Hi Frederik,
to my knowledge it should be possible to remove the controller interface in the guest VLAN completely. You just need to make sure that at least one interface of the controller is reachable using the firewall. This will at least solve the MAC spoofing issue.
BR
Florian
------------------------------
-------------------------------------------------------------------------------
Florian Baaske
-------------------------------------------------------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
-------------------------------------------------------------------------------
Also visit the AirHeads Youtube Channel:
https://www.youtube.com/channel/UCFJCnuXFGfEbwEzfcgU_ERQ
-------------------------------------------------------------------------------
Feel free to visit my personal Blog
https://www.flomain.de
------------------------------
Original Message:
Sent: May 23, 2022 02:59 PM
From: FreddyG
Subject: MAC Spoofing Guest Network
Hi all,
I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC address of the controller? Since the controller has an IP address in the guest subnet (for captive portal redirect), a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).
Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect
Is there any chance to achieve this? Is there a feature which I haven't read about / found yet?
Thanks for your help!
------------------------------
Frederik
------------------------------