ids general-profile

ids general-profile <profile-name>

adhoc-ap-inactivity-timeout

adhoc-ap-max-unseen-timeout

ap-inactivity-timeout <seconds>

ap-max-unseen-timeout

ap-nbr-msg

ap-nbr-msg-interval <ap-nbr-msg-interval>

clone <profile>

frame-types-for-rssi [all | ba | ctrl | dhigh | dlow | dnull | mgmt | pr]

ids-events [logs-and-traps | logs-only | none | traps-only]

max-monitored-devices <max-monitored-devices>

max-unassociated-stations <max-unassociated-stations>

min-pot-ap-beacon-rate <percent>

min-pot-ap-monitor-time <seconds>

mobility-manager-rtls

mon-stats-update-interval

no ...

packet-snr-threshold <packet-snr-threshold>

send-adhoc-info-to-controller

signature-quiet-time <seconds>

sta-inactivity-timeout <seconds>

sta-max-unseen-timeout <seconds>

sta-rssi-msg

sta-rssi-msg-interval <sta-rssi-msg-interval>

stats-update-interval <seconds>

unclass-ap-update

unclass-device-update-interval

unclass-sta-update

wired-containment

wired-containment-ap-adj-mac

wired-containment-susp-l3-rogue

wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta]

wireless-containment-debug

Description

This command configures an IDS (Intrusion Detection System) general profile. IDS monitors the network for malicious activity or policy violations and reports its findings to the management system deployed in the network; the general profile holds the AP-side monitoring, ageout, reporting, and containment settings described below.

Syntax

<profile-name>
    Description: Name that identifies an instance of the profile. The name must be 1-63 characters.
    Default: default

adhoc-ap-inactivity-timeout
    Description: Ad hoc (IBSS) AP inactivity timeout, in number of scans.
    Range: 5-36000
    Default: 5

adhoc-ap-max-unseen-timeout
    Description: Ageout time, in seconds, since an ad hoc (IBSS) AP was last seen.
    Range: 5-36000 seconds
    Default: 5 seconds

ap-inactivity-timeout
    Description: Time, in seconds, after which an AP is aged out.
    Range: 5-36000 seconds
    Default: 5 seconds

ap-max-unseen-timeout
    Description: Ageout time, in seconds, since an AP was last seen.
    Range: 5-36000 seconds
    Default: 600 seconds

ap-nbr-msg
    Description: Enables or disables AP neighbor messages.
    Default: disabled

ap-nbr-msg-interval
    Description: Interval, in seconds, at which an AP delivers AP neighbor messages to the management server.
    Range: 1-36000 seconds
    Default: 1 second

clone
    Description: Name of an existing IDS general profile from which parameter values are copied.

frame-types-for-rssi [all | ba | ctrl | dhigh | dlow | dnull | mgmt | pr]
    Description: Selects the frame types used in the Air Monitor (AM) RSSI calculation. An AP operating in AM mode does not serve clients; it collects statistics, monitors traffic, detects intrusions, and enforces security policies. RSSI (Received Signal Strength Indicator, 0-255) is measured by the wireless NIC and its scale is vendor-specific, so values are not comparable across vendors.
    Frame types:
    all—All types of frames. This frame type overrides any other frame types.
    ba—Block ACK frames.
    ctrl—All control frames except ACK.
    dhigh—Data frames at rates above 36 Mbps, except null data frames.
    dlow—Data frames at rates below 36 Mbps, except null data frames.
    dnull—Null data frames.
    mgmt—All management frames except probe requests.
    pr—Probe request frames.
    NOTE: Configure this parameter under the supervision of Aruba Technical Support.
    Default: ba, ctrl, dlow, dnull, mgmt, pr

ids-events [logs-and-traps | logs-only | none | traps-only]
    Description: Enables or disables IDS event generation from the AP. Event generation from the AP can be enabled for syslogs, traps, or both. This does not affect generation of IDS correlated events on the controller.
    Default: logs-and-traps

max-monitored-devices
    Description: Maximum number of APs and stations that can be monitored. This number does not include stations that are not associated to any AP. Within this maximum, the AP reserves a buffer for stations that are associated locally.
    NOTE: Configure this parameter under the supervision of Aruba Technical Support.
    Range: 1024-4096
    Default: 1024 or 4096, depending on the AP platform

max-unassociated-stations
    Description: Maximum number of unassociated stations.
    NOTE: Configure this parameter under the supervision of Aruba Technical Support.
    Range: 256-4096
    Default: 512

min-pot-ap-beacon-rate
    Description: Minimum beacon rate acceptable from a potential AP, as a percentage of the advertised beacon interval.
    Range: 0-100%
    Default: 25%

min-pot-ap-monitor-time
    Description: Minimum time, in seconds, a potential AP has to be up before it is classified as a real AP.
    Range: 2-36000 seconds
    Default: 2 seconds

mobility-manager-rtls
    Description: Enables or disables RTLS (Real-Time Location System) communication with the configured mobility-manager.
    Range: enabled | disabled
    Default: disabled

mon-stats-update-interval
    Description: Interval, in seconds, at which the AP updates the controller with statistics for monitored devices.
    Range: 60-36000 seconds
    Default: 60 seconds

no
    Description: Negates any configured parameter.

packet-snr-threshold
    Description: Sets the packet SNR (Signal-to-Noise Ratio) threshold. All packets with SNR below this threshold are dropped from IDS and ARM (Adaptive Radio Management) processing. No packets are dropped if the threshold is set to 0.
    NOTE: Configure this parameter under the supervision of Aruba Technical Support.
    Range: 0-90 dB
    Default: 0

send-adhoc-info-to-controller
    Description: Enables or disables sending ad hoc information from the AP to the controller.
    Default: disabled

signature-quiet-time
    Description: After a signature match is detected, the time to wait, in seconds, before checking resumes.
    Range: 60-36000 seconds
    Default: 900 seconds

sta-inactivity-timeout
    Description: Time, in seconds, after which a station is aged out.
    Range: 30-36000 seconds
    Default: 60 seconds

sta-max-unseen-timeout
    Description: Ageout time, in seconds, since a station was last seen.
    Range: 5-36000 seconds
    Default: 600 seconds

sta-rssi-msg
    Description: Enables or disables station RSSI messages.
    Range: enable | disable
    Default: disabled

sta-rssi-msg-interval
    Description: Interval, in seconds, at which the AP delivers station RSSI messages to the management server.
    Range: 1-36000 seconds
    Default: 1 second

stats-update-interval
    Description: Interval, in seconds, at which the AP updates the controller with statistics.
    Range: 60-36000 seconds
    Default: 60 seconds

unclass-ap-update
    Description: Enables or disables classification updates for monitored APs. Enabling this option reduces the delay with which devices are classified.
    Range: enable | disable
    Default: disabled

unclass-device-update-interval
    Description: Interval, in seconds, at which the AP sends the WMS a list of unclassified APs and clients.
    Range: 30-36000 seconds
    Default: 60 seconds

unclass-sta-update
    Description: Enables or disables classification updates for monitored clients. Enabling this option reduces the delay with which devices are classified.
    Default: disabled

wired-containment
    Description: Enables or disables containment from the wired side.
    Default: disabled

wired-containment-ap-adj-mac
    Description: Enables or disables wired containment of MAC addresses offset by one from an AP's BSSID (Basic Service Set Identifier; in infrastructure networks this is the MAC address of the AP).
    Default: disabled

wired-containment-susp-l3-rogue
    Description: The basic wired containment feature (wired-containment) contains layer-3 APs whose wired interface MAC addresses are either the same as, or one character off from, their BSSIDs. This option can also identify and contain an AP with a preset wired MAC address that is completely different from the AP's BSSID, if the MAC address that the AP provides to wireless clients as the gateway MAC is offset by one character from its wired MAC address.
    NOTE: This feature requires that a related parameter in the ids general-profile is also enabled, and that the confidence level of the suspected rogue exceeds the levels configured by the corresponding parameters in the ids unauthorized-device-profile.
    Default: disabled

wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta]
    Description: Selects one of the following containment types from the wireless side:
    deauth-only: Containment using deauthentication only.
    none: Disables wireless containment.
    tarpit-all-sta: Wireless containment by tarpit of all stations.
    tarpit-non-valid-sta: Wireless containment by tarpit of non-valid clients.
    Default: deauth-only

wireless-containment-debug
    Description: Enables or disables debugging of containment from the wireless side.
    NOTE: Enabling this debug option will cause containment to not function properly.
    Default: disabled

Usage Guidelines

This command configures general IDS profile attributes.

Warning Message for Containment Features

Enabling wireless containment under the IDS Unauthorized Device profile and the IDS Impersonation profile may violate certain FCC (Federal Communications Commission) regulatory statutes. To address this, a warning message is issued each time the command is enabled through the CLI; the warning appears after the command is executed.

Example

The following commands enable wired containment, set wireless containment to tarpit all stations, and turn on wireless containment debugging in the general IDS profile floor7:

(host) [mynode] (config) #ids general-profile floor7

(host) [mynode] (IDS General Profile "floor7") #wired-containment

(host) [mynode] (IDS General Profile "floor7") #wireless-containment tarpit-all-sta

(host) [mynode] (IDS General Profile "floor7") #wireless-containment-debug

The last command is for troubleshooting only: as noted in the parameter description above, containment does not function properly while wireless-containment-debug is enabled, so remove it with no wireless-containment-debug once debugging is complete.
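As an added example that is not part of the ArubaOS documentation or product, the following Python script lints the ids general-profile block(s) of exported running-config text against the ranges and notes documented on this page: it flags numeric values outside the documented range, unknown wireless-containment modes, wireless-containment-debug left enabled, and parameters the reference says to change only under Aruba Technical Support supervision. The config text embedded in the script is constructed for illustration and is not real controller output; the block layout it assumes (an ids general-profile line, indented parameter lines, and a closing "!") is the usual running-config shape but is an assumption of this example.

```python
"""Added example, not Aruba code: lint `ids general-profile` blocks from
exported ArubaOS running-config text against the ranges documented for the
command. The sample config below is constructed, not real controller output."""
import re

# (min, max) for each numeric parameter, copied from the reference table.
RANGES = {
    "adhoc-ap-inactivity-timeout": (5, 36000), "adhoc-ap-max-unseen-timeout": (5, 36000),
    "ap-inactivity-timeout": (5, 36000), "ap-max-unseen-timeout": (5, 36000),
    "ap-nbr-msg-interval": (1, 36000), "max-monitored-devices": (1024, 4096),
    "max-unassociated-stations": (256, 4096), "min-pot-ap-beacon-rate": (0, 100),
    "min-pot-ap-monitor-time": (2, 36000), "mon-stats-update-interval": (60, 36000),
    "packet-snr-threshold": (0, 90), "signature-quiet-time": (60, 36000),
    "sta-inactivity-timeout": (30, 36000), "sta-max-unseen-timeout": (5, 36000),
    "sta-rssi-msg-interval": (1, 36000), "stats-update-interval": (60, 36000),
    "unclass-device-update-interval": (30, 36000),
}
# Parameters the reference says to change only with Aruba Technical Support.
SUPPORT_ONLY = {"frame-types-for-rssi", "max-monitored-devices",
                "max-unassociated-stations", "packet-snr-threshold"}
WIRELESS_MODES = {"deauth-only", "none", "tarpit-all-sta", "tarpit-non-valid-sta"}
# Assumed block header shape: ids general-profile "<name>" (quotes optional).
PROFILE_RE = re.compile(r'^ids general-profile\s+"?([^"\s]+)"?$')


def parse_profiles(config_text):
    """Return {profile: [(keyword, value or None, negated)]} for each block.
    A line of "!" closes the block (assumed running-config convention)."""
    profiles, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = PROFILE_RE.match(line)
        if match:
            current = match.group(1)
            profiles[current] = []
            continue
        if line == "!":
            current = None
            continue
        if current is None:
            continue
        tokens = line.split()
        negated = tokens[0] == "no"          # "no <param>" restores the default
        if negated:
            tokens = tokens[1:]
        if not tokens:
            continue
        value = " ".join(tokens[1:]) or None  # flag-style params carry no value
        profiles[current].append((tokens[0], value, negated))
    return profiles


def lint_profile(name, entries):
    """Return (profile, keyword, message) findings for one profile."""
    findings = []
    for keyword, value, negated in entries:
        if negated:                           # back at the documented default
            continue
        if keyword in RANGES:
            low, high = RANGES[keyword]
            try:
                number = int(value)
            except (TypeError, ValueError):
                findings.append((name, keyword, f"non-numeric value {value!r}"))
                continue
            if not low <= number <= high:
                findings.append((name, keyword,
                                 f"{number} is outside the documented range {low}-{high}"))
        if keyword == "wireless-containment" and value not in WIRELESS_MODES:
            findings.append((name, keyword, f"unknown containment mode {value!r}"))
        if keyword == "wireless-containment-debug":
            findings.append((name, keyword,
                             "debug enabled; containment does not function properly"))
        if keyword in SUPPORT_ONLY:
            findings.append((name, keyword,
                             "set explicitly; change only under Aruba Technical Support supervision"))
    return findings


def lint_config(config_text):
    """Lint every ids general-profile block found in the config text."""
    findings = []
    for name, entries in parse_profiles(config_text).items():
        findings.extend(lint_profile(name, entries))
    return findings


# Constructed sample: "floor7" mirrors the page's example plus two bad values;
# "lobby" is clean and shows the "no" form.
SAMPLE_CONFIG = """\
ids general-profile "floor7"
   wired-containment
   wireless-containment tarpit-all-sta
   wireless-containment-debug
   packet-snr-threshold 95
   sta-inactivity-timeout 20
!
ids general-profile "lobby"
   wireless-containment deauth-only
   no wired-containment
   signature-quiet-time 600
!
"""

if __name__ == "__main__":
    for profile, keyword, message in lint_config(SAMPLE_CONFIG):
        print(f"{profile}: {keyword}: {message}")
```

Running the script on the sample reports four findings, all against floor7: the debug flag, packet-snr-threshold 95 (both out of range and support-supervised), and sta-inactivity-timeout 20 below the 30-second minimum; lobby produces none. Feed it real output by replacing SAMPLE_CONFIG with the text of the ids general-profile blocks from the controller's running configuration.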

Command History

Release

Description

ArubaOS 8.5.0.0

The default value of max-monitored-devices parameter was modified to include both 1024 and 4096.

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platform

License

Command Mode

All platforms

Requires the RFprotect license.

Config mode on Mobility Master.
