
I'm about to set up a large wireless network at a dorm. The hardware I'm using is going to be:

HP Procurve E2520-24G-PoE (J9299A)
Cisco Aironet 2602i Autonomous Access Point

Since the outlets for the APs are being mounted on the wall where everyone can access them, I would like to protect the ports on the switch so nobody can circumvent our logs (by connecting without their MAC addresses being registered to their room number).

The solution I have tried is setting up the ProCurve as an 802.1x authenticator against a RADIUS server, which is working. The Access Points are configured as 802.1x supplicants, and they successfully authenticate to the switch and have access to the network.

However, while this is working exactly as it should, if somebody were to disconnect an access point, connect a switch to the outlet instead, and then connect the AP to that switch, the AP would authenticate and full access would be granted to everyone on that switch. I've tried setting up client-limit on the ProCurve switch, however that prevents any users on the AP from accessing the network.

How can I prevent users from accessing the network through these outlets, and still allow people to log on to the wifi?

Daniel

3 Answers


Have you tried using port security? ftp://ftp.hp.com/pub/networking/software/Security-Oct2005-59906024-Chap09-Port_Security.pdf might help?

DerekC
  • If I understand correctly, you are suggesting that I lock down the ports to certain MAC addresses. I think 802.1x already accomplishes this, but better and more securely. Also, locking down the port to a single MAC address (the AP) would prevent the AP's users from connecting. – Daniel Jun 23 '13 at 17:48

A very naive solution would be to set the port to trunk mode and drop untagged packets. Set the access points to tag all of their outgoing packets with a VLAN. Configure the switch to drop any packets not on that VLAN.

This won't stop someone who understands networking and can sniff the conversation between the AP and the switch and notice the VLAN tag. But it should stymie casual abusers.

longneck
  • I think 802.1x authentication would scare away someone with no understanding, but I'm looking for a solution to prevent power users from connecting as well. – Daniel Jun 23 '13 at 17:47
  • Technology can only back up, not replace, an acceptable use policy. At least taking this step would make it impossible for a violator to claim they did it "by accident" and didn't realise it was against the rules. – Rob Moir Jun 23 '13 at 19:39
  • You're right, we will just have to hope that it won't be an issue. – Daniel Jun 25 '13 at 10:56

The only way to completely prevent this would be to tunnel the AP traffic to another device and set the ACL on the port to only allow traffic to the tunnel endpoint.

longneck
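The following is an added example, not code from the question or any of the answers. It models what each design discussed on this page lets through the switch port once the AP has authenticated: plain port-based 802.1x (the problem the question describes), port-based 802.1x with a client-limit (which the asker found blocks the wifi users too), and the tunnel-plus-port-ACL design from the last answer. The MAC and IP addresses, the tunnel endpoint and the frames are all constructed for the example; the policy functions are a simplified model of the switch behaviour, not ProCurve or Cisco code.

```python
from dataclasses import dataclass, field

# Constructed values for the example; none of these come from the question.
AP_MAC = "00:11:22:aa:bb:01"      # the registered access point's MAC
AP_IP = "10.0.1.5"                # the AP's own address
TUNNEL_ENDPOINT = "10.0.0.1"      # device that terminates the AP's tunnel (last answer's design)
CLIENT_MAC = "00:11:22:cc:dd:02"  # a wifi user's laptop
ROGUE_MAC = "00:11:22:ee:ff:03"   # a laptop plugged into a switch inserted between outlet and AP


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    dst_ip: str


@dataclass
class Port:
    authenticated: set = field(default_factory=set)  # supplicant MACs that passed 802.1x
    admitted: set = field(default_factory=set)       # MACs already counted against the client-limit


def authenticate(port: Port, mac: str, radius_accept: bool) -> None:
    """802.1x authenticator step: only a RADIUS accept makes `mac` an authenticated supplicant."""
    if radius_accept:
        port.authenticated.add(mac)


def port_based(port: Port, frame: Frame) -> bool:
    """Plain port-based 802.1x: once one supplicant is authenticated, the whole port forwards.
    This is why a switch inserted behind the AP gives every host on it access."""
    return bool(port.authenticated)


def client_limit(port: Port, frame: Frame, limit: int = 1) -> bool:
    """Port-based 802.1x plus client-limit: only the first `limit` source MACs get through.
    The AP's bridged wifi users show up as extra MACs, so they are blocked as well."""
    if not port.authenticated:
        return False
    if frame.src_mac in port.admitted:
        return True
    if len(port.admitted) < limit:
        port.admitted.add(frame.src_mac)
        return True
    return False


def tunnel_acl(port: Port, frame: Frame) -> bool:
    """Tunnel design: the port ACL permits only the authenticated AP talking to the tunnel endpoint.
    Wifi users' traffic is encapsulated by the AP, so on the wire it is AP -> endpoint and passes;
    anything else plugged into the outlet never matches the ACL."""
    return (frame.src_mac in port.authenticated
            and frame.src_ip == AP_IP
            and frame.dst_ip == TUNNEL_ENDPOINT)


# Frames as they appear on the switch port in each design (constructed).
AP_TO_LAN = Frame(AP_MAC, AP_IP, "10.0.0.53")                # AP talking directly to a LAN host
BRIDGED_USER = Frame(CLIENT_MAC, "10.0.1.77", "10.0.0.53")   # wifi user bridged straight onto the LAN
TUNNELLED_USER = Frame(AP_MAC, AP_IP, TUNNEL_ENDPOINT)       # same user, encapsulated by the AP
ROGUE_USER = Frame(ROGUE_MAC, "10.0.1.99", "10.0.0.53")      # laptop on an inserted switch


def evaluate(policy, user_frame: Frame) -> dict:
    """Run one policy on a port where the AP authenticated; report which traffic gets through."""
    port = Port()
    authenticate(port, AP_MAC, radius_accept=True)      # the AP's supplicant succeeds
    authenticate(port, ROGUE_MAC, radius_accept=False)  # the rogue laptop has no credentials
    return {
        "ap_to_lan": policy(port, AP_TO_LAN),
        "wifi_user": policy(port, user_frame),
        "rogue": policy(port, ROGUE_USER),
    }


def compare_designs() -> dict:
    """Outcome of the three designs side by side; wifi users are bridged in the first two
    and tunnelled in the third, as each design implies."""
    return {
        "port_based": evaluate(port_based, BRIDGED_USER),
        "client_limit": evaluate(client_limit, BRIDGED_USER),
        "tunnel_acl": evaluate(tunnel_acl, TUNNELLED_USER),
    }


if __name__ == "__main__":
    for design, outcome in compare_designs().items():
        print(f"{design:13} {outcome}")
```

Note that under the tunnel design even the AP's own direct traffic to a LAN host is dropped: the ACL admits nothing but AP-to-endpoint frames, so the AP's management traffic also has to travel inside the tunnel. The table the script prints makes the trade-off the question ran into explicit: client-limit shuts out the rogue laptop only by also shutting out the bridged wifi users, while the tunnel design keeps the users' traffic behind the AP's own authenticated MAC.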