01-27-2015 12:55 PM
I'm a long time Cisco WLAN/ISE user and starting to use Aruba more and I'm currently implementing CPPM to replace old BlueSocket gateways for wired port NAC in dorms/apartments.
I'm curious if there is any feature I can look for that will help prevent or mitigate the number of wireless routers that get connected to housing ports. In our current environment with the BS Gateways, if someone connects a wireless router to the port and then connects a device to the router, they receive the captive portal, and once they log in, any devices that connect through the router have access until the session timeout is reached. This also makes it difficult to track down where the routers are installed, as looking at the MAC address on the switch port or in BS shows the first device that connected to the captive portal and I do not see a MAC address with the router's OUI.
01-27-2015 12:57 PM
It would depend on how the consumer router is plugged in. If it is connected using the WAN/Internet port, then the device will likely DHCP and behave like a router. In this case you can use ClearPass profile information to deny access to the router.
If they connect it using one of the LAN ports, it will behave more like a bridge and you'd need your wired infrastructure and NMS to detect the rogue device and shut the port down. In theory, anything plugged into this router on the other LAN ports should be put through an auth process on the upstream switch.
Tim Cappalli | Aruba ClearPass TME
@timcappalli | ACMX #367 / ACCX #480 / ACEAP / CWSP
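A small worked illustration of the two cases in the reply above, added here as an example; it is not code from the thread, from ClearPass or from Aruba. The WAN-port case is modelled as profiling the DHCP client (OUI plus DHCP vendor class, option 60) and returning deny; the LAN-port case is modelled as parsing a constructed `show mac address-table`-style dump and flagging any access port that carries more than one client MAC, which is what an upstream switch sees behind a bridging router. The OUI prefixes, the vendor-class heuristic and the sample table are assumptions constructed for this example, not real vendor assignments or ClearPass profile rules.

```python
"""Toy consumer-router detection for student-housing switch ports.

Added example, not ClearPass/Aruba code. Two checks:
  1. profile_dhcp_client(): router on its WAN port is itself the DHCP client,
     so deny it on OUI / vendor-class evidence (the ClearPass profiling idea).
  2. find_bridged_ports(): router on a LAN port bridges, so several client
     MACs appear on one access port; hand those ports to the NMS workflow.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed OUI prefixes (NOT real vendor assignments). A real deployment
# would look OUIs up in the IEEE registry or its profiler's fingerprint DB.
ROUTER_OUIS = {"00:11:22": "ExampleRouterCo", "aa:bb:cc": "HomeWiFiInc"}

# Heuristic assumption for this example: BusyBox udhcpc, common on consumer
# routers, sends a DHCP vendor class (option 60) of "udhcp <version>".
ROUTER_VENDOR_CLASS_HINTS = ("udhcp",)


def normalize_mac(mac: str) -> str:
    """Return a MAC as lowercase colon-separated octets (accepts 0011.2233.4455)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def oui(mac: str) -> str:
    """First three octets of a normalized MAC."""
    return normalize_mac(mac)[:8]


def profile_dhcp_client(mac: str, vendor_class: str = "") -> str:
    """WAN-port case: decide 'deny' or 'allow' for a single DHCP client."""
    if oui(mac) in ROUTER_OUIS:
        return "deny"
    if any(hint in vendor_class.lower() for hint in ROUTER_VENDOR_CLASS_HINTS):
        return "deny"
    return "allow"


def parse_mac_table(text: str) -> dict[str, set[str]]:
    """Parse '<vlan> <mac> <type> <port>' lines into port -> set of MACs.

    Header and separator lines (first field not numeric) are skipped.
    """
    table: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        _vlan, mac, _type, port = parts
        table[port].add(normalize_mac(mac))
    return dict(table)


def find_bridged_ports(table: dict[str, set[str]], max_hosts: int = 1) -> list[tuple[str, list[str]]]:
    """LAN-port case: ports carrying more than max_hosts MACs (one dorm jack
    should see one host). Returns (port, sorted MACs) pairs."""
    return [(port, sorted(macs))
            for port, macs in sorted(table.items())
            if len(macs) > max_hosts]


# Constructed sample output; MACs and ports are made up for the example.
SAMPLE_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    0011.2233.4455    DYNAMIC     Gi1/0/5
 100    1234.5678.9abc    DYNAMIC     Gi1/0/7
 100    1234.5678.9abd    DYNAMIC     Gi1/0/7
 100    1234.5678.9abe    DYNAMIC     Gi1/0/7
 100    aabb.ccdd.eeff    DYNAMIC     Gi1/0/9
"""

if __name__ == "__main__":
    for port, macs in find_bridged_ports(parse_mac_table(SAMPLE_MAC_TABLE)):
        print(f"{port}: {len(macs)} hosts seen, likely a router LAN port / bridge")
    # Single client whose OUI is in the (constructed) router list: deny
    print("Gi1/0/5 client:", profile_dhcp_client("0011.2233.4455", "udhcp 1.24.1"))
```

Gi1/0/7 is flagged because three MACs sit behind one jack, which is the bridging case the switch and NMS have to catch; Gi1/0/5 and Gi1/0/9 each show a single MAC whose constructed OUI is on the router list, which is the WAN-port case where the profiler can deny the client directly. Replace the constructed OUI map and the udhcp heuristic with your profiler's real fingerprint data before relying on either check.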