RE: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-22 Thread Cody Ensanian
Maybe I'm missing something as well under the hood. However the behavior I 
describe has been our observation in our testing and troubleshooting. Turning 
off "private address" for devices on our network seems to mitigate the issue 
for us, and I have not seen the blacklist issue recur after the feature is 
disabled.

As for the comment about the end users' privacy - the users are welcome to use 
the feature for other networks. It's either we (my campus) track and attribute 
their real MAC, or their fake one. Well, we've been seeing their real MAC 
address already. And the argument about privacy/tracking someone doesn't apply 
in my opinion since I'm not tracking their MAC address's whereabouts off 
campus (where, if they generate a random MAC for those networks, it wouldn't 
matter anyway).

We also collect statistics on our networks (user counts, high use rooms, high 
use buildings, indoor vs outdoor, etc). If every new Apple device started 
identifying itself to our controllers as a "new device" now, our stats and 
reporting this year/semester would become highly skewed (without having to do a 
lot of extra work to "merge" what we believe were the same devices).

We also did not want to simply disable ARP-spoof detection on our controllers.

For the above reasons, we opted to have users disable the feature. At least for 
now. Perhaps we'll change our tactic once more research/testing is done and 
Aruba & Apple can report more specifically on what's going on under the hood.

Happy first day of fall,

Cody
University of Colorado Colorado Springs



-Original Message-
From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Jonathan Waldrep
Sent: Tuesday, September 22, 2020 7:24 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

On 2020-09-21 15:59, Cody Ensain wrote:
> Which makes sense to me: pre-upgrade its the devices real mac 
> address/IP which is known by the controller... post-upgrade the 
> "private address" toggle is turned on by default, so IOS generates a 
> random mac address for any wireless network profile on the device.
> Now, the phone tries sending traffic with new-mac/IP combo and of 
> course the controller now thinks its ARP spoofing.

 That doesn't make sense to me. The MAC is generated before the device 
associates. Once it has associated/auth'd, it will do DHCP and get a new 
address. From the controller's perspective, it just looks like a totally new 
device, not something spoofing.

 I could be missing something, though.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
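
The two readings in the exchange above (a known IP suddenly claimed by a new MAC, versus a new MAC that does DHCP and simply looks like a new device) can be told apart in observed address bindings. The following is an added example, not code from any poster and not Aruba's detection logic: it flags an IP whose MAC changes inside an assumed lease window and marks whether the new MAC has the locally administered bit set, which is how a randomized "private address" appears on the wire. `LEASE_SECONDS`, the verdict names and the sample observations are constructed for illustration.

```python
from dataclasses import dataclass

LEASE_SECONDS = 3600  # assumed binding lifetime; not a value from the thread


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return 6 bytes."""
    digits = text.replace(":", "").replace("-", "").replace(".", "")
    raw = bytes.fromhex(digits)  # raises ValueError on non-hex input
    if len(digits) != 12 or len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return raw


def is_randomized(mac: str) -> bool:
    """True for a unicast address with the locally administered bit (0x02) set."""
    first = parse_mac(mac)[0]
    return bool(first & 0x02) and not (first & 0x01)


@dataclass
class Finding:
    ts: int
    ip: str
    old_mac: str
    new_mac: str
    verdict: str


def triage(observations):
    """Walk (ts, ip, mac) tuples sorted by ts and report IP-to-MAC changes.

    The locally administered bit is only a triage hint: any host can set it,
    so "review-private-address" means "check first", not "safe to ignore".
    """
    bindings = {}  # ip -> (normalized mac, last time seen)
    findings = []
    for ts, ip, mac in observations:
        mac = parse_mac(mac).hex(":")
        known = bindings.get(ip)
        if known and known[0] != mac:
            old_mac, last_seen = known
            if ts - last_seen > LEASE_SECONDS:
                verdict = "stale-binding"           # old entry aged out, IP reused
            elif is_randomized(mac) and not is_randomized(old_mac):
                verdict = "review-private-address"  # burned-in MAC replaced by random one
            else:
                verdict = "investigate"             # live binding changed, no benign hint
            findings.append(Finding(ts, ip, old_mac, mac, verdict))
        bindings[ip] = (mac, ts)
    return findings


# Constructed observations (timestamp in seconds, IP, MAC); not data from the thread.
SAMPLE = [
    (0,     "10.0.0.5", "3c:22:fb:10:20:30"),  # device seen with its hardware MAC
    (600,   "10.0.0.5", "F2-9A-41-0B-77-C3"),  # same IP, now a randomized MAC
    (700,   "10.0.0.9", "d6:01:22:33:44:55"),  # randomized MAC, fresh IP: a "new device"
    (800,   "10.0.0.7", "00:1b:63:aa:bb:cc"),
    (900,   "10.0.0.7", "a4:5e:60:01:02:03"),  # same IP, different hardware MAC
    (10000, "10.0.0.9", "3c:22:fb:99:88:77"),  # IP reused long after the last sighting
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f.ts, f.ip, f.old_mac, "->", f.new_mac, f.verdict)
```

Only the second observation matches the "new-mac/IP combo" case; the third, a randomized MAC that arrives with its own fresh address, produces no finding at all.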



Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-22 Thread Jonathan Waldrep
On 2020-09-21 15:59, Cody Ensain wrote:
> Which makes sense to me: pre-upgrade its the devices real mac
> address/IP which is known by the controller... post-upgrade the
> "private address" toggle is turned on by default, so IOS generates a
> random mac address for any wireless network profile on the device.
> Now, the phone tries sending traffic with new-mac/IP combo and of
> course the controller now thinks its ARP spoofing.

 That doesn't make sense to me. The MAC is generated before the device
associates. Once it has associated/auth'd, it will do DHCP and get a new
address. From the controller's perspective, it just looks like a totally
new device, not something spoofing.

 I could be missing something, though.

-- 
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech



RE: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-21 Thread McClintic, Thomas
We initially tried that in testing with a client, the ARP Spoof was still 
flagged and caused a blacklist. With that theory it should only happen once 
after update also, which it was occurring several times a day.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Tim Cappalli
Sent: Monday, September 21, 2020 3:02 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers


Asking users to disable a feature that preserves their privacy for what is 
really a one time event (after iOS upgrade) on your network seems very drastic 
and has a longer term impact.



From: Cody Ensanian<mailto:censa...@uccs.edu>
Sent: Monday, September 21, 2020 15:59
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

Started running into the IOS14 issue the day it released. As soon as an apple 
device upgraded to IOS14 they got ARP-spoof blacklisted on our Aruba 
controllers.

Which makes sense to me: pre-upgrade its the devices real mac address/IP which 
is known by the controller... post-upgrade the "private address" toggle is 
turned on by default, so IOS generates a random mac address for any wireless 
network profile on the device. Now, the phone tries sending traffic with 
new-mac/IP combo and of course the controller now thinks its ARP spoofing.

Rather than turn off ARP-spoof detection on our controllers, we are telling our 
users that for OUR networks, they have to disable the "private address" 
feature. They can leave it enabled for other networks, but not ours.

During beta testing Apple said the "private address" was going to randomize 
daily. This has since been tested/proven to not be the case. It is randomized 
PER NETWORK (SSID), but will not change if you forget the network and come 
back. If you forget and come back, it will generate the same random mac for 
that network should you leave the toggle on (they must either hash it with the 
SSID, or the device keeps an internal table of all generated random macs and 
the network/SSID its meant for)

Cody
University of Colorado Colorado Springs


From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Michael Hulko
Sent: Monday, September 21, 2020 1:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

Keep the list posted as I am sure this is having an effect on others.... Oddly 
though, we are not seeing this in our Campus 8.6x environment.  Our "Arp 
Spoofing" issue is with our Housing 6.5x environment.  As I stated earlier, we 
have a number of other fires going..   Since moving to 8.6x in April on the 
recommendation of our SE....


  1.  8.6x GUI issues with blacklisting...  the GUI reports more than what is 
actually happening on the controllers
  2.  IAP to controller tunnel challenges with clustered environment (8.6x) ... 
 (actually, TAC did come back after 2 weeks troubleshooting and confirmed that 
IAP to controller tunnels will not work when controllers are clustered)
  3.  AP200 series APs on the 8.6x environment started randomly rebooting with 
"out of memory" errors
  4.  7240XM controllers in the 8.6x environment having process crashes and 
restarts plus warnings of CPU utilization peaking over 90%
  5.  'Arp Spoofing'
  6.  We are also detecting AP300 series reboots, but have not made any attempt 
to monitor or track these instances at this time.



Not to mention the myriad of user complaints that we generally field



Start of another school year



M

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu> on behalf of Nick Rauer <rauer_nicho...@wheatoncollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu>
Date: Monday, September 21, 2020 at 2:12 PM
To: "WIRELESS-LAN@listserv.educause.edu" <WIRELESS-LAN@listserv.educause.edu>
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

We just wrapped up a week's worth of troubleshooting with Aruba TAC and a group 
of Aruba developers to troubleshoot a similar issue. They ultimately 
recommended we disable blacklisting clients for "Arp Spoof". They did not 
correlate the issue related to the iOS update, though. I still have the case 
open, and will pass along the message. We are also seeing users complaining of 
their Windows 10 devices intermittently not connecting to an SSID after waking 
from sleep mode. We are still investigating th

RE: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-21 Thread Tim Cappalli
Asking users to disable a feature that preserves their privacy for what is 
really a one time event (after iOS upgrade) on your network seems very drastic 
and has a longer term impact.



From: Cody Ensanian<mailto:censa...@uccs.edu>
Sent: Monday, September 21, 2020 15:59
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

Started running into the IOS14 issue the day it released. As soon as an apple 
device upgraded to IOS14 they got ARP-spoof blacklisted on our Aruba 
controllers.

Which makes sense to me: pre-upgrade its the devices real mac address/IP which 
is known by the controller… post-upgrade the “private address” toggle is turned 
on by default, so IOS generates a random mac address for any wireless network 
profile on the device. Now, the phone tries sending traffic with new-mac/IP 
combo and of course the controller now thinks its ARP spoofing.

Rather than turn off ARP-spoof detection on our controllers, we are telling our 
users that for OUR networks, they have to disable the “private address” 
feature. They can leave it enabled for other networks, but not ours.

During beta testing Apple said the “private address” was going to randomize 
daily. This has since been tested/proven to not be the case. It is randomized 
PER NETWORK (SSID), but will not change if you forget the network and come 
back. If you forget and come back, it will generate the same random mac for 
that network should you leave the toggle on (they must either hash it with the 
SSID, or the device keeps an internal table of all generated random macs and 
the network/SSID its meant for)

Cody
University of Colorado Colorado Springs


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Hulko
Sent: Monday, September 21, 2020 1:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

Keep the list posted as I am sure this is having an effect on others…. Oddly 
though, we are not seeing this in our Campus 8.6x environment.  Our “Arp 
Spoofing” issue is with our Housing 6.5x environment.  As I stated earlier, we 
have a number of other fires going..   Since moving to 8.6x in April on the 
recommendation of our SE….


  1.  8.6x GUI issues with blacklisting…  the GUI reports more than what is 
actually happening on the controllers
  2.  IAP to controller tunnel challenges with clustered environment (8.6x) …  
(actually, TAC did come back after 2 weeks troubleshooting and confirmed that 
IAP to controller tunnels will not work when controllers are clustered)
  3.  AP200 series APs on the 8.6x environment started randomly rebooting with 
“out of memory” errors
  4.  7240XM controllers in the 8.6x environment having process crashes and 
restarts plus warnings of CPU utilization peaking over 90%
  5.  ‘Arp Spoofing’
  6.  We are also detecting AP300 series reboots, but have not made any attempt 
to monitor or track these instances at this time.



Not to mention the myriad of user complaints that we generally field



Start of another school year



M

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu> on behalf of Nick Rauer <rauer_nicho...@wheatoncollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu>
Date: Monday, September 21, 2020 at 2:12 PM
To: "WIRELESS-LAN@listserv.educause.edu" <WIRELESS-LAN@listserv.educause.edu>
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

We just wrapped up a week's worth of troubleshooting with Aruba TAC and a group 
of Aruba developers to troubleshoot a similar issue. They ultimately 
recommended we disable blacklisting clients for “Arp Spoof”. They did not 
correlate the issue related to the iOS update, though. I still have the case 
open, and will pass along the message. We are also seeing users complaining of 
their Windows 10 devices intermittently not connecting to an SSID after waking 
from sleep mode. We are still investigating that issue.

We have an MM/MC dual 7220 Cluster running 8.5.0.9 / AP300,AP500 series 
Deployed.

Thanks,
Nick Rauer
Manager of Networking and Telecommunications
Wheaton College – Massachusetts


From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
Sent: Monday, September 21, 2020 1:10 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

Yup.. we had to disable the “Arp Spoof” settings in the IDS profiles.  We have 
other irons in the fire so we are not able to do much to invest

RE: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-21 Thread Cody Ensanian
Started running into the iOS 14 issue the day it released. As soon as an Apple 
device upgraded to iOS 14 they got ARP-spoof blacklisted on our Aruba 
controllers.

Which makes sense to me: pre-upgrade it's the device's real MAC address/IP which 
is known by the controller… post-upgrade the “private address” toggle is turned 
on by default, so iOS generates a random MAC address for any wireless network 
profile on the device. Now, the phone tries sending traffic with new-mac/IP 
combo and of course the controller now thinks it's ARP spoofing.

Rather than turn off ARP-spoof detection on our controllers, we are telling our 
users that for OUR networks, they have to disable the “private address” 
feature. They can leave it enabled for other networks, but not ours.

During beta testing Apple said the “private address” was going to randomize 
daily. This has since been tested/proven to not be the case. It is randomized 
PER NETWORK (SSID), but will not change if you forget the network and come 
back. If you forget and come back, it will generate the same random MAC for 
that network should you leave the toggle on (they must either hash it with the 
SSID, or the device keeps an internal table of all generated random MACs and 
the network/SSID it's meant for).

Cody
University of Colorado Colorado Springs


From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Hulko
Sent: Monday, September 21, 2020 1:38 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

Keep the list posted as I am sure this is having an effect on others…. Oddly 
though, we are not seeing this in our Campus 8.6x environment.  Our “Arp 
Spoofing” issue is with our Housing 6.5x environment.  As I stated earlier, we 
have a number of other fires going..   Since moving to 8.6x in April on the 
recommendation of our SE….


  1.  8.6x GUI issues with blacklisting…  the GUI reports more than what is 
actually happening on the controllers
  2.  IAP to controller tunnel challenges with clustered environment (8.6x) …  
(actually, TAC did come back after 2 weeks troubleshooting and confirmed that 
IAP to controller tunnels will not work when controllers are clustered)
  3.  AP200 series APs on the 8.6x environment started randomly rebooting with 
“out of memory” errors
  4.  7240XM controllers in the 8.6x environment having process crashes and 
restarts plus warnings of CPU utilization peaking over 90%
  5.  ‘Arp Spoofing’
  6.  We are also detecting AP300 series reboots, but have not made any attempt 
to monitor or track these instances at this time.



Not to mention the myriad of user complaints that we generally field



Start of another school year



M

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu> on behalf of Nick Rauer <rauer_nicho...@wheatoncollege.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu>
Date: Monday, September 21, 2020 at 2:12 PM
To: "WIRELESS-LAN@listserv.educause.edu" <WIRELESS-LAN@listserv.educause.edu>
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

We just wrapped up a week's worth of troubleshooting with Aruba TAC and a group 
of Aruba developers to troubleshoot a similar issue. They ultimately 
recommended we disable blacklisting clients for “Arp Spoof”. They did not 
correlate the issue related to the iOS update, though. I still have the case 
open, and will pass along the message. We are also seeing users complaining of 
their Windows 10 devices intermittently not connecting to an SSID after waking 
from sleep mode. We are still investigating that issue.

We have an MM/MC dual 7220 Cluster running 8.5.0.9 / AP300,AP500 series 
Deployed.

Thanks,
Nick Rauer
Manager of Networking and Telecommunications
Wheaton College – Massachusetts


From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
Sent: Monday, September 21, 2020 1:10 PM
To: 
WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU<mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU>
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

Yup.. we had to disable the “Arp Spoof” settings in the IDS profiles.  We have 
other irons in the fire so we are not able to do much to investigate this issue 
at this time.

M

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu> on behalf of "McClintic, Thomas" <thomas.mcclin...@uth.tmc.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu>
Date: Friday, September 18, 2020 at 11:46 AM
To: 
"WIRELESS-LAN@listserv.educause.edu<mailto:WI

Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-21 Thread Michael Hulko
Keep the list posted as I am sure this is having an effect on others…. Oddly 
though, we are not seeing this in our Campus 8.6x environment.  Our “Arp 
Spoofing” issue is with our Housing 6.5x environment.  As I stated earlier, we 
have a number of other fires going..   Since moving to 8.6x in April on the 
recommendation of our SE….


  1.  8.6x GUI issues with blacklisting…  the GUI reports more than what is 
actually happening on the controllers
  2.  IAP to controller tunnel challenges with clustered environment (8.6x) …  
(actually, TAC did come back after 2 weeks troubleshooting and confirmed that 
IAP to controller tunnels will not work when controllers are clustered)
  3.  AP200 series APs on the 8.6x environment started randomly rebooting with 
“out of memory” errors
  4.  7240XM controllers in the 8.6x environment having process crashes and 
restarts plus warnings of CPU utilization peaking over 90%
  5.  ‘Arp Spoofing’
  6.  We are also detecting AP300 series reboots, but have not made any attempt 
to monitor or track these instances at this time.



Not to mention the myriad of user complaints that we generally field



Start of another school year



M

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of Nick Rauer 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Monday, September 21, 2020 at 2:12 PM
To: "WIRELESS-LAN@listserv.educause.edu" 
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

We just wrapped up a week's worth of troubleshooting with Aruba TAC and a group 
of Aruba developers to troubleshoot a similar issue. They ultimately 
recommended we disable blacklisting clients for “Arp Spoof”. They did not 
correlate the issue related to the iOS update, though. I still have the case 
open, and will pass along the message. We are also seeing users complaining of 
their Windows 10 devices intermittently not connecting to an SSID after waking 
from sleep mode. We are still investigating that issue.

We have an MM/MC dual 7220 Cluster running 8.5.0.9 / AP300,AP500 series 
Deployed.

Thanks,
Nick Rauer
Manager of Networking and Telecommunications
Wheaton College – Massachusetts


From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
Sent: Monday, September 21, 2020 1:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

Yup.. we had to disable the “Arp Spoof” settings in the IDS profiles.  We have 
other irons in the fire so we are not able to do much to investigate this issue 
at this time.

M

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu> on behalf of "McClintic, Thomas" <thomas.mcclin...@uth.tmc.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu>
Date: Friday, September 18, 2020 at 11:46 AM
To: "WIRELESS-LAN@listserv.educause.edu" <WIRELESS-LAN@listserv.educause.edu>
Subject: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

We have begun seeing an impact with iOS 14 on our various SSIDs with ARP 
Spoofing events. We had not seen an event this year until July 9th (the date 
beta was released). There has been a large increase since the 16th of the 
events.

The events seem to occur randomly as we are starting to troubleshoot. They 
still occur even when clients disable the privacy setting for the network.

Since our blacklist interval is set to 30 minutes this is causing an 
interruption of service when it occurs.

Has anyone else seen similar events? I have opened a TAC case to assist.

Thanks

TJ McClintic


UTHealth | The University of Texas Health Science Center at Houston
Houston’s Health University

Communications Technology | Network Operations
7000 Fannin | Suite M60 | Houston, TX  77030
713.486.9269 netops | 713.486.2271 office



RE: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-21 Thread Nick Rauer
We just wrapped up a week's worth of troubleshooting with Aruba TAC and a group 
of Aruba developers to troubleshoot a similar issue. They ultimately 
recommended we disable blacklisting clients for “Arp Spoof”. They did not 
correlate the issue related to the iOS update, though. I still have the case 
open, and will pass along the message. We are also seeing users complaining of 
their Windows 10 devices intermittently not connecting to an SSID after waking 
from sleep mode. We are still investigating that issue.

 

We have an MM/MC dual 7220 Cluster running 8.5.0.9 / AP300,AP500 series 
Deployed.

 

Thanks,

Nick Rauer

Manager of Networking and Telecommunications 

Wheaton College – Massachusetts

 

 

From: The EDUCAUSE Wireless Issues Community Group Listserv 
[mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Michael Hulko
Sent: Monday, September 21, 2020 1:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers

 

Yup.. we had to disable the “Arp Spoof” settings in the IDS profiles.  We have 
other irons in the fire so we are not able to do much to investigate this issue 
at this time.

 

M

 

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu> on behalf of "McClintic, Thomas" <thomas.mcclin...@uth.tmc.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu>
Date: Friday, September 18, 2020 at 11:46 AM
To: "WIRELESS-LAN@listserv.educause.edu" <WIRELESS-LAN@listserv.educause.edu>
Subject: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

 

We have begun seeing an impact with iOS 14 on our various SSIDs with ARP 
Spoofing events. We had not seen an event this year until July 9th (the date 
beta was released). There has been a large increase since the 16th of the 
events. 

 

The events seem to occur randomly as we are starting to troubleshoot. They 
still occur even when clients disable the privacy setting for the network. 

 

Since our blacklist interval is set to 30 minutes this is causing an 
interruption of service when it occurs. 

 

Has anyone else seen similar events? I have opened a TAC case to assist. 

 

Thanks 

 

TJ McClintic



UTHealth | The University of Texas Health Science Center at Houston

Houston’s Health University 


Communications Technology | Network Operations

7000 Fannin | Suite M60 | Houston, TX  77030

713.486.9269 netops | 713.486.2271 office

 



RE: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-21 Thread McClintic, Thomas
Yes, we have disabled it for now. No real easy way to troubleshoot since it is 
global. I tried to capture it occurring, but wasn’t able. Logs don’t tell you 
much at all. With more people upgrading; the impact increases and it’s not 
worth leaving on for now.

Hopefully Aruba identifies the reason and can provide resolution.

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 On Behalf Of Michael Hulko
Sent: Monday, September 21, 2020 12:10 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba 
Controllers


Yup.. we had to disable the “Arp Spoof” settings in the IDS profiles.  We have 
other irons in the fire so we are not able to do much to investigate this issue 
at this time.

M

From: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu> on behalf of "McClintic, Thomas" <thomas.mcclin...@uth.tmc.edu>
Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <WIRELESS-LAN@listserv.educause.edu>
Date: Friday, September 18, 2020 at 11:46 AM
To: "WIRELESS-LAN@listserv.educause.edu" <WIRELESS-LAN@listserv.educause.edu>
Subject: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

We have begun seeing an impact with iOS 14 on our various SSIDs with ARP 
Spoofing events. We had not seen an event this year until July 9th (the date 
beta was released). There has been a large increase since the 16th of the 
events.

The events seem to occur randomly as we are starting to troubleshoot. They 
still occur even when clients disable the privacy setting for the network.

Since our blacklist interval is set to 30 minutes this is causing an 
interruption of service when it occurs.

Has anyone else seen similar events? I have opened a TAC case to assist.

Thanks

TJ McClintic

UTHealth | The University of Texas Health Science Center at Houston
Houston’s Health University

Communications Technology | Network Operations
7000 Fannin | Suite M60 | Houston, TX  77030
713.486.9269 netops | 713.486.2271 office




Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

2020-09-21 Thread Michael Hulko
Yup.. we had to disable the “Arp Spoof” settings in the IDS profiles.  We have 
other irons in the fire so we are not able to do much to investigate this issue 
at this time.

M

From: The EDUCAUSE Wireless Issues Community Group Listserv 
 on behalf of "McClintic, Thomas" 

Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv 

Date: Friday, September 18, 2020 at 11:46 AM
To: "WIRELESS-LAN@listserv.educause.edu" 
Subject: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers

We have begun seeing an impact with iOS 14 on our various SSIDs with ARP 
Spoofing events. We had not seen an event this year until July 9th (the date 
beta was released). There has been a large increase since the 16th of the 
events.

The events seem to occur randomly as we are starting to troubleshoot. They 
still occur even when clients disable the privacy setting for the network.

Since our blacklist interval is set to 30 minutes this is causing an 
interruption of service when it occurs.

Has anyone else seen similar events? I have opened a TAC case to assist.

Thanks

TJ McClintic


UTHealth | The University of Texas Health Science Center at Houston
Houston’s Health University

Communications Technology | Network Operations
7000 Fannin | Suite M60 | Houston, TX  77030
713.486.9269 netops | 713.486.2271 office

