Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

IP Spoofing and found Duplicate IP address

  • 1.  IP Spoofing and found Duplicate IP address

    Posted May 30, 2014 06:33 AM

    Scenario

    -----------

    There is VLAN 5, which is 172.16.0.0/24, and a guest SSID VLAN, 192.168.5.0/24. When a guest connects to this guest VLAN, it uses the iPhone tethering service and adds it as a hotspot. Inside VLAN 5 there is one server with a static IP assigned, 172.16.0.3. When this iPhone enables tethering, the connected device gets the 172.16.0.3 IP and causes IP spoofing, making the static IP stop working because of the duplicate IP address.

    The wireless LAN controller is a 4302.

    How do I solve this problem, preventing those who need to bring in their own device from tethering to share it?

    Or is it a bug, as the firewall has the IP spoofing check enabled?

     

    Thanks all



  • 2.  RE: IP Spoofing and found Duplicate IP address

    Posted May 30, 2014 02:08 PM

    You can use the validuser ACL to control which IPs are added to the user table for your guest network.  For instance, you would only allow network 192.168.5.0/24.  Any other IPs that show up on the guest network would not be entered into the user table, and thus would not have any connectivity.

    Go here and use your browser's search function (Ctrl+F) to find "validuser".  You'll see an explanation of the ACL and how to configure it.



  • 3.  RE: IP Spoofing and found Duplicate IP address

    Posted May 31, 2014 10:30 PM
    Hi thecompnerd, I read the validuser topic. So can I say that the wireless clients can be prevented from getting the wired subnets, as all the different SSIDs fall under 172.16.0.0 and wired falls under 192.168.0.0? By doing this ACL, will the illegal IP no longer be injected on the wireless clients that got the wired subnet address and are causing the IP spoofing?


  • 4.  RE: IP Spoofing and found Duplicate IP address

    Posted May 31, 2014 11:48 PM

    Utilizing the validuser ACL will prevent your wireless guests from being able to use any IP other than 192.168.5.X.  If any other subnet IP is in use, the client will not be placed in the user table, and will be unable to pass traffic.  So setup your validuser ACL so that 192.168.5.0/24 is permitted.  Don't allow anything else.



  • 5.  RE: IP Spoofing and found Duplicate IP address

    Posted Jun 01, 2014 01:27 AM
    So if I have several SSIDs that have different subnets, for example in this case:

    172.16.1.0 for the guest SSID
    172.16.2.0 for the employee SSID
    192.168.5.5 for the wired network

    In this case, how do I apply the ACL that prevents the guest from getting the wired network?
    Any example? I am not very sure, as I have multiple SSIDs under 172.16.0.0, but only this guest SSID, 172.16.1.0, gets an IP of the wired network, which causes the IP spoofing.

    Once again, thanks compnerd


  • 6.  RE: IP Spoofing and found Duplicate IP address

    Posted Jun 01, 2014 11:37 PM

    I am confused.  I thought 192.168.5.0/24 was the guest network?  If your guest and employee SSIDs are 172.16.1.0/24 and 172.16.2.0/24, but not 192.168.5.0/24, then do the following:

    ip access-list session validuser
      network 172.16.1.0 255.255.255.0 any any permit
      network 172.16.2.0 255.255.255.0 any any permit

    That will only allow those IP ranges on your WiFi.  If a client connects with anything other than a 172.16.1.X or 172.16.2.X address, the client will not be able to pass traffic.

    Alternatively, you can block your wired range instead:

    ip access-list session validuser
      network 192.168.5.0 255.255.255.0 any any deny

    Either way is fine.



  • 7.  RE: IP Spoofing and found Duplicate IP address

    Posted Jun 02, 2014 06:03 AM

    Hi thecompnerd,

     

    I have already applied this on the ACL tied to the guest SSID, but there is still IP snatching, generating duplicate IPs and making the server not able to work.

    Any other remedy?



  • 8.  RE: IP Spoofing and found Duplicate IP address

    EMPLOYEE
    Posted Jun 02, 2014 06:59 AM

    jmart537,

     

    In the AAA profile, try enabling "Enforce-DHCP".:  http://www.arubanetworks.com/techdocs/ArubaOS_63_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/1CommandList/aaa_profile.htm

     

    Devices for which the controller cannot "see" DHCP traffic will not be able to enter the user table after enabling this on the AAA profile for that Virtual AP.



  • 9.  RE: IP Spoofing and found Duplicate IP address

    Posted Jun 02, 2014 07:10 AM
    Hi thecompnerd, those SSID VLANs get their IPs via IP helper, so will this be valid, or will it likely cause a problem? They are getting IPs from an external DHCP server.


  • 10.  RE: IP Spoofing and found Duplicate IP address

    Posted Jun 02, 2014 10:56 AM
    Hi cioseoh, I am using an external DHCP server. Will using this Enforce DHCP cause a problem?


  • 11.  RE: IP Spoofing and found Duplicate IP address

    EMPLOYEE
    Posted Jun 02, 2014 12:04 PM

    jmart537,

     

    Do your users connect to the WiFi, and then tether devices to the device that is connected via WiFi?



  • 12.  RE: IP Spoofing and found Duplicate IP address

    Posted Jun 02, 2014 07:01 PM
    Cioseoh, I am not very sure, because when I try to simulate it by connecting to the guest SSID and then tethering, it does not allow my mobile phone to do that, unless my 3G or 4G is enabled and the wireless connection to the guest SSID is disconnected.

    Can you please advise?


  • 13.  RE: IP Spoofing and found Duplicate IP address

    Posted Jun 05, 2014 01:28 AM
    Any more comments?


  • 14.  RE: IP Spoofing and found Duplicate IP address

    EMPLOYEE
    Posted Jun 05, 2014 03:59 AM

    jmart537,

     

    I do not understand what is happening, so I cannot comment.



  • 15.  RE: IP Spoofing and found Duplicate IP address

    Posted Jun 05, 2014 04:19 AM
    Hi cioseoh,

    Scenario

    There are a few SSIDs connected to the WLC 4302. One of the guest SSID clients is getting the same IP as a wired server, which causes IP spoofing. This server is not able to work as normal.

    I have used the recommendation and applied validuser to permit only the allowed subnet on the SSID.

    This WLC is not a DHCP server. All SSIDs get IPs from an external DHCP server. When I apply validuser it is still not working.

    I am eager to find out how to do a permanent remedy.

    My current temporary solution to avoid it is to keep adding the MAC address to the block list.


  • 16.  RE: IP Spoofing and found Duplicate IP address

    EMPLOYEE
    Posted Jun 05, 2014 04:23 AM

    jmart537,

     

    You should try "Enforce DHCP".  It will only allow the client to obtain an IP address that is distributed by your DHCP server.

    Yes, it will work for a DHCP server that is external to your WLC.  It just blocks static IP addresses.
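The two controls discussed in this thread, the validuser ACL (post 6) and Enforce DHCP on the AAA profile (posts 8 and 16), both gate whether a wireless client gets a user-table entry at all. The following added example models that admission decision so the behaviour can be checked against the thread's addresses; it is illustrative code written for this page, not ArubaOS code or anything from the posters. It assumes ArubaOS session-ACL semantics (rules evaluated top-down, first match wins, no match means deny) and a controller that learns a client's address from the DHCP ACK it forwards. The MAC addresses, lease, and `UserTableGate` class are constructed for the example.

```python
"""Model of the controller's user-table admission: validuser ACL first, then
(optionally) the Enforce DHCP check. Illustrative only, not ArubaOS code."""

import ipaddress
from dataclasses import dataclass, field

# Constructed sample config in the shape of the validuser ACL from post 6:
# only the two wireless subnets are permitted; everything else falls to
# the implicit deny at the end of the ACL.
ACL_GUEST = """
ip access-list session validuser
  network 172.16.1.0 255.255.255.0 any any permit
  network 172.16.2.0 255.255.255.0 any any permit
"""

# Constructed: the deny-only alternative from post 6, kept to show what
# happens when no permit rule follows the deny.
ACL_DENY_WIRED_ONLY = """
ip access-list session validuser
  network 192.168.5.0 255.255.255.0 any any deny
"""


@dataclass
class Rule:
    network: ipaddress.IPv4Network
    action: str  # "permit" or "deny"


def parse_validuser_acl(text):
    """Parse 'network A.B.C.D MASK any any permit|deny', 'host A.B.C.D any any X'
    and 'any any any X' lines; the 'ip access-list ...' header is skipped."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts[:1] == ["network"] and len(parts) == 6:
            net = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
            action = parts[5]
        elif parts[:1] == ["host"] and len(parts) == 5:
            net = ipaddress.IPv4Network(f"{parts[1]}/32")
            action = parts[4]
        elif parts[:1] == ["any"] and len(parts) == 4:
            net = ipaddress.IPv4Network("0.0.0.0/0")
            action = parts[3]
        else:
            continue  # header, blank line, or a rule shape this model ignores
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action in rule: {raw!r}")
        rules.append(Rule(net, action))
    return rules


def validuser_permits(rules, src_ip):
    """First matching rule wins; a source address matching no rule is denied."""
    ip = ipaddress.IPv4Address(src_ip)
    for rule in rules:
        if ip in rule.network:
            return rule.action == "permit"
    return False


@dataclass
class UserTableGate:
    """Hypothetical stand-in for the controller's user-table admission logic."""
    rules: list
    enforce_dhcp: bool = False
    dhcp_leases: dict = field(default_factory=dict)  # mac -> ip seen in a DHCP ACK
    user_table: dict = field(default_factory=dict)   # mac -> ip admitted

    def observe_dhcp_ack(self, mac, ip):
        self.dhcp_leases[mac.lower()] = ip

    def admit(self, mac, src_ip):
        """Return (admitted, reason) for the first frame seen from this client."""
        mac = mac.lower()
        if not validuser_permits(self.rules, src_ip):
            return False, "denied by validuser ACL"
        if self.enforce_dhcp and self.dhcp_leases.get(mac) != src_ip:
            return False, "enforce-dhcp: address was not assigned by DHCP"
        self.user_table[mac] = src_ip
        return True, "user-table entry created"


def run_scenario():
    """Constructed walk-through of the thread's case with both controls on."""
    gate = UserTableGate(parse_validuser_acl(ACL_GUEST), enforce_dhcp=True)
    # Legitimate guest: the controller saw the DHCP ACK, then traffic from that IP.
    gate.observe_dhcp_ack("aa:bb:cc:00:00:01", "172.16.1.20")
    return {
        "guest-dhcp": gate.admit("aa:bb:cc:00:00:01", "172.16.1.20"),
        # Tethered device that came up with the wired server's address (post 1).
        "tether-wired-ip": gate.admit("aa:bb:cc:00:00:02", "172.16.0.3"),
        # Static address inside the permitted guest range but never leased by DHCP:
        # passes validuser, stopped only by Enforce DHCP.
        "static-in-range": gate.admit("aa:bb:cc:00:00:03", "172.16.1.99"),
    }


if __name__ == "__main__":
    for client, (ok, why) in run_scenario().items():
        print(f"{client:16s} {'ADMIT' if ok else 'DROP ':5s} {why}")
```

Two things the model makes visible that the thread leaves implicit. First, the validuser ACL alone cannot stop a tethered client that picks an address inside the permitted wireless range, which is exactly the case Enforce DHCP covers: the controller must have forwarded a DHCP ACK for that MAC and IP pair (this also works with an external DHCP server reached through an IP helper, as post 16 says, because the controller still sees the exchange). Second, rule order matters: a validuser ACL whose only rule is a deny admits nobody under first-match-then-implicit-deny, and a deny appended after a broad `any any any permit` never matches, so verify the final rule order with `show ip access-list validuser` on the controller before relying on either variant from post 6.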