Controller Based WLANs

What is validuser ACL and its uses?

Product and Software: This article applies to all Aruba controllers and ArubaOS versions.

 

The validuser access control list is applied to all frames before the source IP is added to the user table. All traffic from users with an IP address from a prohibited address range is dropped. It does not have any impact on 802.11 associations.

 

By default, all IP addresses are permitted, but this ACL (like any other) can be modified from CLI or WebUI:

 

(Aruba5000) #show ip access-list validuser

 

ip access-list session validuser 
validuser 

 

 

Priority  Source  Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan 
--------  ------  -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  ------- 
1         any     any          any      permit                           Low                                   

 

One of the common uses of validuser is to prevent hosts with autogenerated IP addresses from filling up the user table

 

 

(Aruba5000) (config) #ip access-list session validuser

(Aruba5000) (config-sess-validuser)#network 169.254.0.0 255.255.0.0 any any deny position 1

(Aruba5000) (config-sess-validuser)#show ip access-list validuser                  

 

ip access-list session validuser 
validuser 
--------- 
Priority  Source                   Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan 
--------  ------                   -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  ------- 
1         169.254.0.0 255.255.0.0  any          any      deny                             Low                                    
2         any                      any          any      permit                           Low        

 

 

The validuser ACL can also be used to prevent malicious users from impersonating critical IP addresses on the network.

 

 

 

For example, a user can statically assign itself the IP address of the default gateway, essentially bringing down the whole network. Using this access list, we can prevent users from using such IP addresses, for example, the default gateway, switch IP addresses, and server IP addresses.

 

 

 

For example, if 10.1.1.1 is the default gateway, the validuser access list can be changed to prevent users from using this address:

 

(Aruba5000) (config-sess-validuser)#host 10.1.1.1 any any deny position 2 
(Aruba5000) (config-sess-validuser)#show ip access-list validuser

 

ip access-list session validuser 
validuser 

 

 

Priority  Source                   Destination  Service  Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan 
--------  ------                   -----------  -------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  ------- 
1         169.254.0.0 255.255.0.0  any          any      deny                             Low                                    
2         10.1.1.1                 any          any      deny                             Low                                    
3         any                      any          any      permit                           Low

 

Version History
Revision #:
2 of 2
Last update:
‎07-02-2014 01:54 PM
Updated by:
 
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.