
1 Rookie

9 Posts

February 6th, 2024 16:24

Securing ports servicing Wireless Access Points

Our organization uses Ruckus wireless access points connected to a Ruckus wireless controller. They use a native VLAN and broadcast multiple SSIDs which correlate to appropriate VLANs. So for example, the ports on our N3248PXE-ON switches have the following configuration:

switchport mode trunk

switchport trunk native vlan [VLAN ID]

(This configuration is the only way the port will work with our WAPs)

We would like to secure the Ethernet ports to which these WAPs connect. That is, we would like to prevent other devices from being connected to those ports and gaining DHCP IP address leases in the WAP scope. I tried using port-security and limiting one MAC address to the port using sticky, but that ended up preventing the clients from having connectivity. We are trying to implement a FortiNAC solution too, but are running into issues with that as well (i.e. it sees the MAC addresses of the WAP clients and then classifies it to be rogue and puts the whole port in the isolation VLAN). Essentially, we want people to be able to use the WiFi provided via the WAPs, but we do not want the APs to be removed and the port used for other devices and if the WAP is disconnected, we would like for the port to be configured to send traffic to a dead-end VLAN or prevent the offending device from getting an IP address. Anyone have any ideas?

Thanks in advance!

Moderator

9.4K Posts

February 6th, 2024 21:06

Rocknwatch,

While I would need time to research if we support Ruckus, you can find the steps and options for Port Security on page 695-700 here

Let me know if this helps.

1 Rookie

9 Posts

February 11th, 2024 14:31

Thanks for the response, Chris. 

I did try port security with the following configuration:

[global] switchport port-security

[interface] switchport port-security maximum 1

[interface] switchport port-security mac-address sticky

[interface] switchport port-security mac-address [MAC Address of the AP]

[interface] switchport port-security violation protect

This definitely worked with allowing only the AP on the port; however, any clients connecting to the AP were unable to obtain an IP address from the DHCP server, and thus obtain access to the allowed network. I will have to test removing the maximum limit and see what the behavior is. I will test that tomorrow and respond to this thread with my findings.

1 Rookie

9 Posts

February 12th, 2024 21:35

Well, I took the switchport port-security maximum 1 off the configuration, but when the AP is disconnected and replaced with a "rogue" device, the switch then adds that MAC address to the interface. I'll have to play with this some more to see if I can figure something out. So far, I'm stuck.
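Added illustration of the detection side of this problem, not code from anyone in the thread: because an AP in bridge mode forwards its wireless clients' source MACs onto the switch port, the useful check is not "only one MAC on this port" but "the AP's own MAC is still among the MACs learned on this port". The Python below audits a constructed MAC-table listing against a hypothetical per-port AP inventory; the table layout, addresses and port names are made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample shaped like a "show mac address-table" listing (VLAN, MAC, type, port);
# the layout, addresses and port names are made up for this example.
SAMPLE_MAC_TABLE = """\
Vlan   Mac Address       Type      Port
10     0010.7901.1A2B    Dynamic   Gi1/0/1
20     0010.7901.1A2B    Dynamic   Gi1/0/1
20     3C22.FB11.2233    Dynamic   Gi1/0/1
10     0010.7901.4C5D    Dynamic   Gi1/0/2
10     A4B1.C2D3.E4F5    Dynamic   Gi1/0/3
"""
# Hypothetical inventory: the AP MAC that belongs on each AP-facing port (Gi1/0/4 has no entries above).
EXPECTED_AP = {"Gi1/0/1": "0010.7901.1a2b", "Gi1/0/2": "0010.7901.4c5d",
               "Gi1/0/3": "0010.7901.6e7f", "Gi1/0/4": "0010.7901.8a9b"}
MAC_RE = re.compile(r"^\s*\d+\s+([0-9A-Fa-f.:-]{12,17})\s+\S+\s+(\S+)")

def normalize_mac(mac):
    """Canonical lowercase dotted form so AA:BB:CC:DD:EE:FF and AABB.CCDD.EEFF compare equal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def parse_mac_table(text):
    """Return {port: set of MACs learned on it}; header lines do not match MAC_RE and are skipped."""
    per_port = defaultdict(set)
    for line in text.splitlines():
        m = MAC_RE.match(line)
        if m:
            per_port[m.group(2)].add(normalize_mac(m.group(1)))
    return per_port

def audit_ap_ports(mac_table_text, expected=EXPECTED_AP):
    """Classify each AP-facing port: 'ok' when the AP's MAC is present (other MACs are the
    wireless clients it bridges), 'ap_replaced' when only foreign MACs are learned, and
    'no_traffic' when nothing has been learned on the port (link down or idle AP)."""
    per_port = parse_mac_table(mac_table_text)
    report = {}
    for port, ap_mac in expected.items():
        seen = per_port.get(port, set())
        if normalize_mac(ap_mac) in seen:
            report[port] = "ok"
        elif seen:
            report[port] = "ap_replaced"
        else:
            report[port] = "no_traffic"
    return report
```

Run this against the real table on a schedule (or from a trap handler) and alert on any port that reports ap_replaced; an ap_replaced port is exactly the case where sticky learning without a maximum would have silently admitted the new device.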
