Occasional Contributor II

Prevent NAT behind RAP

Has anyone encountered a similar security concern and found any effective method of dealing with it?


Currently we are looking to do 802.1x authentication on the wired port of our RAP devices. Corp PCs would have the correct LAN profile and dot3svc service running. Concern has been raised that a NAT box could be connected to the RAP, with permitted and non-permitted clients behind that. The one permitted client would authenticate, thus putting the NAT box in an employee user-role and allowing access from all non-permitted devices connected to it.


I was thinking of layering a MAC filter on top of 802.1x but that doesn't stop MAC spoofing. Is there anything either built in or external which anyone has done to address this threat?

Guru Elite

Re: Prevent NAT behind RAP

Not sure if an 802.1x frame can even be passed successfully through a NAT boundary. If you are not allowing devices that do not pass 802.1x, then putting a NAT box behind the RAP will not allow any unauthenticated users.

*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*