DHCP and Mobile Devices

[jduawa]

Hello, We are using windows server 2003 for dhcp and have 2 dhcp servers. I have been looking through the leases and notice alot of ipods/ipads/android devices getting handed ip address via dhcp. I am wondering how they are getting them. We do have an Aruba wireless controller and a few AP 61 access points but i do not think they are authenticating through the Aruba wireless. So how else would these devices be getting ip addresses. I thought that maybe students are creating adhoc wireless networks on the few machines that have wifi cards but i don think the connected devices would be getting addresses from our dhcp server. I am out of ideas on how to track down how these devices are getting ip's handed to them. Any ideas would be appreciated.
Thanks

[Tricky_Dicky]

I get the same and we are using a Ruckus system. I'm pretty sure it's because the iPhone will try and connect to the network so the first thing it gets is an IP address but then can't get any further because it can't authenticate to the wireless.
I'm sure there is a much better/more technical reason behind it, but that's the best I can come up with at this time in the morning

[SYNACK]

Setup rogue AP detection and supression on the Aruba controller and check whether your keys have been compromised, it only takes one teacher to give out the code (and they will) or one insecured device or using WEP for whatever bad reason.

You should be able to check in the controller to see if they are active at that time too. If you really wanted you could filter their MAC addresses (copied from the DHCP lease) in the controller too but its a loosing battle.

801.11x based WPA2 enterprise security is the way foward with this for greater security as it will use machine certs to authenticate which can't be compromised as easily. Set up another limited VLAN and WLAN for student devices that only gets internet access to keep the security and also the flexability.

[jduawa]

Thanks for the replies. I am now starting to think it is not the Aruba System because we are operating on the 'a' radio band and many of those devices do not have an 'a' radio in them. In fact, I took an ipod touch there and was 15 feet from the access point and it could not find the network, but once the band was changed on the AP profile to 'b/g' then it was able to see it. So again I am lost as to how they are getting an IP from the dhcp server. I do have rogue detection on. Thanks

[pantscat]

Has someone plugged a wireless AP into a network socket somewhere?

[jduawa]

Has someone plugged a wireless AP into a network socket somewhere?

Not that I have found. I did have a teacher plug a router into a network jack and had 2 ap's plugged into that, but that has since been disconnected. I have not detected any others.
Thanks

[pantscat]

What's your LAN environment like? all managed switches?

If so - maybe look at the mac address tables on each port of each switch and look for multiple mac addresses on a single port?

[Geoff]

Easiest way to find unauthorised routers/aps on your network is to check your switches and see how many mac addresses are associated with each port. If there's more than one on a non trunk port that is your culprit. Additionally if you know the mac address of one of the mobile devices you can track the mac of it down in your switches back to a port and find out what's going on from that.

Overall though, this should of enlightened you as to why having 802.11X enabled on your wired ports is important.

[jduawa]

What's your LAN environment like? all managed switches?

If so - maybe look at the mac address tables on each port of each switch and look for multiple mac addresses on a single port?

I would say 98% of our switches are Cisco managed switches. There are a few that are plain ol linksys 5 port switches where we needed more than 1 pc/printer but only had 1 network jack.

[pantscat]

In that case it's nice and straight-forward... do what @Geoff and I suggested.

"show mac-address list" is your friend...

[jduawa]

In that case it's nice and straight-forward... do what @Geoff and I suggested.

"show mac-address list" is your friend...

So what should i be looking for in the results...I see many mac addresses on the same interface.
Thanks

[Blue_Cookeh]

You could run the MACs through a filter to determine which manufacturer they're from... if you see a load of Apple devices and you don't own any Macs you know to follow that port to it's physical location and take it from there... for example.

[jduawa]

You could run the MACs through a filter to determine which manufacturer they're from... if you see a load of Apple devices and you don't own any Macs you know to follow that port to it's physical location and take it from there... for example.

Thanks for the reply. I can already get the macs from the windows dhcp server MMC. I just am not sure how to see where the dhcp request came from.

[Geoff]

this is why you need to look at your switches mac tables. They will tell you which mac addresses are associated with which ports. Therefore you can trace a mac address down to a physical location and thus a device.

[jduawa]

I will check that out, just not having much luck so far. Thanks again everyone