Rapids
Overview
With Aruba Central (on-premises), you can quickly identify and act on interfering devices, which can later be considered for investigation, restrictive action, or both. Once the interfering devices are discovered, Aruba Central (on-premises) sends alerts to your network administrators about the possible threat and provides essential information needed to locate and manage the threat.
Aruba Central (on-premises) supports the following features:
Automatic detection of unauthorized wireless devices.
Wireless detection, using authorized wireless APs to report other devices within range to calculate and display rogue location on a VisualRF map.
Ability to make a decision based on the AP classifications and send that back to the Access Point.
Obtaining the MAC (Media Access Control) address table from the switch to identify the switch port to which the rogue device is connected.
Users with the administrator role can see all rogue APs and interfering devices.
VisualRF uses the heard signal information to calculate the physical location of the device.
Clicking icon enables you to customize the table and Rogues table columns or set it to the default view.
To view the details of each intrusion detection that is generated, click the arrow against each row in the table.
Viewing Rapids Page
To view the intrusion detail page in order to find information on interfering devices, complete the following steps:
1. In the app, set the filter to one of the options under , , or . For all devices, set the filter to .
2. Under , click . The page with table is displayed.
3. Click tab to view the Rogues details page.
Monitoring IDS and Rogue Events
The > > tab provides a summary of the rogue APs, suspected rogue APs, interfering APs, and the total number of wireless attacks detected for a given duration. The following menu options in the > tab provide information on the potential threats discovered in the network:
Intrusion Detection
The page provides a summary of the total number of wireless attacks detected for a given duration. The table displays the following information category:
—Displays the number of infrastructure attacks detected in the network.
—Displays the number of client attacks detected in the network.
Field | Description |
---|---|
 | The type of the intrusion or attack detected. Click the drop-down arrow at the column heading to filter the event types based on your requirement. |
 | Category of the intrusion or attack, infrastructure or client attack. Click the drop-down arrow at the column heading to filter the category that you want to display. |
 | The level of the intrusion or attack detected. Click the drop-down arrow at the column heading to filter the attack level. |
 | Time of the intrusion or attack. |
 | MAC address of the station under attack or BSSID (Basic Service Set Identifier) of the AP under attack. |
 | The MAC address of the device that detected the intrusion or attack. |
 | Radio band on which the intrusion was detected. There are two radio band signals available, 2.4 GHz and 5 GHz. Click the drop-down arrow at the column heading to filter the radio band where the intrusion was detected. |
 | Details of the attack or the intrusion. |
Configuring IDS Parameters
The type and severity of intrusion detections raised by an AP are configurable and affect the data that is seen in the table. For more information on how to configure IDS (Intrusion Detection System) parameters, see Configuring IDS Parameters on APs.
Rogue Detection and Classification
Aruba Central (on-premises) employs Rogue Access Point Intrusion Detection System as a security service for detecting and classifying rogues and intruders. Central discovers unauthorized devices in your WLAN (Wireless Local Area Network) using APs. It uses infrastructure APs, routers, and switches to locate, identify, and classify unknown APs. Security allows you to detect neighboring APs and classify them according to their threat level.
The access points in Aruba Central (on-premises) are classified as one of the following:
Classification | Description |
---|---|
Rogue AP | An unauthorized access point plugged into the wired side of the network. |
Suspect Rogue AP | An unauthorized access point with a signal strength greater than or equal to -75 that could have connected to the wired network. |
Interfering AP | An access point seen in the RF (Radio Frequency) environment with a signal strength less than -75 that is not connected to the wired network. These access points may potentially cause RF interference, but cannot be considered a direct security threat because they are not connected to the wired network. For example, an interfering AP can be an access point that belongs to a neighboring office's WLAN but is not part of your WLAN network. |
Neighbor AP | A neighboring AP is an AP whose BSSIDs are known. Once classified, a neighboring AP does not change its state. |
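The classification rules in the table above, combined with the switch MAC address table lookup listed under the supported features, can be sketched as follows. This is an added example, not Aruba's implementation: the record fields, the sample data, the order in which the rules are applied, and the adjacent-MAC matching heuristic are all assumptions.

```python
# Added illustration; field names, rule precedence and sample data are assumptions.
SIGNAL_THRESHOLD = -75  # value from the classification table (unit not stated there)

def mac_to_int(mac):
    """Normalize aa:bb:cc:dd:ee:ff, aa-bb-... or aabb.ccdd.eeff to an integer."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def find_wired_port(bssid, mac_table, max_offset=1):
    # Assumption: an AP's wired and radio MACs are often sequential, so a
    # learned MAC within max_offset of the BSSID suggests the AP is on the wire.
    target = mac_to_int(bssid)
    for entry in mac_table:
        if abs(mac_to_int(entry["mac"]) - target) <= max_offset:
            return entry["switch"], entry["port"]
    return None

def classify(ap, mac_table, known_neighbors):
    """Return (classification, switch port or None) for one observed AP."""
    if mac_to_int(ap["bssid"]) in {mac_to_int(m) for m in known_neighbors}:
        return "Neighbor AP", None
    port = find_wired_port(ap["bssid"], mac_table)
    if port:
        return "Rogue AP", port            # seen on the wired side
    if ap["signal"] >= SIGNAL_THRESHOLD:
        return "Suspect Rogue AP", None    # strong signal, wired link unconfirmed
    return "Interfering AP", None          # weak signal, not on the wire

# Constructed sample data (locally administered MACs, not from a real network).
MAC_TABLE = [
    {"switch": "sw-floor2", "port": "1/0/14", "mac": "0200.5e10.0a31"},
    {"switch": "sw-floor2", "port": "1/0/3", "mac": "02:00:5e:22:00:07"},
]
NEIGHBORS = ["02:00:5E:99:00:01"]
OBSERVED = [
    {"bssid": "02:00:5e:10:0a:30", "signal": -48},
    {"bssid": "02:00:5e:77:00:10", "signal": -60},
    {"bssid": "02:00:5e:88:00:20", "signal": -82},
    {"bssid": "02:00:5e:99:00:01", "signal": -55},
]

def triage(observed=OBSERVED):
    return [(ap["bssid"], *classify(ap, MAC_TABLE, NEIGHBORS)) for ap in observed]

if __name__ == "__main__":
    for bssid, label, port in triage():
        print(f"{bssid}  {label:17}  {port or '-'}")
```

For the first constructed AP, the returned switch and port identify where the device would be disconnected or investigated on the wired side.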
The page displays the following information tabs:
—Shows the total number of rogues classified as , , , or that are detected in the network.
—Shows the total number of devices classified as rogue APs.
—Shows the total number of devices classified as suspected rogue APs.
—Shows the total number of devices classified as interfering APs.
—Shows the total number of devices classified as neighbor APs.
Click the respective tabs to display specific rogue information pertaining to each classification. By default, the information tab is selected and the table displays all the detected rogue APs.
Fields | Description |
---|---|
 | The BSSIDs broadcast by the rogue device. |
 | Name of the rogue device detected in the network. |
 | Classification of the rogue device (monitored device) as Suspect Rogue, or Interferer. Click the drop-down arrow at the column heading to filter the rogue classification that you want to display. |
 | The SSID (Service Set Identifier) broadcast by the rogue device. |
 | The time relative to the current moment (for example, 6 minutes; an hour) at which the rogue device was last detected in the network. |
 | The AP name of the last device to report to have seen the monitored AP. |
 | The time relative to the current moment (for example, 6 minutes; an hour) at which the rogue device was detected in the network. |
 | The AP name of the first AP to discover the monitored AP. |
 | The signal strength of the AP that detected the rogue device. |
 | The type of encryption used by the device that detected the rogue; for example, WPA (Wi-Fi Protected Access), Open, WEP (Wired Equivalent Privacy), Unknown. Generally, this field alone does not provide enough information to determine if a device is a rogue, but it is a useful attribute. If a rogue is not running any encryption method, you have a wider security hole than with an AP that is using encryption. |
 | Details of the containment status. Click the drop-down arrow at the column heading to filter the status that you want to display. |
 | The vendor name associated with the MAC OUI (Organizationally Unique Identifier) of the rogue AP. |
Generating Alerts for Security Events
Aruba Central (on-premises) supports configuring alerts for rogue AP detections and IDS events. To generate alerts, complete the following steps:
1. In the app, use the filter to select .
2. Under , click . The page is displayed.
3. In the page, click the icon.
The page is displayed.
4. Select tab to display the AP dashboard. Aruba Central (on-premises) supports three alert types for identifying interfering devices:
Rogue AP Detected
Infrastructure Attacks Detected
Client Attack Detected
5. Select an alert and click to enable the alert with default settings. To configure alert parameters, click on the alert tile (anywhere within the rectangular box) and do the following:
a. —Set the severity. The available options are Critical, Major, Minor, and Warning.
For a few alerts, you can configure a threshold value for one or more alert severities. To set the threshold value, select the alert and in the text box, enter the value. The alert is triggered when one of the threshold values exceeds the duration.
b. —(Optional) You can restrict the scope of an alert by setting one or more of the following parameters:
—Select a group to limit the alert to a specific group.
—Select a label to limit the alert to a specific label.
—Select a site to limit the alert to a specific site.
c.
—Select the check box and enter an email address to receive notifications when an alert is generated. To enter multiple email addresses, separate each value with a comma.
—Select the check box to receive the streaming notifications when an alert is generated.
—Select the check box and select the Webhook from the drop-down list. For more information, see Aruba Central Help Center.
—Select the check box to receive the syslog notifications when an alert is generated.
d. Click .
Generating Reports for Security Events
Aruba Central (on-premises) supports generating reports for rogue AP detections and IDS events. To generate reports, complete the following steps:
1. In the app, use the filter to select .
2. Under , click .
3. In the page, click . Aruba Central (on-premises) supports to display the report of all wireless intrusions. For more information on how to create Reports, see Creating a Report.