Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

How to prevent bridge connection by guest's router device?

  • 1.  How to prevent bridge connection by guest's router device?

    Posted Nov 19, 2013 01:16 AM

    Dear,

    I have a question on how to prevent guest terminal devices (smartphones, laptops, etc.) from connecting to the network by bridging through their own wireless router device.

    I noted the stateful firewall of Aruba Controller 650 has relevant functions:

    1. Deny Inter User Bridging

    2. Deny Source Routing

    My situation is:

    1. Terminal device connects directly to Aruba-AP --> authenticated by ClearPass guest portal 6.2 --> only the terminal device can connect to the Internet.

    2. Terminal device connects to Aruba-AP via their own wireless router --> authenticated by ClearPass guest portal 6.2 --> all devices connected to the guest-side wireless router can connect to the Internet directly (even a new terminal device, with no further authentication).

    => That's because all terminal devices are under NAT conversion via the guest-side wireless router connecting to Aruba-AP.

    (And the MAC of the guest-side router has been authenticated to the Internet by ClearPass.)




  • 2.  RE: How to prevent bridge connection by guest's router device?
    Best Answer

    Posted Nov 19, 2013 08:16 AM

    The features you mention won't achieve this, I'm afraid.

    In order to achieve what you're looking at, I'd recommend using features of the RF Protect licenses.

    Specifically, you'd want to then look at enabling features in the IDS Unauthorized Device profile. See the below screenshot for examples. There's lots of options, and you'd need to read up on them. Protecting against ad-hoc and Windows bridges would be a great start!!!

    ids.png



  • 3.  RE: How to prevent bridge connection by guest's router device?

    Posted Nov 21, 2013 08:11 PM

    Dear Jake Cornford,

     

    I understand this situation now. Thank you for your kind answer.