
Alcatel-Lucent AOS-W 6.5.3.x - Tarpit Shielding Overview; Configuring Tarpit Shielding

Alcatel-Lucent AOS-W 6.5.3.x
1160 pages
507| Wireless Intrusion Prevention AOS-W 6.5.3.x| User Guide
ap-max-unseen-timeout
sta-max-unseen-timeout
The inactivity timeout is the number of times the device was not “seen” when the channel was scanned. The
unseen timeout is the time, in seconds, since the device was last seen.
The show ap monitor scan-info/channel commands provide details of the channel types, dwell times, and
the channel visit sequence.
(host) # show ap monitor scan-info ap-name rb-121
Licensing
The ability to perform rare scanning is available only with the RFprotect license. However, the AP can scan
‘reg-domain’ or ‘all-reg-domain’ channels without the RFprotect license.
Tarpit Shielding Overview
The Tarpit Shielding feature is a type of wireless containment. Detected devices that are classified as rogues are
contained by forcing client association to a fake channel or BSSID. This method of tarpitting is more efficient
than rogue containment via repeated de-authorization requests. Tarpit Shielding works by spoofing frames
from an AP to confuse a client about its association. The confused client assumes it is associated to the AP on a
different (fake) channel than the channel that the AP is actually operating on, and will attempt to communicate
with the AP in the fake channel.
Tarpit Shielding works in conjunction with the deauth wireless containment mechanism. The deauth
mechanism triggers the client to generate probe request and subsequent association request frames. The AP
then responds with probe response and association response frames. Once the monitoring AP sees these
frames, it spoofs the probe response and association response frames and manipulates their content to
confuse the client.
A station is determined to be in the Tarpit when we see it sending data frames in the fake channel. With some
clients, the station remains in tarpit state until the user manually disables and re-enables the wireless interface.
Configuring Tarpit Shielding
Tarpit shielding is configured on an AP using one of two methods:
• Disable all clients: In this method, any client that attempts to associate with an AP marked for
  containment is sent spoofed frames.
• Disable non-valid clients: In this method, only non-authorized clients that attempt to associate with an
  AP are sent to the tarpit.
The choices for disabling Tarpit Shielding on an AP are:
• Deauth-wireless-containment
• Deauth-wireless-containment with tarpit-shielding (excluding-valid-clients)
• Deauth-wireless-containment with tarpit-shielding
Enabling Tarpit Shielding
Use the ids general-profile command to configure Tarpit Shielding (for detailed information on commands,
refer to the AOS-W Command Line Reference Guide).
ids general-profile default
wireless-containment [deauth-only | none | tarpit-all-sta | tarpit-non-valid-sta]
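
The containment methods and the tarpit-state rule described above can be modelled offline to check which clients a given wireless-containment value would affect before it is applied. This is an added Python example, not AOS-W code: the names Frame, containment_action, stations_in_tarpit and report, the MAC addresses and the channel numbers are constructed for illustration, and treating a valid client under tarpit-non-valid-sta as deauth-only is an assumption.

```python
from dataclasses import dataclass

# Values of the wireless-containment parameter listed on this page.
MODES = {"none", "deauth-only", "tarpit-all-sta", "tarpit-non-valid-sta"}

@dataclass(frozen=True)
class Frame:          # one constructed monitor observation
    sta: str          # client MAC address
    channel: int      # channel the frame was heard on
    kind: str         # "assoc-req", "data", ...

def containment_action(mode, ap_contained, client_valid):
    """Return 'none', 'deauth' or 'deauth+tarpit' for one client of an AP."""
    if mode not in MODES:
        raise ValueError(f"unknown wireless-containment value: {mode}")
    if not ap_contained or mode == "none":
        return "none"
    if mode == "deauth-only":
        return "deauth"
    if mode == "tarpit-non-valid-sta" and client_valid:
        # Assumption: a valid client excluded from the tarpit still gets deauth.
        return "deauth"
    return "deauth+tarpit"

def stations_in_tarpit(frames, fake_channel, targeted):
    """Page rule: a station is in the tarpit once it sends data on the fake channel."""
    return {f.sta for f in frames
            if f.sta in targeted and f.kind == "data" and f.channel == fake_channel}

# Constructed sample: one valid and one non-valid client of a contained AP.
REAL_CH, FAKE_CH = 6, 11
CLIENTS = {"aa:aa:aa:00:00:01": True, "aa:aa:aa:00:00:02": False}  # MAC -> valid?
FRAMES = [
    Frame("aa:aa:aa:00:00:01", REAL_CH, "assoc-req"),
    Frame("aa:aa:aa:00:00:02", REAL_CH, "assoc-req"),
    Frame("aa:aa:aa:00:00:02", FAKE_CH, "data"),
    Frame("aa:aa:aa:00:00:01", REAL_CH, "data"),
]

def report(mode):
    """Per-client action under `mode`, plus the stations observed in the tarpit."""
    actions = {sta: containment_action(mode, True, ok) for sta, ok in CLIENTS.items()}
    targeted = {sta for sta, act in actions.items() if act == "deauth+tarpit"}
    return actions, stations_in_tarpit(FRAMES, FAKE_CH, targeted)

if __name__ == "__main__":
    for mode in sorted(MODES):
        print(mode, report(mode))
```

Comparing the tarpit-all-sta and tarpit-non-valid-sta rows shows the operational difference: only the former subjects valid clients of a contained AP to tarpitting.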
