How to prevent users with static IP Address from passing traffic when connected to an SSID?
This article applies to all controller models and AOS versions 5.0 and higher
At times we may need to block clients that use a static IP address from passing traffic when connected to an SSID. A typical example is an environment where a DHCP-based NAC is integrated with the Aruba wireless solution. In this scenario the client obtains its IP address from the DHCP server, but before the address is handed out the NAC checks the client for compliance (for example, whether the required patches are installed). If the client passes the compliance check it receives a proper IP address; if it fails it receives an address on a different (quarantine) network. A client that configures a static IP address never goes through this exchange and so bypasses the check entirely.
The controller has a feature that restricts clients with a static IP assignment from passing traffic when connected to an SSID. It is a simple change to how the controller adds users to the user table and creates entries for them in the Datapath module.
Enable the Enforce DHCP parameter in the AP group’s AAA profile.
A copy of the DHCP ACK is sent from the Datapath module to the Auth module. The Auth module then records the IP address that the DHCP server assigned to this client. When a user that the datapath does not know about sends an IP packet in the upstream direction, this results in a user miss and a call into auth. At this point auth checks whether the source IP address of the incoming frame matches the IP address assigned to that client by a DHCP server. If it does, a new user entry is created and the policies associated with the user's role determine how future packets are handled. If the source IP address does not match one assigned by a DHCP server, no user entry is created and the current packet is dropped.
This catches two scenarios: one where a client never completes a successful DHCP exchange and uses a static IP address instead, and another where a successful DHCP exchange was seen but the client has since changed its IP address to one that no DHCP server assigned to it.
NOTE: If a client is removed from the user table by the "Logon user lifetime" AAA timer, that client will not be able to send traffic until it renews its DHCP lease.
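The following is an added illustration and is not controller code: a small Python model of the Auth module behaviour described above (DHCP ACK recorded per client, user-miss check on the first upstream packet, and the Logon user lifetime note). The MAC and IP addresses are constructed, the "forward"/"drop" decisions stand in for the datapath's actions, and the model assumes that aging out a client also discards its learned DHCP address, which is what the NOTE implies. Running the scenarios with `enforce_dhcp=False` shows the default behaviour, where a static client is simply admitted.

```python
from dataclasses import dataclass, field


@dataclass
class EnforceDhcpAuth:
    """Toy model of the controller's auth module, with or without Enforce DHCP."""
    enforce_dhcp: bool = True
    dhcp_assigned: dict = field(default_factory=dict)  # mac -> ip learned from a DHCP ACK
    user_table: dict = field(default_factory=dict)     # (mac, ip) -> role

    def on_dhcp_ack(self, mac: str, ip: str) -> None:
        # Datapath copies the DHCP ACK to auth; auth records the assigned address.
        self.dhcp_assigned[mac] = ip

    def upstream_packet(self, mac: str, src_ip: str, role: str = "authenticated") -> str:
        """Decision for an upstream IP packet: 'forward' or 'drop'."""
        key = (mac, src_ip)
        if key in self.user_table:
            return "forward"  # known user: the role's policies decide (not modelled here)
        # User miss: datapath calls into auth with the source address.
        if self.enforce_dhcp and self.dhcp_assigned.get(mac) != src_ip:
            return "drop"  # no user entry is created, packet is dropped
        self.user_table[key] = role
        return "forward"

    def logon_lifetime_expired(self, mac: str) -> None:
        # The Logon user lifetime timer removes the user entry. Per the NOTE the
        # client must renew DHCP before it can pass traffic again, so the learned
        # address is forgotten as well (assumption of this model).
        self.user_table = {k: v for k, v in self.user_table.items() if k[0] != mac}
        self.dhcp_assigned.pop(mac, None)


def run_scenarios(enforce: bool) -> dict:
    """Replay the cases from the text and return the decision for each one."""
    auth = EnforceDhcpAuth(enforce_dhcp=enforce)
    out = {}
    # 1. Static IP, no DHCP exchange ever seen for this client (constructed addresses).
    out["static_ip"] = auth.upstream_packet("aa:bb:cc:00:00:01", "10.0.0.50")
    # 2. Successful DHCP exchange, then traffic from the assigned address.
    auth.on_dhcp_ack("aa:bb:cc:00:00:02", "10.0.0.120")
    out["dhcp_then_ok"] = auth.upstream_packet("aa:bb:cc:00:00:02", "10.0.0.120")
    # 3. Same client later changes its address to one no DHCP server assigned.
    out["dhcp_then_changed"] = auth.upstream_packet("aa:bb:cc:00:00:02", "10.0.0.7")
    # 4. Client aged out by Logon user lifetime, sends traffic before renewing.
    auth.logon_lifetime_expired("aa:bb:cc:00:00:02")
    out["after_age_out"] = auth.upstream_packet("aa:bb:cc:00:00:02", "10.0.0.120")
    # 5. ...and after the DHCP renewal is seen.
    auth.on_dhcp_ack("aa:bb:cc:00:00:02", "10.0.0.120")
    out["after_renew"] = auth.upstream_packet("aa:bb:cc:00:00:02", "10.0.0.120")
    return out


if __name__ == "__main__":
    for enforce in (False, True):
        print(f"enforce_dhcp={enforce}: {run_scenarios(enforce)}")
```

With Enforce DHCP on, only the packets whose source address matches the recorded DHCP assignment get a user entry; the static client, the client that changed its address, and the aged-out client are all dropped until a DHCP ACK for that address is seen. With it off, every first packet creates a user entry and all five cases are forwarded.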