Allow/Deny access to Apple updates, iTunes and iCloud backup using AppRF
Requirement:

If a WLAN administrator wants to permit or block the following types of Apple traffic, AppRF can be used to do so:

  • Apple software updates
  • iTunes
  • iCloud backup

 



Solution:

AppRF is the application-aware deep packet inspection (DPI) technology that Aruba Networks introduced in ArubaOS (AOS) 6.4. It makes it possible to write session ACL rules that match on the classified application instead of only on the traditional source/destination IP addresses and port numbers. The configuration below shows how access to Apple updates, iTunes and iCloud backup can be allowed or denied with application-specific ACL rules.

 



Configuration:

Using CLI:

1) Create a session ACL with AppRF rules: each rule uses the app keyword to match a classified application and sets the action for it. In this example Apple updates, iTunes and iCloud are denied while iBackup is permitted; change the actions to suit the requirement.

(Controller) (config) #ip access-list session "Apple traffic block/permit"
(Controller) (config-sess-Apple traffic block/permit)#any any app apple-update deny
(Controller) (config-sess-Apple traffic block/permit)#any any app itunes deny
(Controller) (config-sess-Apple traffic block/permit)#any any app icloud deny
(Controller) (config-sess-Apple traffic block/permit)#any any app ibackup permit
(Controller) (config-sess-Apple traffic block/permit)#exit
(Controller) (config) #

2) Attach the ACL to the user role whose clients should be subject to it. Policies in a role are evaluated in order and the first matching rule wins, so this policy must sit above any broad permit-everything policy (such as allowall) in the role, otherwise the application rules are never reached; if the role already contains such a policy, use the position option of the access-list command to place the AppRF policy above it.

(Controller) (config) #user-role Authenticated-AppRF-Role
(Controller) (config-role) #access-list session "Apple traffic block/permit"
(Controller) (config-role) #

 

Using WebUI:

1) Configuration tab ⇒ Access Control ⇒ Policies ⇒ Add.

 

 

2) Configuration tab ⇒ Access Control ⇒ select the user role ⇒ add the AppRF policy configured above to the role, above any permit-everything policy the role already contains.

 

 



Verification

1) Verify that the user role contains the AppRF policy and that DPI classification is enabled for it. In the output below, DPI Classification: Enabled confirms that the classifier is active for the role, and the Apple traffic block/permit policy appears at position 5 of the access-list List with its four application rules.

 

(Controller) #show rights Authenticated-AppRF-Role

Derived Role = 'Authenticated-AppRF-Role'
 Up BW:No Limit   Down BW:No Limit
 L2TP Pool = default-l2tp-pool
 PPTP Pool = default-pptp-pool
 Periodic reauthentication: Disabled
 DPI Classification: Enabled
 Web Content Classification: Enabled
 ACL Number = 104/0
 Max Sessions = 65535

 Check CP Profile for Accounting = TRUE

Application Exception List
--------------------------
Name  Type
----  ----

Application BW-Contract List
----------------------------
Name  Type  BW Contract  Id  Direction
----  ----  -----------  --  ---------

access-list List
----------------
Position  Name                                 Type     Location
--------  ----                                 ----     --------
1         global-sacl                          session
2         apprf-Authenticated-AppRF-Role-sacl  session
3         dhcp-acl                             session
4         dns-acl                              session
5         Apple traffic block/permit           session

global-sacl
-----------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
apprf-Authenticated-AppRF-Role-sacl
-----------------------------------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
dhcp-acl
--------
Priority  Source  Destination  Service   Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------   -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-dhcp               permit                           Low                                                           4
dns-acl
-------
Priority  Source  Destination  Service  Application  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any          svc-dns               permit                           Low                                                           4
Apple traffic block/permit
--------------------------
Priority  Source  Destination  Service  Application       Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6  Contract
--------  ------  -----------  -------  -----------       ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------  --------
1         any     any                   app apple-update  deny                             Low                                                           4
2         any     any                   app itunes        deny                             Low                                                           4
3         any     any                   app icloud        deny                             Low                                                           4
4         any     any                   app ibackup       permit                           Low                                                           4

Expired Policies (due to time constraints) = 0

 

2) Once a user connects to the network, confirm with the command below that the user has been placed in the correct role.

 

(Controller) #show user-table

Users
-----
    IP           MAC            Name     Role                      Age(d:h:m)  Auth  VPN link  AP name   Roaming   Essid/Bssid/Phy                  Profile   Forward mode  Type  Host Name
----------  ------------       ------    ----                      ----------  ----  --------  -------   -------   ---------------                  -------   ------------  ----  ---------
20.20.20.1  b0:34:95:13:a2:3f            Authenticated-AppRF-Role  00:01:59                    225-AP-1  Wireless  StanStan/18:64:72:5e:db:52/a-HT  test-aaa  tunnel        iPad

User Entries: 1/1
 Curr/Cum Alloc:2/6 Free:0/4 Dyn:2 AllocErr:0 FreeErr:0

 


3) To confirm that user traffic is actually matching the AppRF ACL rules, check the ACL hit counters. A rising Total Hits count on a deny rule shows that the classifier identified the application and the controller dropped that traffic:

 

(Controller) #show acl hits

User Role ACL Hits
------------------
Role                           Policy                         Src   Dst         Service/Application  Action   Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
----                           ------                         ---   ---         -------------------  ------   -----------  --------  ----------  -----  ---------
Authenticated-AppRF-Role       Apple traffic block/permit     any   any         app apple-update     deny                  0         20          429    ipv4
Authenticated-AppRF-Role       Apple traffic block/permit     any   any         app itunes           deny                  0         3           430    ipv4
Authenticated-AppRF-Role       Apple traffic block/permit     any   any         app icloud           deny                  0         9           434    ipv4

<output trimmed>
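As an added example (not from the original article and not Aruba code), the Python script below automates the checks made by hand in verification steps 1 and 3: it parses show rights output to confirm that DPI classification is enabled on the role, that the AppRF policy is attached, and that no permit-everything policy is evaluated before it, and it parses show acl hits to report which deny rules have actually matched traffic. The sample output is transcribed from this page and trimmed; the allowall variant, the PERMISSIVE_POLICIES set and the function names are assumptions made for the example.

```python
import re

# Sample `show rights` output, transcribed from this page and trimmed to the
# lines these checks read (constructed test input, not live controller output).
SHOW_RIGHTS_OK = """\
Derived Role = 'Authenticated-AppRF-Role'
 DPI Classification: Enabled

access-list List
----------------
Position  Name                                 Type     Location
--------  ----                                 ----     --------
1         global-sacl                          session
2         apprf-Authenticated-AppRF-Role-sacl  session
3         dhcp-acl                             session
4         dns-acl                              session
5         Apple traffic block/permit           session
"""

# Constructed variant of a common mistake: the AppRF policy was appended to a
# role that already contains allowall, so allowall is matched first.
SHOW_RIGHTS_BAD = SHOW_RIGHTS_OK.replace(
    "5         Apple traffic block/permit           session",
    "5         allowall                             session\n"
    "6         Apple traffic block/permit           session",
)

# Sample `show acl hits` rows, transcribed from this page (constructed input).
SHOW_ACL_HITS = """\
Role                           Policy                         Src   Dst         Service/Application  Action   Dest/Opcode  New Hits  Total Hits  Index  Ipv4/Ipv6
----                           ------                         ---   ---         -------------------  ------   -----------  --------  ----------  -----  ---------
Authenticated-AppRF-Role       Apple traffic block/permit     any   any         app apple-update     deny                  0         20          429    ipv4
Authenticated-AppRF-Role       Apple traffic block/permit     any   any         app itunes           deny                  0         3           430    ipv4
Authenticated-AppRF-Role       Apple traffic block/permit     any   any         app icloud           deny                  0         9           434    ipv4
"""

# Policy names treated as "permit everything" (assumed; extend for local naming).
PERMISSIVE_POLICIES = {"allowall", "allow-all"}

def dpi_enabled(show_rights):
    """True when the role reports 'DPI Classification: Enabled'."""
    m = re.search(r"DPI Classification:\s*(\w+)", show_rights)
    return bool(m) and m.group(1).lower() == "enabled"

def parse_policy_list(show_rights):
    """Return [(position, name, type)] from the role's 'access-list List' table."""
    policies = []
    for line in show_rights.partition("access-list List")[2].splitlines():
        if not line.strip() and policies:
            break  # the table ends at the first blank line after its rows
        # The Name column may contain spaces; the Type column follows 2+ spaces.
        m = re.match(r"^(\d+)\s+(.+?)\s{2,}(\S+)", line)
        if m:
            policies.append((int(m.group(1)), m.group(2), m.group(3)))
    return policies

def check_role(show_rights, policy_name):
    """Return a list of findings; an empty list means the role is set up correctly."""
    findings = []
    if not dpi_enabled(show_rights):
        findings.append("DPI Classification is not enabled, so app rules cannot match")
    names = [name for _, name, _ in parse_policy_list(show_rights)]
    if policy_name not in names:
        findings.append(f"policy {policy_name!r} is not attached to the role")
        return findings
    for name in names[: names.index(policy_name)]:
        if name.lower() in PERMISSIVE_POLICIES:
            findings.append(f"{name!r} is evaluated before {policy_name!r}; "
                            "first match wins, so the app rules are never reached")
    return findings

def parse_acl_hits(show_acl_hits):
    """Parse the data rows of `show acl hits`; columns are separated by 2+ spaces."""
    rows = []
    for line in show_acl_hits.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 10 or not cols[-3].isdigit():
            continue  # header, ruler or blank line: Total Hits is not numeric
        # Dest/Opcode is usually empty, so index the trailing columns from the right.
        rows.append({"role": cols[0], "policy": cols[1], "match": cols[4],
                     "action": cols[5], "total_hits": int(cols[-3])})
    return rows

def hits_by_app(rows, role, policy):
    """Map each application rule of one role/policy pair to (action, total_hits)."""
    return {r["match"]: (r["action"], r["total_hits"])
            for r in rows if r["role"] == role and r["policy"] == policy}

def blocked_apps_with_hits(rows, role, policy):
    """Deny rules that have matched traffic, i.e. the block is demonstrably effective."""
    return sorted(app for app, (action, hits) in hits_by_app(rows, role, policy).items()
                  if action == "deny" and hits > 0)

if __name__ == "__main__":
    role, policy = "Authenticated-AppRF-Role", "Apple traffic block/permit"
    print("as on this page:", check_role(SHOW_RIGHTS_OK, policy) or "no findings")
    print("with allowall above:", check_role(SHOW_RIGHTS_BAD, policy))
    print("blocked and hit:", blocked_apps_with_hits(parse_acl_hits(SHOW_ACL_HITS), role, policy))
```

On the output shown on this page check_role reports nothing and all three deny rules have hits; on the constructed allowall variant it flags that allowall is evaluated first. To use it against a live controller, capture the two show commands to text files and pass their contents in place of the sample strings.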
Version History
Revision #: 2 of 2
Last update: 11-25-2015 04:18 PM
Comments
kevin.kincaid@gatesfoundation.org

So, when it says "apple-updates" in the controller, does that mean iOS updates for mobile devices or does that refer to Apple Software updates for computers, laptops, etc.?

 

Thank you.
