Wireless Access

Occasional Contributor II

dhcp snooping and DAI in wireless

I just set up a wireless network for a school using the Aruba 7xxx series. The deployment model is master/local. The clients get their IP addresses from an external DHCP server.

Now the problem I have is that someone is pretending to be a DHCP server on the network; I think it is a DHCP attack. Is there any setting that needs to be enabled on the controller to prevent this from happening?

Many thanks to everyone who gives me some advice.


Accepted Solutions
Moderator

Re: dhcp snooping and DAI in wireless

If you are using the "logon-control" ACL in your user roles, there is an entry that blocks clients from serving DHCP addresses.

logon-control-deny-udp68.png


| Tim Cappalli | Aruba Security | @timcappalli | timcappalli.me |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
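
A DHCP server sends its replies to UDP port 68, so a reply arriving from a wireless client's address is the traffic the reply above is concerned with. The following is an added example, not part of the original thread and not Aruba code: a small Python check that parses DHCP payloads and reports server-type messages (OFFER/ACK/NAK) from sources outside a trusted list. The addresses, the `TRUSTED` set and the function names are assumptions made for illustration, and the sample datagrams are constructed.

```python
MAGIC = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
SERVER_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only servers send

def parse_dhcp(payload):
    """Return (op, msg_type, server_id) for a DHCP payload, or None if not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    msg_type = server_id = None
    i = 240                                      # options start after the cookie
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        code, length = payload[i], payload[i + 1]
        if code == 0:                            # pad option has no length byte
            i += 1
            continue
        value = payload[i + 2:i + 2 + length]    # a truncated value fails the checks below
        if code == 53 and len(value) == 1:       # DHCP message type
            msg_type = value[0]
        elif code == 54 and len(value) == 4:     # server identifier
            server_id = ".".join(map(str, value))
        i += 2 + length
    return payload[0], msg_type, server_id

def find_rogue_servers(datagrams, trusted):
    """datagrams: (src_ip, udp_dst_port, payload). Returns untrusted server replies."""
    hits = []
    for src_ip, dst_port, payload in datagrams:
        parsed = parse_dhcp(payload) if dst_port == 68 else None
        if parsed is None:
            continue
        op, msg_type, server_id = parsed
        if op == 2 and msg_type in SERVER_TYPES and src_ip not in trusted:
            hits.append((src_ip, SERVER_TYPES[msg_type], server_id))
    return hits

def build(op, msg_type, server_id=None):         # builds the constructed samples
    opts = MAGIC + bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + bytes(int(x) for x in server_id.split("."))
    return bytes([op, 1, 6, 0]) + bytes(232) + opts + b"\xff"

TRUSTED = {"10.0.0.5"}   # assumption: the real DHCP server (add relay addresses too)
SAMPLES = [              # constructed traffic, not taken from the thread
    ("10.0.0.5", 68, build(2, 2, "10.0.0.5")),      # legitimate OFFER
    ("10.0.20.31", 67, build(1, 1)),                # client DISCOVER
    ("10.0.20.77", 68, build(2, 2, "10.0.20.77")),  # client acting as a server
    ("10.0.20.77", 68, build(2, 5, "10.0.20.77")),  # same client sends an ACK
]
if __name__ == "__main__":
    print(find_rogue_servers(SAMPLES, TRUSTED))
```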

Occasional Contributor II

Re: dhcp snooping and DAI in wireless

Much appreciated... very helpful idea... but is there a way to mitigate a man-in-the-middle attack? I mean that if someone pretends to be the gateway IP address, he will ruin the whole network... any setting on the controller?

Moderator

Re: dhcp snooping and DAI in wireless

There are two things you can do:

1) Enable "Enforce DHCP" in your AAA profile. This will stop a user from entering the user table if they did not receive their address via DHCP.

2) Add your gateway addresses to the validuser ACL.


Occasional Contributor II

Re: dhcp snooping and DAI in wireless

OK... I will try it later... thank you very much.

Moderator

Re: dhcp snooping and DAI in wireless

valid-user-deny-gateway.png

enforce-dhcp.png

