Viewing Rogues

There are several ways to view rogue devices, listed by rogue classification.

To view the list of rogue devices:

  • Click the rogue count in the header statistics at the top of the AirWave WebUI.
  • Go to RAPIDS > Overview, then click the RAPIDS classification link.
  • Go to RAPIDS > List and select a RAPIDS classification from the drop-down menu, as shown in Figure 1.

You can sort the table columns by selecting the column head. Most columns can be filtered by clicking the funnel icon. The hyperlinks on this page open additional pages for RAPIDS configuration or device processing.

Predefined, Default Views for Rogue Devices

AirWave displays a default view for rogue devices on the RAPIDS > List page. Default views have predefined columns that cannot be modified.

Figure 1  Predefined, Default Views for Rogue Devices

Table 1 describes the information displayed in the default view.

Table 1: Default View for Rogue

Column

Description

Ack

Displays whether or not the rogue device has been acknowledged. Devices can be acknowledged manually, or you can configure RAPIDS so that manually classifying rogues automatically acknowledges them. Additionally, devices can be acknowledged by using the Modify Devices link at the top of the RAPIDS > List page. Rogues should be acknowledged when the AirWave user has investigated them and determined that they are not a threat (see RAPIDS Setup).

RAPIDS Classification

Displays the RAPIDS classification of the discovered device, including: valid, suspected valid, neighbor, suspected neighbor, unclassified, suspected rogue, rogue, and contained rogue. RAPIDS classifies the discovered devices based on rules that you customize on the RAPIDS > Rules page (see Defining RAPIDS Rules).

Threat Level

This field displays the numeric threat level of the device, in a range from 1 to 10. The definition of threat level is configurable, as described in Rogue Device Threat Level. The threat level is also supported with Triggers (see Using the System Pages).

Name

Displays the alphanumeric name of the rogue device, as known. By default, AirWave assigns each rogue device a name that displays the MAC address (it can be the Name, LAN MAC, Radio MAC, or IP address).

Clicking the linked name will redirect you to the RAPIDS > Detail page for that rogue device. Refer to Overview of the RAPIDS > Detail Page.

Classifying Rule

Displays the RAPIDS Rule that classified the rogue device (see Viewing and Configuring RAPIDS Rules).

Controller Classification

Displays the classification of the device based on the controller’s hard-coded rules.

This column is hidden unless Offload WMS Database is enabled by at least one group on the Groups > Basic page.

Detecting APs

Displays the number of AP devices that have wirelessly detected the rogue device. A designation of heard implies the device was heard over the air.

First Discovering AP

Displays when a rogue was first seen. You can sort on this field to decide whether to be concerned with the rogue.

Last Discovering AP

Displays the most recent AP to discover the rogue device. The device name in this column is taken from the device name in AirWave. Click the linked device name to be redirected to the Devices > Monitor page for that AP.

Filtered Views for Rogue Devices

You can create a new view, or edit and copy a view, and save the view to access information you frequently use.

For more information on filtering data from your view, see Creating Filtered Views.

Table 2: Additional Columns for Custom Views

Column

Description

Ack

Displays whether or not the rogue device has been acknowledged. Devices can be acknowledged manually, or you can configure RAPIDS so that manually classifying rogues automatically acknowledges them. Additionally, devices can be acknowledged by using the Modify Devices link at the top of the RAPIDS > List page. Rogues should be acknowledged when the AirWave user has investigated them and determined that they are not a threat (see RAPIDS Setup).

Ch

Indicates the most recent RF channel on which the rogue was detected.

The rogue can be detected on more than one channel if it contains more than one radio.

Classifying Rule

Displays the RAPIDS Rule that classified the rogue device (see Viewing and Configuring RAPIDS Rules).

Confidence

The confidence level of the suspected rogue. How confidence is calculated varies based on the version of AOS. When an AOS controller sees evidence that a device might be on the wire, it raises the confidence level. If AOS is completely certain that the device is on the wire, the device is classified as a rogue.

Controller Classification

Displays the classification of the device based on the controller’s hard-coded rules.

This column is hidden unless Offload WMS Database is enabled by at least one group on the Groups > Basic page.

Current Associations

The number of current rogue client associations to this device.

Detecting APs

Displays the number of AP devices that have wirelessly detected the rogue device. A designation of heard implies the device was heard over the air.

Encryption Authentication

Displays the authentication algorithm used by the access point. Possible contents of this field include the following: PSK, DOT1X, TDLS, SAE, SUITEB, and OWE.

Encryption Cipher

Displays the cipher used by the access point. Possible contents of this field include the following cipher types: AES, GCM, WEP, and TKIP.

Encryption Type

Displays the encryption that is used by the device. Possible contents of this field include the following encryption types:

Open—No encryption

WEP—Wired Equivalent Privacy

WPA—Wi-Fi Protected Access

Generally, this field alone does not provide enough information to determine if a device is a rogue, but it is a useful attribute. If a rogue is not running any encryption method, you have a wider security hole than with an AP that is using encryption.

First Discovering Time

Displays the time the rogue was first discovered.

Floor Coordinates

Displays the x and y coordinates taken from VisualRF for rogues.

IP Address

Displays the IP address of the rogue device. The IP address data comes from fingerprint scans or ARP polling of routers and switches.

LAN MAC Address

The LAN MAC address of the rogue device.

LAN Vendor

Indicates the LAN vendor of the rogue device, when known.

Last Discovering AP

Displays the most recent AP to discover the rogue device. The device name in this column is taken from the device name in AirWave. Click the linked device name to be redirected to the Devices > Monitor page for that AP.

Location

If the rogue has been placed in VisualRF, this column will display the name of the floor plan the rogue is on as a link to the VisualRF Floor Plan View page.

Max Associations

The highest number of rogue client associations ever detected at one time.

Model

Displays the model of rogue device, if known. This is determined with a fingerprint scan, and this information may not always be available.

Network Type

Displays the type of network in which the rogue is present, for example:

Ad-hoc—This type of network usually indicates that the rogue is a laptop that attempts to create a network with neighboring laptops, and is less likely to be a threat.

AP—This type of network usually indicates an infrastructure network. This may be more of a threat.

Unknown—The network type is not known.

Notes

Indicates any notes about the rogue device that may have been added.

OS

This field displays the OS of the device, as known. OS is the result of running an OS port scan on a device. An IP address is required to run an OS scan. The OS reported here is based on the results of the scan.

Port

Indicates the physical port of the switch or router where the rogue was last seen.

Radio MAC Address

Displays the MAC address for the radio device, when known.

Radio Vendor

Indicates the radio vendor of the rogue device, when known.

RSSI

Displays the signal strength in dBm. In AirWave, the signal strength is a calculation based on RSSI measurements received in the radio signal from the AP. This RSSI data is relative and varies by AP.

Signal

Displays the strongest signal strength detected for the rogue device.

SSID

Displays the most recent SSID that was heard from the rogue device.

Switch/Router

Displays the switch or router where the device’s LAN MAC address was last seen.

Threat Level

This field displays the numeric threat level of the device, in a range from 1 to 10. The definition of threat level is configurable, as described in Rogue Device Threat Level.

The threat level is also supported with Triggers (see Using the System Pages).

Wired

Displays whether the rogue device has been discovered on one of your wired networks by polling routers/switches, your SNMP/HTTP scans, or HPE Aruba Networking WIP information. This column displays Yes or is blank if wired information was not detected.

WMS Classification AP

The AP that provided the information used to classify the device. AirWave marks the source of the update on the controllers when rogues are reclassified, either manually by the user from the Rogues Details page or by RAPIDS rules. Click the linked device name to be redirected to the Devices > Monitor page for that AP.

When you reclassify rogues in AirWave, the following command is sent to the controller:

wms ap <bssid> mode <mode> source <source>

 

WMS Classification Date

The date that WMS set the classification.
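
The column descriptions above note that no single attribute settles whether a device is a threat, so the following added example (not part of the AirWave documentation or product) combines Ack, RAPIDS Classification, Wired, Threat Level, Encryption Type, and Network Type to order rogues for review. The CSV layout, the sample rows, the set of classifications to review, and the ordering are assumptions made for illustration.

```python
import csv
import io

# Constructed sample data. Column names follow Table 2; the CSV layout and
# the "Yes"/blank form of the Ack column are assumptions.
SAMPLE_CSV = """Name,Ack,RAPIDS Classification,Threat Level,Wired,Encryption Type,Network Type
AP-02:00:00:00:00:01,,Rogue,8,Yes,Open,AP
AP-02:00:00:00:00:02,Yes,Rogue,8,Yes,Open,AP
AP-02:00:00:00:00:03,,Suspected Rogue,6,,WPA,AP
AP-02:00:00:00:00:04,,Suspected Rogue,5,,Open,Ad-hoc
AP-02:00:00:00:00:05,,Neighbor,2,,WPA,AP
"""

# Assumption: which classifications still need an analyst's attention.
REVIEW_CLASSES = {"rogue", "suspected rogue", "unclassified"}


def field(row, name):
    """Normalised cell value; missing or blank cells become ''."""
    return (row.get(name) or "").strip().lower()


def triage(csv_text):
    """Return (name, threat_level, reasons) for rogues awaiting review, most urgent first."""
    queue = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if field(row, "Ack") == "yes":
            continue  # already investigated and judged not a threat
        if field(row, "RAPIDS Classification") not in REVIEW_CLASSES:
            continue
        reasons = []
        wired = field(row, "Wired") == "yes"  # "Yes" or blank, per Table 2
        if wired:
            reasons.append("seen on a wired network")
        if field(row, "Encryption Type") == "open":
            reasons.append("no encryption")
        if field(row, "Network Type") == "ap":
            reasons.append("infrastructure (AP) network")
        level = field(row, "Threat Level")
        threat = int(level) if level.isdigit() else 0
        queue.append((wired, threat, len(reasons), row["Name"], reasons))
    # Wired presence outranks threat level, which outranks the reason count.
    queue.sort(key=lambda item: item[:3], reverse=True)
    return [(name, threat, reasons) for _, threat, _, name, reasons in queue]


if __name__ == "__main__":
    for name, threat, reasons in triage(SAMPLE_CSV):
        print(f"{name}  threat={threat}  {'; '.join(reasons) or 'no extra indicators'}")
```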