ArubaOS and Controllers

Frequent Contributor I
Posts: 99
Registered: ‎08-19-2008

validuser acl a MUST?

I am wondering if you guys changed the validuser acl from the default "any any permit" to specific subnets (or netdestinations).
We ran into an issue and I was able to replicate it again right away.
Basically, a wireless user can hardcode our DNS server's IP address as their own IP address and connect to our open guest network without authenticating via the web portal, so they get a role that blocks network access. Because of this user's role, the Aruba controller denies any traffic to this IP address, therefore breaking DNS resolution for all users connecting to APs that terminate on this controller. Now, if this same user authenticates and his role changes to allow network access, I'm not sure whether he would be able to see the DNS requests coming to him, which would be a security hole.
This situation is now fixed via the validuser acl (only allowing user vlans and ap vlans), but seems to me it should be BOLDED and CAPITALIZED on the user guide if this can create such an issue if left at default.
Aruba OS: 5.0.3.1
Thanks,
Marcelo
Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
Aruba Employee
Posts: 119
Registered: ‎05-16-2007

Re: validuser acl a MUST?

It's not a must, but it is highly recommended to protect the user table from IP addresses and ranges that should not be there. It also protects against someone bridging their laptop between wired and wireless. When this happens, the user table of the controller can fill up with these wired IP addresses and inflate user counts.

validuser acl protects against all of this. I don't see every customer configuring one, but it is highly recommended. I believe it's discussed strongly in the user documentation and the Validated Reference Guides.
Frequent Contributor I
Posts: 99
Registered: ‎08-19-2008

Re: validuser acl a MUST?

Forgot to mention, our DHCP servers are NOT in user vlans (we use helper addresses on the vlan router interface).

It is actually briefly mentioned in the 5.0 UG. It should be discussed strongly, like you mentioned, but it is not.
Marcelo Lew
Wireless Network Architect-Engineer
University of Denver
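The following is an added illustration of the behaviour discussed in this thread; it is not code from the posters or from Aruba. It models how a validuser session ACL gates which source addresses are allowed into the controller's user table, comparing the default "any any any permit" with an ACL restricted to user and AP VLANs. The ACL line syntax assumed here (`network <addr> <mask> any any permit|deny`, `host <addr> any any permit|deny`, `any any any permit|deny`, first match wins, implicit deny at the end) and every subnet and address below are constructed assumptions for the example, not the University of Denver's addressing plan.

```python
"""Model of validuser-ACL gating of the ArubaOS user table (added example).

Assumptions (not from the thread): ArubaOS session-ACL lines of the form
  network <addr> <mask> any any permit|deny
  host <addr> any any permit|deny
  any any any permit|deny
are evaluated top-down, first match wins, with an implicit deny at the end.
All subnets and addresses are constructed for illustration.
"""
import ipaddress

# Constructed addressing plan (assumption): 10.20.0.0/16 = wireless user VLANs,
# 10.30.0.0/16 = AP VLANs, 10.1.1.53 = campus DNS server on a server VLAN,
# 192.168.50.0/24 = a wired VLAN a bridged laptop could leak from.
DNS_SERVER = "10.1.1.53"

# Default shipped with the controller, as described in the first post.
DEFAULT_VALIDUSER = """
any any any permit
"""

# Restricted ACL: only user VLANs and AP VLANs may populate the user table.
RESTRICTED_VALIDUSER = """
network 10.20.0.0 255.255.0.0 any any permit
network 10.30.0.0 255.255.0.0 any any permit
any any any deny
"""


def parse_validuser(acl_text):
    """Parse ACL text into a list of (source_network, permit_bool) rules."""
    rules = []
    for line in acl_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        kw, action = parts[0], parts[-1]
        if action not in ("permit", "deny"):
            raise ValueError(f"ACL line must end in permit/deny: {line!r}")
        if kw == "network":
            # ipaddress accepts a dotted netmask after the slash.
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        elif kw == "host":
            net = ipaddress.ip_network(f"{parts[1]}/32")
        elif kw == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            raise ValueError(f"unrecognised ACL keyword in: {line!r}")
        rules.append((net, action == "permit"))
    return rules


def user_table_accepts(rules, src_ip):
    """True if a client claiming src_ip would be entered into the user table."""
    ip = ipaddress.ip_address(src_ip)
    for net, permit in rules:
        if ip in net:
            return permit
    return False  # implicit deny


def build_user_table(rules, clients):
    """Return {mac: ip} for the clients the controller would admit.

    `clients` is a list of (mac, claimed_ip) pairs as seen on the wireless side.
    """
    return {mac: ip for mac, ip in clients if user_table_accepts(rules, ip)}


# Constructed client population: a normal guest, a guest who hardcoded the DNS
# server's IP, and a wired address leaked by a laptop bridging wired/wireless.
CLIENTS = [
    ("00:11:22:33:44:01", "10.20.5.7"),
    ("00:11:22:33:44:02", DNS_SERVER),
    ("00:11:22:33:44:03", "192.168.50.12"),
]


def dns_server_hijackable(acl_text):
    """True if the DNS server's IP can be claimed by a wireless client.

    Once that entry exists, the unauthenticated client's role is applied to all
    traffic destined to the DNS IP, which is the outage described in the thread.
    """
    return user_table_accepts(parse_validuser(acl_text), DNS_SERVER)


if __name__ == "__main__":
    for name, text in (("default", DEFAULT_VALIDUSER),
                       ("restricted", RESTRICTED_VALIDUSER)):
        table = build_user_table(parse_validuser(text), CLIENTS)
        print(f"{name:10s} user table: {table}  "
              f"DNS IP hijackable: {dns_server_hijackable(text)}")
```

With the default ACL all three clients land in the user table, including the one squatting on the DNS server's address; with the restricted ACL only the 10.20.0.0/16 guest is admitted, and both the spoofed DNS address and the bridged wired address are dropped before they can pollute the table.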