Security

the apple device or android will still utilize the last ip address it attached to most likely the users home address 10.0.0 or 192. x
The issue is it is using up address in a scope that is in my dmz on the 10 network ( don't yell at me some idiot used it as my dmz 10 years ago long before I worked here) I will be moving it asap. but for now, is there anything I can do to prevent this from happening

 

 

(psd-master01) #show  user | include  10:1c:0c:2a:2a:1b
10.0.0.10       10:1c:0c:2a:2a:1b                             psd-guest-logon    00:00:01                    AP-RM-211.Floor 1.100.GHH                  Wireless  psd-open/d8:c7:c8:f7:39:28/a-HT    psd-open    tunnel        iPad           
10.50.146.61    10:1c:0c:2a:2a:1b                             psd-guest-logon    00:00:01                    AP-RM-211.Floor 1.100.GHH              Wireless  psd-open/d8:c7:c8:f7:39:28/a-HT    psd-open    tunnel        iPad 

 

(psd-master01) #show  user | include  84:38:35:97:a5:59
10.10.129.18    84:38:35:97:a5:59  84383597a559               psd-authenticated  00:01:34    MAC             ESC_SWITCH_ON_BENCH                        Wireless  psd-secure/ac:a3:1e:9a:3d:11/a-HT   psd-secure  tunnel        iPhone    
172.24.25.144   84:38:35:97:a5:59  84383597a559               psd-authenticated  00:01:34    MAC             ESC_SWITCH_ON_BENCH                     Wireless  psd-secure/ac:a3:1e:9a:3d:11/a-HT  psd-secure  tunnel        iPhone    

 

If you are not using the 192 space, you can add a deny rule for that subnet to the validuser acl. 


Thanks, 
Tim

Try that dosnt work

Tried that dosn't work

Do you have enforce-dhcp enabled in your AAA profile?

Edit: Cappalli already suggested that

Add the segments you want to allow on the controller to the valid user ACL. Search for valid user on the community.

All other segments will be denied