Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Guest Post Auth Role needs... to roam between access Points

  • 1.  Guest Post Auth Role needs... to roam between access Points

    Posted Apr 09, 2019 10:49 AM

    I am testing Aruba version 8.3.0.3 in our company.  We have set up 2 guest roles that use captive portal and they are working well; but, this company is big into security and would prefer me to lock the guest access down as much as possible.

    One of the things I realized was that the Guest Post Authentication role denied access to everything and one must allow specific services such as DNS, HTTP, HTTPS.  That is fine; but, I realized that multiple Android cell phones would not re-connect to the Aruba Guest SSID unless I applied the rule:

    ANY source to ANY destination PERMIT Service-DHCP.  Then the cell phone was able to roam between access points just fine.  Without this rule I saw my Android phone display 'Failed to obtain IP address' when roaming between access points.

    My question is how can I limit this DHCP rule so a 'rogue' device cannot distribute IP addresses on the guest network?



  • 2.  RE: Guest Post Auth Role needs... to roam between access Points

    Posted Apr 09, 2019 10:55 AM

    The following combinations have not worked.

    - Source-USER, ANY-destination, Permit-DHCP

    - Any Device, to Host (DHCP Server IP on Guest VLAN), PERMIT-DHCP

    Both at the same time:

    - Any Device, to Network of Access Point IP addresses, PERMIT-DHCP &

    - Any Device, to Host (DHCP Server IP on Guest VLAN), PERMIT-DHCP

    The only thing so far that has worked is

    ANY Device, ANY Destination, PERMIT-DHCP.  See screen shot.



  • 3.  RE: Guest Post Auth Role needs... to roam between access Points

    EMPLOYEE
    Posted Apr 09, 2019 11:06 AM

    You would put the following ACL on top of everything:

    user any udp 68 deny

    This will stop a user from responding to DHCP requests.

    Then you can put "any any service svc-dhcp permit"
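    As an added illustration (not code from the thread or from HPE Aruba), a small first-match policy evaluator run over constructed DHCP packets shows why the deny has to sit above the svc-dhcp permit; it assumes svc-dhcp means UDP 67 and 68 and that "user" means a client in the user table:

```python
# Added example, not code from the thread or from HPE Aruba: a first-match ACL
# evaluator in the style of a controller role policy, showing why placing
# "user any udp 68 deny" above "any any svc-dhcp permit" blocks DHCP server
# replies sent by a wireless user while still letting clients request leases.
# Assumption: the svc-dhcp netservice expands to UDP destination ports 67 and 68.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    src: str              # "user" (a client in the user table) or "any"
    proto: str            # "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "permit" or "deny"

@dataclass(frozen=True)
class Packet:
    from_user: bool       # True if the sender is a client in the user table
    proto: str
    sport: int
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src == "user" and not pkt.from_user:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    return rule.dport is None or rule.dport == pkt.dport

def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, as in a role policy; otherwise implicit deny."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# The ordering suggested in the reply above, with svc-dhcp expanded (assumed).
GUEST_POST_AUTH: List[Rule] = [
    Rule("user", "udp", 68, "deny"),    # user any udp 68 deny
    Rule("any", "udp", 67, "permit"),   # any any service svc-dhcp permit
    Rule("any", "udp", 68, "permit"),
]

# Constructed sample traffic. Requests go client:68 -> server:67; offers and
# acks go server:67 -> client:68, so a rogue server on a user device is the
# only DHCP sender whose packets carry destination port 68.
DISCOVER = Packet(True, "udp", 68, 67)      # roaming phone asking for a lease
ROGUE_OFFER = Packet(True, "udp", 67, 68)   # a user's device answering it
SERVER_OFFER = Packet(False, "udp", 67, 68) # the real DHCP server's reply
```

    Because rules are walked top to bottom, moving the deny below the permit (or leaving it out) lets ROGUE_OFFER through, which is why the reply says to put it on top of everything.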



  • 4.  RE: Guest Post Auth Role needs... to roam between access Points

    Posted Apr 09, 2019 12:24 PM

    Very good,

    So if I understand correctly, "... The deny UDP 68 ACL (the default) prevents DHCP replies on a wireless network from wireless users from acting as a DHCP server. ..."

    https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-the-purpose-of-denying-UDP-68-traffic/ta-p/177728

    That should prevent any user sending out DHCP requests that other devices might be listening for in the Pre-Auth Role, correct?

    Is it a good idea to add the same rule in the Post Authentication Role as well?



  • 5.  RE: Guest Post Auth Role needs... to roam between access Points

    Posted Apr 09, 2019 01:09 PM

    Ok,

    I have 2 related questions:

    1.  Does the 'User' reference (in the A.C.L. rule) cover any 'physical device' like a tablet that connects to the Pre-auth policy?

    2.  When I added the rule, I saw how the original rule was listed in the 'logon-control' policy; but, the new rule that I created does not look exactly the same.  Specifically, I put down the Minimum/Maximum values as 68.

         a.  See the attached screen shots.

         b.  I hope that is going to work the same.  I was not allowed to leave the Maximum field empty.



  • 6.  RE: Guest Post Auth Role needs... to roam between access Points

    Posted Apr 10, 2019 05:28 PM

    Is it a good idea to put this rule on every WLAN?

    Any - User, Any Destination, UDP-68, Deny access



  • 7.  RE: Guest Post Auth Role needs... to roam between access Points

    EMPLOYEE
    Posted Apr 10, 2019 05:36 PM

    1.  The user refers to any user in the user table.

    2.  That is the correct way to do it.

    You could add it into your post authentication role, as well.  It means that no user can answer a DHCP request.



  • 8.  RE: Guest Post Auth Role needs... to roam between access Points

    Posted Apr 17, 2019 05:10 AM

    Hello Cjoseph,

    Your explanation is a little different from https://community.arubanetworks.com/t5/Controller-Based-WLANs/What-is-the-purpose-of-denying-UDP-68-traffic/ta-p/177728

    I just want to make sure I understand.  The following article I think clarifies: https://community.arubanetworks.com/t5/Controllerless-Networks/How-do-i-create-a-rule-for-IAP-s-to-prevent-users-from-issuing/m-p/241784

    Please let me know if you confirm. "... if you want to allow a client to get an IP address, allow UDP 67 traffic from the client, if you want to stop the client to Assign/Renew the IP, Deny ( Stop) UDP 68 traffic from the Client. ..."

    To me it sounds as if denying UDP port 68 prevents users (from the user table) from assigning IP addresses to other devices.