Wireless Access

Hi all,

I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC Adress of the controller? Since the controller has a IP address in the guest subnet (for captive portal redirect) a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect

Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

Thanks for your help!

Hi all,

I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC Adress of the controller? Since the controller has a IP address in the guest subnet (for captive portal redirect) a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect

Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

Thanks for your help!

Hi all,

I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC Adress of the controller? Since the controller has a IP address in the guest subnet (for captive portal redirect) a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect

Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

Thanks for your help!

hi,

thanks for your answers. 

The problem I ran into wasn't the access / reachability of the vlan Interface address of the controller. I know that there are ways to limit or block access to it. My problem is that a guest user can perform a subnet scan (even in pre-auth role) -> is there a way to block that?  When Deny Inter User bridging is enabled a subnet scan in pre-auth-role results in getting back the client, controller and gateway mac (no other wireless user is found) -> so far so good :)

The main problem with the mac address is that if a user spoofs the MAC of the controller all APs connected to the controller lost their connection. This might be due to a design flaw (same physical port for guest vlan and controller IP) but I wonder if there is no other configuration / feature which can prevent this.

Enable "Enforce DHCP" was also in my mind but I don't think this will prevent some to spoof its MAC address.

Hi all,

I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC Adress of the controller? Since the controller has a IP address in the guest subnet (for captive portal redirect) a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect

Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

Thanks for your help!

hi,

thanks for your answers. 

The problem I ran into wasn't the access / reachability of the vlan Interface address of the controller. I know that there are ways to limit or block access to it. My problem is that a guest user can perform a subnet scan (even in pre-auth role) -> is there a way to block that?  When Deny Inter User bridging is enabled a subnet scan in pre-auth-role results in getting back the client, controller and gateway mac (no other wireless user is found) -> so far so good :)

The main problem with the mac address is that if a user spoofs the MAC of the controller all APs connected to the controller lost their connection. This might be due to a design flaw (same physical port for guest vlan and controller IP) but I wonder if there is no other configuration / feature which can prevent this.

Enable "Enforce DHCP" was also in my mind but I don't think this will prevent some to spoof its MAC address.

Hi all,

I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC Adress of the controller? Since the controller has a IP address in the guest subnet (for captive portal redirect) a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect

Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

Thanks for your help!

hey hdemir,

unfortunately none of the settings help to prevent a user from spoofing its MAC address...

Right now I'm testing some workaround. I try to block the spoofed MAC address in the MAC Auth service in CPPM while connecting to the wifi infrastructure... Let's see...

hi,

thanks for your answers. 

The problem I ran into wasn't the access / reachability of the vlan Interface address of the controller. I know that there are ways to limit or block access to it. My problem is that a guest user can perform a subnet scan (even in pre-auth role) -> is there a way to block that?  When Deny Inter User bridging is enabled a subnet scan in pre-auth-role results in getting back the client, controller and gateway mac (no other wireless user is found) -> so far so good :)

The main problem with the mac address is that if a user spoofs the MAC of the controller all APs connected to the controller lost their connection. This might be due to a design flaw (same physical port for guest vlan and controller IP) but I wonder if there is no other configuration / feature which can prevent this.

Enable "Enforce DHCP" was also in my mind but I don't think this will prevent some to spoof its MAC address.

Hi all,

I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC Adress of the controller? Since the controller has a IP address in the guest subnet (for captive portal redirect) a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect

Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

Thanks for your help!

Hi all,

I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC Adress of the controller? Since the controller has a IP address in the guest subnet (for captive portal redirect) a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect

Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

Thanks for your help!

Hi Frederik,

to my knowledge it should be possible to remove the controller interface in the guest vlan completely. You just need to make sure, that at least one interface of the controller is reachable using the firewall. This will at least solve the Mac spoofing issue. 

BR

Florian

Hi all,

I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC Adress of the controller? Since the controller has a IP address in the guest subnet (for captive portal redirect) a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect

Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

Thanks for your help!

Hi all,

I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC Adress of the controller? Since the controller has a IP address in the guest subnet (for captive portal redirect) a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect

Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

Thanks for your help!

Sorry that I come up with the same question again, but the problem is still around.
If a user spoofs the MAC of the controller in the guest network, then all of the AP tunnels will go down as well.
I'm not quite sure, if I am the only guy around with this behaviour or problem but I think this should not be possible and is a bit of a security risk.

Hi all,

I have a question regarding a security mechanism in the guest network. Is it possible to prevent a guest from spoofing the MAC Adress of the controller? Since the controller has a IP address in the guest subnet (for captive portal redirect) a guest device can perform a subnet scan (via App) and can give its client the MAC of the Controller.
By configuring "deny inter user bridging" or "local ARP proxy" the subnet scan result is better (no wifi clients visible) but the controller IP/MAC is still visible (as expected).

Here is the setup (stripped down):
- open guest SSID
- DHCP Scope is on a firewall (behind the controller)
- redirect to a captive portal on CPPM (with data port in the same L2 subnet as guests)
- IP Interface on the controller (also in same VLAN as guests) for the redirect

Is there any chance to achieve this? Is there a feature which I haven't read about / found yet? 

Thanks for your help!