ArubaOS and Controllers

New Contributor
Posts: 4
Registered: 07-06-2009

User role with multiple firewall policies

Let me first start with the problem I am trying to address. We have the need to permanently (or at least semi-permanently) block specific hosts that associate to our wifi network as they are untrusted devices. My thought on how to accomplish this was to implement a second firewall policy on the user role that gets applied to authenticated clients. The policy would deny host mac addresses. So my user policy has the following firewall policies:

mac-acl that basically looks like:
deny (mac-address)
permit any

session-acl
permits traffic that we trust on the network.

However, after applying the new mac acl, when testing I found that it basically is not doing much. I have added the mac of my wifi nic as a deny to the mac acl, and am not really seeing hits. I saw 9 hits once, and my client stopped functioning for a bit. However, when I disconnected, and then reconnected to the SSID, I was able to forward traffic without issue. In fact, I am composing this post while authenticated to the SSID that has the deny mac entry. I have verified that I have been assigned the appropriate user role with these firewall policies, and that is the case.

When looking at the configuration, I see the user-role with the mac acl applied:
user-role pre-employee
access-list mac Mac_filter
session-acl allowall
!
However, when I do a show acl hits role pre-employee, I don't see the acl listed:
User Role ACL Hits
------------------
Role         Policy   Src Dst Service Action Dest/Opcode New Hits Total Hits Index
----         ------   --- --- ------- ------ ----------- -------- ---------- -----
pre-employee allowall any any any     permit             1933     16363      4357

If I just do a show acl hits, I do see the acl listed under the pre-employee user role, with just a few hits (sorry for the poor formatting):

pre-employee Mac_filter 00:27:10:11:fb:f4 00:00:00:00:00:00 deny   0   9   4359
pre-employee Mac_filter any                                 permit 105 122 4360

Any ideas as to why this mac filter is not behaving as I would expect it to?
Guru Elite
Posts: 20,816
Registered: 03-29-2007

Re: User role with multiple firewall policies

If you want to block specific hosts, you should add those devices to the blacklist:

(host) #stm add-blacklist-client ?
client to add to DoS list

MAC acls have a different purpose that would not accomplish what you desire.


Colin Joseph
Aruba Customer Engineering

