Comments on Revolution Wi-Fi: Preventing DHCP Starvation Attacks
Blog author: Andrew von Nagy (http://www.blogger.com/profile/12658799453646609565)
Comment feed last updated: 2024-03-25T23:51:47-05:00
Comments are listed newest first.

Andrew von Nagy, 2011-03-30 20:24 -05:00:
Hi Joe,
Guests connecting to an open Wi-Fi network with web authentication are assigned an IP address prior to web authentication. Because web-auth is performed at the application layer, they require an IP address and DNS resolution/redirection prior to authenticating.

Your best option is to have a short DHCP lease time.

Regards,
Andrew

Joe (http://joe.com), 2011-03-30 02:53 -05:00:
Hi Andrew,
I don't mind my legitimate user being idle after association and getting an IP. But I am worried about the clients from nearby buildings, parks etc. associating to our guest SSID and using up IP addresses and the association table, thus preventing 'our own' legitimate guests from getting wireless access. Got my point? So I want to know if there is an option in webauth or any other open L2 authentication method wherein I can specify a timeout between 'association' and the client proceeding to 'authenticated' status?
Regards,
Joe

Joe (http://joe.com), 2011-03-30 00:35 -05:00:
Hi Andrew,
I think usertimeout will affect my legitimate users also. I don't mind if a web-authenticated client remains idle; what I want to restrict is unwanted clients from automatically associating to my open guest SSID and not 'proceeding' to do webauth, remaining idle while just being associated to the AP. Is there any way to achieve this?

Regards,
Joe

Andrew von Nagy, 2011-03-29 20:12 -05:00:
Hi Joe,
The client idle timeout is the setting that you are looking for. The command is "config network usertimeout", which sets the amount of time a user is idle before the controller deletes their session. The default setting is 300 seconds (5 min).

Be careful setting this too low, or it may cause a bad user experience for all users on any SSID. If set too low (the minimum is 90 sec), then the user session is deleted and they have to fully re-authenticate to get back on. This could cause a really bad user experience if they have to re-login all the time after just a short idle time.

I think what would be more appropriate for you would be to set a low DHCP lease time. Even if you kick idle clients off the controller, the DHCP lease is still active on the server until it expires. For guest networks it is not uncommon to have DHCP lease timers as short as 2 hours, 1 hour, or 30 minutes, depending on the expected usage behavior by guests in your environment.

Cheers,
Andrew

Joe (http://joe.com), 2011-03-29 12:41 -05:00:
Andrew: is there a way to time out clients which are associated but which do not proceed to webauth in an 'open' authentication like a guest SSID using webauth? If I leave the SSID 'open' in a crowded city office, I am afraid a lot of unnecessary client associations will happen, using up guest DHCP and also the AP association table.

Regards,
Joe

Anonymous, 2011-03-11 17:03 -06:00:
Andrew: Magnificent post! As we say, attacks often come from the inside.
I've seen many customer networks without proper protection, a "reaction mode" model. Hopefully, not all follow that path. Keep up the good work!

-steve
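The lease-time advice in Andrew's replies, and Joe's worry about passers-by holding guest addresses, come down to a sizing question. The following is an added example, not code from the original post or the comment thread: a small Python model of a guest DHCP scope that shows (a) how a shorter lease bounds the addresses held by transient clients that associate and never web-authenticate, by Little's law (addresses held = arrival rate x lease duration), and (b) why lease time alone does not stop an active starvation attack that requests leases under fresh spoofed MACs faster than they expire. The scope size (254), the client arrival rates, the attack rate and every MAC address are constructed for the example and are assumptions, not figures from the page.

```python
"""Added example (not from the original post or its comments): lease time vs. DHCP
scope exhaustion on an open guest SSID. All sizes, rates and MACs are constructed."""


class DhcpPool:
    """Minimal DHCP scope: a fixed number of addresses and a lease table.

    Time is in whatever unit the caller uses (seconds or milliseconds); `lease`
    and `now` just have to agree.
    """

    def __init__(self, size: int, lease: int):
        self.size = size
        self.lease = lease
        self.leases: dict[str, int] = {}  # client MAC -> lease expiry time

    def _expire(self, now: int) -> None:
        """Drop leases whose expiry time has been reached."""
        self.leases = {mac: exp for mac, exp in self.leases.items() if exp > now}

    def offer(self, mac: str, now: int) -> bool:
        """Handle a DISCOVER/REQUEST at time `now`; False means the scope is exhausted."""
        self._expire(now)
        if mac in self.leases or len(self.leases) < self.size:
            self.leases[mac] = now + self.lease  # new lease, or renewal of an existing one
            return True
        return False

    def free(self, now: int) -> int:
        """Addresses available at time `now` after expiring stale leases."""
        self._expire(now)
        return self.size - len(self.leases)


def steady_state_leases(arrivals_per_hour: float, lease_hours: float) -> float:
    """Little's law: addresses held at steady state = arrival rate x lease duration."""
    return arrivals_per_hour * lease_hours


def simulate_transients(pool_size: int, lease_seconds: int,
                        arrivals_per_hour: int, hours: int) -> tuple[int, int]:
    """Passers-by on an open web-auth SSID: a new MAC every 3600/arrivals_per_hour
    seconds, each taking one lease and never renewing.
    Returns (requests refused, peak number of leases held at once)."""
    pool = DhcpPool(pool_size, lease_seconds)
    interval = 3600 // arrivals_per_hour  # exact for rates that divide 3600
    refused = peak = 0
    for n, now in enumerate(range(0, hours * 3600, interval), start=1):
        mac = f"02:00:00:00:{(n >> 8) & 0xFF:02x}:{n & 0xFF:02x}"  # constructed MAC
        if not pool.offer(mac, now):
            refused += 1
        peak = max(peak, len(pool.leases))
    return refused, peak


def time_to_exhaustion(pool_size: int, lease_seconds: int,
                       requests_per_second: int, max_seconds: int = 3600):
    """Starvation attack: DISCOVERs with a fresh spoofed MAC at a fixed rate.
    Returns elapsed milliseconds at which the first request is refused, or None
    if the scope survives for `max_seconds`."""
    pool = DhcpPool(pool_size, lease_seconds * 1000)  # this simulation runs in ms
    step_ms = 1000 // requests_per_second
    for n, now_ms in enumerate(range(0, max_seconds * 1000, step_ms), start=1):
        mac = f"de:ad:be:ef:{(n >> 8) & 0xFF:02x}:{n & 0xFF:02x}"  # spoofed, constructed
        if not pool.offer(mac, now_ms):
            return now_ms
    return None


if __name__ == "__main__":
    print("24h lease, 100 passers-by/h over 8h (refused, peak):",
          simulate_transients(254, 86400, 100, 8))
    print("30min lease, same traffic (refused, peak):",
          simulate_transients(254, 1800, 100, 8))
    print("Little's law, 100/h x 0.5h:", steady_state_leases(100, 0.5))
    print("Starvation at 50 req/s, 30min lease, exhausted after ms:",
          time_to_exhaustion(254, 1800, 50))
```

With a 24-hour lease the /24 fills after 254 passers-by and every later guest is refused, while a 30-minute lease at the same arrival rate never holds more than 50 addresses, matching the Little's-law estimate. The attack run shows the other side of Andrew's caveat: an attacker cycling spoofed MACs at 50 requests per second empties the same scope in about five seconds whatever the lease time, and the lease then only decides how long the scope takes to recover after the attacker stops. That active case is the starvation attack the post's title refers to, and it needs a control on who may request and how fast, not a shorter lease.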