Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM and routers on wired ports

  • 1.  CPPM and routers on wired ports

    Posted Jan 27, 2015 03:55 PM

    Hello,
    I'm a long-time Cisco WLAN/ISE user and starting to use Aruba more, and I'm currently implementing CPPM to replace old BlueSocket gateways for wired port NAC in dorms/apartments.

    I'm curious if there is any feature I can look for that will help prevent or mitigate the number of wireless routers that get connected to housing ports. In our current environment with the BS Gateways, if someone connects a wireless router to the port and then connects a device to the router, they receive the captive portal, and once they log in, any devices that connect through the router have access until the session timeout is reached. This also makes it difficult to track down where the routers are installed, as looking at the MAC address of the switch port or in BS shows the first devices that connected to the captive portal, and I do not see a MAC address with the router's OUI.

    Thanks,
    Kyle



  • 2.  RE: CPPM and routers on wired ports

    EMPLOYEE
    Posted Jan 27, 2015 03:58 PM

    It would depend on how the consumer router is plugged in. If it is connected using the WAN/Internet port, then the device will likely DHCP and behave like a router. In this case you can use ClearPass profile information to deny access to the router.

     

    If they connect it using one of the LAN ports, it will behave more like a bridge and you'd need your wired infrastructure and NMS to detect the rogue device and shut the port down. In theory, anything plugged into this router on the other LAN ports should be put through an auth process on the upstream switch.
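
A check for the bridged (LAN-port) case described in the reply above, as an added example that is not part of the original thread and not ClearPass or switch vendor code: it audits a switch MAC address table for access ports that have learned more than one MAC or a MAC on an OUI watch list. The table layout, port names, MAC addresses, the `ROUTER_OUIS` list and the one-device-per-port limit are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed MAC-table rows (VLAN, MAC, type, port); all values are placeholders.
SAMPLE_TABLE = """\
 110    0200.0000.0001    DYNAMIC    Gi1/0/1
 110    0200.0000.0002    DYNAMIC    Gi1/0/2
 110    0200.0000.0003    DYNAMIC    Gi1/0/2
 110    0200.0000.0004    DYNAMIC    Gi1/0/2
 110    aabb.cc00.0001    DYNAMIC    Gi1/0/3
 999    0200.0000.00ff    DYNAMIC    Te1/1/1
"""

ROUTER_OUIS = {"aabbcc"}    # hypothetical watch list, not real vendor OUIs
UPLINK_PORTS = {"Te1/1/1"}  # trunks legitimately carry many MACs
MAX_MACS_PER_PORT = 1       # assumption: one device per dorm port

ROW = re.compile(r"^\s*\d+\s+([0-9A-Fa-f.:-]{12,17})\s+\w+\s+(\S+)\s*$")


def normalize_mac(mac):
    """Return 12 lowercase hex digits, or None if the field is not a MAC."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    return digits if len(digits) == 12 else None


def macs_by_port(table_text):
    """Group learned MACs by access port, skipping headers and uplinks."""
    ports = defaultdict(set)
    for line in table_text.splitlines():
        match = ROW.match(line)
        if not match:
            continue
        mac, port = normalize_mac(match.group(1)), match.group(2)
        if mac and port not in UPLINK_PORTS:
            ports[port].add(mac)
    return ports


def audit_ports(table_text):
    """Map each suspicious port to the reasons it was flagged."""
    findings = {}
    for port, macs in sorted(macs_by_port(table_text).items()):
        reasons = []
        if len(macs) > MAX_MACS_PER_PORT:
            reasons.append(f"multiple-macs:{len(macs)}")
        reasons += [f"router-oui:{m}" for m in sorted(macs) if m[:6] in ROUTER_OUIS]
        if reasons:
            findings[port] = reasons
    return findings
```

A port flagged only by the OUI rule matches the WAN-port case, where the switch learns just the router's own MAC; the multiple-MAC rule covers the bridge case.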