DHCP Enforcement on IAP
Requirement:

How to block traffic for IAP clients that do not obtain IP address from DHCP

(This article is applicable only for IAP's running on 6.4.3.4-4.2.1.0 code & later)



Solution:

Enable "enforce-dhcp" parameter in the SSID  --> This would ensure that the traffic for IAP clients that do not obtain IP address from DHCP is blocked. The device may get connected and show up under "show clients". However, the user will not be able to even ping its gateway.



Configuration:

WebUI

Edit the SSID--> Goto Security --> Enable "enforce dhcp" --> Click on Next and Finish

 

 

CLI

18:64:72:c9:c4:9c (config) # wlan ssid-profile <ssid-name>

18:64:72:c9:c4:9c (SSID Profile "<ssid-name") # enforce-dhcp

18:64:72:c9:c4:9c# commit apply



Verification

Check the running-config for the specific SSID

wlan ssid-profile <ssid-profile>
 enable
 index 3
 type employee
 essid test
 opmode opensystem
 max-authentication-failures 0
 rf-band all
 captive-portal disable
 dtim-period 1
 broadcast-filter none
 enforce-dhcp
 dmo-channel-utilization-threshold 90
 local-probe-req-thresh 0
 max-clients-threshold 64

Version History
Revision #:
2 of 2
Last update:
‎03-08-2016 01:16 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.