You have been instructed to look in an AOS Security Dashboard's client list. Your goal is to find clients that belong to the company and have connected to devices that might belong to hackers.
Which client fits this description?
Correct Answer: A
The AOS Security Dashboard in an AOS-8 solution (Mobility Controllers or Mobility Master) provides a client list through its Wireless Intrusion Prevention (WIP) system, showing the classification of clients and the APs they are connected to. The goal is to identify clients that belong to the company (Authorized clients) and have connected to devices that might belong to hackers (rogue or suspected rogue APs).
Client Classification:
Authorized: A client that has successfully authenticated to an authorized AP and is part of the company's network (e.g., an employee device).
Interfering: A client that is not authenticated to the company's network and is considered external or potentially malicious.
AP Classification:
Authorized: An AP that is part of the company's network and managed by the MC.
Suspected Rogue: An AP that is not authorized and is suspected of being malicious, often because it exhibits suspicious behavior (e.g., a BSSID close to an authorized AP, indicating potential spoofing).
Neighbor: An AP that is not part of the company's network and is not connected to the wired network (e.g., a nearby AP from another organization).
Interfering: An AP that is not part of the company's network and may be causing interference, but is not necessarily malicious.
The requirement is to find a client that is Authorized (belongs to the company) and connected to a Suspected Rogue AP (might belong to hackers).
Option A: MAC address: d8:50:e6:f3:6d:a4; Client Classification: Authorized; AP Classification: Suspected Rogue. This client is classified as "Authorized," meaning it belongs to the company, and it is connected to a "Suspected Rogue" AP, which might belong to hackers. This matches the requirement perfectly.
Option B: MAC address: d8:50:e6:f3:6e:c5; Client Classification: Interfering; AP Classification: Neighbor. This client is "Interfering" (not a company client) and connected to a "Neighbor" AP, which is not considered a hacker's device (it's just a nearby AP).
Option C: MAC address: d8:50:e6:f3:6e:60; Client Classification: Interfering; AP Classification: Interfering. This client is "Interfering" (not a company client) and connected to an "Interfering" AP, which is not necessarily a hacker's device (it may just be causing interference).
Option D: MAC address: d8:50:e6:f3:70:ab; Client Classification: Interfering; AP Classification: Suspected Rogue. This client is "Interfering" (not a company client), although it is connected to a "Suspected Rogue" AP. It does not meet the requirement of being a company client.
The HPE Aruba Networking AOS-8 8.11 User Guide states:
"The Security Dashboard's client list in ArubaOS shows the classification of each client and the AP it is connected to. An 'Authorized' client is one that has successfully authenticated to an authorized AP and is part of the company's network. A 'Suspected Rogue' AP is an unauthorized AP that exhibits suspicious behavior, such as a BSSID close to an authorized AP, indicating potential spoofing by a hacker. To identify security risks, look for authorized clients connected to suspected rogue APs, as this may indicate a company device has connected to a malicious AP." (Page 415, Security Dashboard Section)
Additionally, the HPE Aruba Networking Security Guide notes:
"WIP classifies clients as 'Authorized' if they have authenticated to an authorized AP managed by the controller. A 'Suspected Rogue' AP is a potential threat, as it may be attempting to mimic a legitimate AP to lure clients. Identifying authorized clients connected to suspected rogue APs is critical for detecting potential attacks, such as man-in-the-middle attempts by hackers." (Page 78, WIP Classifications Section)
References:
HPE Aruba Networking AOS-8 8.11 User Guide, Security Dashboard Section, Page 415.
HPE Aruba Networking Security Guide, WIP Classifications Section, Page 78.