Please let me know if I posted in the wrong board.
Here is the scenario:
User connects to RAP, receives an IP from the controller-hosted DHCP server. Example: user IP: 192.168.1.100
Processes external captive portal
Is now on a post-authentication role.
Client appears in the user table with the controller-provided address 192.168.1.100 and another IP address.
Starting with a 25.x.y.z IP address.
When the 25.x.y.z IP entry is deleted, the client loses its connection and in turn is not able to reconnect.
We opened a TAC case for this and they suggested the following:
1. Since the users are getting an IP address from the controller's DHCP server, we can enable the ‘enforce DHCP’ option under the respective AAA profile.
a. When this option is enabled on the controller, the users will not be allowed to associate to an access point, until and unless they obtain an IP address from the DHCP. This would eliminate the static IP address entries from being shown on the user-table.
b. However, make sure that when you delete the user from the user-table, that particular client will not be able to send traffic until it renews the IP address from the DHCP server.
2. The ‘Prohibit ARP spoofing’ option present on the firewall could also be enabled on the controller; this would detect possible ARP spoofing attacks. However, this change is global and would affect all the users on the controller, unlike the previous option.
A few things that I would like to know:
1. Why is the user getting 2 IP addresses, where the 2nd IP is not from any subnet that we know of?
2. Are the settings above enough? What impact does it have?
Since we host multiple customers on this 1 controller, some settings are globally applied, like 'Prohibit ARP Spoofing'.
Thanks,
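Before turning on ‘enforce DHCP’ per AAA profile (which drops user-table entries whose address did not come from DHCP), it helps to know how many entries on a shared controller would be affected and which tenant they belong to. The script below is an added example, not part of the post above and not Aruba or TAC tooling: it parses a constructed user-table listing (the column layout is an assumption for this example, not real ArubaOS output), checks each entry's IP against the DHCP scopes you know the controller hands out per customer, and reports entries that fall outside every known scope or MACs that carry more than one IP, which is exactly the 192.168.1.100 plus 25.x.y.z pattern described in the post. The scope names and sample rows are constructed.

```python
import ipaddress
import re

# Constructed sample of a user-table dump. The column layout is an
# assumption made for this example; adapt the regex to the real output.
SAMPLE_USER_TABLE = """\
IP              MAC                Role              Age(d:h:m)  Auth
--------------- ------------------ ----------------- ----------- ----
192.168.1.100   00:11:22:33:44:55  cp-authenticated  00:00:12    cp
25.1.2.3        00:11:22:33:44:55  cp-authenticated  00:00:12    cp
192.168.1.101   00:11:22:33:44:66  cp-logon          00:00:01
192.168.2.50    00:11:22:33:44:77  cp-authenticated  00:01:40    cp
"""

# Controller-hosted DHCP scopes per customer (constructed for the example).
KNOWN_SCOPES = {
    "customer-a": ipaddress.ip_network("192.168.1.0/24"),
    "customer-b": ipaddress.ip_network("192.168.2.0/24"),
}

# One data row: IP, MAC (17-char colon form), role. Header and dashed
# separator lines do not match because the second column is not a MAC.
ENTRY_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)", re.IGNORECASE)


def parse_user_table(text):
    """Return a list of {ip, mac, role} dicts for each parsable row."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ip_str, mac, role = m.groups()
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            continue  # not an address; skip the row rather than guess
        entries.append({"ip": ip, "mac": mac.lower(), "role": role})
    return entries


def scope_for(ip):
    """Name of the known DHCP scope containing ip, or None if it is in none."""
    addr = ipaddress.ip_address(str(ip))
    for name, net in KNOWN_SCOPES.items():
        if addr in net:
            return name
    return None


def find_suspicious(entries):
    """Return (mac, ip_or_ips, reason) tuples.

    Two checks: an IP outside every scope the controller's DHCP server owns
    (a static or spoofed address that 'enforce DHCP' would refuse), and a MAC
    that appears with more than one IP (the duplicate-entry symptom).
    """
    by_mac = {}
    for e in entries:
        by_mac.setdefault(e["mac"], []).append(e)

    findings = []
    for mac, rows in by_mac.items():
        for e in rows:
            if scope_for(e["ip"]) is None:
                findings.append((mac, str(e["ip"]), "ip-outside-known-dhcp-scopes"))
        if len(rows) > 1:
            ips = ",".join(str(e["ip"]) for e in rows)
            findings.append((mac, ips, "multiple-ips-for-mac"))
    return findings


if __name__ == "__main__":
    for mac, ips, reason in find_suspicious(parse_user_table(SAMPLE_USER_TABLE)):
        print(f"{mac}  {ips:<32} {reason}")
```

Run against a real dump, a hit on the first check is a candidate for the per-profile ‘enforce DHCP’ change (scoped to one tenant), while the global ‘Prohibit ARP spoofing’ option is only needed if the second IP is being claimed by a different MAC than the one DHCP served.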