
Rogue DHCP via WLAN, is it possible?

Status
Not open for further replies.

Eyas (IS-IT--Management), Sep 11, 2002
Hi

We've got a problem on our network with a rogue DHCP server. We don't know whether it's on our cabled LAN or on our WLAN. My question is whether it can connect via the WLAN.

We're running a WLAN with Cisco 350 APs. We're using LEAP with authentication against a Cisco ACS. Normally you can't even get an IP unless you're authenticated, but is it possible that it works the other way around? That a client on our network broadcasts and gets an answer from an unauthenticated machine via the WLAN? Seems unlikely to me, but I need to be sure.

Both fixed and wireless clients are affected (they're on the same VLAN)

TIA
/Eyas
 
Yes, DHCP can be served by a DHCP server on a wireless network.

Without knowing what authentication system you're using, I can't say if an unauthenticated machine could be serving... But basically, if it can connect to the WAP then it probably can serve addresses.

Next time the machine ends up with a rogue IP address, type "ipconfig /all" in a command prompt - you'll get something like this.
Code:
1 Ethernet adapter :

     Description . . . . . . . . : SMC Adapter.
     Physical Address. . . . . . : 00-00-00-00-00-A
     DHCP Enabled. . . . . . . . : Yes
     IP Address. . . . . . . . . : 192.168.2.3
     Subnet Mask . . . . . . . . : 255.255.255.0
     Default Gateway . . . . . . : 192.168.2.1
 **  DHCP Server . . . . . . . . : 192.168.2.1
     Primary WINS Server . . . . :
     Secondary WINS Server . . . :
     Lease Obtained. . . . . . . : 03 19 03 07:26:0

As you can see, it gives you the IP address of the DHCP server from which it obtained its IP address.
 
Hi

TNX for your response. We've already tried to do an ARP trace in our other network devices (routers and switches), but since the IP of the rogue DHCP is incorrect it will only be discarded in our routers. Therefore it won't show up in the ARP cache in the switches either. The only way to trace it is via the MAC address, but you can't obtain it via ipconfig.

Our WLAN is set up in such a way that you can't connect without correct authentication. That is, you'll have to have a correct account, password and WEP to get in. Otherwise you can't connect via the WLAN. I'm pretty certain that this client can't get in that way.

The question, however, is whether it can reply to the broadcasts from a DHCP client even if the server itself can't authenticate to the AP?

/Eyas
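Eyas points out that the rogue server's MAC address is what you need and that ipconfig won't give it. The following is an added example, not code from the thread: a Python parser for a captured DHCP OFFER frame that pulls out the offering server's MAC, source IP and server identifier (option 54) and flags any server not on an allowlist. The frame, the MAC and the addresses are constructed here for illustration, and the allowlist of legitimate servers is an assumption.

```python
import socket
import struct
KNOWN_DHCP_SERVERS = {"192.168.2.1"}  # assumption: the site's legitimate DHCP server(s)

def build_offer(server_mac: bytes, server_ip: str, offered_ip: str) -> bytes:
    # Constructed Ethernet/IPv4/UDP/DHCP OFFER frame so the example runs offline.
    ip = socket.inet_aton
    dhcp = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                       b"\0" * 4, ip(offered_ip), ip(server_ip), b"\0" * 4,
                       b"\0" * 16, b"\0" * 64, b"\0" * 128)
    # magic cookie, option 53 (message type = OFFER), option 54 (server id), END
    dhcp += b"\x63\x82\x53\x63" + b"\x35\x01\x02" + b"\x36\x04" + ip(server_ip) + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ip(server_ip), ip("255.255.255.255"))
    return b"\xff" * 6 + server_mac + b"\x08\x00" + ip_hdr + udp

def parse_dhcp_offer(frame: bytes):
    # Returns the offering server's MAC, source IP and server identifier, or None.
    if frame[12:14] != b"\x08\x00":                  # not IPv4
        return None
    server_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ip_hdr[9] != 17:                              # not UDP
        return None
    udp = frame[14 + ihl:]
    if struct.unpack("!HH", udp[:4]) != (67, 68):    # not server -> client DHCP
        return None
    dhcp = udp[8:]
    if dhcp[0] != 2 or dhcp[236:240] != b"\x63\x82\x53\x63":   # BOOTREPLY + cookie
        return None
    msg_type, server_id, i, opts = None, None, 0, dhcp[240:]
    while i < len(opts) and opts[i] != 255:          # walk TLV options until END
        if opts[i] == 0:                             # PAD has no length byte
            i += 1
            continue
        code, length = opts[i], opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == 53:
            msg_type = value[0]
        elif code == 54:
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    if msg_type != 2:                                # only DHCPOFFER matters here
        return None
    return {"server_mac": server_mac, "server_ip": socket.inet_ntoa(ip_hdr[12:16]),
            "server_id": server_id or socket.inet_ntoa(dhcp[20:24])}
def is_rogue(offer: dict, known=KNOWN_DHCP_SERVERS) -> bool:
    return offer["server_id"] not in known
```

Feed it frames captured on the affected VLAN (e.g. a filter on UDP port 67 to 68) and the server_mac of any rogue offer is what to look up in the switches' MAC tables.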
 
"Our WLAN is set up in such a way that you can't connect without correct authentication. That is, you'll have to have a correct account, password and WEP to get in. Otherwise you can't connect via the WLAN."

Ah, I see-

If it can ACCESS the AP then it can serve DHCP.
So it depends - is the AP EAP / LEAP / PEAP authenticated?
>>if the account & password you refer to is to logon to a server on your LAN, then a rogue machine could serve by accessing the AP without logging into your LAN's server...
>>alternatively, if it's an account & password for WAP access using EAP / LEAP / PEAP, it can only serve if it's permitted to log on by the authentication server.

NB "A wireless client needs to be authenticated by a RADIUS server, and can only transmit EAP traffic until it is authenticated"

Also, check your routers' firmware - PEAP requires firmware 11.23T or later.

"since the IP of the rogue DHCP is incorrect"
do you mean you can't ping the DHCP server? is the IP way out for your LAN configuration? can you ping the server from the machine which is allocated the rogue IP? (if it can be given a rogue IP, then it should be able to ping the DHCP server which gave it).

It's probably not the case, but it may be worth considering if any of the routers could have DHCP serving enabled.
 