Rogue Detection and Classification

Aruba Central supports rogue detection and classification feature that enables your Aruba Central administrators to detect intrusion events and classify rogue devices. Rogue devices refer to the unauthorized devices in your WLANWireless Local Area Network. WLAN is a 802.11 standards-based LAN that the users access through a wireless connection. network. With Aruba Central, you can create a detailed definition of what constitutes a rogue device, and quickly act on a rogue AP for investigation, restrictive action, or both. Once rogue devices are discovered, Aruba Central sends alerts to your network administrators about the possible threat and provides essential information needed to locate and manage the threat.

Aruba Central discovers unauthorized devices in your WLAN network using APs. It uses polling routers and switches to locate, identify, and classify unknown APs.

The Rogue AP detection module referred to as RAPIDSRogue Access Point identification and Detection System. An AMP module that is designed to identify and locate wireless threats by making use of all of the information available from your existing infrastructure. in previous releases of Aruba Central supports the following features:

Automatic detection of unauthorized wireless devices.
Wireless detection, using authorized wireless APs to report other devices within range to calculate and display rogue location on a VisualRF map.
Wired network detection of rogue APs located beyond the range of authorized APs and sensors, routers, and switches. It also identifies the switch port to which a rogue device is connected.

Important Considerations

Note the following important points:

Users with the admin role of can see all rogue AP devices.
Each rogue device frequently has multiple discovery methods, all of which are listed.

Monitoring Rogue Devices

The Security tab provides a summary of the rogue APs, interfering APs, and the total number of wireless attacks detected for a given duration.

The following menu options in Security tab provide information on the potential threats discovered in the network:

WIDS Events

The Security > WIDS Events page provides the following information:

Table 1: WIDS Events
Page/Tab	Description
Rogues/Interferers	Displays the following information: Name—Name of the rogue device detected in the network. To view the rogue device details, click the link. Classification—Classification of the rogue device (Instant AP) as Suspect Rogue, Rogue, or Interfering. Last Seen—The time relative to the current moment, for example, 6 minutes; an hour, at which the rogue device was last detected in the network. Last Discovering Device—Device that last detected the rogue device in the network. To view more details, click the link. First Seen—The time relative to the current moment (for example, 6 minutes; an hour) at which the rogue device was detected in the network. First Discovering Device—Device that first detected the rogue device in the network. To view more details, click the link. SSIDService Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network.—The SSID broadcast by the rogue device. Encryption—The type of encryption used by the device that detected the rogue; for example, WPAWi-Fi Protected Access. WPA is an interoperable wireless security specification subset of the IEEE 802.11 standard. This standard provides authentication capabilities and uses TKIP for data encryption., Open. Generally, this field alone does not provide enough information to determine if a device is a rogue, but it is a useful attribute. If a rogue is not running any encryption method, you have a wider security hole than with an AP that is using encryption. BSSIDBasic Service Set Identifier. The BSSID identifies a particular BSS within an area. In infrastructure BSS networks, the BSSID is the MAC address of the AP. In independent BSS or ad hoc networks, the BSSID is generated randomly.—The BSSIDs broadcast by the rogue device. Signal—The signal strength of the AP that detected the rogue device.
Rogue Details	To view the details of a rogue, click the link to the rogue device in the Name column under the Rogues/Interferences tab. The Rogue Details page displays a summary of the rogue device details. If the device is seen on the wire, the Rogue Details page shows the switch port for easy isolation. The Discovery Events table on the Rogue Details page displays the following information: Name—Name of the rogue device detected in the network. Detecting Device—Name of the device that detects the rogue device in the network. To view the AP details, click the link. BSSID—The BSSID broadcast by the rogue device. SSID—The SSID broadcast by the rogue device. Time—The date and time stamp of rogue device detection. Channel—Number of radio channels detected on the rogue device. Signal—The signal strength of the detected Instant AP. SNRSignal-to-Noise Ratio. SNR is used for comparing the level of a desired signal with the level of background noise.—The signal-to-noise ratio of the detected Instant AP. Encryption—The type of encryption used by the detected Instant APAP, for example, WPA, Open. Radio—Radio bandBand refers to a specified range of frequencies of electromagnetic radiation. on which the interference was detected (2.4 or 5).
Infrastructure Attacks Client Attacks	The Infrastructure Attacks and Client Attacks sections display the following information: Type—The type of the interference or attack detected. Level—The level of the interference or attack detected. Date/Time—Date and time of the interference or attack. Description—Description of the attack. Detecting Device—The MACMedia Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address of the device that detected the interference or attack. Virtual Controller—The VC name of the IAP cluster in which the interference or attack was detected. Station MAC—MAC address of the station Radio—Radio band on which the interference was detected.

Generating Reports for Rogue Devices

To generate reports for rogue devices, complete the following steps:

In the Configure Reports section, click Create Report.
In the Report(s) page, under the Configure Reports section, perform the following steps:
1. In the Title text box, enter a report title.
2. From the Report Type drop-down list, select RAPIDS.
3. From the Period drop-down list, select a timeline for which the report is to be generated .

The following options are available in the list: Last day, Last week, Last month, and Custom range. If you selected Custom range, you need to select the Start Date and End Date from the respective calendars to specify the custom timeline of the report.

For Schedule, select the Now option or the Later option.

If you selected Later, you need to select a date and time from the calendar and time drop-down list, respectively, to set a schedule for the report.
In the Run Report drop-down list, select the frequency at which you want to run the RAPIDS report.

You can select one of the following options: One Time, Daily Interval, Weekly Interval, and Monthly Interval.
In the Email Report box, enter the email account(s) to which the report is to be sent.
Click Create.

Send Feedback