Configuring, Monitoring and Reporting WIDS

A summary of steps for configuring WIDS classification rules, monitoring WIDS events and reporting threats.

Configuring WIDS

Captured below are the typical configuration workflows for WIDS in HPE Aruba Networking Central. For step-by-step instructions, refer to the Central user documentation.

Enabling rule classification

To enable WIDS, navigate to the Configuration option under the Security tab, and enable the toggle to start monitoring for Rogue APs and create classification rules.

Configuration gear under Security

Toggle to enable WIDS rules

Follow the Central user documentation for step-by-step instructions on enabling WIDS rules.

Configuring rules

After WIDS is enabled in the UI, the set of three default classification rules takes effect, and a maximum of 32 custom rules can be configured. Multiple conditions can be defined in a single rule. They are combined with a logical "AND" operator, so a rule is applied only if every condition in that rule matches.

List of default rules. Click on + to create a custom rule

Add one or more conditions to the custom rule

Follow the Central user documentation for step-by-step instructions on creating and configuring custom rules.

Rule ordering matters: rules are evaluated from top to bottom in the custom rule list, and evaluation stops at the first match, which is the rule that is executed. Ordering the rules from lower classifications to higher classifications is important for proper operation. If an administrator manually classifies a neighbor AP, no rules are evaluated for that AP. If the matching rule selects a non-final classification (i.e., Interfering or Suspected Rogue), the AP rogue detection algorithms continue to be applied at the edge. Further monitoring may determine that the AP is in fact a rogue, in which case its classification is updated accordingly.
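The evaluation order described above can be checked with a small model before committing a rule order in the UI. This is an added example, not HPE Aruba Networking Central code; the condition predicates, attribute names (ssid, signal_dbm), rule names and sample APs are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

NON_FINAL = {"Interfering", "Suspected Rogue"}  # edge detection keeps running
MAX_CUSTOM_RULES = 32

@dataclass
class Rule:
    name: str
    classification: str
    conditions: List[Callable[[dict], bool]]  # every condition must hold (AND)

    def matches(self, ap: dict) -> bool:
        return all(cond(ap) for cond in self.conditions)

def classify(ap: dict, rules: List[Rule], manual: Optional[str] = None):
    """Return (classification, name of the rule that decided it)."""
    if len(rules) > MAX_CUSTOM_RULES:
        raise ValueError("at most 32 custom rules can be configured")
    if manual is not None:      # administrator's choice: no rules are evaluated
        return manual, None
    for rule in rules:          # top to bottom
        if rule.matches(ap):
            return rule.classification, rule.name  # first match ends evaluation
    return None, None           # no custom rule matched in this model

def still_monitored(classification: Optional[str]) -> bool:
    """True when the classification is a non-final state."""
    return classification in NON_FINAL

# Constructed conditions and APs; attribute names are hypothetical.
strong = lambda ap: ap["signal_dbm"] >= -70
spoofs_ssid = lambda ap: ap["ssid"] == "corp-wifi"

LOW = Rule("strong-neighbor", "Suspected Rogue", [strong])
HIGH = Rule("strong-ssid-spoof", "Rogue", [strong, spoofs_ssid])

AP_SPOOF = {"bssid": "02:00:00:00:00:01", "ssid": "corp-wifi", "signal_dbm": -55}
AP_WEAK_SPOOF = {"bssid": "02:00:00:00:00:02", "ssid": "corp-wifi", "signal_dbm": -85}

if __name__ == "__main__":
    for order in ([LOW, HIGH], [HIGH, LOW]):
        cls, rule = classify(AP_SPOOF, order)
        print([r.name for r in order], "->", cls, "via", rule,
              "| still monitored:", still_monitored(cls))
    print(classify(AP_WEAK_SPOOF, [HIGH, LOW]))   # one condition fails: no match
    print(classify(AP_SPOOF, [HIGH, LOW], manual="Interfering"))
```

The same AP receives a different classification depending only on which rule sits higher in the list, and the AP that satisfies one of the two conditions of the second rule matches nothing.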

Monitoring WIDS events

Rogue events

The Rogues tab provides a list of all the APs that have been detected in the network and their corresponding classifications.

Example of a rogue classification

The Central user documentation captures more details on interpreting rogue events and device classifications.

WIDS events

The IDS tab provides a list of potential threats detected by HPE Aruba Networking access points at the infrastructure and client levels.

Example of a potential client level threat

Central consolidates multiple attacks within a single event to reduce noise. Each displayed event corresponds to a specific MAC address, and multiple events (if generated) are aggregated for that MAC address.

  • Multiple APs reporting the same event

  • Several attacks against the same MAC address

Use the Central user documentation for instructions on interpreting each of the different fields in the event view.

Generating WIDS alerts

Wireless administrators can set up alerts for different types of infrastructure and client attacks. For instructions, check out the Central user documentation.

Generating WIDS reports

HPE Aruba Networking Central provides administrators the ability to generate reports for IDS events. For details on creating reports, refer to the Central user documentation.


Last modified: July 29, 2024 (6115eca)