Classification

Definitions and methods of classification used to protect the network.

Upon detection, APs and client devices must be accurately classified to determine whether they are valid, interfering, or rogue.

Terminology

APs and clients that are discovered during scanning of the wireless channels are classified into different groups.

AP definitions

Classification    Description

Authorized        An AP that is part of the enterprise WLAN and provides WLAN service.
Neighbor          An AP whose BSSIDs are known (a known interfering AP). Once an AP is classified as a neighbor, its classification does not change.
Interfering       An AP that is seen in the RF environment but is not connected to the wired network. It is not considered a direct security threat because it is not connected to the wired network; for example, an AP that belongs to a neighboring office's WLAN but is not part of your WLAN.
Rogue             An unauthorized AP that is plugged into the wired side of the network.
Suspected Rogue   An unauthorized AP that may be plugged into the wired side of the network.
Contained         An AP for which DoS (containment) has been enabled manually.

Client definitions

Classification    Description

Authorized        Any client that successfully authenticates with a valid AP and passes encrypted traffic.
Contained         Any client for which DoS (containment) has been enabled manually.
Interfering       Any client that is associated with an AP but is not a valid (authorized) client.

Methods

A discovered device is classified into one of the above definitions by the following methods:

  • Internal heuristics

  • Device level classification

  • Rule-based classification

  • Manual classification

Device level classification

Device classification is a combination of cloud processing and edge processing. By default, HPE Aruba Networking access points continuously monitor the network and discover rogue access points without intervention from Central. When Central classification is enabled, it takes precedence over the classification made on the AP.

Internal heuristics

The internal heuristics work by checking whether the discovered AP is communicating with a wired device on the customer network. This is done by matching the MAC addresses of devices on the discovered AP's network against the MAC addresses known on the user's wired network. The MAC of a device on the discovered AP's network is known as the Match MAC.

Match methods

The match methods are:

  • Plus One - The MAC address detected correlates with the MAC address of an already detected device, with the last bit of the MAC address being one more than that of the Match MAC.

  • Minus One - The MAC address detected correlates with the MAC address of an already detected device, with the last bit of the MAC address being one less than that of the Match MAC.

  • Equal - The match was against the same MAC address.

  • OUI - The match was against the manufacturer’s OUI of the wired device.

Match types

Eth-Wired-MAC

The MAC addresses of wired devices learned by an AP on the Ethernet interface.

GW-Wired-MAC

The collection of Gateway MACs of all managed devices.

AP-Wired-MAC

The MAC addresses of wired devices learned by monitoring traffic out of other valid and rogue APs.

Config-Wired-MAC

The MAC addresses that are configured by the user, typically those of well-known servers in the network.

Manual

User-triggered classification.

External-Wired-MAC

The MAC address matched a set of known wired devices that are maintained in an external database.

Mobility-Manager

The classification was determined by the mobility manager.

Classification-off

AP is classified as rogue because classification has been disabled, causing all non-authorized APs to be classified as rogue.

Propagated-Wired-MAC

The MAC addresses of wired devices learned by an AP other than the AP that used the information for classifying a rogue.

Base-BSSID-Override

The classification was derived from another BSSID that belongs to the same AP, which supports multiple BSSIDs on the radio interface. For HPE Aruba Networking OUIs, if the base BSSID of a beacon matches the base BSSID of a known valid BSSID then the new BSSID is not considered to be valid.

AP-Rule

A user-defined AP classification rule has matched.

System-Wired-MAC

The MAC addresses of wired devices learned on the managed device.

System-Gateway-MAC

The Gateway MAC addresses learned on the managed device.
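As an added illustration of the match methods and match types above (example code, not HPE Aruba Networking's implementation), the following Python correlates a Match MAC seen on a discovered AP's network with wired-side MAC tables keyed by the match type that supplied them: an Equal match is tried first, then a wired entry one greater or one less than the Match MAC (Plus One / Minus One), and finally the weaker OUI match. The sample tables and discovered APs are constructed; treating addresses as 48-bit integers and the weighting (Equal or Plus/Minus One match reported as Rogue, OUI-only as Suspected Rogue, no match as Interfering) are this example's assumptions and are not stated on the page.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

MAC_MASK = (1 << 48) - 1

# Constructed sample: wired-side MACs keyed by the match type that supplied them
WIRED_MACS: Dict[str, Set[str]] = {
    "Eth-Wired-MAC":    {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:70"},
    "GW-Wired-MAC":     {"00:0c:29:aa:bb:cc"},
    "Config-Wired-MAC": {"3c:52:82:10:20:30"},
}

# Constructed sample: MACs seen on each discovered AP's network, keyed by BSSID
DISCOVERED_APS: Dict[str, List[str]] = {
    "b4:5d:50:00:00:01": ["00:1a:2b:3c:4d:5f"],                       # wired entry is one less
    "b4:5d:50:00:00:02": ["a4:5e:60:00:00:10", "00:0c:29:aa:bb:cc"],  # exact gateway MAC
    "b4:5d:50:00:00:03": ["00:1a:2b:3c:4d:6f"],                       # wired entry is one more
    "b4:5d:50:00:00:04": ["3c:52:82:99:99:99"],                       # same OUI as a configured server
    "b4:5d:50:00:00:05": ["a4:5e:60:11:22:33"],                       # nothing known on the wire
}


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (colon or dash separated) into a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def oui_of(value: int) -> int:
    """Upper 24 bits of a MAC: the manufacturer OUI."""
    return value >> 24


def find_match(match_mac: str, wired: Dict[str, Set[str]]) -> Optional[Tuple[str, str, str]]:
    """Correlate one Match MAC (seen on the discovered AP's network) with the
    wired tables. Returns (match method, match type, wired MAC) or None.
    Equal and +/-1 are checked before the weaker OUI match (assumed order)."""
    m = mac_to_int(match_mac)
    index: Dict[int, Tuple[str, str]] = {}
    for mtype, macs in wired.items():
        for w in macs:
            index.setdefault(mac_to_int(w), (mtype, w))
    candidates = (
        ("Equal", m),
        ("Plus One", (m + 1) & MAC_MASK),   # wired MAC is one more than the Match MAC
        ("Minus One", (m - 1) & MAC_MASK),  # wired MAC is one less than the Match MAC
    )
    for method, value in candidates:
        if value in index:
            mtype, w = index[value]
            return (method, mtype, w)
    for value, (mtype, w) in index.items():
        if oui_of(value) == oui_of(m):
            return ("OUI", mtype, w)
    return None


def classify_ap(macs_on_ap_network: Iterable[str],
                wired: Dict[str, Set[str]]) -> Tuple[str, Optional[Tuple[str, str, str]]]:
    """Classify a non-authorized AP from the MACs seen on its network.
    Weighting is this example's assumption: Equal/Plus One/Minus One -> Rogue,
    OUI-only -> Suspected Rogue, no match -> Interfering."""
    oui_hit: Optional[Tuple[str, str, str]] = None
    for mac in macs_on_ap_network:
        hit = find_match(mac, wired)
        if hit is None:
            continue
        if hit[0] != "OUI":
            return ("Rogue", hit)
        oui_hit = oui_hit or hit
    return ("Suspected Rogue", oui_hit) if oui_hit else ("Interfering", None)


def classify_all() -> Dict[str, Tuple[str, Optional[Tuple[str, str, str]]]]:
    """Classify every constructed discovered AP against the constructed wired tables."""
    return {bssid: classify_ap(macs, WIRED_MACS) for bssid, macs in DISCOVERED_APS.items()}


if __name__ == "__main__":
    for bssid, (cls, evidence) in classify_all().items():
        print(f"{bssid}  {cls:<16} {evidence}")
```

Each result carries the method and match type as evidence, which is what an operator needs when deciding whether a Rogue verdict rests on an exact wired MAC or only on a shared OUI.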

Rule-based classification

The rules available for classification depend on the environment in use and differ between AOS 8 and AOS 10.

Mobility Conductor (AOS-8)

AP classification rule configuration is only performed on a Mobility Conductor. A rule is identified by the ASCII character string name (32 characters maximum). The AP classification rules have three possible specifications.

SSID of the AP

Each rule can have up to 6 SSID parameters. If one or more SSIDs are specified in a rule, the rule can be set either to match when any of the listed SSIDs matches, or to match only when none of the listed SSIDs matches. The default is the match operation.

SNR of the AP

Each rule can have only one specification of the SNR. A minimum and/or maximum can be specified in each rule, and the specification is in SNR (dB).

Discovered-AP-Count (the number of APs that can see the AP)

Each rule can have only one Discovered-AP-Count specification, expressed as either a minimum or a maximum. Whether the value is a minimum or a maximum must be stated whenever Discovered-AP-Count is specified; the default is to check for a minimum Discovered-AP-Count.

Central (AOS-10)

WIDS rules in Central work in conjunction with the WIDS Module on the AP. While the APs are not dependent on Central to detect rogue events, Central classifications take precedence over device level classifications.

With WIDS in Central, administrators can create a detailed definition of what constitutes a rogue device, and quickly act on a rogue AP for investigation, restrictive action, or both.

AP classification rule configuration is performed on Central. Three default rules are available to help classify rogue and suspected rogue devices, and custom rule sets can be created from criteria such as detecting-AP count, SSID value, time spent on the network, and so on. The Rule Classification Criteria page describes all the criteria that are configurable in Central.

Manual classification

With this method, the wireless administrator monitors the IDS events and manually re-classifies one or more devices to a particular definition such as Interfering, Suspected Rogue or Rogue.

Classification hierarchy

WIDS uses a hierarchy to classify detected devices:

  1. Interfering

  2. Suspected Rogue

  3. Rogue

  4. Neighbor (Known Interfering)

  5. Manually Contained (DoS)

  6. Valid

In the lifecycle of a monitored AP, the classification can only be promoted (moved to a higher-numbered entry in the list above) and is never demoted (moved back to a lower-numbered entry).

The same behavior applies to custom rules. For example, if an AP is already classified as Rogue, a subsequent rule match never demotes it to Suspected Rogue.
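The AOS-8 rule specifications above (an SSID list with match-any or no-match-all, one SNR range, one Discovered-AP-Count bound) and the promotion-only hierarchy can be modelled together. The following Python is an added example, not HPE Aruba Networking's implementation or rule syntax: the rule field names, the classification each rule assigns on a match, the policy of evaluating every rule against each sighting, and the sample rules and sightings are all this example's assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hierarchy as listed on the page, lowest first; a device may only move to a later entry
HIERARCHY = ["Interfering", "Suspected Rogue", "Rogue", "Neighbor",
             "Manually Contained", "Valid"]
RANK = {name: i for i, name in enumerate(HIERARCHY)}


@dataclass(frozen=True)
class ApRule:
    """One AP classification rule (field names are this example's assumption)."""
    name: str                           # ASCII, 32 characters maximum
    result: str                         # classification assigned on match (assumed field)
    ssids: Tuple[str, ...] = ()         # up to 6 SSIDs
    ssid_mode: str = "match-any"        # "match-any" (default) or "no-match-all"
    snr_min: Optional[int] = None       # dB
    snr_max: Optional[int] = None       # dB
    ap_count_min: Optional[int] = None  # Discovered-AP-Count bound
    ap_count_max: Optional[int] = None

    def __post_init__(self) -> None:
        if not (0 < len(self.name) <= 32 and self.name.isascii()):
            raise ValueError("rule name must be ASCII, 1-32 characters")
        if len(self.ssids) > 6:
            raise ValueError("at most 6 SSIDs per rule")
        if self.ssid_mode not in ("match-any", "no-match-all"):
            raise ValueError("ssid_mode must be match-any or no-match-all")
        if self.result not in RANK:
            raise ValueError(f"unknown classification {self.result!r}")

    def matches(self, ssid: str, snr_db: int, ap_count: int) -> bool:
        """All specified criteria must hold for the rule to match."""
        if self.ssids:
            listed = ssid in self.ssids
            if self.ssid_mode == "match-any" and not listed:
                return False
            if self.ssid_mode == "no-match-all" and listed:
                return False
        if self.snr_min is not None and snr_db < self.snr_min:
            return False
        if self.snr_max is not None and snr_db > self.snr_max:
            return False
        if self.ap_count_min is not None and ap_count < self.ap_count_min:
            return False
        if self.ap_count_max is not None and ap_count > self.ap_count_max:
            return False
        return True


class ClassificationState:
    """Per-BSSID classification that can be promoted but never demoted."""

    def __init__(self) -> None:
        self.current: Dict[str, str] = {}

    def propose(self, bssid: str, new: str) -> str:
        """Apply a proposed classification; keep the higher-ranked of old and new."""
        old = self.current.get(bssid, HIERARCHY[0])
        if RANK[new] > RANK[old]:
            old = new
        self.current[bssid] = old
        return old

    def apply_rules(self, rules: List[ApRule], bssid: str,
                    ssid: str, snr_db: int, ap_count: int) -> str:
        """Evaluate every rule against one sighting (this example's policy)."""
        result = self.propose(bssid, HIERARCHY[0])
        for rule in rules:
            if rule.matches(ssid, snr_db, ap_count):
                result = self.propose(bssid, rule.result)
        return result


# Constructed rules
RULES = [
    ApRule("corp-ssid-strong", "Rogue", ssids=("CorpWiFi",), snr_min=20),
    ApRule("corp-ssid-seen-widely", "Suspected Rogue",
           ssids=("CorpWiFi", "CorpGuest"), ap_count_min=2),
    ApRule("far-away-foreign", "Interfering",
           ssids=("CorpWiFi", "CorpGuest"), ssid_mode="no-match-all", snr_max=10),
]

# Constructed sightings: (BSSID, SSID, SNR in dB, Discovered-AP-Count)
SIGHTINGS = [
    ("02:11:22:33:44:01", "CorpWiFi", 35, 3),
    ("02:11:22:33:44:01", "CorpWiFi", 12, 3),   # weaker later sighting: only the Suspected Rogue rule fires
    ("02:11:22:33:44:02", "CorpGuest", 15, 4),
    ("02:11:22:33:44:03", "CoffeeShop", 5, 1),
]


def run() -> Dict[str, str]:
    """Feed the constructed sightings through the rules and return the final state."""
    state = ClassificationState()
    for bssid, ssid, snr, count in SIGHTINGS:
        state.apply_rules(RULES, bssid, ssid, snr, count)
    return dict(state.current)


if __name__ == "__main__":
    for bssid, cls in run().items():
        print(bssid, cls)
```

The second sighting of the first BSSID is the case described above: the AP was already Rogue, the later sighting matches only the Suspected Rogue rule, and the state stays Rogue.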

WIDS classifications for detected infrastructure devices.


Last modified: July 29, 2024 (6115eca)