Classification
Upon detection, APs and client devices must be accurately classified to determine whether they are valid, interfering, or rogues.
Terminology
APs and clients that are discovered during scanning of the wireless channels are classified into different groups.
AP definitions
| Classification | Description |
|---|---|
| Authorized | An AP that is part of the enterprise WLAN and provides WLAN service. |
| Neighbor | An interfering AP whose BSSIDs are known and recorded (also called a Known Interfering AP). Once classified as Neighbor, an AP keeps that classification. |
| Interfering | An AP that is seen in the RF environment but is not connected to the wired network. An interfering AP is not considered a direct security threat because it is not connected to the wired network; for example, an AP that belongs to a neighboring office's WLAN but is not part of your WLAN. |
| Rogue | An unauthorized AP that is plugged into the wired side of the network. |
| Suspected Rogue | An unauthorized AP that may be plugged into the wired side of the network. |
| Contained | An AP for which containment (DoS) has been enabled manually. |
Client definitions
| Classification | Description |
|---|---|
| Authorized | Any client that successfully authenticates with a valid AP and passes encrypted traffic. |
| Contained | Any client for which containment (DoS) has been enabled manually. |
| Interfering | A client associated with any AP that is not a valid (authorized) client. |
Methods
A discovered device is classified into one of the above definitions by the following methods:
- Internal heuristics
- Device level classification
- Rule-based classification
- Manual classification
Device level classification
Device classification is a combination of cloud processing and edge processing. By default, HPE Aruba Networking access points can continuously monitor the network and discover rogue access points without intervention from Central. Central classification, when enabled, takes precedence.
Internal heuristics
Internal heuristics work by checking whether the discovered AP is communicating with a wired device on the customer network. This is done by matching the MAC addresses of devices on the discovered AP's network against those seen on the user's wired network. A MAC address of a device on the discovered AP's network is known as the Match MAC.
Match methods
The match methods are:
- Plus One: A MAC address detected on the wired network correlates with the Match MAC, with the last octet of the wired MAC being one greater than that of the Match MAC.
- Minus One: A MAC address detected on the wired network correlates with the Match MAC, with the last octet of the wired MAC being one less than that of the Match MAC.
- Equal: The wired MAC address is identical to the Match MAC.
- OUI: Only the manufacturer's OUI (the first three octets) of the wired device matches the Match MAC.
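The following is an added example, not code from this page or from HPE Aruba Networking, that models the four match methods above as a lookup of a Match MAC against a wired-MAC table. The wired-MAC table, the observed Match MACs and the preference order (Equal, then Plus One, then Minus One, then OUI) are constructed assumptions; APs commonly derive their BSSIDs from their Ethernet MAC by adjusting the last octet, which is what the Plus One and Minus One checks are looking for.

```python
"""Added example, not code from the page or from HPE Aruba Networking: a toy
model of the internal-heuristics match methods. The wired-MAC table and the
observed Match MACs below are constructed sample data, and the preference
order Equal > Plus One > Minus One > OUI is an assumption."""
from typing import Iterable, List, Optional, Tuple


def parse_mac(mac: str) -> bytes:
    """Normalise 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff' to 6 raw bytes."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{octet:02x}" for octet in raw)


def classify_match(match_mac: str, wired_macs: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (match method, wired MAC that matched) for a Match MAC seen on the
    discovered AP's network, or None when nothing on the wired side correlates.
    Plus One / Minus One require the first five octets to be identical and compare
    only the last octet; no wraparound at 0x00/0xff is modelled (assumption)."""
    m = parse_mac(match_mac)
    wired = [parse_mac(w) for w in wired_macs]
    # Equal: the same address is seen on both the wireless and the wired side.
    for w in wired:
        if w == m:
            return ("Equal", format_mac(w))
    # Plus One / Minus One: the wired MAC's last octet is one above / below the Match MAC.
    for w in wired:
        if w[:5] == m[:5]:
            if w[5] == m[5] + 1:
                return ("Plus One", format_mac(w))
            if w[5] == m[5] - 1:
                return ("Minus One", format_mac(w))
    # OUI: only the 3-octet manufacturer prefix matches; weakest evidence, so checked last.
    for w in wired:
        if w[:3] == m[:3]:
            return ("OUI", format_mac(w))
    return None


# Constructed sample data: MACs learned on the wired side (e.g. Eth-Wired-MAC),
# and Match MACs observed on the networks of three discovered APs.
WIRED_MACS = ["00:1a:1e:00:10:01", "00:1a:1e:00:10:02", "3c:52:82:aa:bb:cc"]
OBSERVED_MATCH_MACS = {
    "ap-A": "00:1a:1e:00:10:00",   # wired MAC is one above -> Plus One
    "ap-B": "3c:52:82:11:22:33",   # same vendor prefix only -> OUI
    "ap-C": "d8:c7:c8:00:00:01",   # nothing correlates -> no match
}


def rogue_candidates(observed: dict, wired: Iterable[str]) -> List[Tuple[str, str, str]]:
    """List (ap, method, wired MAC) for every discovered AP whose Match MAC correlates
    with the wired network; APs with no correlation would stay Interfering."""
    wired = list(wired)
    hits = []
    for ap, match_mac in observed.items():
        result = classify_match(match_mac, wired)
        if result is not None:
            hits.append((ap, result[0], result[1]))
    return hits


if __name__ == "__main__":
    for ap, method, wired_mac in rogue_candidates(OBSERVED_MATCH_MACS, WIRED_MACS):
        print(f"{ap}: {method} match against wired {wired_mac}")
```

An OUI match on its own is weak evidence, since any wired device from the same vendor will match; that is why the example tries it only after the exact and last-octet checks have failed, and why a practitioner would treat an OUI-only hit as grounds for Suspected Rogue rather than Rogue.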
Match types
- Eth-Wired-MAC: The MAC addresses of wired devices learned by an AP on its Ethernet interface.
- GW-Wired-MAC: The collection of gateway MACs of all managed devices.
- AP-Wired-MAC: The MAC addresses of wired devices learned by monitoring traffic out of other valid and rogue APs.
- Config-Wired-MAC: The MAC addresses configured by the user, typically those of well-known servers in the network.
- Manual: User-triggered classification.
- External-Wired-MAC: The MAC address matched a set of known wired devices maintained in an external database.
- Mobility-Manager: The classification was determined by the mobility manager.
- Classification-off: The AP is classified as rogue because classification has been disabled, which causes all non-authorized APs to be classified as rogue.
- Propagated-Wired-MAC: The MAC addresses of wired devices learned by an AP other than the AP that used the information to classify a rogue.
- Base-BSSID-Override: The classification was derived from another BSSID belonging to the same AP, which supports multiple BSSIDs on its radio interface. For HPE Aruba Networking OUIs, if the base BSSID of a beacon matches the base BSSID of a known valid BSSID, then the new BSSID is not considered to be valid.
- AP-Rule: A user-defined AP classification rule matched.
- System-Wired-MAC: The MAC addresses of wired devices learned on the managed device.
- System-Gateway-MAC: The gateway MAC addresses learned on the managed device.
Rule-based classification
The rules available for classification depend on the environment and differ between AOS 8 and AOS 10.
Mobility Conductor (AOS-8)
AP classification rule configuration is performed only on a Mobility Conductor. A rule is identified by an ASCII name of at most 32 characters. An AP classification rule has three possible specifications:
- SSID of the AP: Each rule can have up to 6 SSID parameters. If one or more SSIDs are specified, the rule can be set either to match when the AP's SSID is any of the listed SSIDs or to match only when it is none of them. The default is the match operation.
- SNR of the AP: Each rule can have only one SNR specification. A minimum and/or a maximum can be specified, in dB.
- Discovered-AP-Count, the number of APs that can see the AP: Each rule can have only one Discovered-AP-Count specification, given as either a minimum or a maximum; the minimum or maximum operation must be specified together with the count. The default is to check for the minimum Discovered-AP-Count.
Central (AOS-10)
WIDS rules in Central work in conjunction with the WIDS Module on the AP. While the APs are not dependent on Central to detect rogue events, Central classifications take precedence over device level classifications.
With WIDS in Central, administrators can create a detailed definition of what constitutes a rogue device, and quickly act on a rogue AP for investigation, restrictive action, or both.
AP classification rule configuration is performed in Central. Three default rules are available to help classify rogue and suspected rogue devices, and custom rule sets can be created from criteria such as detected AP count, SSID value, time spent on the network, and so on. The Rule Classification Criteria page describes all the criteria configurable in Central.
Manual classification
With this method, the wireless administrator monitors the IDS events and manually re-classifies one or more devices to a particular definition such as Interfering, Suspected Rogue or Rogue.
Classification hierarchy
WIDS uses the following hierarchy to classify detected devices, listed from lowest to highest:
- Interfering
- Suspected Rogue
- Rogue
- Neighbor (Known Interfering)
- Manually Contained (DoS)
- Valid
In the lifecycle of a monitored AP, the classification can only be promoted (moved to a later entry in the list) and is never demoted (moved to an earlier entry).
This same behavior also applies to custom rules. For example, if an AP is already classified as Rogue, a subsequent rule match will never demote it to Suspected Rogue.
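The following is an added example, not code from this page or from HPE Aruba Networking, that serves two passages above: it models the AOS-8 rule specification (up to 6 SSIDs with a match-any or match-none option, one SNR minimum/maximum, one Discovered-AP-Count minimum/maximum) and applies the promote-only hierarchy, so that a rule match can raise a classification but never lower it. The class and field names, the sample rules and the observations are constructed assumptions, not the product's own syntax.

```python
"""Added example, not code from the page or from HPE Aruba Networking: a small
model of AOS-8 style AP classification rules (up to 6 SSIDs with match-any or
match-none, one SNR min/max, one Discovered-AP-Count min/max) evaluated against
constructed observations, with the promote-only classification hierarchy
enforced. The class and field names and the rule names are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

# The hierarchy from the page, lowest to highest; a classification only moves up.
HIERARCHY = ["Interfering", "Suspected Rogue", "Rogue", "Neighbor", "Manually Contained", "Valid"]
RANK = {name: position for position, name in enumerate(HIERARCHY)}


@dataclass
class ApObservation:
    bssid: str
    ssid: str
    snr_db: int
    discovered_ap_count: int  # how many of our APs can see this BSSID


@dataclass
class ApRule:
    name: str                  # ASCII, 32 characters maximum
    classify_as: str           # classification applied when the rule matches
    ssids: List[str] = field(default_factory=list)  # at most 6 per rule
    match_any_ssid: bool = True  # True: AP SSID must be one of ssids; False: must be none of them
    snr_min: Optional[int] = None
    snr_max: Optional[int] = None
    ap_count_min: Optional[int] = None
    ap_count_max: Optional[int] = None

    def __post_init__(self) -> None:
        if not self.name.isascii() or not 1 <= len(self.name) <= 32:
            raise ValueError("rule name must be ASCII and 1-32 characters")
        if len(self.ssids) > 6:
            raise ValueError("a rule may specify at most 6 SSIDs")
        if self.classify_as not in RANK:
            raise ValueError(f"unknown classification {self.classify_as!r}")

    def matches(self, obs: ApObservation) -> bool:
        """All specified criteria must hold; unspecified criteria are ignored."""
        if self.ssids and (obs.ssid in self.ssids) != self.match_any_ssid:
            return False
        if self.snr_min is not None and obs.snr_db < self.snr_min:
            return False
        if self.snr_max is not None and obs.snr_db > self.snr_max:
            return False
        if self.ap_count_min is not None and obs.discovered_ap_count < self.ap_count_min:
            return False
        if self.ap_count_max is not None and obs.discovered_ap_count > self.ap_count_max:
            return False
        return True


def promote(current: str, proposed: str) -> str:
    """Promote-only: return the higher of the two classifications, never a lower one."""
    return proposed if RANK[proposed] > RANK[current] else current


def classify(obs: ApObservation, rules: List[ApRule], current: str = "Interfering") -> str:
    """Evaluate every rule; each match may raise the classification but never lower it."""
    result = current
    for rule in rules:
        if rule.matches(obs):
            result = promote(result, rule.classify_as)
    return result


# Constructed sample rules: an AP advertising one of our SSIDs is suspicious;
# one that is loud and heard by several of our APs is treated as a rogue.
RULES = [
    ApRule("our-ssid-seen", "Suspected Rogue", ssids=["CorpWiFi", "CorpWiFi-Guest"]),
    ApRule("loud-and-widespread", "Rogue", snr_min=40, ap_count_min=3),
]

if __name__ == "__main__":
    for obs in [
        ApObservation("02:00:00:00:00:01", "CorpWiFi", 25, 1),
        ApObservation("02:00:00:00:00:02", "CoffeeShop", 55, 4),
    ]:
        print(obs.bssid, "->", classify(obs, RULES))
```

Passing the AP's existing classification as `current` is what makes the demotion rule visible: an AP already at Rogue stays at Rogue even when only the Suspected Rogue rule matches, and a Valid AP is untouched by any rule.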