ExtremeWireless (WiNG)


Onboard WIPS

  • 1.  Onboard WIPS

    Posted 12-12-2018 20:28
    I'm attempting to test WIPS on AP7522s and AP7632. The documentation I see assumes this will be used with Air Defense.
    Isn't there an option to enable rogue detection on an access point and have it send an alert via the Event Management Policy without using Air Defense?
    I've enabled radio share mode on the radios and enabled Rogue detection in the WIPS policy but I'm not seeing any WIPS events. There are several other brand access points in the area that should identify as rogue. What am I missing?


  • 2.  RE: Onboard WIPS

    Posted 12-12-2018 20:32
    Can you kindly share your WIPS policy content?
    Is there a policy mapped to the rf-domain?

    Misha


  • 3.  RE: Onboard WIPS

    Posted 12-12-2018 20:48
    "There are several other brand access points in the area that should identify as rogue. "

    Rogue APs are APs that are not yours BUT connected to the protected LAN (#1 in the picture).

    APs from outside, e.g. outside the building, are defined as neighbour APs.

    Here is how IdentiFi APs are able to find a rogue AP on the LAN:
    https://gtacknowledge.extremenetworks.com/articles/Q_A/How-does-your-ExtremeWireless-access-point-with-RADAR-detect-a-rogue-access-point


  • 4.  RE: Onboard WIPS

    Posted 12-12-2018 21:38
    Thanks guys!
    Vanelm, I mapped the policy to the rf-domain and I'm now receiving WIPS events.
    Ronald, thank you for the explanation.


  • 5.  RE: Onboard WIPS

    Posted 12-12-2018 22:12
    Hello,

    Please replicate the following first for proper device marking. Some devices, like your own printers/projectors/neighbors, are always there, so there is no reason to claim them as rogue.
    Then we will work on the event policy in case you need to send them to e-mail/syslog.

    code:
    device-categorization TEST
     mark-device 1 neighboring ap ssid "BAD DADDY"
     mark-device 2 sanctioned ap ssid "BEST PRINTER"

    wips-policy TEST
     ap-detection
     ! following line is optional
     ap-detection air-termination mode auto
     use device-categorization policy TEST

    rf-domain TEST
     use wips-policy TEST


    code:
    rfs7000-000000#sh wireless unsanctioned aps on TEST
    ---------------------------------------------------------------------------------------------------
    FS : First Seen(seconds ago)
    R : Rogue
    I : Interferer
    T : Termination Active
    ---------------------------------------------------------------------------------------------------
    ---------------------------------------------------------------------------------------------------
    MAC                VENDOR          CHNL  SSID           RSSI  VLAN  FS   R  I  T  TOP REPORTER
    ---------------------------------------------------------------------------------------------------
    98-01-A7-E7-04-55  Apple Inc       100   Apple Network  -44         37d  N  Y  N  ap6532-8617B0
    98-01-A7-E7-04-54  Apple Inc       6     Apple Network  -46         37d  N  Y  N  ap6532-8617B0
    24-DE-C6-5D-BA-52  Aruba Networks  5     Dell-ap        -62         37d  N  Y  N  ap6532-2270D8
    24-DE-C6-57-31-36  Aruba Networks  13    Dell-ap        -62         37d  N  Y  N  ap6532-2270A4
    24-DE-C6-5D-BA-54  Aruba Networks  5     Dell-ap        -65         37d  N  Y  N  ap6532-2270D8
    24-DE-C6-5D-BA-55  Aruba Networks  5     Dell-ap        -65         37d  N  Y  N  ap6532-8617B0
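
Added example, not part of the original thread and not Extreme's own tooling: a small Python parser for pasted `sh wireless unsanctioned aps` output. It separates devices flagged R (rogue, on the protected LAN) from interferer-only neighbours that are candidates for `mark-device` entries. The sample rows, the function names and the vendor/channel/SSID split heuristic are assumptions made for this illustration.

```python
import re

MAC = re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")
RSSI = re.compile(r"-\d+$")

# Constructed sample (documentation-range MACs, made-up names), whitespace-collapsed
# the way the CLI table looks once pasted into a ticket or forum post.
SAMPLE = """\
MAC VENDOR CHNL SSID RSSI VLAN FS R I T TOP REPORTER
00-00-5E-00-53-01 Example Corp 100 Guest Net -44 37d N Y N ap-lab-1
00-00-5E-00-53-02 Example Corp 6 Lab 2 -61 20 2h Y N N ap-lab-2
00-00-5E-00-53-03 Other Vendor 11 -70 5m Y N Y ap-lab-1
"""

def parse_row(line):
    """Parse one data row; return None for legend, separator and header lines."""
    tok = line.split()
    if len(tok) < 8 or not MAC.match(tok[0]) or not set(tok[-4:-1]) <= {"Y", "N"}:
        return None
    # Read from the right, where columns are single tokens: REPORTER, T, I, R, FS.
    i = len(tok) - 6                      # RSSI, or VLAN when that column is filled
    vlan = None
    if not RSSI.match(tok[i]):
        vlan, i = tok[i], i - 1
        if not RSSI.match(tok[i]):
            return None
    # Heuristic (assumption): the first all-digit token after the MAC is the channel;
    # what precedes it is the vendor, what follows is the SSID (empty if hidden).
    mid = tok[1:i]
    ch = next((k for k, v in enumerate(mid) if v.isdigit()), None)
    if ch is None:
        return None
    return {"mac": tok[0], "vendor": " ".join(mid[:ch]), "channel": int(mid[ch]),
            "ssid": " ".join(mid[ch + 1:]), "rssi": int(tok[i]), "vlan": vlan,
            "first_seen": tok[-5], "rogue": tok[-4] == "Y",
            "interferer": tok[-3] == "Y", "terminating": tok[-2] == "Y",
            "reporter": tok[-1]}

def triage(text):
    """Split rows into rogues (R=Y) and interferer-only devices to categorize."""
    rows = [r for r in map(parse_row, text.splitlines()) if r]
    rogues = [r for r in rows if r["rogue"]]
    return {
        "rogue": [r["mac"] for r in rogues],
        "rogue_not_terminated": [r["mac"] for r in rogues if not r["terminating"]],
        "interferer_only": [r["mac"] for r in rows if r["interferer"] and not r["rogue"]],
    }

if __name__ == "__main__":
    for key, macs in triage(SAMPLE).items():
        print(key, macs)
```
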