Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Client source IP addressing filtering vs enforce-dhcp

  • 1.  Client source IP addressing filtering vs enforce-dhcp

    Posted Jan 18, 2017 12:30 PM

    Lately, our infosec crew have noticed a lot of wireless clients sending traffic out with the wrong source IP address.  A lot of them are using T-Mobile and Sprint owned blocks, so our best guess is that it's smart phones sending traffic sourced from their 4G IP address, but using the wifi interface (this is a problem we've run into on the Linux IP stack many times over the years...)

     

    My question, then, is how are people handling this kind of traffic?  On the wired side, we handle it with DHCP snooping and dynamic ARP inspection.  The Aruba controllers have the enforce-dhcp option, but it's not clear to me from what I've read that it'll actually restrict the client to only using the DHCP assigned IP address.  If not, I'm assuming I'll have to fall back to setting inbound clients based on the client subnets.

     

    thanks!



  • 2.  RE: Client source IP addressing filtering vs enforce-dhcp

    EMPLOYEE
    Posted Jan 18, 2017 12:36 PM


  • 3.  RE: Client source IP addressing filtering vs enforce-dhcp

    EMPLOYEE
    Posted Jan 18, 2017 12:37 PM
    Enforce DHCP in the AAA profile will only allow clients in the user table for which it has witnessed a DHCP transaction. The WAN IP address source address traffic would not be allowed.


  • 4.  RE: Client source IP addressing filtering vs enforce-dhcp

    Posted Jan 18, 2017 01:26 PM

    Thanks, guys!  enforce-dhcp won't be an option for us until this summer, as we're running two sets of controllers on the same SSID to play around with the 8.0 code.  In the meantime, it sounds like the valid-user ACL is the way to go.
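
The two approaches discussed in this thread, filtering by client subnet (valid-user ACL style) and filtering by witnessed DHCP lease (DHCP-snooping style), compared as an added example that is not part of the original posts and is not ArubaOS code. It is a simplified model: the subnet, MAC addresses, leases and frames are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data (assumptions, not from the thread): the client
# subnet, the DHCP leases the controller is assumed to have witnessed,
# and (client MAC, source IP) pairs seen on the wireless side.
CLIENT_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
DHCP_BINDINGS = {
    "aa:bb:cc:00:00:01": "10.20.1.15",
    "aa:bb:cc:00:00:02": "10.20.1.16",
}
FRAMES = [
    ("aa:bb:cc:00:00:01", "10.20.1.15"),   # source matches the client's lease
    ("aa:bb:cc:00:00:02", "100.64.12.7"),  # stand-in for a carrier-side address
    ("aa:bb:cc:00:00:03", "10.20.9.9"),    # in-subnet source, no lease witnessed
]


def subnet_check(src_ip, subnets=CLIENT_SUBNETS):
    """Subnet-based filter: is the source address inside a client subnet?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in subnets)


def binding_check(mac, src_ip, bindings=DHCP_BINDINGS):
    """Lease-based filter: does the source equal the lease seen for this MAC?"""
    return bindings.get(mac.lower()) == src_ip


def classify(frames):
    """Return (mac, src_ip, verdict) for each observed frame."""
    results = []
    for mac, src in frames:
        if not subnet_check(src):
            verdict = "drop: outside client subnets"
        elif not binding_check(mac, src):
            verdict = "subnet ok, no matching DHCP binding"
        else:
            verdict = "allow"
        results.append((mac, src, verdict))
    return results


if __name__ == "__main__":
    for row in classify(FRAMES):
        print(*row, sep="  ")
```

The third frame is the case that separates the two checks: a subnet-only filter passes it, while a lease-based check does not.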