Configuring, Monitoring and Reporting WIDS
Configuring WIDS
Captured below are the typical configuration workflows for WIDS in HPE Aruba Networking Central. For step-by-step instructions, refer to the Central user documentation.
Enabling rule classification
To enable WIDS, navigate to the Configuration option under the Security tab, and enable the toggle to start monitoring for Rogue APs and create classification rules.
Follow the Central user documentation for step-by-step instructions on enabling WIDS rules.
Configuring rules
After enabling WIDS in the UI, the set of three default classification rules takes effect, and a maximum of 32 custom rules can be configured. Multiple conditions can be defined in a single rule; they are combined with a logical “AND”, which means that a rule is applied only if all the criteria in that rule are matched.
Follow the Central user documentation for step-by-step instructions on creating and configuring custom rules.
Rule ordering matters because rules are evaluated from top to bottom in the custom rule list. Whenever a rule match is found, that rule is executed and no further rule evaluation takes place. Ordering the rules from lower classifications to higher classifications is important for proper operation. If a neighbor AP is manually classified by the administrator, no rules are evaluated for that AP. If the classification rule selects a non-final state classification (i.e., Interfering or Suspected Rogue), AP rogue detection algorithms continue to be applied at the edge, where further monitoring of the AP may determine that the AP is in fact a rogue and update the classification accordingly.
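The evaluation order described above, modelled as an added example (not code from Central or from this page): conditions within a rule are ANDed, rules are tried top to bottom with the first match winning, and a manual classification bypasses the list. The AP fields, the sample rules and the Interfering < Suspected Rogue < Rogue ranking are assumptions made for illustration.

```python
# Added example: first-match evaluation of custom WIDS rules as this page describes it.
# Field names (ssid, snr, detecting_aps) and all rules are hypothetical, not Central's schema.
from dataclasses import dataclass

MAX_CUSTOM_RULES = 32                            # limit stated on the page
NON_FINAL = {"Interfering", "Suspected Rogue"}   # non-final states named on the page
RANK = {"Interfering": 0, "Suspected Rogue": 1, "Rogue": 2}  # assumed low-to-high order

@dataclass
class Rule:
    name: str
    conditions: dict          # field -> predicate; every predicate must hold (AND)
    classification: str

def classify(ap, rules, manual=None):
    """Return (classification, matching rule name) for one neighbor AP."""
    if len(rules) > MAX_CUSTOM_RULES:
        raise ValueError("more than 32 custom rules")
    if manual is not None:    # manually classified: no rules are evaluated
        return manual, None
    for rule in rules:        # top to bottom, stop at the first match
        if all(f in ap and test(ap[f]) for f, test in rule.conditions.items()):
            return rule.classification, rule.name
    return None, None         # no custom rule matched (default rules not modelled)

def ordering_warnings(rules):
    """Names of rules listed below a rule with a higher classification."""
    flagged, highest = [], -1
    for rule in rules:
        rank = RANK[rule.classification]
        if rank < highest:
            flagged.append(rule.name)
        highest = max(highest, rank)
    return flagged

# Constructed rules and APs, for illustration only.
WEAK = Rule("weak-signal", {"snr": lambda v: v < 15}, "Interfering")
WIDE = Rule("widely-seen", {"detecting_aps": lambda v: v >= 3}, "Suspected Rogue")
SPOOF = Rule("ssid-spoof", {"ssid": lambda v: v == "corp-wifi",
                            "snr": lambda v: v >= 30}, "Rogue")
LOW_TO_HIGH, HIGH_TO_LOW = [WEAK, WIDE, SPOOF], [SPOOF, WIDE, WEAK]
NEAR_AP = {"ssid": "corp-wifi", "snr": 35, "detecting_aps": 4}
FAR_AP = {"ssid": "corp-wifi", "snr": 10, "detecting_aps": 1}

if __name__ == "__main__":
    for rules in (LOW_TO_HIGH, HIGH_TO_LOW):
        for ap in (NEAR_AP, FAR_AP):
            result, rule = classify(ap, rules)
            print(rule, result, "(non-final)" if result in NON_FINAL else "(final)")
        print("listed below a higher classification:", ordering_warnings(rules))
```

With the low-to-high order the nearby AP lands in the non-final Suspected Rogue state, which per the text above leaves edge detection free to reclassify it later; with the order reversed, the same AP is classified Rogue by the first custom rule and the ordering check flags the two rules listed below it.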
Monitoring WIDS events
Rogue events
The Rogues tab provides a list of all the APs that have been detected in the network and their corresponding classifications.
The Central user documentation captures more details on interpreting rogue events and device classifications.
WIDS events
The IDS tab provides a list of potential threats detected by HPE Aruba Networking access points at the infrastructure and client levels.
Central consolidates multiple attacks within a single event to reduce noise. Each displayed event corresponds to a specific MAC address, where multiple events (if generated) are aggregated for each of those MAC addresses.
- Multiple APs reporting the same event
- Several attacks against the same MAC address
Use the Central user documentation for instructions on interpreting each of the different fields in the event view.
Generating WIDS alerts
Wireless administrators can set up alerts for different types of infrastructure and client attacks. For instructions, check out the Central user documentation.
Generating WIDS reports
HPE Aruba Networking Central provides administrators the ability to generate reports for IDS events. For details on creating reports, refer to the Central user documentation.