Wireless Access

hello we got a client that he is reporting that in the captive portal he can do an ip scan  and he can see devices that are connected to that network(the guest wifi is on their network, is not a guest wifi on the controller) I suggested them to have it on the controller but they said they didnt want to do taht as they will loose visibility in their firewall of those users...

I activated deny interuser traffic(with this they can no longer see other wifi users on the ip scanners)

on the firewall rule i used a rule which said

user deny guest network any port 

Still witht that they can see the other devices(they got a printer and other things they dont want to see in the ip scanner)

also i activate deny broadcast on the ssid and i still see them

Is there any way to block this ? so they cannot seee it on the ip scanner??

Cheers

Carlos

If you have an unencrypted network, you can see everything passively.  You don't even need to scan.  That is the drawback of having an unencrypted network.  That is always why most reputable guest networks have a disclaimer that says that everyone can see what they are doing, so users should only use SSL-encrypted networks, a personal firewall and a VPN to prevent that from happening.

It is pretty much impossible to protect the content of an unencrypted guest network from other users.

Hello Collin

Do you mean that i can see everything passively because all that traffic is layer 2? and the aps, wireless controller are acting like a switch ?

or i did missunderstood that?

I m able to block the packets going to another wifi device because it doess has to pass trhough te firewall on the controller? right?

Just trying to understand this correctly.

Cheers

Carlos

i did re read your message and i got what you mean thanks collin

Cheers

Carlos