
Onboard WIPS


Jeff_Roberts
New Contributor
I'm attempting to test WIPS on AP7522s and AP7632. The documentation I see assumes this will be used with Air Defense.
Isn't there an option to enable rogue detection on an access point and have it send an alert via the Event Management Policy without using Air Defense?
I've enabled radio share mode on the radios and enabled Rogue detection in the WIPS policy but I'm not seeing any WIPS events. There are several other brand access points in the area that should identify as rogue. What am I missing?
4 REPLIES

vanelm
Contributor
Hello,

Please replicate the following first for proper device marking. Some devices like your own printers/projectors/neighbors are always there, so there is no reason to claim them as rogue.
Then we will work on the event policy in case you need to send them to e-mail/syslog.

code:
device-categorization TEST
 mark-device 1 neighboring ap ssid "BAD DADDY"
 mark-device 2 sanctioned ap ssid "BEST PRINTER"

wips-policy TEST
 ap-detection
 ! following line is optional
 ap-detection air-termination mode auto
 use device-categorization policy TEST

rf-domain TEST
 use wips-policy TEST


code:
rfs7000-000000#sh wireless unsanctioned aps on TEST
---------------------------------------------------------------------------------------------------
FS : First Seen(seconds ago)
R : Rogue
I : Interferer
T : Termination Active
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
MAC                VENDOR          CHNL  SSID           RSSI  VLAN  FS   R  I  T  TOP REPORTER
---------------------------------------------------------------------------------------------------
98-01-A7-E7-04-55  Apple Inc       100   Apple Network  -44         37d  N  Y  N  ap6532-8617B0
98-01-A7-E7-04-54  Apple Inc       6     Apple Network  -46         37d  N  Y  N  ap6532-8617B0
24-DE-C6-5D-BA-52  Aruba Networks  5     Dell-ap        -62         37d  N  Y  N  ap6532-2270D8
24-DE-C6-57-31-36  Aruba Networks  13    Dell-ap        -62         37d  N  Y  N  ap6532-2270A4
24-DE-C6-5D-BA-54  Aruba Networks  5     Dell-ap        -65         37d  N  Y  N  ap6532-2270D8
24-DE-C6-5D-BA-55  Aruba Networks  5     Dell-ap        -65         37d  N  Y  N  ap6532-8617B0
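
Added example (not part of any post in this thread): a Python sketch that parses `show wireless unsanctioned aps` output by the header's column offsets and orders devices by the R and I flags, so rogue entries surface ahead of interferers. The column padding, the third sample row and all function names are assumptions made for the example.

```python
import re

# Constructed sample. The first two rows carry values from the post; the third
# row is invented (placeholder MAC, SSID and reporter) to show a rogue entry.
# Assumption: the CLI pads every column to the position of its header.
FMT = "{:<19}{:<16}{:<6}{:<15}{:<6}{:<6}{:<5}{:<3}{:<3}{:<3}{}"
HEADER = ("MAC", "VENDOR", "CHNL", "SSID", "RSSI", "VLAN", "FS", "R", "I", "T", "TOP REPORTER")
ROWS = [
    ("98-01-A7-E7-04-55", "Apple Inc", "100", "Apple Network", "-44", "", "37d", "N", "Y", "N", "ap6532-8617B0"),
    ("24-DE-C6-5D-BA-52", "Aruba Networks", "5", "Dell-ap", "-62", "", "37d", "N", "Y", "N", "ap6532-2270D8"),
    ("00-00-5E-00-53-01", "Example Corp", "11", "lab test", "-71", "10", "2h", "Y", "N", "N", "ap-example"),
]
SAMPLE = "\n".join(["-" * 99, *(FMT.format(*r) for r in (HEADER, *ROWS)), "-" * 99])


def parse_unsanctioned(text):
    """Slice each row at the header's column offsets, so empty cells (VLAN)
    and multi-word cells (VENDOR, SSID) stay in the right column."""
    lines = [l for l in text.splitlines() if l.strip() and set(l.strip()) != {"-"}]
    start = next(i for i, l in enumerate(lines) if l.lstrip().startswith("MAC"))
    # Header names are separated by two or more spaces; "TOP REPORTER" has one.
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+(?: \S+)*", lines[start])]
    ends = [pos for _, pos in cols[1:]] + [None]
    return [{name: line[pos:end].strip() for (name, pos), end in zip(cols, ends)}
            for line in lines[start + 1:]]


def classify(row):
    """Map the R (rogue) and I (interferer) flags from the legend to a label."""
    if row["R"] == "Y":
        return "rogue"
    if row["I"] == "Y":
        return "interferer"
    return "unclassified"


def triage(text):
    """Return rows with a 'class' key: rogues first, then strongest RSSI first."""
    rows = parse_unsanctioned(text)
    for r in rows:
        r["class"] = classify(r)
    return sorted(rows, key=lambda r: (r["class"] != "rogue", -int(r["RSSI"])))


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f'{r["class"]:<11} {r["MAC"]} ssid="{r["SSID"]}" '
              f'rssi={r["RSSI"]} seen_by={r["TOP REPORTER"]}')
```

Every row in the posted output has R = N and I = Y, so on that data the script reports interferers only.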


Jeff_Roberts
New Contributor
Thanks guys!
Vanelm, I mapped the policy to the rf-domain and I'm now receiving WIPS events.
Ronald, thank you for the explanation.

Ronald_Dvorak
Honored Contributor
"There are several other brand access points in the area that should identify as rogue. "

Rogue APs are APs that are not yours BUT are connected to the protected LAN (#1 in the picture).

a512bfe80c5c441fa6674f08d5a762c4_65845036-fb4d-4d73-9d10-9603f321c4c1.png



APs from outside, e.g. outside the building, are defined as neighbour APs.

Here is how IdentiFi APs are able to find a rogue AP on the LAN....
https://gtacknowledge.extremenetworks.com/articles/Q_A/How-does-your-ExtremeWireless-access-point-wi...

vanelm
Contributor
Can you kindly share your WIPS policy content?
Is there a policy mapped to the rf-domain?

Misha