Rogues
Rogue Access Point Intrusion Detection System (RAPIDS) is a security service for automatically or manually detecting and classifying rogues and intruders. For a given duration, the Rogues tab provides a summary of:
- Rogue APs
- Suspected rogue APs
- Interfering APs
- Neighboring APs
- The total number of manually contained APs.
The access points in HPE Aruba Networking Central are classified as follows:
| Classification | Description |
|---|---|
| Rogue AP | An unauthorized access point plugged into the wired side of the network. |
| Suspect Rogue AP | An unauthorized access point with a signal strength greater than or equal to -75 that could have connected to the wired network. |
| Interfering AP | An access point seen in the RF (Radio Frequency) environment with a signal strength less than -75 that is not connected to the wired network. These access points may cause RF interference, but cannot be considered a direct security threat because they are not connected to the wired network. For example, an interfering AP can be an access point that belongs to the WLAN (Wireless Local Area Network) of a neighboring office but is not part of your WLAN. |
| Neighbor AP | A neighboring AP for which the BSSIDs (Basic Service Set Identifiers) are known. After it is classified, a neighboring AP does not change its state. |
| Manually contained | Manual classification that enables rogue containment against the selected AP. |
The page displays the following information tabs:
- —Shows the total number of rogues that are detected in the network, classified as , or .
- —Shows the total number of devices classified as rogue APs.
- —Shows the total number of devices classified as suspected rogue APs.
- —Shows the total number of devices classified as interfering APs.
- —Shows the total number of devices classified as neighbor APs.
- Manually Contained—Shows the total number of devices classified as manually contained.
- The feature for enabling wireless containment under the IDS (Intrusion Detection System) Unauthorized Device profile and IDS Impersonation profile may be in violation of certain FCC (Federal Communications Commission) regulatory statutes.
- Users with the admin role can see all the rogue APs and interfering devices.
- Rogue data is retained for a maximum of 7 days because of the large amount of data stored in the RAPIDS backend.
To display specific rogue information pertaining to each classification, click the respective tabs. By default, the Total information tab is selected and the Detected Access Points table displays all the detected rogue APs.
| Fields | Description |
|---|---|
| | The BSSIDs broadcast by the rogue device. |
| | Name of the rogue device detected in the network. |
| | Classification of the rogue device (monitored device) as Suspect Rogue, or Interferer. Click the drop-down arrow at the column heading to filter the rogue classification that you want to display. |
| Classification Method | Method of classifying the detected access point. |
| | The time, relative to the current moment (for example, 6 minutes or an hour), at which the rogue device was last detected in the network. |
| | The AP name of the last device to report having seen the monitored AP. |
| | The time, relative to the current moment (for example, 6 minutes or an hour), at which the rogue device was first detected in the network. |
| | The type of encryption used by the device that detected the rogue; for example, WPA (Wi-Fi Protected Access), Open, WEP (Wired Equivalent Privacy), Unknown. Generally, this field alone does not provide enough information to determine if a device is a rogue, but it is a useful attribute. If a rogue is not running any encryption method, you have a wider security hole than with an AP that is using encryption. |
| | The vendor name associated with the MAC (Media Access Control) OUI (Organizationally Unique Identifier) of the rogue AP. |
| | The SSID (Service Set Identifier) broadcast by the rogue device. |
| | The signal strength of the AP that detected the rogue device. |
| | Details of the containment status. Click the drop-down arrow at the column heading to filter the status that you want to display. |
| MAC Vendor | Vendor of the detected access point. |
Each rogue can be detected by multiple APs, which can belong to different groups at the same time. You can see the set of APs that detected a rogue in the rogue details section. Even if one of the APs stops detecting a rogue, other APs can still report it, so the rogue remains visible when you filter by different groups.
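The classification rules in the table above, combined with the multi-AP detection behaviour just described, as an added Python example (not HPE Aruba Networking code and not a Central API): it merges per-AP sightings into one row per BSSID and orders the result for triage. The field names, the precedence of the rules and the sample BSSIDs are assumptions constructed for illustration.

```python
from collections import defaultdict

SIGNAL_THRESHOLD = -75  # threshold quoted in the classification table
RANK = {"Rogue AP": 0, "Suspect Rogue AP": 1, "Interfering AP": 2, "Neighbor AP": 3}

# Constructed sample data: one row per (detecting AP, observed BSSID).
# Field names are hypothetical, not a Central export or API schema.
DETECTIONS = [
    {"bssid": "02:00:00:aa:00:01", "seen_by": "ap-lobby", "signal": -80, "on_wire": False, "enc": "Open"},
    {"bssid": "02:00:00:aa:00:01", "seen_by": "ap-floor2", "signal": -58, "on_wire": True, "enc": "Open"},
    {"bssid": "02:00:00:aa:00:02", "seen_by": "ap-lobby", "signal": -70, "on_wire": False, "enc": "WPA"},
    {"bssid": "02:00:00:aa:00:03", "seen_by": "ap-floor2", "signal": -88, "on_wire": False, "enc": "WEP"},
    {"bssid": "02:00:00:aa:00:04", "seen_by": "ap-lobby", "signal": -60, "on_wire": False, "enc": "WPA"},
    {"bssid": "02:00:00:aa:00:05", "seen_by": "ap-floor2", "signal": -75, "on_wire": False, "enc": "Open"},
]
KNOWN_NEIGHBORS = {"02:00:00:aa:00:04"}  # BSSIDs already classified as neighbors

def classify(signal, on_wire, bssid, neighbors=KNOWN_NEIGHBORS):
    """Apply the table's rules; the precedence order is an assumption."""
    if bssid in neighbors:          # a classified neighbor keeps its state
        return "Neighbor AP"
    if on_wire:                     # seen on the wired side of the network
        return "Rogue AP"
    if signal >= SIGNAL_THRESHOLD:  # strong enough to be a candidate rogue
        return "Suspect Rogue AP"
    return "Interfering AP"

def triage(detections):
    """Merge per-AP detections into one row per BSSID, worst case first."""
    merged = defaultdict(lambda: {"signal": -200, "on_wire": False, "seen_by": set(), "enc": "Unknown"})
    for d in detections:
        m = merged[d["bssid"]]
        m["signal"] = max(m["signal"], d["signal"])  # strongest report wins
        m["on_wire"] = m["on_wire"] or d["on_wire"]  # any wired sighting counts
        m["seen_by"].add(d["seen_by"])               # every AP that saw it
        m["enc"] = d["enc"]                          # last report wins
    rows = [
        {"bssid": b, "class": classify(m["signal"], m["on_wire"], b), **m}
        for b, m in merged.items()
    ]
    # Sort by class severity, then unencrypted first, then strongest signal.
    rows.sort(key=lambda r: (RANK[r["class"]], r["enc"] != "Open", -r["signal"]))
    return rows

if __name__ == "__main__":
    for r in triage(DETECTIONS):
        print(f'{r["bssid"]}  {r["class"]:<17} {r["signal"]:>4}  {r["enc"]:<5} {sorted(r["seen_by"])}')
```

The first sample BSSID is reported below the threshold by one AP and on the wired side by another; merging the two sightings is what moves it to the top of the list.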