04-19-2012 11:24 PM - edited 03-07-2019 06:14 AM
Dear all
I would like to know how to protect network access from a rogue Access Point. Is it possible to work with port-security? I mean, if I would use the sticky command in connection with the maximum allowed MAC addresses of 1, then no one would be able to access the network through the access point.
Thanks in advance for your help
Cheers, Remy
04-19-2012 11:34 PM
That's not how you do it.
If you detect a rogue WAP in your network you go and find it. I don't believe there's any other way.
04-20-2012 01:34 AM
Hi leolaohoo
Thanks for the fast reply. But is it not the case that you see more than one MAC address on the switchport when devices communicate through the Access Point?
Kind regards,
Remy
04-20-2012 02:03 AM
Thanks for the fast reply. But is it not the case that you see more than one MAC address on the switchport when devices communicate through the Access Point?
Ok, let's look at it this way: Let's say you enable one MAC address. Let's say you also enable sticky MAC. What would stop, say, a colleague from bringing in his own Kumbaya WAP and plugging it into your network?
Let's say that you replace a WAP, and only you know about the sticky MAC and you're on a cruise in the Bahamas?
04-20-2012 04:02 AM
Remy,
You could use port security on the ports that you know about, but you should shut the ports that you're not using in order to prevent someone connecting an AP to an unused port. Leo is right though. You wouldn't be able to use port security on an unused port because you either A.) have to know what mac addresses are coming into that port beforehand or B.) have to learn the addresses that are coming into that port by maximum addresses or sticky command. Even if you had port security set to 1 mac address, the AP would be able to use that.
Now you will be able to see clients off of the AP and they could trigger a security violation on the port and no one could pass traffic, but in reality you're still taking a chance. Shut your ports first if you can, and if not, you can set your port security to 1 address. Obviously the second option is going to cause more problems if you have users with phones, switches, etc. at their desk.
HTH,
John
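A defender-side way to act on the observation in this thread (several MAC addresses learned on one access port), as an added example that is not from the thread or from Cisco: a Python parser over IOS `show mac address-table` output that flags access ports learning more MACs than a per-port limit. The sample table, port names and the `uplinks` allowlist are constructed for illustration; `limit=2` is there for the desk-phone-plus-PC case John mentions.

```python
import re
from collections import defaultdict

# Constructed sample of `show mac address-table dynamic` output (not a real capture).
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/5
  10    0011.2233.4466    DYNAMIC     Gi1/0/7
  10    0011.2233.4477    DYNAMIC     Gi1/0/7
  10    0011.2233.4488    DYNAMIC     Gi1/0/7
  20    0011.2233.4499    DYNAMIC     Gi1/0/8
  10    0011.2233.44aa    DYNAMIC     Gi1/0/8
  10    0011.2233.44bb    DYNAMIC     Gi1/0/24
  20    0011.2233.44cc    DYNAMIC     Gi1/0/24
Total Mac Addresses for this criterion: 8
"""

# One table row: numeric VLAN, dotted-hex MAC, entry type, port name.
# Header, separator and "Total ..." lines do not match and are skipped.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I
)


def parse_mac_table(text):
    """Return {port: set_of_macs} from IOS `show mac address-table` text."""
    ports = defaultdict(set)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(4)].add(m.group(2).lower())
    return dict(ports)


def suspicious_ports(text, uplinks=(), limit=1):
    """Access ports learning more MACs than `limit`, ignoring known uplinks/trunks.

    limit=1 mirrors `switchport port-security maximum 1`; use limit=2 where an
    IP phone with a PC behind it is expected, so those ports are not reported.
    Anything above the limit is worth a physical check, as the thread advises.
    """
    return {p: sorted(macs) for p, macs in parse_mac_table(text).items()
            if p not in uplinks and len(macs) > limit}
```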
04-20-2012 08:07 AM
Hi guys
Thanks a lot for your help. The problem is a bit more complex, because we use dot1x with a guest vlan. That's the reason why I would like to use port security. Because everyone should be able to use the guest vlan, but should not be able to use a rogue Access Point.
Guys, thank you very much for your help.
I wish you a nice weekend
Cheers, Remy
04-21-2012 07:53 PM
Because everyone should be able to use the guest vlan, but should not be able to use a rogue Access Point.
One of the most effective ways to combat Rogue WAPs is to locate them. Ethernet can be spliced very easily.