07-10-2024 02:06 PM
Hi guys,
I have a little problem in the network. We have a WLC C9800-40 in production and we also have a Guest network. This Guest network goes to the internet via a VRF (isolated from the network), and for this Guest network we use a LOCAL DHCP on the distribution L3. The problem happens when somebody tries to connect: he gets an IP, but 80% of the people who try don't have an account and don't finish that process… now the device keeps trying and trying to connect to the Guest Network, and every attempt the device makes to connect gets a NEW IP from the pool, which causes the pool to fill up quickly.
The guest network is configured with L3 WebAuth.
Do you have any idea how to prevent one device from getting more than 1 IP, even when it doesn't finish the L3 auth process?
07-10-2024 02:14 PM
There are two solutions:
1- reduce the lease time
2- increase the DHCP pool
MHM
07-10-2024 02:23 PM
I already did; I reduced it to 5 minutes and increased the pool, but it is still happening. It's like a snowball falling.
07-10-2024 03:32 PM
I would consider that the WiFi client is attacking your DHCP, and the only solution is port security, which does not work with WiFi, so that does not work.
Then I think, why don't you use client exclusion?
This prevents the same client from connecting to the SSID when it has failed web auth,
and hence protects your DHCP server.
Try this.
MHM
07-10-2024 03:19 PM
The device should only get 1 IP per MAC address, so unless they are triggering MAC randomisation, the DHCP server should never hand them a different IP.
Reducing the DHCP lease time to 30-60 minutes would be where I start. I generally run mine at 1 hour for guest.
You could also drop the session timeout and idle timeout down. It's one of the challenges with open SSIDs: in order to get the portal you need to have an IP address.
A really not user-friendly way is to add a PSK to the webauth SSID.
It might also pay to remove any mention of Guest in the SSID.
07-10-2024 04:13 PM
@ariask93 wrote:
The guest network is configured with L3 WebAuth.
How many APs is the controller managing?
07-17-2024 11:31 AM
Right now at least 200 APs, but it is growing.
07-10-2024 06:43 PM - edited 07-10-2024 06:44 PM
@ariask93 wrote:
Do you have any idea how to prevent one device from getting more than 1 IP, even when it doesn't finish the L3 auth process?
If one MAC address has been identified trying to exhaust the DHCP address pool then this could be malicious. Block the offending MAC address and see if it re-offends (randomized MAC address).
If it re-offends, flush all the known MAC addresses off the web authentication server and force the offending MAC address to "accept" the T&C.
07-17-2024 11:38 AM
Yeah, but there's a little problem: most phones have the option to change their MAC address. On iPhone it's called "Private MAC Address"; it's a kind of mask for your real MAC address. The partial solution that I found is to reduce the DHCP binding time to 10 minutes, reduce the ARP time for that VLAN to 1 hour, reduce the idle timeout or session timeout, and also exclude the client for 10 minutes when they put in a wrong credential. A bit of a drastic decision.
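Two things in this thread are worth checking with data rather than by feel: how much of the guest pool is held by randomised (locally administered) MAC addresses, which is what the "one IP per MAC" assumption breaks on, and what lease time the pool can actually sustain when every failed portal attempt shows up as a brand-new client. The script below is an added example, not code from the thread, from Cisco, or from any poster. It parses constructed sample rows laid out like IOS `show ip dhcp binding` output (the IPs, MACs and timestamps are made up), flags bindings whose Client-ID carries the U/L bit that iPhone private addresses and Android randomised MACs set, and applies Little's law (leases in use ≈ new-client arrival rate × lease time) to estimate the longest lease that keeps a pool under a chosen headroom. The arrival rate and pool size used in the usage section are assumed values for illustration.

```python
import re

# Constructed sample, laid out like the columns of IOS `show ip dhcp binding`
# (IP address, Client-ID = "01" type byte + MAC in dotted form, lease expiration,
# type, state, interface). Header lines are included so the parser has to skip them.
SAMPLE_BINDINGS = """\
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type       State      Interface
                    Hardware address/
                    User name
10.20.30.11         0100.1122.3344.55       Jul 10 2024 02:11 PM    Automatic  Active     Vlan300
10.20.30.12         01da.1b2c.3d4e.5f       Jul 10 2024 02:11 PM    Automatic  Active     Vlan300
10.20.30.13         0192.aabb.ccdd.ee       Jul 10 2024 02:12 PM    Automatic  Active     Vlan300
10.20.30.14         0100.50b6.1234.56       Jul 10 2024 02:12 PM    Automatic  Active     Vlan300
10.20.30.15         016e.1234.5678.9a       Jul 10 2024 02:13 PM    Automatic  Active     Vlan300
"""

# A binding row starts with an IPv4 address followed by a dotted hex Client-ID.
BINDING_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{2,4})+)\s+"
)


def client_id_to_mac(client_id):
    """Turn a dotted Client-ID ("01" + 12 hex MAC digits) into aa:bb:cc:dd:ee:ff, or None."""
    digits = client_id.replace(".", "").lower()
    if len(digits) != 14 or not digits.startswith("01"):
        return None  # not a type-1 (Ethernet hardware address) client identifier
    mac = digits[2:]
    return ":".join(mac[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the U/L bit (0x02 in the first octet) is set, i.e. a randomised/private MAC."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_bindings(text):
    """Return [(ip, mac), ...] for every binding row; header lines do not match the regex."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if not m:
            continue
        mac = client_id_to_mac(m.group(2))
        if mac:
            rows.append((m.group(1), mac))
    return rows


def triage(text):
    """Summarise how much of the binding table is held by randomised MAC addresses."""
    rows = parse_bindings(text)
    randomised = [ip for ip, mac in rows if is_locally_administered(mac)]
    return {
        "total": len(rows),
        "locally_administered": len(randomised),
        "random_share": round(len(randomised) / len(rows), 2) if rows else 0.0,
        "random_ips": randomised,
    }


def steady_state_leases(new_clients_per_minute, lease_minutes):
    """Little's law: leases held at steady state = arrival rate x lease time.
    A device that retries with a fresh random MAC counts as a new arrival each time,
    which is why a retry storm can fill a pool even with a short lease."""
    return new_clients_per_minute * lease_minutes


def max_lease_minutes(pool_size, new_clients_per_minute, headroom=0.8):
    """Longest lease (minutes) that keeps occupancy under `headroom` of the pool."""
    return pool_size * headroom / new_clients_per_minute


if __name__ == "__main__":
    summary = triage(SAMPLE_BINDINGS)
    print(f"{summary['locally_administered']}/{summary['total']} bindings are randomised MACs")
    # Assumed figures for illustration: a /24 pool and 20 fresh MACs per minute.
    print("leases in use at a 5 min lease:", steady_state_leases(20, 5))
    print("longest lease that stays under 80% of a /24:", round(max_lease_minutes(254, 20), 1), "min")
```

Run `triage()` over a real `show ip dhcp binding` capture: if most active bindings carry the U/L bit, MAC-based blocking and "one IP per MAC" reasoning will not hold, and the lever left on the DHCP side is the lease-time-versus-arrival-rate relationship that `max_lease_minutes()` makes explicit. Pair it with the controller-side measures the thread already names (client exclusion after failed web auth, shorter idle/session timeouts) so that the arrival rate itself drops rather than only the lease.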