
ids unauthorized-device-profile

ids unauthorized-device-profile <profile-name>

adhoc-using-valid-ssid-quiet-time <adhoc-using-valid-ssid-quiet-time>

allow-well-known-mac [hsrp|iana|local-mac|vmware|vmware1|vmware2|vmware3]

cfg-valid-11a-channel <channel>

cfg-valid-11g-channel <channel>

classification

clone <source>

detect-adhoc-network

detect-adhoc-using-valid-ssid

detect-bad-wep

detect-ht-greenfield

detect-invalid-mac-oui

detect-misconfigured-ap

detect-sta-assoc-to-rogue

detect-unencrypted-valid-client

detect-valid-client-misassociation

detect-valid-ssid-misuse

detect-windows-bridge

detect-wireless-bridge

detect-wireless-hosted-network

mac-oui-quiet-time <mac-oui-quiet-time>

no

oui-classification

overlay-classification

privacy

prop-wm-classification

protect-adhoc-enhanced

protect-adhoc-network

protect-adhoc-using-valid-ssid

protect-high-throughput

protect-ht-40mhz

protect-misconfigured-ap

protect-ssid

protect-valid-sta

protect-windows-bridge

protect-wireless-hosted-network

require-wpa

rogue-containment

suspect-rogue-conf-level <suspect-rogue-conf-level>

suspect-rogue-containment

unencrypted-valid-client-quiet-time <unencrypted-valid-client-quiet-time>

valid-and-protected-ssid <valid-and-protected-ssid>

valid-oui <valid-oui>

valid-wired-mac <valid-wired-mac>

wireless-bridge-quiet-time <wireless-bridge-quiet-time>

wireless-hosted-network-quiet-time <wireless-hosted-network-quiet-time>

Description

This command configures detection of unauthorized devices, as well as rogue AP detection and containment.

Syntax

<profile-name>

Name that identifies an instance of the profile.

Range: 1-63 characters
Default: "default"

adhoc-using-valid-ssid-quiet-time <adhoc-using-valid-ssid-quiet-time>

Time to wait, in seconds, after detecting an ad hoc network using a valid SSID, after which the check can be resumed.

Range: 60-360000 seconds
Default: 900 seconds

allow-well-known-mac [hsrp|iana|local-mac|vmware|vmware1|vmware2|vmware3]

Allows devices with well-known MAC addresses to be used when classifying rogue APs.

Depending on your network, configure one or more of the following options for classifying rogue APs:

hsrp: Routers configured for HSRP, a Cisco-proprietary redundancy protocol, with the HSRP MAC OUI 00:00:0c.

iana: Routers using the IANA MAC OUI 00:00:5e.

local-mac: Devices with locally administered MAC addresses starting with 02.

vmware: Devices with any of the following VMware OUIs: 00:0c:29, 00:05:69, or 00:50:56.

vmware1: Devices with VMware OUI 00:0c:29.

vmware2: Devices with VMware OUI 00:05:69.

vmware3: Devices with VMware OUI 00:50:56.

If you modify an existing configuration, the new configuration overrides the original configuration. For example, if you configure allow-well-known-mac hsrp and then configure allow-well-known-mac iana, the original configuration is lost. To add more options to the original configuration, include all of the required options, for example: allow-well-known-mac hsrp iana.

Use caution when configuring this command. If a neighboring network uses similar routers, its APs might be classified as rogues. If containment is enabled, clients attempting to associate to an AP classified as a rogue are disconnected through a denial of service attack.

To clear the well-known MACs in the system, use the following commands:

clear wms wired-mac: Clears all of the learned wired MAC information on Mobility Master.

reload: Reboots Mobility Master.
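The following is an added example, not ArubaOS code, that models the allow-well-known-mac option set described above: the OUI prefixes each keyword admits into rogue classification, and the replace-not-append behaviour that silently drops earlier options. The class and function names are assumptions made for the illustration.

```python
import re

# OUI prefixes the page lists for each allow-well-known-mac keyword.
WELL_KNOWN_OUIS = {
    "hsrp": ("00:00:0c",),      # Cisco HSRP virtual MAC OUI
    "iana": ("00:00:5e",),      # IANA OUI
    "vmware1": ("00:0c:29",),
    "vmware2": ("00:05:69",),
    "vmware3": ("00:50:56",),
}
# "vmware" is the union of the three VMware OUIs.
WELL_KNOWN_OUIS["vmware"] = (
    WELL_KNOWN_OUIS["vmware1"] + WELL_KNOWN_OUIS["vmware2"] + WELL_KNOWN_OUIS["vmware3"]
)
# The page defines local-mac as locally administered addresses starting with 02.
LOCAL_MAC_PREFIX = "02"
VALID_OPTIONS = frozenset(WELL_KNOWN_OUIS) | {"local-mac"}


def normalize_mac(mac: str) -> str:
    """Accept 00:00:0c:07:ac:01, 00-00-0c-07-ac-01 or 0000.0c07.ac01; return colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


class UnauthorizedDeviceProfile:
    """Hypothetical model of one ids unauthorized-device-profile instance."""

    def __init__(self, name: str = "default"):
        self.name = name
        self.allow_well_known_mac: frozenset = frozenset()

    def configure_allow_well_known_mac(self, *options: str) -> frozenset:
        """Apply `allow-well-known-mac <options...>`.

        As the page states, each invocation replaces the previous option set
        rather than adding to it, so callers must repeat every option they
        still want.
        """
        unknown = set(options) - VALID_OPTIONS
        if unknown:
            raise ValueError(f"unknown allow-well-known-mac option(s): {sorted(unknown)}")
        self.allow_well_known_mac = frozenset(options)
        return self.allow_well_known_mac

    def well_known_match(self, mac: str):
        """Return the configured keyword that admits this MAC for classification, or None."""
        normalized = normalize_mac(mac)
        for option in sorted(self.allow_well_known_mac):
            if option == "local-mac":
                if normalized.startswith(LOCAL_MAC_PREFIX):
                    return option
            elif normalized.startswith(WELL_KNOWN_OUIS[option]):
                return option
        return None


def lost_options(before: frozenset, after: frozenset) -> frozenset:
    """Options dropped by a reconfiguration; a non-empty result usually means a mistake."""
    return before - after
```

Comparing the option set before and after each change is a cheap way to catch the override pitfall in configuration review.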

cfg-valid-11a-channel <channel>

List of valid 802.11a channels that third-party APs are allowed to use.

Range: 34-165

cfg-valid-11g-channel <channel>

List of valid 802.11b/g channels that third-party APs are allowed to use.

Range: 1-14

classification

Enables or disables rogue AP classification. A rogue AP is one that is unauthorized and plugged into the wired side of the network. Any other AP seen in the RF environment that is not part of the valid enterprise network is considered to be interfering: it has the potential to cause RF interference, but it is not connected to the wired network and thus does not represent a direct threat.

Default: enabled

clone <source>

Name of an existing IDS unauthorized device profile from which parameter values are copied.

detect-adhoc-network

Enables or disables detection of ad hoc networks.

Default: disabled

detect-adhoc-using-valid-ssid

Enables or disables detection of ad hoc networks using valid or protected SSIDs.

Default: enabled

detect-bad-wep

Enables or disables detection of WEP initialization vectors that are known to be weak or repeating. A primary means of cracking WEP keys is to capture 802.11 frames over an extended period of time and search for such weak initialization vectors, which are still produced by many legacy devices.

Default: disabled

detect-ht-greenfield

Enables or disables detection of high-throughput devices advertising greenfield preamble capability.

Default: disabled

detect-invalid-mac-oui

Enables or disables checking of the first three bytes of a MAC address, known as the organizationally unique identifier (OUI), assigned by the IEEE to known manufacturers. Often clients using a spoofed MAC address do not use a valid OUI and instead use a randomly generated MAC address. Enabling MAC OUI checking causes an alarm to be triggered if an unrecognized MAC address is in use.

Default: disabled

detect-misconfigured-ap

Enables or disables detection of misconfigured APs. An AP is classified as misconfigured if it is classified as valid and does not meet any of the following configurable parameters:

valid channels

encryption type

list of valid AP MAC OUIs

valid SSID list

Default: disabled

detect-sta-assoc-to-rogue

Enables or disables detection of station association to a rogue AP.

Default: enabled

detect-unencrypted-valid-client

Enables or disables detection of unencrypted valid clients.

Default: enabled

detect-valid-client-misassociation

Enables or disables detection of misassociation between a valid client and an unsafe AP. This setting can detect the following misassociation types:

MisassociationToRogueAP

MisassociationToExternalAP

MisassociationToHoneypotAP

MisassociationToAdhocAP

MisassociationToHostedAP

Default: enabled

detect-valid-ssid-misuse

Enables or disables detection of Interfering or Neighbor APs using valid or protected SSIDs.

Default: disabled

detect-windows-bridge

Enables or disables detection of Windows station bridging.

Default: enabled

detect-wireless-bridge

Enables or disables detection of wireless bridging.

Default: disabled

detect-wireless-hosted-network

If enabled, this feature can detect the presence of a wireless hosted network.

When a wireless hosted network is detected, this feature sends a "Wireless Hosted Network" warning level security log message and the wlsxWirelessHostedNetworkDetected SNMP trap.

If there are clients associated to the hosted network, this feature sends a "Client Associated To Hosted Network" warning level security log message and the wlsxClientAssociatedToHostedNetworkDetected SNMP trap.

Default: enabled

mac-oui-quiet-time <mac-oui-quiet-time>

Time, in seconds, that must elapse after an invalid MAC OUI alarm has been triggered before another identical alarm may be triggered.

Range: 60-360000 seconds
Default: 900 seconds

no

Negates any configured parameter.

oui-classification

Enables or disables OUI based rogue AP classification.

Default: enabled

overlay-classification

Enables or disables overlay rogue AP classification.

Default: enabled

privacy

Enables or disables encryption as a valid AP configuration.

Default: disabled

prop-wm-classification

Enables or disables rogue AP classification through propagated wired MACs.

Default: enabled

protect-adhoc-enhanced

Enables or disables advanced protection from open or WEP ad hoc networks. When enhanced ad hoc containment is carried out, a new repeatable event, syslog message, and SNMP trap are generated for each containment event.

Default: disabled

protect-adhoc-network

Enables or disables protection from ad hoc networks using WPA or WPA2 security. When ad hoc networks are detected, they are disabled using a DoS attack.

Default: disabled

protect-adhoc-using-valid-ssid

Enables or disables protection from ad hoc networks using valid or protected SSIDs.

Default: disabled

protect-high-throughput

Enables or disables protection of high-throughput (802.11n) devices.

Default: disabled

protect-ht-40mhz

Enables or disables protection of high-throughput (802.11n) devices operating in 40 MHz mode.

Default: disabled

protect-misconfigured-ap

Enables or disables protection of misconfigured APs.

Default: disabled

protect-ssid

Enables or disables use of the SSID by valid APs only.

Default: disabled

protect-valid-sta

When enabled, does not allow valid stations to connect to a non-valid AP.

Default: disabled

protect-windows-bridge

Enables or disables protection from Windows station bridging.

Default: disabled

protect-wireless-hosted-network

When you enable the wireless hosted network protection feature, Mobility Master enforces containment on a wireless hosted network by launching a denial of service attack to disrupt associations between a Windows 7 software-enabled access point (softAP) and a client, and to disrupt associations between the client that is hosting the softAP and any access point to which the host connects.

When a wireless hosted network triggers this feature, wireless hosted network protection sends the "Wireless Hosted Network Containment" and "Host of Wireless Network Containment" warning level security log messages, and the wlsxWirelessHostedNetworkContainment and wlsxHostOfWirelessNetworkContainment SNMP traps.

NOTE: The existing generic containment SNMP traps and log messages are also sent when Wireless Hosted Network Containment or Host of Wireless Network Containment is enforced.

Default: disabled

require-wpa

When enabled, any valid AP that is not using WPA encryption is flagged as misconfigured.

Default: disabled

rogue-containment

Rogue APs can be detected (see classification) but are not automatically disabled. This option automatically shuts down rogue APs. When this option is enabled, clients attempting to associate to an AP classified as a rogue are disconnected through a denial of service attack.

Default: disabled

suspect-rogue-conf-level <suspect-rogue-conf-level>

Confidence level of a suspected rogue AP required to trigger containment.

When an AP is classified as a suspected rogue AP, it is assigned a 50% confidence level. If multiple APs trigger the same events that classify the AP as a suspected rogue, the confidence level increases by 5% up to 95%.

In combination with suspected rogue containment, this option configures the threshold at which containment occurs. Suspected rogue containment occurs only when the configured confidence level is met.

Range: 50-100%
Default: 60%

suspect-rogue-containment

Suspected rogue APs are treated as interfering APs, and Mobility Master attempts to reclassify them as rogue APs. Suspected rogue APs are not automatically contained. In combination with the configured confidence level (see suspect-rogue-conf-level), this option contains the suspected rogue APs.

Default: false
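The following is an added example, not ArubaOS code, that works through the suspected-rogue confidence arithmetic given for suspect-rogue-conf-level and suspect-rogue-containment: 50% on first classification, +5% per additional reporting AP, capped at 95%, with containment only when the option is on and the configured level is reached. The data structures are assumptions; "met" is read as confidence greater than or equal to the configured level.

```python
from dataclasses import dataclass, field
from math import ceil
from typing import Optional

# Values stated on the page for suspected rogue APs.
INITIAL_CONFIDENCE = 50   # assigned when an AP is first classified as a suspected rogue
CONFIDENCE_STEP = 5       # added for each further AP that triggers the same events
MAX_CONFIDENCE = 95       # confidence is capped here


@dataclass
class SuspectRogueSettings:
    """The two profile parameters that drive suspected-rogue containment."""
    suspect_rogue_containment: bool = False  # page default: false
    suspect_rogue_conf_level: int = 60       # page default: 60%, range 50-100%

    def __post_init__(self) -> None:
        if not 50 <= self.suspect_rogue_conf_level <= 100:
            raise ValueError("suspect-rogue-conf-level must be in 50-100")


@dataclass
class SuspectedRogue:
    """One suspected rogue AP and the monitoring APs that reported it (hypothetical)."""
    bssid: str
    reporters: set = field(default_factory=set)

    @property
    def confidence(self) -> int:
        if not self.reporters:
            return 0
        extra_reporters = len(self.reporters) - 1
        return min(INITIAL_CONFIDENCE + CONFIDENCE_STEP * extra_reporters, MAX_CONFIDENCE)


def record_report(rogues: dict, bssid: str, reporting_ap: str) -> SuspectedRogue:
    """Register that `reporting_ap` observed the suspect-rogue events for `bssid`."""
    rogue = rogues.setdefault(bssid, SuspectedRogue(bssid))
    rogue.reporters.add(reporting_ap)   # the same AP reporting twice does not raise confidence
    return rogue


def should_contain(settings: SuspectRogueSettings, rogue: SuspectedRogue) -> bool:
    """Containment requires the option to be on AND the configured level to be met.

    "Met" is modelled as confidence >= level (assumption).
    """
    return settings.suspect_rogue_containment and rogue.confidence >= settings.suspect_rogue_conf_level


def reporters_needed(level: int) -> Optional[int]:
    """Distinct reporting APs needed before confidence reaches `level`.

    Returns None when the level can never be reached: anything above the
    95% cap, which includes the top of the 50-100% configurable range.
    """
    if level > MAX_CONFIDENCE:
        return None
    return 1 + max(0, ceil((level - INITIAL_CONFIDENCE) / CONFIDENCE_STEP))
```

Because confidence never exceeds 95%, a configured level of 96-100% effectively disables suspected-rogue containment even when suspect-rogue-containment is on.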

unencrypted-valid-client-quiet-time <unencrypted-valid-client-quiet-time>

Time to wait, in seconds, after detecting an unencrypted valid client, after which the check can be resumed.

Range: 60-360000 seconds
Default: 900 seconds

valid-and-protected-ssid <ssid>

List of valid and protected SSIDs.

valid-oui <valid-oui>

List of valid MAC OUIs.

valid-wired-mac <valid-wired-mac>

List of MAC addresses of wired devices in the network, typically gateways or servers.

wireless-bridge-quiet-time <wireless-bridge-quiet-time>

Time, in seconds, that must elapse after a wireless bridge alarm has been triggered before another identical alarm may be triggered.

Range: 60-360000 seconds
Default: 900 seconds

wireless-hosted-network-quiet-time <wireless-hosted-network-quiet-time>

The wireless hosted network detection feature sends a log message and trap when a wireless hosted network is detected. The quiet time defined by this parameter sets the amount of time, in seconds, that must elapse after a wireless hosted network log message or trap has been triggered before an identical log message or trap can be sent again.

Range: 60-360000 seconds
Default: 900 seconds

Usage Guidelines

Unauthorized device detection includes the ability to detect and disable rogue APs and other devices that can potentially disrupt network operations.

Example

The following command copies the settings from the ids-unauthorized-device-disabled profile and then enables detection and protection from ad hoc networks:

(host) [mynode] (config) #ids unauthorized-device-profile floor7


(host) [mynode] (IDS Unauthorized Device Profile "floor7") #clone ids-unauthorized-device-disable

(host) [mynode] (IDS Unauthorized Device Profile "floor7") #detect-adhoc-network

(host) [mynode] (IDS Unauthorized Device Profile "floor7") #protect-adhoc-network

Related Commands

show ids unauthorized-device-profile: Displays an IDS unauthorized device profile.

Command History

ArubaOS 8.0.0.0: Command introduced.

Command Information

Platform: All platforms

License: Requires the RFprotect license.

Command Mode: Config mode on Mobility Master.
