Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Restricting users based on IPs

  • 1.  Restricting users based on IPs

    Posted May 02, 2012 01:42 AM

    Task:

    Use /23 subnets per VLAN so that we are able to advertise more IP addresses

    Example:

    address range from 192.168.0.1 - 192.168.1.254


    Challenge:

    Restrict users from using the WiLAN if they have the first few and last few IPs of a /24 within the /23.  We will not be dispensing these IPs via DHCP; however, if a user assigns any of these 'off-limit' IPs statically, we want to make sure they are not allowed on the WiLAN.

    Example:

    From the above range we need to be able to restrict access to wireless for any clients using 192.168.0.1 - 192.168.0.10, 192.168.0.225 - 192.168.0.255 PLUS 192.168.1.1 - 192.168.1.10, 192.168.1.225 - 192.168.1.254.

    My plan was to create a Policy for the "valid-user" restricting these IPs; however, I am not sure if this would be the best way.  I would love to hear how others out there would tackle this issue.



  • 2.  RE: Restricting users based on IPs

    EMPLOYEE
    Posted May 02, 2012 08:11 AM

    IP addresses are so dynamic that you might have to revisit your strategy every time you expand your IP space.  Can you use something like user groups in LDAP or AD that do not change to restrict users?



  • 3.  RE: Restricting users based on IPs

    Posted May 03, 2012 10:50 AM

    You are right, I would end up having to change or update this every time we decide to expand the IP scope; however, the intention is to be able to block users using certain IPs (specifically the first few and last few in a /24) from any given scope.  So, even if I do end up adding to the scope of IPs, I will always want to have those specific IPs from each /24 blocked.

    Hope that makes sense; I would still love to hear back some more feedback.



  • 4.  RE: Restricting users based on IPs

    EMPLOYEE
    Posted May 04, 2012 06:34 AM

    So are you saying you want to block users that choose static ip addresses in a range that you do not want to give out in DHCP?

     

    In that case, you can use reservations, or whatever you use to block off addresses in DHCP, but also enable "Enforce DHCP" in the AAA profile so that users cannot get on unless they received their IP addresses using DHCP.  Would that work?



  • 5.  RE: Restricting users based on IPs
    Best Answer

    Posted May 17, 2012 03:57 PM

    "So are you saying you want to block users that choose static ip addresses in a range that you do not want to give out in DHCP?"

    Yes.  I am trying to block users (or malware/viruses) using IPs (such as the first few or last few).  So, I am excluding these IPs from the DHCP pool; however, I wanted to ensure that if one was statically configured the network connection would still be unavailable.

     

    "In that case, you can use reservations, or whatever you use to block off addresses in DHCP, but also enable "Enforce DHCP" in the AAA profile so that users cannot get on, unless they received their ip addresses using DHCP.  Would that work?"

     

    That would have been great to use but it seems that "Enforce DHCP" is only available from Aruba OS 6.0.x and up and currently the controllers (that my client is using) are all on 5.0.x and lower.  :smileyindifferent:

     

    I have decided to go with a policy-based restriction.  This is what I have done.

     

    I have created following firewall policies under Security>User Roles>Restriction (where Restriction is the user role)

    • allow DHCP so that the clients can get an IP from the DHCP
    • deny all traffic for clients using the specific IPs (ie: x.x.x.1-5 and x.x.x.252-255)
    • allow all other traffic as required.

    Well, this seems to have worked for me and I hope this helps others if they are faced with similar issues in the future (although I would imagine most would just upgrade the OS).

    Thanks cjoseph for your help.
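As an added illustration (not code from this thread or from HPE Aruba Networking), the script below derives the "first few and last few of every /24" deny ranges from whatever scope is in use, and then evaluates a client address against the three rules in the order the best answer lists them (permit DHCP, deny reserved sources, permit everything else). It generalizes the thread's single /23 to any aggregate, which is how to avoid retyping the ranges each time the IP space grows, the concern cjoseph raised. The scope, the last-octet thresholds, the service names and the rule dictionaries are all constructed assumptions; the output is a list of address ranges and verdicts, not controller CLI syntax.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample scope, matching the thread: one /23 advertised per VLAN.
SCOPE = "192.168.0.0/23"
# Reserved last-octet thresholds: deny .1-.LOW_MAX and .HIGH_MIN-.255 in every /24.
# These are the original poster's numbers; the best answer used 5 and 252 instead.
LOW_MAX = 10
HIGH_MIN = 225

Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def reserved_ranges(scope: str, low_max: int = LOW_MAX, high_min: int = HIGH_MIN) -> List[Range]:
    """Return (first, last) address pairs to deny for every /24 inside scope.

    The ranges are derived from the scope rather than typed by hand, so growing
    the scope (say to a /22) just regenerates the list with two more pairs per /24.
    """
    net = ipaddress.IPv4Network(scope, strict=True)
    if net.prefixlen > 24:
        raise ValueError("scope must be a /24 or a larger aggregate")
    if not (1 <= low_max < high_min <= 255):
        raise ValueError("thresholds must satisfy 1 <= low_max < high_min <= 255")
    ranges: List[Range] = []
    for sub in net.subnets(new_prefix=24):
        base = int(sub.network_address)
        ranges.append((ipaddress.IPv4Address(base + 1), ipaddress.IPv4Address(base + low_max)))
        # Note that x.x.0.255 is a legitimate host inside a /23, which is exactly why
        # the thread wants the top of each /24 denied as well.
        ranges.append((ipaddress.IPv4Address(base + high_min), ipaddress.IPv4Address(base + 255)))
    return ranges


def is_reserved(ip: str, scope: str, low_max: int = LOW_MAX, high_min: int = HIGH_MIN) -> bool:
    """True if ip sits in one of the reserved ranges of scope (off-scope addresses are False)."""
    addr = ipaddress.IPv4Address(ip)
    return any(first <= addr <= last for first, last in reserved_ranges(scope, low_max, high_min))


def build_policy(scope: str, low_max: int = LOW_MAX, high_min: int = HIGH_MIN) -> List[Dict[str, str]]:
    """Ordered rules mirroring the best answer: permit DHCP, deny reserved sources, permit the rest.

    The rule dicts are a constructed, vendor-neutral representation, not controller syntax.
    """
    rules = [{"src": "any", "svc": "dhcp", "action": "permit"}]
    for first, last in reserved_ranges(scope, low_max, high_min):
        rules.append({"src": f"{first}-{last}", "svc": "any", "action": "deny"})
    rules.append({"src": "any", "svc": "any", "action": "permit"})
    return rules


def _src_matches(src: str, ip: str) -> bool:
    """Match a rule source ("any" or "first-last") against a client address."""
    if src == "any":
        return True
    first, last = (ipaddress.IPv4Address(part) for part in src.split("-"))
    return first <= ipaddress.IPv4Address(ip) <= last


def evaluate(rules: List[Dict[str, str]], src_ip: str, service: str) -> str:
    """First-match evaluation, as a session ACL applies it; implicit deny if nothing matches."""
    for rule in rules:
        if _src_matches(rule["src"], src_ip) and rule["svc"] in ("any", service):
            return rule["action"]
    return "deny"


if __name__ == "__main__":
    for first, last in reserved_ranges(SCOPE):
        print(f"deny source {first} - {last}")
    policy = build_policy(SCOPE)
    # A client without a lease yet sources its DHCP discover from 0.0.0.0; rule 1 must let it through.
    print("0.0.0.0 dhcp ->", evaluate(policy, "0.0.0.0", "dhcp"))
    # A client that set 192.168.1.3 statically is denied everything else.
    print("192.168.1.3 http ->", evaluate(policy, "192.168.1.3", "http"))
    print("192.168.1.100 http ->", evaluate(policy, "192.168.1.100", "http"))
```

The order matters: the DHCP permit has to sit above the deny entries, otherwise a device that has not obtained a lease yet cannot request one, and the deny entries have to sit above the final permit, otherwise a statically configured address in a reserved range is let through by the catch-all. Running the script with a /22 in place of the /23 produces eight deny ranges instead of four without any other change.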