09-19-2013 10:52 AM
I'm noticing several devices that are in a logon role under my captive portal guest wireless network. They are showing 192.168.10.x addresses, but I only have 192.168.64.x/22 assigned to CP-DHCP. These are not statically IP'ed devices, but it seems like an iPhone is connecting to my guest portal and acting as a hotspot, then issuing its own variant of DHCP for devices associating with the hotspot device.
Has anyone else witnessed this, and is there a means of blocking this capability (hotspot in the middle)? They're not getting on my guest because they don't have the passphrase and auth credentials, but my valid guest clients are also hitting the hotspot (if this is even the case). I don't want to do a preferred AP setup on guests so they only connect to my Aruba APs, but I was wondering if anyone else has witnessed such an event and what actions you took to mitigate it?
09-19-2013 04:21 PM
In the captive portal login role, you can create and add a policy to the top of the list to DENY UDP port 68 packets, which are DHCP reply packets. If you have a rogue DHCP server, this line will prevent IP addresses from being handed out.
The syntax would be:
ip access-list session prevent-rogue-dhcp-server
    user any udp 68 deny
access-list session prevent-rogue-dhcp-server
access-list session logon-control
access-list session captiveportal
Consulting Systems Engineer - ACCX, ACDX, ACMX
If you found my post helpful, please give kudos
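As an added illustration of what the ACL above blocks (not code from the thread or from Aruba), the following parses DHCP server replies, the UDP port 68 traffic, and flags any offer that is not from the expected CP-DHCP scope. The legitimate server address and the sample packets are constructed assumptions.

```python
# Added example, not from the thread: parse DHCP server replies (the UDP/68
# traffic the ACL above denies) and flag offers from anything other than the
# CP-DHCP scope the poster expects. Server address and packets are constructed.
import ipaddress

EXPECTED_SCOPE = ipaddress.ip_network("192.168.64.0/22")
ALLOWED_SERVERS = {"192.168.64.1"}   # assumed address of the legitimate server
BOOTREPLY = 2                        # BOOTP op code for server -> client
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options

def parse_dhcp_reply(payload: bytes):
    """Return (yiaddr, server_id) for a BOOTREPLY with a DHCP cookie, else None."""
    if len(payload) < 240 or payload[0] != BOOTREPLY or payload[236:240] != MAGIC_COOKIE:
        return None
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))   # address being offered
    server_id, i = None, 240
    while i < len(payload):
        tag = payload[i]
        if tag == 255:          # end-of-options marker
            break
        if tag == 0:            # pad byte has no length field
            i += 1
            continue
        length = payload[i + 1]
        if tag == 54 and length == 4:   # option 54: server identifier
            server_id = str(ipaddress.IPv4Address(payload[i + 2:i + 6]))
        i += 2 + length
    return yiaddr, server_id

def is_rogue_offer(payload: bytes) -> bool:
    """True when the offered address or the answering server is not the expected guest DHCP."""
    parsed = parse_dhcp_reply(payload)
    if parsed is None:
        return False
    yiaddr, server_id = parsed
    return (ipaddress.ip_address(yiaddr) not in EXPECTED_SCOPE
            or server_id not in ALLOWED_SERVERS)

def build_reply(yiaddr: str, server_id: str) -> bytes:
    """Construct a minimal DHCPOFFER for testing (sample data, not a capture)."""
    fixed = bytearray(236)
    fixed[0], fixed[1], fixed[2] = BOOTREPLY, 1, 6   # op, htype=ethernet, hlen=6
    fixed[16:20] = ipaddress.IPv4Address(yiaddr).packed
    options = (b"\x35\x01\x02"                        # option 53: message type OFFER
               + b"\x36\x04" + ipaddress.IPv4Address(server_id).packed
               + b"\xff")
    return bytes(fixed) + MAGIC_COOKIE + options

LEGIT = build_reply("192.168.65.20", "192.168.64.1")   # constructed: real guest scope
ROGUE = build_reply("192.168.10.5", "192.168.10.1")    # constructed: phone hotspot
```

Run over a capture of port 68 traffic on the guest VLAN, a hit from `is_rogue_offer` identifies the hotspot device as the source before or after the deny rule is in place.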
01-14-2014 10:39 AM
DOH "I'Phoned" to You!