We initially tried that in testing with a client, the ARP Spoof was still flagged and caused a blacklist. With that theory it should only happen once after update also, which it was occurring several times a day.
From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]> On Behalf Of Tim Cappalli Sent: Monday, September 21, 2020 3:02 PM To: [email protected] Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers **** EXTERNAL EMAIL **** Asking users to disable a feature that preserves their privacy for what is really a one time event (after iOS upgrade) on your network seems very drastic and has a longer term impact. From: Cody Ensanian<mailto:[email protected]> Sent: Monday, September 21, 2020 15:59 To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers Started running into the IOS14 issue the day it released. As soon as an apple device upgraded to IOS14 they got ARP-spoof blacklisted on our Aruba controllers. Which makes sense to me: pre-upgrade its the devices real mac address/IP which is known by the controller... post-upgrade the "private address" toggle is turned on by default, so IOS generates a random mac address for any wireless network profile on the device. Now, the phone tries sending traffic with new-mac/IP combo and of course the controller now thinks its ARP spoofing. Rather than turn off ARP-spoof detection on our controllers, we are telling our users that for OUR networks, they have to disable the "private address" feature. They can leave it enabled for other networks, but not ours. During beta testing Apple said the "private address" was going to randomize daily. This has since been tested/proven to not be the case. It is randomized PER NETWORK (SSID), but will not change if you forget the network and come back. If you forget and come back, it will generate the same random mac for that network should you leave the toggle on (they must either hash it with the SSID, or the device keeps an internal table of all generated random macs and the network/SSID its meant for) Cody University of Colorado Colorado Springs From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]<mailto:[email protected]>> On Behalf Of Michael Hulko Sent: Monday, September 21, 2020 1:38 PM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers Keep the list posted as I am sure this is having an effect on others.... Oddly though, we are not seeing this in our Campus 8.6x environment. Our "Arp Spoofing" issue is with our Housing 6.5x environment. As I stated earlier, we have a number of other fires going.. Since moving to 8.6x in April on the recommendation of our SE.... 1. 8.6x GUI issues with blacklisting... the GUI reports more than what is actually happening on the controllers 2. IAP to controller tunnel challenges with clustered environment (8.6x) ... (actually, TAC did come back after 2 weeks troubleshooting and confirmed that IAP to controller tunnels will not work when controllers are clustered) 3. AP200 series APs on the 8.6x environment started randomly rebooting with "out of memory" errors 4. 7240XM controllers in the 8.6x environment having process crashes and restarts plus warnings of CPU utilization peaking over 90% 5. 'Arp Spoofing' 6. We are also detecting AP300 series reboots, but have not made any attempt to monitor or track these instances at this time. Not to mention the myriad of user complaints that we generally field Start of another school year M From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]<mailto:[email protected]>> on behalf of Nick Rauer <[email protected]<mailto:[email protected]>> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]<mailto:[email protected]>> Date: Monday, September 21, 2020 at 2:12 PM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers We just wrapped up a week's worth of troubleshooting with Aruba TAC and a group of Aruba developers to troubleshoot a similar issue. They ultimately recommended we disable blacklisting clients for "Arp Spoof". They did not correlate the issue related to the iOS update, though. I still have the case open, and will pass along the message. We are also seeing users complaining of their Windows 10 devices intermittently not connecting to an SSID after waking from sleep mode. We are still investigating that issue. We have an MM/MC dual 7220 Cluster running 8.5.0.9 / AP300,AP500 series Deployed. Thanks, Nick Rauer Manager of Networking and Telecommunications Wheaton College - Massachusetts From: The EDUCAUSE Wireless Issues Community Group Listserv [mailto:[email protected]] On Behalf Of Michael Hulko Sent: Monday, September 21, 2020 1:10 PM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers Yup.. we had to disable the "Arp Spoof" settings in the IDS profiles. We have other irons in the fire so we are not able to do much to investigate this issue at this time. M From: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]<mailto:[email protected]>> on behalf of "McClintic, Thomas" <[email protected]<mailto:[email protected]>> Reply-To: The EDUCAUSE Wireless Issues Community Group Listserv <[email protected]<mailto:[email protected]>> Date: Friday, September 18, 2020 at 11:46 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: [WIRELESS-LAN] iOS 14 Causing ARP Spoofing Events on Aruba Controllers We have begun seeing an impact with iOS 14 on our various SSIDs with ARP Spoofing events. We had not seen an event this year until July 9th (the date beta was released). There has been a large increase since the 16th of the events. The events seem to occur randomly as we are starting to troubleshoot. They still occur even when clients disable the privacy setting for the network. Since our blacklist interval is set to 30 minutes this is causing an interruption of service when it occurs. Has anyone else seen similar events? I have opened a TAC case to assist. Thanks TJ McClintic UTHealth | The University of Texas Health Science Center at Houston Houston's Health University Communications Technology | Network Operations 7000 Fannin | Suite M60 | Houston, TX 77030 713.486.9269 netops | 713.486.2271 office ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.proofpoint.com/v2/url?u=https-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.educause.edu-252Fcommunity-26data-3D02-257C01-257Ctim.cappalli-2540MICROSOFT.COM-257C38601f9a89df4dc31c3208d85e68c71c-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637363151406259049-26sdata-3D2p4QXPBnzpPDSMXNjtihSWT7n9Ia1hY8tvaS-252BGuvSHo-253D-26reserved-3D0&d=DwMF-g&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=wLdFd1ZL0ZcUbF2oBZW_IGbytKgpgr2PoVwEtmgISwA&m=UKqLChHroj5t4bf2b9v3NYYw7RPa8bx7dDp3kMs7BzY&s=KJChOjh1OH-_cLvmTqt6nO8jxMCsACmpKO7EPSTF36Y&e=> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.proofpoint.com/v2/url?u=https-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.educause.edu-252Fcommunity-26data-3D02-257C01-257Ctim.cappalli-2540MICROSOFT.COM-257C38601f9a89df4dc31c3208d85e68c71c-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637363151406259049-26sdata-3D2p4QXPBnzpPDSMXNjtihSWT7n9Ia1hY8tvaS-252BGuvSHo-253D-26reserved-3D0&d=DwMF-g&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=wLdFd1ZL0ZcUbF2oBZW_IGbytKgpgr2PoVwEtmgISwA&m=UKqLChHroj5t4bf2b9v3NYYw7RPa8bx7dDp3kMs7BzY&s=KJChOjh1OH-_cLvmTqt6nO8jxMCsACmpKO7EPSTF36Y&e=> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.proofpoint.com/v2/url?u=https-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.educause.edu-252Fcommunity-26data-3D02-257C01-257Ctim.cappalli-2540MICROSOFT.COM-257C38601f9a89df4dc31c3208d85e68c71c-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637363151406269044-26sdata-3DDU3GYLA7XVM4OgHZXqmEvea5TNxQYP3pDl90GTjD1rY-253D-26reserved-3D0&d=DwMF-g&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=wLdFd1ZL0ZcUbF2oBZW_IGbytKgpgr2PoVwEtmgISwA&m=UKqLChHroj5t4bf2b9v3NYYw7RPa8bx7dDp3kMs7BzY&s=xDJGlwQOhtbAAL-SaJlZE8Hz1zghX0Elgpv4d-U-NMw&e=> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.proofpoint.com/v2/url?u=https-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.educause.edu-252Fcommunity-26data-3D02-257C01-257Ctim.cappalli-2540MICROSOFT.COM-257C38601f9a89df4dc31c3208d85e68c71c-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637363151406269044-26sdata-3DDU3GYLA7XVM4OgHZXqmEvea5TNxQYP3pDl90GTjD1rY-253D-26reserved-3D0&d=DwMF-g&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=wLdFd1ZL0ZcUbF2oBZW_IGbytKgpgr2PoVwEtmgISwA&m=UKqLChHroj5t4bf2b9v3NYYw7RPa8bx7dDp3kMs7BzY&s=xDJGlwQOhtbAAL-SaJlZE8Hz1zghX0Elgpv4d-U-NMw&e=> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.proofpoint.com/v2/url?u=https-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.educause.edu-252Fcommunity-26data-3D02-257C01-257Ctim.cappalli-2540MICROSOFT.COM-257C38601f9a89df4dc31c3208d85e68c71c-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637363151406279036-26sdata-3DPuA6YlsINZ74OS09yHxRQvBaac13uXEtHPUIU6Imi5o-253D-26reserved-3D0&d=DwMF-g&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=wLdFd1ZL0ZcUbF2oBZW_IGbytKgpgr2PoVwEtmgISwA&m=UKqLChHroj5t4bf2b9v3NYYw7RPa8bx7dDp3kMs7BzY&s=7Pco-s8KaOFObnDFCDKJ-PxtNfGQali72c1dUKrVtXc&e=> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.educause.edu_community&d=DwMF-g&c=bKRySV-ouEg_AT-w2QWsTdd9X__KYh9Eq2fdmQDVZgw&r=wLdFd1ZL0ZcUbF2oBZW_IGbytKgpgr2PoVwEtmgISwA&m=UKqLChHroj5t4bf2b9v3NYYw7RPa8bx7dDp3kMs7BzY&s=4DNw7F3z85Yp-sbVnRevMgAaF8gbfk2zRClJgzykDAA&e=> ********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
