The AOS Wireless Intrusion Prevention System (WIP) in an AOS-8 architecture (Mobility Controllers or Mobility Master) is designed to detect and mitigate wireless threats, such as rogue APs and unauthorized clients. WIP classifies clients and APs based on their behavior and status in the network.
Authorized Client Definition: In the context of WIP, an "Authorized" client is one that has successfully authenticated to an authorized AP (an AP managed by the MC and part of the company’s network) and is actively passing encrypted traffic. This typically means the client has completed 802.1X authentication (e.g., in a WPA3-Enterprise network) or PSK authentication (e.g., in a WPA3-Personal network) and is communicating securely with the AP.
Option D, "A client that has successfully authenticated to an authorized AP and passed encrypted traffic," is correct. This matches the WIP definition of an Authorized client: the client must authenticate to an AP that is classified as "Authorized" (i.e., part of the company’s network) and must be passing encrypted traffic, indicating a secure connection (e.g., using WPA3 encryption).
Option A, "A client that is on the WIP whitelist," is incorrect. WIP does not use a client whitelist for classification. The AP whitelist is used to authorize APs, not clients. Client classification (e.g., Authorized, Interfering) is based on their authentication status and connection to authorized APs.
Option B, "A client that has a certificate issued by a trusted Certification Authority (CA)," is incorrect. While a certificate might be used for 802.1X authentication (e.g., EAP-TLS), WIP does not classify clients as Authorized based on their certificate status. The classification depends on successful authentication to an authorized AP and encrypted traffic.
Option C, "A client that is NOT on the WIP blacklist," is incorrect. WIP does use blacklisting (e.g., for clients that violate security policies), but being "not on the blacklist" does not make a client Authorized. A client must actively authenticate to an authorized AP and pass encrypted traffic to be classified as Authorized.
The HPE Aruba Networking AOS-8 8.11 User Guide states:
"In the Wireless Intrusion Prevention (WIP) system, an ‘Authorized’ client is defined as a client that has successfully authenticated to an authorized AP and is passing encrypted traffic. An authorized AP is one that is managed by the Mobility Controller and part of the company’s network. For example, a client that completes 802.1X authentication to an authorized AP using WPA3-Enterprise and sends encrypted traffic is classified as Authorized." (Page 414, WIP Client Classification Section)
Additionally, the HPE Aruba Networking Security Guide notes:
"WIP classifies clients as ‘Authorized’ if they have authenticated to an authorized AP and are passing encrypted traffic, indicating a secure connection. Clients that are not authenticated or are connected to rogue or neighbor APs are classified as ‘Interfering’ or other categories, depending on their behavior." (Page 78, WIP Classifications Section)
[References:, HPE Aruba Networking AOS-8 8.11 User Guide, WIP Client Classification Section, Page 414., HPE Aruba Networking Security Guide, WIP Classifications Section, Page 78., ]
