network security. The four types of misassociation that are monitored are: 1) Authorized client associated to rogue: a valid client that is associated to a rogue AP. 2) Authorized client associated to external AP: an external AP, in this context, is any AP that is not valid and not a rogue. 3) Authorized client associated to honeypot AP: a honeypot is an AP that is not valid but is using an SSID that has been designated as valid/protected. 4) Authorized client in ad-hoc connection mode: a valid client that has joined an ad-hoc network.
• Detect AirJack: AirJack is a suite of device drivers for 802.11(a/b/g) raw frame injection and reception. It was intended to be used as a development tool for all 802.11 applications that need to access the raw protocol. However, one of the tools included allowed users to force all users off an AP.
• Detect ASLEAP: ASLEAP is a tool created for Linux systems used to attack the Cisco LEAP authentication protocol.
• Detect Null Probe Response: A null probe response attack has the potential to crash or lock up the firmware of many 802.11 NICs. In this attack, a client probe request frame is answered by a probe response containing a null SSID. A number of popular NIC cards lock up upon receiving such a probe response.
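Several of the detections in the tables above (slides 34 to 40) are simple per-frame or per-second rules once the frames are parsed, so they can be checked against a capture offline. The Python below is an added example, not Aruba code, that applies the Broadcast Deauthentication, Broadcast Disassociation, Omerta (disassociation reason 0x01), Invalid Address Combination (group address as source), Null Probe Response, Malformed Frame Large Duration and RTS/CTS Rate Anomaly rules to constructed frame records. The record layout, the thresholds LARGE_DURATION_US and RTS_CTS_PER_SECOND, and the AP/STA addresses are all assumptions; the slides do not state Aruba's thresholds.

```python
# Added example (not Aruba code): a small rule engine that applies several of the
# detections listed above to already-parsed 802.11 frame records. The record
# layout, both thresholds and every MAC address are assumptions for illustration.
from collections import Counter
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
OMERTA_REASON = 0x01          # "unspecified" disassociation reason code used by Omerta
LARGE_DURATION_US = 20000     # assumed threshold for the Large Duration rule
RTS_CTS_PER_SECOND = 50       # assumed threshold for the RTS/CTS Rate Anomaly rules

Frame = Dict[str, object]
Alert = Tuple[float, str, str]  # (timestamp, detection name, offending source MAC)


def is_group_address(mac: str) -> bool:
    """True for broadcast/multicast MACs (I/G bit set in the first octet)."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def detect(frames: List[Frame]) -> List[Alert]:
    alerts: List[Alert] = []
    rts_cts_buckets: Counter = Counter()  # (type, src, whole second) -> frame count
    for f in sorted(frames, key=lambda x: x["ts"]):
        ts, ftype, src, dst = f["ts"], f["type"], f["src"], f["dst"]
        if ftype == "deauth" and dst == BROADCAST:
            alerts.append((ts, "Broadcast Deauthentication", src))
        if ftype == "disassoc" and dst == BROADCAST:
            alerts.append((ts, "Broadcast Disassociation", src))
        if ftype == "disassoc" and f.get("reason") == OMERTA_REASON:
            alerts.append((ts, "Omerta Attack", src))
        if is_group_address(src):
            alerts.append((ts, "Invalid Address Combination", src))
        if ftype == "probe_resp" and f.get("ssid", "") == "":
            alerts.append((ts, "Null Probe Response", src))
        if int(f.get("duration", 0)) > LARGE_DURATION_US:
            alerts.append((ts, "Malformed Frame Large Duration", src))
        if ftype in ("rts", "cts"):
            key = (ftype, src, int(ts))
            rts_cts_buckets[key] += 1
            if rts_cts_buckets[key] == RTS_CTS_PER_SECOND:  # alert once per bucket
                alerts.append((ts, ftype.upper() + " Rate Anomaly", src))
    return alerts


# Constructed sample records (not a real capture). "src" is the transmitter
# address, or the receiver address for CTS frames, which carry no transmitter.
AP = "02:aa:bb:cc:dd:01"
STA = "02:aa:bb:cc:dd:02"


def sample_frames() -> List[Frame]:
    frames: List[Frame] = [
        {"ts": 1.00, "type": "beacon", "src": AP, "dst": BROADCAST, "ssid": "corp"},
        {"ts": 1.10, "type": "deauth", "src": AP, "dst": STA, "reason": 3},         # normal unicast deauth
        {"ts": 2.00, "type": "deauth", "src": AP, "dst": BROADCAST, "reason": 7},   # broadcast deauth
        {"ts": 2.50, "type": "disassoc", "src": AP, "dst": STA, "reason": 0x01},    # Omerta signature
        {"ts": 3.00, "type": "data", "src": "01:00:5e:00:00:01", "dst": STA},       # multicast source
        {"ts": 3.50, "type": "probe_resp", "src": AP, "dst": STA, "ssid": ""},      # null SSID
        {"ts": 4.00, "type": "cts", "src": STA, "dst": AP, "duration": 30000},      # oversized NAV
    ]
    # 60 RTS frames from one station inside a single second
    frames += [{"ts": 5.0 + i * 0.01, "type": "rts", "src": STA, "dst": AP, "duration": 200}
               for i in range(60)]
    return frames


def detection_names(frames: List[Frame]) -> List[str]:
    return [name for _, name, _ in detect(frames)]


if __name__ == "__main__":
    for ts, name, src in detect(sample_frames()):
        print("%6.2f  %-32s %s" % (ts, name, src))
```

The unicast deauth at 1.10 s and the beacon produce no alert, which is the point of keeping the rules narrow: a normal AP deauthenticates single clients all the time, and only the broadcast destination, the reserved reason code, the group-address source, the empty SSID, the oversized duration and the per-second rate are the signatures the table describes.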
41
Infrastructure Protection
Infrastructure Protection (option: description)
• Protecting 40MHz 802.11 High Throughput Devices: Protection from APs that support 40MHz HT involves containing the AP so that clients cannot connect.
• Protecting 802.11n High Throughput Devices: Protection from APs that support HT involves containing the AP so that clients cannot connect.
• Protecting Against AdHoc Networks: Protection from an ad-hoc network involves containing the ad-hoc network so that clients cannot connect to it. The basic ad-hoc protection feature protects against ad-hoc networks using WPA/WPA2 security. The enhanced ad-hoc network protection feature protects against open/WEP ad-hoc networks. Both features can be used together for maximum protection, or enabled or disabled separately.
• Protection Against AP Impersonation: Protection from AP impersonation involves containing both the legitimate and the impersonating AP so that clients cannot connect to either AP.
• Protection Against Misconfigured APs: Protect Misconfigured AP enforces that valid APs are configured properly. An offending AP is contained by preventing clients from associating to it.
42
Infrastructure Protection
Infrastructure Protection (option: description)
• Protection Against Wireless Hosted Networks: Clients using the Windows wireless hosted network feature can act as an access point to which other wireless clients can connect, effectively becoming a Wi-Fi hotspot. This creates a security issue for enterprises, because unauthorized users can use a hosted network to gain access to the corporate network, and valid users that connect to a hosted network are vulnerable to attacks or security breaches. This feature detects a wireless hosted network and contains the client hosting it.
• Protecting SSIDs: Protect SSID enforces that valid/protected SSIDs are used only by valid APs. An offending AP is contained by preventing clients from associating to it.
• Protection Against Rogue Containment: By default, rogue APs are not automatically disabled. Rogue containment automatically disables a rogue AP by preventing clients from associating to it.
• Protecting Against Suspected Rogue Containment: By default, suspected rogue APs are not automatically contained. In combination with the suspected rogue containment confidence level, suspected rogue containment automatically disables a suspected rogue by preventing clients from associating to it.
• Protection Against Wired Rogue APs: This feature enables containment from the wired side of the network. The basic wired containment feature in the IDS general profile isolates layer-3 APs whose wired interface MAC addresses are the same as (or one character off from) their BSSIDs. The enhanced wired containment feature can also identify and contain an AP with a preset wired MAC address that is completely different from the AP's BSSID. In many non-Aruba APs, the MAC address the AP provides to wireless clients as a "gateway MAC" is offset by one character from its wired MAC address. This enhanced feature checks whether a suspected Layer-3 rogue AP's MAC address follows this common pattern.
43
Client Intrusion Protection
Client Intrusion Protection (option: description)
• Protecting Valid Stations: Protecting a valid client involves disconnecting that client if it is associated to a non-valid AP.
• Protecting Windows Bridge: Protecting from a Windows bridge involves containing the client that is forming the bridge so that it cannot connect to the AP.
45
EMEA Atmosphere 2017
• Date: May 8-11, 2017
• Location: Disneyland, Paris, France
• What's new in 2017:
  - Vertical demos: Retail, Healthcare, Hospitality, Education, Large Public Venue
  - Hands-on labs: Airheads will get the chance to work on live lab use cases with our technical teams.
  - Intelligent Spaces room: the latest in connected digital workplace solutions.
  - Appreciation party: ... it's a secret!
  - Technical training: Mobility Fundamentals 8.0, Instant AP + Central, ClearPass Level 1, Meridian Fundamentals, AirWave Fundamentals, Aruba Switching Fundamentals for Mobility
  - Exam @ Atmosphere: ACDX/MX/CX exam
• http://www.arubanetworks.com/emeaatmosphere/