New Contributor

AP70 Question

I want to disable E1 on the AP70, is there a way to do that?
Guru Elite

Disable E1

By default E1 is disabled whenever E0 is plugged in. Describe your scenario, please.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

New Contributor

Re: AP70 Question

Currently we have an AP70 connected to a user's home network via E0, set up as a RAP. The user has connected an IP phone to E1, which uses the secure tunnel to route to a PBX for connectivity.

This is all well and good, except there is no authentication on E1. The user could connect anything to E1 and get an IP address off of our core network, which is a security concern if the AP were ever stolen.
Guru Elite

What you can do.

Well,

What you can do is:

(1) Create a role that has firewall policies that only allow phone traffic (DHCP, DNS, TFTP, SIP to the SIP server, etc.)
(2) Create an AAA profile and assign the role in (1) as the AAA profile's initial role
(3) Apply the AAA profile to the wired AP profile for port e1 and make port e1 untrusted.

That way, whatever device is plugged in, its traffic will be policed as if it were a phone. If it is not a phone doing phone things, it will not be able to do anything else.

Optionally, when you are assigning an AAA profile to that port, you can turn on MAC authentication in that AAA profile and authenticate MAC addresses that are located in the controller's local database.


Colin Joseph
Aruba Customer Engineering


New Contributor

Re: AP70 Question

Thanks - but we don't want anything to be plugged into E1. This was an unauthorized action that is routing voice traffic for the user's phone over the international WAN. So to prevent anything like this from repeating, we want to disable E1 on the AP70.
Guru Elite

Disable E1

So uncheck "enable" in the wired AP profile for that port, then.


Colin Joseph
Aruba Customer Engineering


New Contributor

Re: AP70 Question

Thanks - I did not know that "Wired AP enable" was the control for E1.

Thanks again
MVP

Re: AP70 Question

Colin,

I am also interested in securing the E1 port. I am fuzzy on your advice above, item “(3) Apply the AAA profile to the wired AP profile for port e1 and make port e1 untrusted”.

Question: How can I apply the AAA profile to the wired AP profile?

This is my wired AP profile:

(WC01) #show ap wired-ap-profile RAP-WIREDAP-PF
Wired AP profile "RAP-WIREDAP-PF"
---------------------------------
Parameter Value
--------- -----
Wired AP enable Enabled
Forward mode tunnel
Switchport mode access
Access mode VLAN 20
Trunk mode native VLAN 1
Trunk mode allowed VLANs 1-4094
Trusted Trusted
Broadcast Broadcast

Regards,

Peter
~Trinh Nguyen~
Boys Town
Guru Elite

Apology

What version of code is this?

The method that I mentioned allows you to apply an AAA profile to a wired PORT profile, and only exists in the "RN" code, i.e. ArubaOS 5.0.0.0 and above:

(Aruba3000) # show ap wired-port-profile wport_prof-ojh66

AP wired port profile "wport_prof-ojh66"
----------------------------------------
Parameter Value
--------- -----
Wired AP profile wap_prof-vaf78
Ethernet interface link profile elink_prof-oyu11
Shut down? No
Remote-AP Backup Enabled
AAA Profile aaa_prof-iop40
Bridge Role N/A



Yet another reason to upgrade to ArubaOS 5.x


Colin Joseph
Aruba Customer Engineering

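Colin's three steps, the optional MAC authentication, and the plain "disable E1" answer, written out as an added ArubaOS CLI example; this is not configuration from the thread or from Aruba's documentation. It assumes ArubaOS 5.x syntax; the PBX address, the AP group name, the RTP port range, the phone MAC and every profile name other than RAP-WIREDAP-PF are placeholders, and the svc-* service aliases are assumed to be the controller's built-in ones.

```text
! Option A (the original poster's case): nothing should ever use E1,
! so turn the wired AP function off in the profile bound to that port.
ap wired-ap-profile "RAP-WIREDAP-PF"
   no wired-ap-enable

! Option B (Colin's steps): E1 stays up but only phone traffic passes.
! Step 1: session ACL permitting only phone-type traffic to the PBX.
! 10.0.0.5 is a placeholder PBX/SIP server; RTP range is a placeholder.
netdestination pbx-server
   host 10.0.0.5
ip access-list session phone-only-acl
   user any svc-dhcp permit
   user any svc-dns permit
   user alias pbx-server svc-tftp permit
   user alias pbx-server svc-sip-udp permit
   user alias pbx-server svc-sip-tcp permit
   user alias pbx-server udp 16384 32767 permit
   user any any deny
user-role phone-only
   access-list session phone-only-acl

! Step 2: AAA profile whose initial role is the phone role.
! Optional: MAC auth against the local user DB so that only the known
! phone is placed in the role (placeholder MAC, lowercase, no delimiter).
aaa authentication mac mac-phone-auth
aaa profile e1-phone-aaa
   initial-role phone-only
   authentication-mac mac-phone-auth
   mac-default-role phone-only
local-userdb add username 001122334455 password 001122334455 role phone-only

! Step 3 (ArubaOS 5.x+): the wired PORT profile carries the AAA profile;
! the wired AP profile is untrusted so the role's ACL is enforced.
ap wired-ap-profile "RAP-WIREDAP-PF"
   wired-ap-enable
   forward-mode tunnel
   switchport access vlan 20
   no trusted
ap wired-port-profile e1-phone-port
   wired-ap-profile "RAP-WIREDAP-PF"
   aaa-profile e1-phone-aaa
ap-group RAP-GROUP-PLACEHOLDER
   enet1-port-profile e1-phone-port
```

With Option B in place, "show user" on the controller should list anything plugged into E1 under the phone-only role, which is the check that the port is actually untrusted.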

Occasional Contributor II

would it be easier to....

Why not use MAC authentication and add the phone's MAC address?
You could still protect the port and use the phone, with fewer steps than anything else.
I like the AP70s as RAPs, and we are testing the new RAP 5WN and RAP 2s. :D