Filter
Top Products
Licensing
The ability to perform rare scanning is available only with the RFprotect license. However, the AP can scan ‘reg-
domain’ or ‘all-reg-domain’ channels without the RFprotect license.
Working with Tarpit Shielding
The Tarpit Shielding feature is a type of wireless containment. Detected devices that are classified as rogues are
contained by forcing client association to a fake channel or BSSID. This method of tarpitting is more efficient than
rogue containment via repeated de-authorization requests. Tarpit Sheilding works by spoofing frames from an AP to
confuse
a client about its association. The
confused
client assumes it is associated to the AP on a different (fake)
channel than the channel that the AP is actually operating on, and will attempt to communicate with the AP in the
fake channel.
Tarpit Shielding works in conjunction with the
deauth
wireless containment mechanism. The deauth mechanism
triggers the client to generate probe request and subsequent association request frames. The AP then responds with
probe response and association response frames. Once the monitoring AP sees these frames, it will spoof the probe-
response and association response frames, and manipulates the content of the frames to confuse the client.
A station is determined to be in the Tarpit when we
see
it sending data frames in the fake channel. With some
clients, the station remains in tarpit state until the user manually disables and re-enables the wireless interface.
Configuring Tarpit Shielding
Tarpit shielding is configured on an AP using one of two methods:
Disable all clients—In this method, any client that attempts to associate with an AP marked for containment is
sent spoofed frames.
Disable non-valid clients—In this method, only non-authorized clients that attempt to associate with an AP is sent
to the tarpit.
The choices for disabling Tarpit Shielding on an AP are:
l Deauth-wireless-containment
l Deauth-wireless-containment with tarpit-shielding (excluding-valid-clients)
l Deauth-wireless-containment with tarpit-shielding
EnablingTarpit Shielding
Use the ids-general-profile command to configure Tarpit Shielding (for detailed information on commands refer to
the
Command Line Reference Guide
).
ids general-profile default
wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta]
Use the following show commands to view updated Tarpit Shielding status and the spoofed frames generated for an
AP:
show ap monitor stats …
show ap monitor containment-info
Understanding Tarpit Shielding LicensingCLICommands
In the ids general-profile default wireless-containment command, the ‘tarpit-non-valid-sta’ and ‘tarpit-all-sta’
options are available only with a RFprotect license. The ‘deauth-only’ and ‘none’ options are available with the Base
OS license.
DellPowerConnectW-SeriesArubaOS6.2 | User Guide WirelessIntrusion Prevention | 392